On Friday, December 4, 2020, the U.S. President signed into law the "Internet of Things (IoT) Cybersecurity Improvement Act of 2020" (H.R. 1668), which had bipartisan sponsorship from Democratic Rep. Robin Kelly (IL) and Republican Rep. Will Hurd (TX).
The act is based on a list of considerations that IoT devices must cover: secure development, identity management, patching, and configuration management. It affirms the risks inherent in the accelerated use of Internet-connected devices and calls for cooperative efforts between government, industry, and academia.
Until now, IoT cybersecurity recommendations from the National Institute of Standards and Technology (NIST) were followed voluntarily by a number of organizations. The law mandates that federal government use of IoT devices conform to minimum security requirements.
These most basic requirements are expected to set a baseline for IoT manufacturers and suppliers.
In addition, the responsibility to protect federal agencies against cyberattacks now starts with the executive branch and descends through a defined hierarchy that includes the Office of Management and Budget (OMB) and the Department of Homeland Security (DHS), which will work together.
The act mandates that NIST and OMB update IoT security standards, guidelines, and policies at least every five years. A vulnerability-disclosure policy obligates contractors and suppliers to notify (federal) agencies of any known vulnerabilities affecting the devices used.
Republican Sen. Cory Gardner (CO) anticipates 'tens of billions of devices' to be operating on networks in the coming years, as households and government alike adopt this innovative concept.
Data from IoT devices are already empowering more efficient operations as well as predictive maintenance, reducing downtime by avoiding failures and promoting operations at peak performance.