In September 2020, the House of Representatives passed a bill known as the IoT Cybersecurity Improvement Act that requires all Internet of Things (IoT) government devices to meet minimum security requirements. Naturally, with everything interconnected, the need for a function improvement in the security of the networks that share information is much needed. Multiple reports have indicated that around 98% of traffic from IoT devices is unencrypted to this day, and obviously, this number should be close to zero. Security is of imperative importance for the services we plan to rely on in the coming years.
H.R.1668 – IoT Cybersecurity Improvement Act of 2020 has the potential to improve the security of IoT devices. This new law:
1. Requires the National Institute of Standards and Technology (NIST) to issue standards and guidelines for the use of IoT devices controlled or owned by federal agencies;
2. Directs NIST to consider relevant standards, guidelines, and best practices created by the private sector, agencies, and public-private partners;
3. Directs the Office of Management and Budget (OMB) to issue guidelines for every agency that is consistent with the NIST recommendations, including updating the Federal Acquisition Regulation;
4. Directs NIST to work with industry experts, cybersecurity researchers, and the Department of Homeland Security (DHS) to publish guidelines on security vulnerability about information systems controlled or owned by an agency (including IoT devices managed or owned by an agency), and the solution of such security vulnerability;
5. Requires any federal-owned IoT devices to comply with the NIST standards and guidelines; and
6. Requires contractor compliance with the NIST standards and regulations and agencies to decide on such compliance before awarding a contract to obtain an IoT device from the contractor.
7. This responsibility will be carried out by working collaboratively within and among agencies in the executive branch, industry, and academia.
8. In accordance with the bill, not later than 90 days after the date of the enactment of the IoT Cybersecurity Improvement Act, the Director of the NIST will have to develop and publish standards and guidelines for the Federal Government on the appropriate use and management by agencies of IoT devices controlled or owned by an agency and connected to information systems managed or owned by an agency.
9. Not later than five years after the date on which the Director of the Institute publishes the standards and guidelines. At least once every five years after that, the Director of the Institute will have to review and revise standards and guidelines as appropriate.
10. Once the standards and guidelines are revised, the Director of OMB, in consultation with the Director of the Cybersecurity and Infrastructure Security Agency of the Department of Homeland Security, will update any policy or principle as necessary to ensure those policies and principles are consistent with the review and any revision.
Conclusion
The importance of this new Act cannot be overstated from a cybersecurity standpoint. IoT vulnerabilities are a notorious cyber threat that often leads to data breaches or denial-of-service attacks.
Finally, not only is “complying” with NIST 8259 going to be the “gatekeeper” for sales of IoT devices to the federal government, but it will also become important in sales to private industry. For many users (especially home users or small businesses), this won’t matter at all. But the larger ones (who are much more accustomed to dealing with regulations and have a lot more at stake if they get hit by a cyberattack) will very likely ask every IoT device vendor about 8259 compliance.