What You Need to Know About the Fed’s New IoT Cybersecurity Law
December 17, 2020
The federal government recently passed a law that impacts the security of any IoT device connected to a government system. This is a law you need to know about.
Last month, Congress passed the Internet of Things Cybersecurity Improvement Act of 2020, and shortly after, the President signed the bill into law. The unanimous bipartisan support in the House and Senate shows that the U.S. government is taking cybersecurity seriously. The law pertains to IoT devices purchased by the federal government and is a significant step toward improving the security of IoT devices connected to the government’s information systems. IoT device makers need to be aware of this law’s key aspects, such as how it defines IoT devices, the minimum security requirements for those devices, and how manufacturers need to support a new vulnerability disclosure process.
The law specifies an expansive and practical definition of “IoT devices” as devices that have “at least one transducer” and “at least one network interface” but are not conventional IT devices, such as smartphones or laptops. This definition applies to almost any embedded device connected to a government network, ranging from simple air-quality or temperature sensors to security cameras and printers. Even HVAC systems would fall under this definition, given that many can be network-connected. The law excludes IoT devices used in national security systems because the agencies responsible for those systems, such as the NSA and the U.S. military, are considered authorities in cryptography. The equipment used in those systems already has advanced cybersecurity capabilities beyond the scope of this law.
The law focuses on two aspects of cybersecurity, both of which can impact IoT device security in a meaningful way. Section 4 calls for the definition of standards, guidelines, and minimum security requirements that IoT devices will need to meet if connected to federal government information systems.
Section 5 outlines a requirement for a vulnerability disclosure process. This process will clear the way for ethical hackers to test IoT devices used in federal government systems for vulnerabilities and report them responsibly. Both the minimum requirements and the vulnerability disclosure process will be specified by NIST and put into effect by the Office of Management and Budget (OMB).
A Law to Pay Attention To
The law has teeth; it prohibits federal government agencies from purchasing IoT devices that don’t meet the NIST-defined minimum guidelines and vulnerability disclosure process. In other words, if a device doesn’t have the specified security features or the contractor doesn’t support the published vulnerability disclosure process, the federal government is not allowed to purchase that device. The CIOs of government agencies will be responsible for following the requirements when approving IoT procurement contracts.
NIST now has the challenging job of specifying the minimum security requirements while balancing two needs: making them thorough enough for devices to be genuinely secure, while not making it so burdensome for IoT manufacturers that they cannot add the security in a reasonable timeframe.
NIST is required to publish these requirements by March 2021, and the procurement rules change 180 days later. If an IoT device doesn’t already have the security features needed to meet NIST’s minimum requirements, minor changes may be feasible within this timeline. But, given the complexities of combining cybersecurity and embedded engineering, some manufacturers will find it challenging to add substantive features in only 180 days.
Here’s a summary of the law’s timelines:
- The President signed the act into law on December 4, 2020, following unanimous Congressional approval. NISTIR 8259 and 8259A will be the basis for the requirements and guidelines.
- NIST will publish the minimum security requirements for IoT devices by March 4, 2021.
- NIST will publish guidelines on vulnerability disclosures by June 4, 2021.
- Federal government agencies must comply with the IoT device procurement requirements as soon as September 4, 2021.
- Within two years, federal government agencies must implement policies to address the security vulnerabilities of IoT devices.
Given the short timeframes for the NIST requirements to go into effect, manufacturers selling to the federal government may need assistance to meet the new requirements and vulnerability disclosure processes. BG Networks offers cybersecurity software consulting services to assist manufacturers in meeting NIST requirements, specifically secure development, identity management, patching, and configuration management. WINSYSTEMS offers trusted hardware platforms built in a secure supply chain providing a significant head start for IoT device development with secure remote management and assurance during operation.
For a more detailed explanation of these elements and what companies making IoT devices should do to prepare, view the article from BG Networks on the IoT Cybersecurity Act of 2020.
Colin Duggan is the founder and CEO of BG Networks. Previously, Colin worked at Analog Devices, holding various roles in engineering, sales, and marketing in the processor and RF groups.