First Federal IoT Security Legislation Becomes LawThe Act Prohibits Procurement of Insecure IoT Devices
President Donald Trump on Friday signed into law the Internet of Things Cybersecurity Improvement Act of 2020, the first U.S. federal law addressing IoT security.
The act requires that federal agencies only procure devices that meet minimum cybersecurity standards and establishes a vulnerability reporting and notification program.
The legislation, which has been in the making for at least three years, met no opposition from lawmakers, passing the U.S. House of Representatives in September and sailing unanimously through the Senate last month (see: Senate Passes IoT Cybersecurity Improvement Act).
Two states already have IoT legislation. California's law - SB-327 - which went into effect in January, forbids the sale of devices that don't have reasonable baseline security measures. Oregon's IoT law, which also became effective in January, is similar to California's.
The act comes as U.S. government agencies’ use of IoT continues to rise, according to a survey released by the Government Accountability Office in September. Fifty-six of 90 agencies report using IoT in some way, including asset tracking, monitoring and access control. Some agencies, however, abandoned planned IoT projects due to security concerns.
The act is a “huge milestone” for the IoT industry that will likely have a broad effect, says Brad Ree, who is CTO of the consultancy ioXt and board member at the ioXt Alliance, an industry trade group dedicated to improving IoT security.
“Though this bill is targeted at government purchases, I fully expect network operators, consumer ecosystems, and retailers to follow with similar requirements for consumer products,” Ree says.
Signing of the act now sets in motion a series of deadlines for the National Institute of Standards and Technology. Within 90 days, NIST must publish minimum security requirements for federal agencies addressing the risk associated with IoT devices.
Those requirements will include guidance on security development, identity management, patching and configuration management.
NIST has been working on IoT guidelines, and in May it published NISTIR 8259A, which covers a core baseline of cybersecurity controls that devices should support. It also finalized baseline security recommendations for IoT device manufacturers in NISTIR 8259.
Vulnerability Management Program
Once the guidelines are complete, the law calls for the Director of the Office of Management and Budget to review them and consult with the director of the Cybersecurity and Infrastructure Security Agency.
CISA is currently led by Brandon Wales, who became director after Trump fired former Director Christopher Krebs. Trump alleged that Krebs made inaccurate statements about the integrity of the recent presidential election. Krebs, along with the Elections Infrastructure Government Coordinating Council, have maintained the election was “the most secure in American history” (see: Fired CISA Director Refutes Election Fraud Allegations).
The guidelines are to be reviewed at least every five years. The legislation also requires that NIST develop a program to collate data on vulnerabilities and disseminate that information, a key measure to ensure that IoT devices are kept up to date.
Vendors that are selling devices to the federal government must be able to receive information about vulnerabilities and also have the ability to update users about the resolution of vulnerabilities.
Ree says the requirements will help address some of the significant software supply chain security problems in which a vulnerable component ends up in many different products, such as the Ripple20 and Amnesia:33 TCP/IP stack flaws (see: Millions of IoT Devices at Risk From TCP/IP Stack Flaws).
“This law addresses a core issue in IoT: lack of supply chain transparency,” Ree says. “Suppliers of products to the federal government will be required to report vulnerabilities in their products, but their subcontractors will be held to the same standard.”