Trump Signs IoT Cybersecurity Improvement Act into Law

On Dec. 4, 2020, President Donald Trump signed into law the bipartisan-backed Internet of Things Cybersecurity Improvement Act of 2020. By its terms, the new law applies solely to federal government agencies, but its downstream consequences are likely to reach further, impacting devices procured by the federal government and—likely, eventually—consumer devices.

Internet of Things (IoT) devices are in widespread use, most visibly by consumers of new smart home devices. The new law defines IoT devices as those devices that:

  1. Interact with the physical world
  2. Have a network interface for transmitting or receiving information via the internet
  3. Are not conventional information technology devices such as smartphones or laptops and cannot function as a component of another device such as a processor

Despite having a highly technical definition, IoT devices are common and becoming increasingly so. You probably even have several in your home or office, with many wireless devices—like refrigerators, smart speakers, networked printers, security systems and locks—satisfying this definition of an IoT device.

Though perhaps less visible than consumer adoption of IoT devices, the federal government’s use of IoT devices is increasing and, given the federal government’s significant size and buying power, impacting the market in meaningful ways. For instance, the Environmental Protection Agency (EPA) uses sensors that transmit data regarding weather conditions. Customs and Border Protection (CBP) uses autonomous surveillance towers that detect and identify items of interest at the border. NASA even uses spacesuits that monitor and transmit data regarding astronauts’ vital signs. Although these items often serve more sophisticated functions than IoT devices purchased and used by consumers, many of the underlying technologies are similar or even identical.

Despite, or perhaps because of, their growing adoption, IoT devices are generally viewed as being more vulnerable to cyberattacks and subject to abuse as part of distributed denial of service (DDoS) attacks.

The IoT Cybersecurity Improvement Act seeks to reduce those risks, at least among IoT devices procured by the federal government. To achieve this goal, the new law:

  1. Tasks the National Institute of Standards and Technology (NIST) with developing, publishing and updating security standards for IoT devices
  2. Requires the Office of Management and Budget (OMB) to review each federal agency’s information security policies to ensure they comply with the standards NIST promulgates for IoT devices
  3. Prohibits federal agencies from procuring any devices that fail to comply with NIST’s standards

Although NIST’s standards are not yet drafted and, even when they are, will not impose any direct requirements on the private sector, it is important for all device manufacturers and sellers to pay close attention to developments. The sheer size and scope of the federal government’s buying power may result in private sector businesses adopting the eventual NIST standards to ensure they can sell devices to the government. Similarly, the eventual NIST standards may provide a possible baseline for private sector businesses to satisfy and bring themselves into compliance with state IoT security laws that require “reasonable security features.”


Copyright © 2020 Godfrey & Kahn S.C.

Published by

National Law Forum
