Blogpost

Is the New Federal IoT Law a Sign?

During the three years it took for the IoT Cyber Security Improvement Act of 2020 to complete its legislative journey, more than 11.8 billion devices were connected to the Internet. That’s a decidedly conservative estimate of IoT device growth, one based on former Cisco Chief Futurist David Evans’ calculation way back in 2015 that an average of 127 new things are connected to the Internet each second.

Before we despair at the glacial pace of federal legislation, an optimistic note is worth sounding.

The new law, signed by former President Trump on Dec. 4 of last year, required a deeply bipartisan effort during a period of extreme partisanship. That collaboration also managed to overcome some hefty business opposition: the U.S. Chamber of Commerce initially came out against the bill.

While the scope of the new law is fairly focused – it establishes minimum security standards for IoT devices owned or controlled by the federal government – it will also, importantly, affect a large number of the government’s third-party providers. It may also lay the groundwork for more expansive IoT security standards and/or laws to be considered by the new Administration.

Here are the key actions that the Internet of Things (IoT) Cybersecurity Improvement Act calls for, according to U.S. Senators Mark R. Warner (D-VA) and Cory Gardner (R-CO), who co-chair the Senate’s Cybersecurity Caucus:

  • Requiring the National Institute of Standards and Technology (NIST) to issue recommendations addressing, at a minimum, secure development, identity management, patching, and configuration management for IoT devices.
  • Directing the Office of Management and Budget (OMB) to issue guidelines for each agency that are consistent with the NIST recommendations, including making any necessary revisions to the Federal Acquisition Regulation to implement new security standards and guidelines.
  • Requiring any IoT devices purchased by the federal government to comply with those recommendations.
  • Directing NIST to work with cybersecurity researchers, industry experts, and the Department of Homeland Security (DHS) to publish guidelines on vulnerability disclosure and remediation for federal information systems.
  • Requiring government contractors and vendors providing information systems to the U.S. government to adopt coordinated vulnerability disclosure policies, so that if a vulnerability is uncovered, it can be effectively shared with the vendor for remediation.

The fact that opposing political parties were able to come together on a data security issue also suggests that passage of a long-discussed federal privacy law – a U.S. Data Protection Regulation, if you will – may not be as far-fetched as it seemed less than a year ago, and, importantly, could align the numerous state privacy requirements, e.g. the California Consumer Privacy Act and others.

Future of Privacy Forum Senior Fellow Peter Swire, a privacy-legislation influencer for more than 20 years, “believes the U.S. is on the cusp of passing comprehensive federal privacy legislation,” according to the International Association of Privacy Professionals (IAPP).