Congress Passes IoT Cybersecurity Act
Tuesday, November 24, 2020

The U.S. Senate passed a bill aimed at improving the cybersecurity of internet of things (IoT) devices. The bill was passed by the House in September and now moves to the president for approval.

The IoT Cybersecurity Improvement Act of 2020 requires the National Institute of Standards and Technology (NIST) to develop and publish standards and guidelines for the federal government on the appropriate use and management of IoT devices owned by federal agencies, as well as IoT devices connected to systems owned by those agencies. The standards are due 90 days after enactment of the act.

The act also requires the NIST director to ensure that the standards and guidelines include key information such as:
• Examples of possible security vulnerabilities of IoT devices;
• Considerations for managing those security vulnerabilities; and
• Secure development, identity management, patching and configuration management for IoT devices.

No later than 180 days after those standards are developed, the director of the Office of Management and Budget (OMB) is required to review agency information security policies and principles to ensure they are consistent with those standards. After that review, the OMB is responsible for issuing any policies or principles that are necessary to ensure agency policies are consistent with the NIST standards and guidelines.

No more than 180 days after the act goes into effect, NIST must develop and publish guidelines that cover:
• The reporting, coordinating, publishing and receiving of information about security vulnerabilities related to agency systems and the resolution of those vulnerabilities; and
• Information from contractors providing an IoT system or device about potential security vulnerabilities and how to resolve those vulnerabilities.

Two years after the enactment of the bill, the OMB must develop and oversee implementation of policies, principles, standards or guidelines necessary to address any security vulnerabilities. The bill prohibits an agency from procuring an IoT system or device from a contractor if the chief information officer (CIO) of that agency determines that the use of that device prevents compliance with the guidelines.

The act requires NIST to review the policies and guidelines every five years and make any necessary revisions.
