Enacted on December 4, 2020, the Internet of Things Cybersecurity Improvement Act of 2020 (the “IoT Act”) is expected to dramatically improve the cybersecurity of the ubiquitous IoT devices. With IoT devices on track to exceed 21.5 billion by 2025, the IoT Act mandates cybersecurity standards and guidelines for the acquisition and use by the federal government of IoT devices capable of connecting to the Internet. The IoT Act, and the accompanying standards and guidance being developed by the National Institute of Standards and Technology (NIST) will directly affect government contractors who manufacture IoT devices for federal government use, or who provide services, software or information systems using IoT devices to the federal government.
There will also be a significant indirect effect on private sector organizations purchasing IoT devices or systems using such devices for corporate use. Indeed, Congress specifically intended a wide-ranging spillover effect on the private sector, with the expectation that the proverbial rising tide will raise all boats. Organizations will ultimately need to determine whether they will purchase and use IoT devices, software and systems that meet the standards for federal use, or acquire insecure or less secure IoT devices and systems. Corporations that consume and use IoT devices and systems, including in manufacturing, logistics, healthcare, hospitality and retail, should consider the impact the IoT Act will have on organizational cybersecurity. The IoT Act and the accompanying NIST standards will influence compliance under state and federal laws providing for the cybersecurity of protected information, such as personal or private information, and protected health information (PHI).
Among other things, the IoT Act contains the following requirements:
- NIST STANDARDS AND GUIDELINES FOR USE AND MANAGEMENT OF IoT DEVICES: NIST shall publish standards and guidelines for the federal government’s use of IoT devices, including minimum information security requirements for managing cybersecurity risks. The guidance shall address secure development, identity management, patching and configuration management. NIST shall “consider relevant standards, guidelines and best practices developed by the private sector, agencies, and public-private partnerships.” As noted in the legislative history, there is presently no national standard to ensure the security of IoT devices, with the inability to effectively patch these devices or set secure device passwords, among other vulnerabilities, a significant threat to the nation’s infrastructure and security.
- NIST GUIDELINES FOR THE DISCLOSURE AND RESOLUTION OF IoT DEVICE VULNERABILITIES: NIST shall also publish guidelines: (a) for the reporting and publishing of security vulnerabilities of information systems owned or controlled by a federal agency (including IoT devices owned or controlled by an agency), and the resolution of such vulnerabilities; and (b) for a contractor or subcontractor providing such systems on receiving vulnerability information and disseminating information about the resolution of such security vulnerabilities. Significantly, the guidelines are to include example content on the vulnerability disclosures that should be “reported, coordinated, published or received” by a contractor, or any subcontractor thereof.
- ISSUANCE OF FEDERAL AGENCY INFORMATION SECURITY POLICIES AND PRINCIPLES: The Director of the Office of Management and Budget shall review agency information security policies and principles based on the NIST standards and guidance, and issue policies and principles as necessary to align the policies and principles with NIST standards and guidelines.
- REVISIONS TO THE FEDERAL ACQUISITION REGULATION: The Federal Acquisition Regulation shall be revised as necessary to implement the NIST standards and guidelines.
- CONTRACTOR COMPLIANCE WITH NIST STANDARDS AND GUIDELINES: Federal agencies are prohibited from procuring, obtaining, renewing a contract to procure or obtain, or using an IoT device, if the Chief Information Officer (CIO) of the agency determines that the use of such device prevents compliance with the NIST standards and guidelines, subject to a waiver for certain devices. This prohibition takes effect in December 2022, effectively providing a two-year ramp-up for planning to meet the new standards.
NIST has published draft guidance on IoT device cybersecurity, for which the comment period ended on February 26, 2021. According to NIST, the guidance offers a suggested starting point for manufacturers who are building IoT devices for the federal government market, as well as guidance to federal agencies on what they should ask for when they acquire these devices. NIST has presented publicly on the guidance and received comments and is in the process of finalizing its guidance. See, e.g., NIST drafts SP 800-213, NISTIR 8259B, 8259C, and 8259D, as well as NISTIR Final 8259, 8259A. These publications collectively discuss both technical and non-technical controls for securing federal IoT devices, including standards for manufacturing and acquiring these devices.
Organizations should do the following now to plan for the IoT Act taking effect in December 2022:
- Manufacturers who produce IoT devices for use by the federal government should review the draft guidance and await the final NIST guidance and standards, and develop appropriate device level requirements and documentation. They will also need to plan to develop processes to publicly report and mitigate vulnerabilities in their devices.
- Federal contractors, including software and service providers, should identify information systems that use IoT devices, and plan to meet the NIST IoT guidance and standards, including in their IoT device specifications, vendor selection and contractual requirements. Acquisition, purchasing and contracting decisions made in the coming months may affect the organization’s ability to be using secure IoT devices as of December 2022.
- Organizations that are not federal contractors should consider how NIST IoT standards and guidance may affect their compliance with cybersecurity laws requiring reasonable safeguards for protected information, depending on the use cases (e.g., Gramm-Leach-Bliley; Health Insurance Portability and Accountability Act (HIPAA); HR7898 as a defense or mitigation to HIPAA enforcement; NY SHIELD Act; California Civil Code §1781.5; Massachusetts data protection regulation; Illinois Personal Information Protection Act and Biometric Information Protection Act (BIPA)), including the potential impact on risk assessments, risk management frameworks (including NIST frameworks, e.g., SP 800-53 and the NIST Cybersecurity Framework, and other information security standards, such as ISO and OWASP), vendor selection, purchasing and contracting, RFP processes, supply chain risk and workforce training. The organization should identify the IoT devices incorporated into its information systems and their usage in light of the NIST guidance. Chief Information Security Officers (CISOs) and Chief Technology Officers (CTOs) should determine whether voluntarily adopting the prohibition that applies to their counterparts in federal agencies against using non-compliant IoT devices and systems furthers the organization’s compliance and risk reduction strategies, and weigh the potential adverse consequences of not doing so. Assessing the potential impact of NIST IoT cybersecurity guidance on private sector compliance and risk reduction strategy should involve the information technology, information security, compliance, personnel, and legal departments, as well as the individual business units responsible for the IoT device use.
EBG works closely, under attorney-client privilege, with organizations to conduct risk assessments and develop information security programs, manage supply chain risk and identify recognized security practices that may bolster practical security and improve compliance defensibility. Any questions may be directed to the authors or another member of EBG’s Privacy, Cybersecurity, and Data Asset Management Group. Brian G. Cesaratto is a Certified Information Systems Security Professional (CISSP) and Certified Ethical Hacker (CEH). Alexander Franchilli is an Associate in the Employment, Labor & Workforce Management and Litigation practices, in the New York office of Epstein Becker Green.
IoT devices “have at least one transducer (sensor or actuator) for interacting directly with the physical world, have at least one network interface, and are not conventional Information Technology devices, such as smartphones and laptops, for which the identification and implementation of cybersecurity features is already well understood, and can function on their own and are not only able to function when acting as a component of another device, such as a processor.” The wide range of IoT devices that connect to the Internet includes security cameras and systems, geolocation trackers, smart appliances (e.g., TVs, refrigerators), fitness trackers and wearables, medical device sensors, driverless cars, industrial and home thermostats, biometric devices, manufacturing and industrial sensors, farming sensors and other smart devices.