On December 4, 2020 the President signed into law the IoT Cybersecurity Improvement Act of 2020, Pub. L. No. 116-207 (the “IoT Act”). The legislative purpose behind the new law is to ensure the highest level of cybersecurity at federal agencies by working collaboratively within government, industry and academia. Pub. L. No. 116-207 § 2.
The IoT Act mandates specific actions by the National Institute of Standards and Technology (NIST), the Office of Management and Budget (OMB) and the Department of Homeland Security (DHS) regarding: (i) standards and guidelines for IoT devices, (ii) determining whether federal agencies adhere to those standards, and (iii) implementing guidelines to disclose security vulnerabilities to contractors and report the resolution of those vulnerabilities.
Beginning on December 5, 2022, the IoT Act will prohibit federal agencies from signing or renewing contracts that cannot comply with NIST’s IoT security standards or disclosure guidelines.
Key point: The new law only applies to IoT devices bought by the federal government, but as the largest single ‘customer’ in the world, the government’s purchasing power could make the law’s security standards the cornerstone of a comprehensive security standard for IoT devices in the private sector as well.
New and Useful Pre-Existing Definitions
The law begins by defining IoT devices as physical objects equipped with at least one sensor or actuator “for interacting with the physical world, hav[ing] at least one network interface, … function[ing] on their own and are not only able to function when acting as a component of another device, such as a processor.” Pub. L. No. 116-207 § 2(4).
Notably, this definition of IoT devices would include equipment such as heating and air conditioning systems that are connected to the Internet. The definition expressly excludes computers, laptops, tablets and smart phones, which are considered conventional Information Technology (IT) devices as defined in 40 U.S.C. § 11101.
Although the U.S. Code already refers to ‘operational technologies’ in the definition of industrial control systems, operational technologies were not defined. The IoT Act introduces a definition for Operational Technology to mean “hardware and software that detects or causes a change through the direct monitoring or control of physical devices, processes, and events in the enterprise.” Pub. L. No. 116-207 § 3(6).
The new law also references four authorizations and definitions in the U.S. Code that provide useful context:
- The Computer Security Act of 1987 gave NIST the mission of developing “standards and guidelines, including minimum requirements, for information systems used or operated by an agency or by a contractor of an agency ….” 15 U.S.C. § 278g-3(a).
- The 2015 National Defense Authorization Act amended the U.S. Code to require that all non-defense contracts for the procurement of information technology be reviewed by the respective federal agency’s chief information officer. 40 U.S.C. § 11319(b)(1)(C).
- Information Systems are defined in the Paperwork Reduction Act of 1995 to mean “a discrete set of information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information;” 44 U.S.C. § 3502.
- Security Vulnerabilities are defined in the Cybersecurity Information Sharing Act of 2015 to mean “any attribute of hardware, software, process, or procedure that could enable or facilitate the defeat of a security control.” 6 U.S.C. § 1501(17).
The IoT Act’s Teeth – Prohibiting Federal Contracts for Non-Compliant IoT Devices
As discussed in greater detail below, and consistent with NIST’s requirements under the Computer Security Act of 1987 to develop standards and guidelines for information systems, the IoT Act directs NIST to promulgate standards and guidelines for federal agencies on the appropriate use of their IoT devices, and to promulgate guidelines for disclosing and resolving security vulnerabilities on federal information systems, including IoT devices. 15 U.S.C. § 278g-3(a); Pub. L. No. 116-207 § 4(a).
In the event that the chief information officer determines that entering into or renewing contracts involving the use of IoT devices will prevent the agency from complying with the NIST security standards or the NIST disclosure guidelines described below, the agency is prohibited from entering into or renewing those contracts. This prohibition goes into effect on December 5, 2022. Pub. L. No. 116-207 § 7(a).
December 5, 2022 is also the deadline by which OMB and DHS are required to develop and oversee the implementation of policies and principles necessary to address security vulnerabilities of federal information systems, including IoT devices. Id. § 6(a). Congress authorized that the Federal Acquisition Regulation be revised as necessary to implement these policies and principles. Id. § 6(d).
NIST Requirement #1 – Security Standards and Guidelines for IoT Devices
No later than March 5, 2021, NIST must develop, publish and update security standards and guidelines on the appropriate use of IoT devices connected to government information systems. As NIST develops these standards and guidelines for IoT devices, NIST is required to address the following issues:
- Identifying and managing security vulnerabilities;
- Secure development;
- Identity management;
- Patching; and
- Configuration management.
Id. § 4(a). Congress directed that when NIST develops these standards, they be consistent with previous NIST guidance for IoT devices, and that NIST consider well-accepted recommendations from the private sector. Within six months after NIST’s standards and guidelines are developed, OMB and DHS are required to review federal agencies’ security policies for consistency with these NIST standards. Id. § 4(b). Congress also required that the Federal Acquisition Regulation be revised as necessary to implement NIST’s security standards and guidelines. Id. § 4(d).
Historically, IoT devices have had a checkered past with respect to security. IoT security was often put second to the economic pressure to get a functional product into the market. In addition, designing IoT devices that consumers could use easily also led IoT developers to simplify security provisions. Further, laziness sometimes prevailed, with manufacturers delivering products with a default password of “password.” Without a governing regulation, these other design factors inevitably conflicted with the time and expense needed to install effective security measures on the devices. This resulted in many IoT devices being easy targets for cybercriminals to plunder, not only for sensitive data but also as entry points into unsuspecting networks or for use in denial-of-service attacks.
In addition to recent laws in California and the promulgation of consumer privacy laws, the IoT Act is another regulatory driver which necessarily creates an economic incentive for IoT manufacturers to put greater emphasis on security protections for their devices, particularly those going into government networks. Further, economies of scale should spur some manufacturers to build those protections into all of their IoT devices, regardless of the anticipated customer. The IoT Act also sets an important set of standards, which other nations and/or industry standards organizations may adopt or mimic. These scenarios would be welcome steps to increase the likelihood that the security of IoT devices becomes a more important design factor, particularly when they are connected to “high-priority networks, such as those used in government facilities.”
NIST Requirement #2 – Guidelines for Receiving and Disclosing Security Vulnerabilities
By June 3, 2021, NIST must develop and publish guidelines for reporting, coordinating, publishing and receiving information regarding security vulnerabilities related to federal information systems and IoT devices owned or controlled by federal agencies, and regarding the resolution of those vulnerabilities. The disclosure guidelines will also apply to contractors and subcontractors that provide information systems, including IoT devices, to a federal agency. Id. § 5(a). To follow these guidelines, contractors and subcontractors will most likely have to establish programs and processes to receive information about potential security vulnerabilities in their IoT devices, and to disseminate the solutions for those vulnerabilities.
Greater information sharing and transparency are generally viewed as net positives in the cybersecurity community, but these new guidelines have the potential to create some challenges for the government and the private sector. For example, these guidelines may require the government to lay more ‘cards on the table’ regarding its vulnerability detection and resolution capabilities. Also, increased awareness of disclosed but uncorrected vulnerabilities can create new security risks, or magnify existing ones, for users of the affected IoT devices who are slow to take corrective action. Ultimately, however, the guidelines themselves will establish how specific this disclosed information must be.
No doubt, the IoT Act will have the greatest impact in the near term on businesses selling IoT products and services to the federal government. Nevertheless, these comprehensive IoT security requirements will be a fundamental shift in United States law, which has historically applied an industry-sectoral model to cybersecurity and data privacy. Once these standards are set, they may become the floor for contractual obligations and/or industry standards for manufacturers of IoT devices sold to the private sector. Accordingly, the effect of the IoT Act could be transformative and far-reaching for the industry.