The IoT Cybersecurity Improvement Act of 2020 is a U.S. law aimed at enhancing the cybersecurity of Internet of Things (IoT) devices and systems used by federal agencies. Here are the key points of the law:
1. Cybersecurity Standards for IoT Devices
- The law requires that IoT devices purchased by the federal government meet specific cybersecurity standards. This includes ensuring that devices are designed and built with security in mind to minimize vulnerabilities.
- The National Institute of Standards and Technology (NIST) is tasked with developing these standards, guidelines, and best practices.
2. NIST Role in Developing Guidelines
- NIST is directed to create and update a set of security requirements for IoT devices that federal agencies must follow. These guidelines will address areas such as device authentication, secure communications, and vulnerability management.
- NIST must consider existing cybersecurity standards and frameworks, including those from the private sector, to ensure the guidelines are robust and comprehensive.
3. Vulnerability Disclosure Requirements
- The law encourages the adoption of practices for timely and responsible disclosure of vulnerabilities in IoT devices. This aims to ensure that security flaws in devices are reported and addressed swiftly.
- Agencies are encouraged to follow responsible disclosure protocols and work with manufacturers to address any identified weaknesses.
4. Procurement Requirements for Federal Agencies
- Federal agencies are prohibited from purchasing IoT devices that do not comply with the new security standards and guidelines set by NIST. This ensures that government systems are not exposed to unnecessary cybersecurity risks.
- Agencies must also evaluate the cybersecurity of IoT devices as part of their procurement processes.
5. Coordination with Industry and Other Stakeholders
- The law stresses the importance of collaboration between government agencies, industry groups, and other stakeholders to improve the overall security of IoT devices.
- This includes working with manufacturers to encourage the adoption of secure design practices, as well as engaging in public-private partnerships to address cybersecurity challenges.
6. Report to Congress
- The law requires periodic reports from the Office of Management and Budget (OMB) and the Department of Homeland Security (DHS) to Congress, detailing the progress on implementing the cybersecurity standards for IoT devices and the overall security posture of IoT within the federal government.
7. Strengthening IoT Cybersecurity Across the Nation
- While focused on federal procurement, the law signals a broader effort to improve IoT cybersecurity across sectors, with the intention of raising security standards in the private sector as well.