Signed by the president on December 4, 2020, the IoT Cybersecurity Improvement Act of 2020 (IoT CIA) is the first federal law regulating the security of IoT devices, but it should come as no surprise to anyone working in IoT.
Congress proposed several versions of the bill and held a number of committee hearings on IoT cybersecurity, and the content of the enacted law is similar to earlier drafts. It relies on the National Institute of Standards and Technology (NIST) to develop the standards and guidelines for federal use of IoT devices, in coordination with academia and the private sector.
California and several other influential states, as well as the European Union and the United Kingdom, have been moving to regulate the largely unregulated IoT sector. Their actions have had a big impact on global privacy and security law, as has NIST, which recently published draft IoT guidance and has developed widely used frameworks for cybersecurity and privacy best practices.
The act defines an IoT device, borrowing NIST's definition, as a device with at least one sensor or actuator for interacting directly with the physical world, at least one network interface, and the ability to function on its own rather than only as a component of a larger system. Conventional computing devices such as smartphones and laptops are excluded.
The definition is not black and white. Do the new rules apply to industrial automation and control systems (IACS), such as the manufacturing systems in use at the Bureau of Engraving and Printing? Do they apply to the building management systems (BMS) used at many government facilities? If so, both the government and the private sector can expect substantial repercussions.
The law applies to IoT devices owned or controlled by an agency and connected to a federal information system, which NIST defines as “an information system used or operated by an executive agency, by a contractor of an executive agency, or by another organization on behalf of an executive agency.”
Among the IoT CIA’s requirements:
How federal agencies use IoT varies, and federal customers make up a small portion of the overall IoT market. But the government's use of IoT tends to support critical processes, so a breach could have serious consequences. And every IoT device connected to a federal network expands the attack surface available to an adversary.
Agencies use IoT devices to:
Device owners must secure and monitor their devices both to protect their own environments and to ensure that malicious actors cannot turn their systems against others, as happened in the 2016 Mirai botnet DDoS attacks, which were launched from consumer IoT devices compromised through default credentials. IoT device owners and manufacturers must work together to securely procure, deploy, configure and monitor these devices.
Although security has made great strides in recent years, many embedded systems, IoT devices included, still lack basic security controls. The reasons include hardware constraints, the cost of security and haste to get devices to market.
To get ahead of the new federal guidelines, we recommend that IoT device manufacturers take three key steps.
Review your product portfolio and contracts to determine whether the new law will affect your company.
Do you make IoT devices, firmware or components for federal agencies or their contractors?
If your company stands to be affected, make sure you are already aligned, or working toward alignment, with existing guidance from NIST and other federal agencies and industry groups.
Your planning should focus on heightened security requirements, vulnerability reporting, traceability of hardware and software components, and a thorough vetting of hardware and software supply chain risks.
Pay close attention to NISTIR 8259, Foundational Cybersecurity Activities for IoT Device Manufacturers. Since NIST will write the mandated guidelines, it is fair to anticipate that those guidelines will hew closely to this document.
Federal agencies will now need to vet their IoT device manufacturers for compliance with the IoT CIA guidelines in addition to existing information security laws, including the Federal Information Security Management Act (FISMA) and the Federal Information Technology Acquisition Reform Act (FITARA).
Get involved in industry working groups and contribute to developing the guidelines in collaboration with NIST.
In developing its guidelines, NIST will collaborate with private sector and academic experts. This collaboration period is an excellent time to participate in the process and influence the results.
| Existing guidance on the cybersecurity of the Internet of Things | Reference |
|---|---|
| IoT Device Cybersecurity Guidance for the Federal Government | NIST SP 800-213 |
| Foundational Cybersecurity Activities for IoT Device Manufacturers | NISTIR 8259 |
| IoT Device Cybersecurity Capability Core Baseline | NISTIR 8259A |
| IoT Non-Technical Supporting Capability Core Baseline | NISTIR 8259B |
| Creating a Profile Using the IoT Core Baseline and Non-Technical Baseline | NISTIR 8259C |
| Profile Using the IoT Core Baseline and Non-Technical Baseline for the Federal Government | NISTIR 8259D |
| Product Security Development Life-Cycle Requirements; Technical Security Requirements for IACS Components | ISA/IEC 62443-4-1; ISA/IEC 62443-4-2 |
| Premarket and Postmarket Management of Cybersecurity in Medical Devices | FDA guidance |
| Vulnerability disclosure; vulnerability handling processes | ISO/IEC 29147; ISO/IEC 30111 |