On Friday, December 4, 2020, H.R. 1668, the Internet of Things (IoT) Cybersecurity Improvement Act of 2020, was signed into law. The bipartisan bill was sponsored by Senators Mark Warner (D-VA) and Cory Gardner (R-CO) in the Senate and Representatives Robin Kelly (D-IL) and Will Hurd (R-TX) in the House. The new law will require IoT devices “owned or controlled” by the federal government to meet minimum security standards that address network vulnerabilities, and it may have significant implications for government contractors. It was introduced in response to a series of distributed denial of service (DDoS) attacks in 2016, in which the Mirai malware variant was used to compromise tens of thousands of IoT devices, causing a severe disruption in commercial web services.
Scope of the Law
IoT devices are defined in the law as ones that can operate independently and interact with the physical world through the use of embedded systems, such as a sensor or software. H.R. 1668 § 2(4)(A)-(B). These “smart” devices often store data and connect to the internet or an internal network. Examples of affected IoT devices include security cameras, environmental control systems, and access control systems that operate within an agency’s network. Borrowing from the Cybersecurity Information Sharing Act of 2015 (6 U.S.C. §1501(17)), the law broadly defines the “security vulnerabilities” it is targeting, which include “any attribute of hardware, software, process, or procedure that could enable or facilitate the defeat of a security control.” H.R. 1668 § 3(8).
The law tasks the National Institute of Standards and Technology (NIST) with developing standards and guidelines for the appropriate use and management of IoT devices owned or controlled by an agency and those connected to agency-owned or -controlled information systems. NIST’s guidelines will likely mirror its recent recommendations for IoT device manufacturers (NISTIR 8259 and NISTIR 8259A), as well as International Standards Organization (ISO) guidance, specifically ISO Standards 29147 and 30111, which pertain to vendor disclosure of vulnerabilities and best practices for remediating reported potential vulnerabilities. H.R. 1668 § 5(b)(1). These guidelines relate to device identification, software configuration and updating, data protection, network access, vulnerability management, and incident detection.
After NIST’s guidelines are approved by the Office of Management and Budget (OMB), the Federal Acquisition Regulation (FAR) and the Defense Federal Acquisition Regulation Supplement (DFARS), which govern U.S. military, space, and civilian federal agency contracts, may be revised as necessary. H.R. 1668 § 4(d).
Impact of the Law
H.R. 1668 presents new cybersecurity compliance obligations for IoT manufacturers, who are now responsible for identifying and communicating security vulnerabilities. While this particular obligation applies only to the federal government and its contractors, lawmakers have expressed hope that manufacturers will extend similar safeguards to consumer devices, including smart home systems. Some states already have consumer-facing IoT legislation. For instance, California (SB-327) and Oregon (HB-2395) similarly require manufacturers to equip IoT devices with security features that help prevent unauthorized access, use, or disclosure of consumer information.
The new federal law presents a timely opportunity for companies to reassess the role cybersecurity plays in their product development lifecycles, risk assessment procedures, and incident response infrastructure. While the full extent of the law’s implementation remains to be seen in the upcoming NIST guidelines, companies that deal in the IoT market can prepare by confirming that compliance plans for their devices follow NIST’s guidelines.
For more information on this new law or to discuss privacy or cybersecurity issues generally, please contact a member of our Data, Privacy & Cybersecurity Practice or visit https://www.ropesgray.com/en/practices/data-privacy-cybersecurity.