The bipartisan Internet of Things (“IoT”) Cybersecurity Improvement Act of 2020 (S. 734, H.R. 1668) has passed the House and the Senate and is headed to the President’s desk for signature. The bill was sponsored in the House by Representatives Hurd (R-TX) and Kelly (D-IL), and in the Senate by Senators Warner (D-VA) and Gardner (R-CO).  President Trump is expected to sign the measure into law.

According to Senator Warner (D-VA), the bill would “harness the purchasing power of the federal government and incentivize companies to finally secure the [internet-connected] devices they create and sell.”

The IoT Cybersecurity Improvement Act will require the National Institute of Standards and Technology (“NIST”) to develop minimum cybersecurity standards for internet-connected devices purchased or used by the federal government.  The bill sets forth the following requirements:

  • NIST must develop standards and guidelines for the appropriate use and management of all IoT devices owned or used by the federal government.
  • These standards must include minimum security requirements for managing cybersecurity risks for IoT devices and should take into account:
    • secure development,
    • identity management,
    • patching, and
    • configuration management.
  • The Comptroller General would be required to brief Congress on the increasing convergence of IoT devices and traditional information technology devices, networks, and systems, and make certain reports about security vulnerabilities available to the public.
  • The Director of NIST must also publish guidelines for the reporting, coordinating, publishing, and receiving of information about security vulnerabilities relating to agency information systems, including IoT devices, and resolution of such security vulnerabilities. To develop these guidelines, the Director of NIST may consult with researchers and private-sector experts, as the Director deems appropriate.
  • Federal agencies would be prohibited from procuring or obtaining, renewing a contract to procure or obtain, or using an IoT device if their Chief Information Officer determines that the use of the device prevents compliance with the NIST guidance. The head of the agency may waive this prohibition under certain circumstances.

In commenting on the bill, Senator Gardner noted that “Most experts expect tens of billions of devices operating on our networks within the next several years as the . . . [IoT] landscape continues to expand.  We need to make sure these devices are secure from malicious cyber-attacks as they continue to transform our society and add countless new entry points into our networks, particularly when they are integrated into the federal government’s networks.”

Representative Kelly (D-IL), another of the bill’s sponsors, reflected that “IoT devices are more and more common and fulfill greater and greater functions in our government, especially in this largely digital work environment created by COVID-19 . . . . By establishing some baseline standards for the security of these devices, we will make our country and the data of American citizens more secure.”

This bill may be of particular interest to manufacturers of IoT devices, especially with respect to any standards ultimately developed by NIST under this law.

Regular updates on developments related to IoT and cybersecurity can be found on Covington’s Internet of Things website.

Jennifer Johnson

Jennifer Johnson is a partner specializing in communications, media and technology matters who serves as co-chair of Covington’s global and multi-disciplinary Internet of Things (IoT) group. She represents and advises content distributors, broadcast companies, trade associations, and other media and technology entities on a wide range of issues. Jennifer has more than two decades of experience advising clients in the communications, media and technology sectors, and has served as a co-chair for these practices for more than 15 years. On IoT issues, she collaborates with Covington’s global, multi-disciplinary team to assist companies navigating the complex statutory and regulatory constructs surrounding this evolving area, including legal issues with respect to connected and autonomous vehicles, internet connected devices, smart ecosystems, and other IoT products and services.

Jennifer assists clients in developing and pursuing strategic business and policy objectives before the Federal Communications Commission (FCC) and Congress and through transactions and other business arrangements. She regularly advises clients on FCC regulatory matters and advocates frequently before the FCC. Jennifer has extensive experience negotiating content acquisition and distribution agreements for media and technology companies, including program distribution agreements with cable, satellite, and telco companies, network affiliation and other program rights agreements for television companies, and agreements providing for the aggregation and distribution of content on over-the-top app-based platforms. She also assists investment clients in structuring, evaluating, and pursuing potential investments in media and technology companies.

Jayne Ponder

Jayne Ponder is an associate in the firm’s Washington, DC office and a member of the Data Privacy and Cybersecurity Practice Group. Jayne’s practice focuses on a broad range of privacy, data security, and technology issues. She provides ongoing privacy and data protection counsel to companies, including on topics related to privacy policies and data practices, the California Consumer Privacy Act, and cyber and data security incident response and preparedness.