Insights

  • Home
  • Insights
  • Internet of Things Cybersecurity Improvement Act Enacted

Share

Internet of Things

Internet of Things Cybersecurity Improvement Act Enacted

New IoT law mandates security standards and guidance for federal procurement of IoT devices.

December 2020 Alert

On December 4, 2020, President Trump signed Internet of Things ("IoT") Cybersecurity Improvement Act  ("IoT Law"). The IoT Law requires the National Institute of Standards and Technology ("NIST") to develop and publish baseline standards and guidelines for how the federal government uses and manages IoT devices connected to information systems. NIST—which already has been addressing IoT cybersecurity—is required to promulgate "minimum information security requirements for managing cybersecurity risks associated with such devices." The IoT Law requires these new standards and guidelines to be consistent with NIST’s current guidance regarding:

  • Vulnerability identification and management;
  • Secure development;
  • Identity management;
  • Patch management; and
  • Configuration management.

NIST is also tasked with publishing guidelines for IoT vendors regarding the disclosure of security vulnerabilities and dissemination of information about resolution of these vulnerabilities. 

In addition to mandating NIST’s development of standards and guidelines, the IoT Law provides:

  • Requirements for the Office of Management and Budget ("OMB") to review federal agency information security policies for consistency with the NIST standards and guidelines;
  • Updates to the Federal Acquisition Regulation for consistency with the NIST standards and guidelines; and
  • Prohibitions on federal procurement of IoT devices that fail to comply with NIST standards and guidelines.

While technically applying only to federal government procurement, NIST's standards and guidelines have the potential to influence state law and private sector practices. For instance, many IoT devices sold to the federal government that meet the NIST-based standards inevitably also will be sold to the private sector. As a practical matter, the NIST standards may have a broader impact on security practices across the IoT industry.

Daniel Ongaro, an associate in the Minneapolis Office, assisted in the preparation of this Alert.

Insights by Jones Day should not be construed as legal advice on any specific facts or circumstances. The contents are intended for general information purposes only and may not be quoted or referred to in any other publication or proceeding without the prior written consent of the Firm, to be given or withheld at our discretion. To request permission to reprint or reuse any of our Insights, please use our “Contact Us” form, which can be found on our website at www.jonesday.com. This Insight is not intended to create, and neither publication nor receipt of it constitutes, an attorney-client relationship. The views set forth herein are the personal views of the authors and do not necessarily reflect those of the Firm.
You May Also Be Interested In

April 2024 Alert

Here We Go Again: U.S. Congress Reintroduces New Comprehensive Federal Privacy Law

April 2024 Alert

FDA Proposes Updated Guidance Concerning Cybersecurity of Medical Devices

April 2024 White Paper

2023 False Claims Act Enforcement in Health Care and Life Sciences, Part II

April 2024 Alert

CISA Releases Proposed Cyber Incident and Ransom Payment Reporting Rules to Implement CIRCIA

Before sending, please note:

Information on www.jonesday.com is for general use and is not legal advice. The mailing of this email is not intended to create, and receipt of it does not constitute, an attorney-client relationship. Anything that you send to anyone at our Firm will not be confidential or privileged unless we have agreed to represent you. If you send this email, you confirm that you have read and understand this notice.