The universe of technology and devices has surged in the last few years with no sign of stopping. To give one figure, there were more than 9.9 billion IoT devices in 2019, and the number is expected to surpass 21.5 billion by 2025. The increasing use of these devices has brought increased cybersecurity risks and vulnerabilities. As a result, there is growing pressure on the government and industry players to improve the security posture of these devices before the problem reaches a tipping point.
Among the recent measures to curb cybersecurity risks is the passing of the IoT Cybersecurity Improvement Act, which government agencies and employers using IoT devices must comply with. While this is a step towards improving network security, these standards do not apply to the entire IoT device market. Many people nevertheless hope that the requirements will gradually trickle out to every IoT device and vendor.
Provisions of the New Cybersecurity Act
The act features several components aimed at improving IoT cybersecurity. The first provision of the act directs the National Institute of Standards and Technology to develop stringent security guidelines for the proper use and management of IoT devices. This includes establishing the basic security requirements for managing cybersecurity concerns from these devices.
The second set of provisions in the act governs the disclosure of cybersecurity vulnerabilities to federal agencies and other industry players. To that end, NIST is to create guidelines that help agencies receive, report, and disseminate information about vulnerabilities in their IoT devices and about how those vulnerabilities are resolved.
While these two provisions set the basis for cybersecurity standards, the third part of the act prohibits agencies, including employers and digital marketing firms, from purchasing and using IoT devices that will make the agency or business non-compliant with NIST standards and guidelines.
Implications of the IoT Cybersecurity Improvement Act
Without a doubt, the bill has various clauses guiding the purchase contracts of government agencies. Together with many other provisions, the clauses mentioned above can be grouped into two categories.
First, vendors selling IoT devices should affirm that the device:
- Doesn’t have any known cybersecurity vulnerabilities
- Meets the minimum industry-standard technology required for communication and security
- Can be accessed and updated by vendors securely
- Doesn’t have hard-coded or fixed credentials
Second, after supplying the device to government agencies and other employers, vendors should:
- Notify users of IoT devices if they discover any vulnerability
- Update these devices for optimal security
- Replace or repair devices if a security need arises
- Provide continuous security support, including a timeline when the provision of the support ends
Based on these, government agencies are directed to avoid renewing procurement contracts with IoT device vendors that fail to comply with NIST guidelines.
Broader Impact of the Bill
While the bill spells out the cybersecurity requirements that vendors of IoT devices must meet, it also has broader effects. These include the following.
Sets Precedence for More Legislation
Most cybersecurity experts believe that IoT security has been left behind. This legislation might therefore be just the beginning. As the law gains traction, it will most likely inspire more legislation at the federal level, in individual states, and in other countries. For instance, California recently passed a similar law requiring stronger security features for internet-connected devices.
Even though California’s bill might not be as comprehensive as the IoT act, it features similar sections, such as requirements for login credentials. California’s bill also only applies to IoT devices manufactured and used in California.
Puts Onus on Vendors
By including these provisions in vendor contracts, the federal government has transferred liability to vendors. The government understands that it cannot itself secure every device used by agencies and employers. The decision to encourage organizations to include these requirements in vendor contracts is therefore a way of passing the buck: if an organization faces a cybersecurity incident, it can point to the contract and hold the vendor liable.
Note to Employers
While the current IoT act directly affects only IoT devices purchased by the government, the bill incidentally raises the bar for IoT security in general. As such, it may set trends for private corporations and other employers whose employees rely on IoT devices. Employers, in both public and private organizations, should therefore keep tabs on these provisions and adhere to them to avoid legal consequences. Engaging employment lawyers can help your organization understand and implement these provisions.