Security and Connectivity for IoT Devices


IoT Cybersecurity Improvement Act 2020 – The Details

The Details

The IoT Cybersecurity Improvement Act of 2020 is intended to create value for all stakeholders:

  • The government establishes a consistent security framework that ultimately protects everyone who benefits from IoT ecosystems.
  • IoT manufacturers get clear direction regarding their security obligations, and are therefore less susceptible to liability and their brands being tarnished.
  • Organizations that deploy IoT devices, and their customers, can be assured that their data and personal information are secured.

The Cybersecurity Act covers more than just the technology to achieve this level of compliance and confidence. The act is all-encompassing, and addresses both technical and non-technical requirements and capabilities, including processes and procedures.

Technical and Non-Technical Details

Technical requirements are spelled out in NISTIR 8259A, the NIST document the act relies on for core, baseline capabilities. This document offers high-level recommendations to IoT manufacturers and describes how everyone benefits as a result.

NISTIR 8259A does not itself provide specific implementation details – it references other technical documents for this information. As an example, for secure device identification and configuration, it points to NIST SP 800-213, which points to NIST SP 800-53 Rev 5, which in turn references FIPS Validated Cryptography documentation.

Taken together, these materials provide all the specifications and requirements that underpin compliance.

Technical Capabilities

Device Identification

This is the immutable Root of Trust of a device, confirming that it is valid and has not been compromised in any way.

Device Configuration

Instructions that describe how devices can be securely configured – how configurations are entered into a device, who has the authority and capability to make configuration changes, how configurations are securely stored so they cannot be changed, etc.

Data Protection

Ensuring that data is secure, whether it is in motion, at rest or in use. As a general rule, data should be decrypted as late as possible and protected using the appropriate level of encryption both while it is being transmitted and while it is stored.

Logical Access to Interfaces

Requirements associated with device monitoring and proactive, corrective action when potential breaches or disruptions are detected. Also describes practices for network and user interface access.

Software Updates

Making sure mechanisms are put in place for secure remote updates – locked down software and firmware, remote update process, digital signatures, cryptography, etc.
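The secure remote update capability described above comes down to a few concrete checks on the device before an image is ever written to flash. The following Go program is an added example, not Allegro's code and not a format defined by NIST; the manifest layout (device model, version, SHA-256 digest), the use of Ed25519 for the signature, and the device name `sensor-x1` are all assumptions made for illustration. The vendor side signs a small manifest; the device side verifies the signature with a public key that would be provisioned at manufacture, then checks the image digest, the target model, and that the version only moves forward.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// Manifest is the metadata that travels with a firmware image.
// The field names and layout are assumptions for this example.
type Manifest struct {
	Device  string `json:"device"`  // target device model
	Version uint32 `json:"version"` // monotonically increasing firmware version
	SHA256  string `json:"sha256"`  // hex digest of the image bytes
}

var (
	ErrBadSignature = errors.New("manifest signature invalid")
	ErrDigest       = errors.New("image digest does not match manifest")
	ErrRollback     = errors.New("update version not newer than installed")
	ErrWrongDevice  = errors.New("manifest is for a different device model")
)

// SignManifest stands in for the vendor's release pipeline (constructed here so
// the example is self-contained). It returns the exact bytes that were signed
// together with the Ed25519 signature over them.
func SignManifest(m Manifest, priv ed25519.PrivateKey) ([]byte, []byte, error) {
	raw, err := json.Marshal(m)
	if err != nil {
		return nil, nil, err
	}
	return raw, ed25519.Sign(priv, raw), nil
}

// VerifyUpdate is the device-side gate. pub is the vendor public key that the
// device carries from manufacture; installed is the version currently running.
// Nothing in the manifest is trusted until the signature has been checked.
func VerifyUpdate(pub ed25519.PublicKey, rawManifest, sig, image []byte,
	device string, installed uint32) (Manifest, error) {
	var m Manifest
	if len(pub) != ed25519.PublicKeySize || !ed25519.Verify(pub, rawManifest, sig) {
		return m, ErrBadSignature
	}
	if err := json.Unmarshal(rawManifest, &m); err != nil {
		return m, err
	}
	if m.Device != device {
		return m, ErrWrongDevice
	}
	sum := sha256.Sum256(image)
	if hex.EncodeToString(sum[:]) != m.SHA256 {
		return m, ErrDigest
	}
	// Strictly newer: an attacker replaying an older, signed-but-vulnerable
	// image must be rejected even though its signature is valid.
	if m.Version <= installed {
		return m, ErrRollback
	}
	return m, nil
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	// Constructed sample image and manifest for version 2 of "sensor-x1".
	image := []byte("constructed firmware image, version 2")
	sum := sha256.Sum256(image)
	m := Manifest{Device: "sensor-x1", Version: 2, SHA256: hex.EncodeToString(sum[:])}
	raw, sig, err := SignManifest(m, priv)
	if err != nil {
		panic(err)
	}
	tampered := append([]byte(nil), image...)
	tampered[0] ^= 0x01 // one flipped bit in the image

	cases := []struct {
		name      string
		image     []byte
		installed uint32
	}{
		{"valid update, running v1", image, 1},
		{"tampered image", tampered, 1},
		{"replay of v2 onto v2", image, 2},
	}
	for _, c := range cases {
		_, err := VerifyUpdate(pub, raw, sig, c.image, "sensor-x1", c.installed)
		fmt.Printf("%-28s -> %v\n", c.name, err)
	}
}
```

On a real device the public key belongs in immutable storage (ROM, OTP fuses or the root-of-trust element described under Device Identification) and the installed-version counter in storage that an update cannot roll back, otherwise the signature check protects the image but not the device.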

Cybersecurity State Awareness

IoT devices must be able to recognize when they have been compromised so the necessary security protocols can be enacted. Trigger mechanisms that fire when a breach is detected initiate alerting and a reporting path, and the appropriate actions to eliminate the source of the breach (e.g. malware).

Non-Technical Capabilities

The NIST guidance also includes four non-technical requirements, over and above the technology capabilities, that play a significant role in securing IoT ecosystems.

Documentation

IoT device manufacturers must provide documentation that not only includes a “how-to use guide”, but also a cybersecurity bill of materials and characteristics (e.g. what type of cryptography is built into the device, what version of TLS is being used, what the origins of the cybersecurity components are).

Documentation encourages manufacturers to provide details regarding security measures that have been built into the IoT device and ecosystem.

Information and Query Reception

Deployed IoT ecosystems are heterogeneous, containing various device types and versions of hardware and software. Manufacturers are therefore required to respond to queries about the components deployed in the network. A database must be maintained so that manufacturers can effectively respond to requests for information, including a complete “pedigree” of the cybersecurity and device information.

Information Dissemination

Manufacturers must have systems in place to proactively disseminate information about version updates, breaches, potential vulnerabilities, etc. This information must be shared with the IoT manufacturer’s customers and the customer’s customers so all stakeholders are made aware of security issues that may affect them.

This capability has a direct impact on how an IoT manufacturer’s brand is perceived.

Education and Awareness

Availability of educational materials to inform end users about how to safely and effectively deploy the IoT technology, and about the security capabilities and processes that have been incorporated into the devices.
