IoT Cybersecurity Improvement Act 2020 – The Details


The Details

The IoT Cybersecurity Improvement Act of 2020 is intended to create value for all stakeholders:

  • The government establishes a consistent security framework that ultimately protects everyone who benefits from IoT ecosystems.
  • IoT manufacturers get clear direction regarding their security obligations, and are therefore less susceptible to liability and their brands being tarnished.
  • Organizations that deploy IoT devices, and their customers, can be assured that their data and personal information are secured.

The Cybersecurity Act covers more than just the technology to achieve this level of compliance and confidence. The act is all-encompassing, and addresses both technical and non-technical requirements and capabilities, including processes and procedures.

Technical and Non-Technical Details

Technical requirements are spelled out in NISTIR 8259A, the NIST document the act builds on, which deals with core, baseline capabilities. This document offers high-level recommendations to IoT manufacturers and describes how everyone benefits as a result.

NISTIR 8259A does not itself provide specific implementation details – it references technical documents for this information. As an example, for secure device identification and configuration, it points to NIST SP 800-213, which points to NIST SP 800-53 Rev 5, which in turn references FIPS Validated Cryptography documentation.

Taken together, these materials provide all the specifications and requirements that underpin compliance.

Technical Capabilities

Device Identification

This is the immutable Root of Trust of a device, confirming that it is valid and has not been compromised in any way.

Device Configuration

Instructions that describe how devices can be securely configured – how configurations are entered into a device, who has the authority and capability to make configuration changes, how configurations are securely stored so they cannot be altered without authorization, etc.

Data Protection

Ensuring that data is secure, whether it is in motion, at rest or in use. As a general rule, data should be decrypted as late as possible and protected using the appropriate levels of encryption while it is being transmitted as well as while it is stored.

Logical Access to Interfaces

Requirements associated with device monitoring and proactive, corrective action when potential breaches or disruptions are detected. Also describes practices for network and user interface access.

Software Updates

Making sure mechanisms are put in place for secure remote updates – locked down software and firmware, remote update process, digital signatures, cryptography, etc.
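The "digital signatures" and "locked down firmware" mechanisms mentioned above come together in the check a device runs before it accepts a remote update. The following Go program is an added illustration written for this page; it is not Allegro Software's code and not taken from NISTIR 8259A. It assumes a constructed update package format (a version counter, the image, and an Ed25519 signature over the version and the image's SHA-256 digest); the choice of Ed25519 and the layout of the signed message are assumptions made for the example, not requirements from the guidance. The device-side function rejects images with a bad or foreign signature and, separately, rejects validly signed images that are older than the installed firmware (rollback), because binding the version into the signature is what stops an old signed image from being relabelled as new.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// UpdatePackage is a constructed stand-in for what a device receives over the air:
// the firmware image, a monotonically increasing version counter, and a signature
// over (version || SHA-256(image)) produced with the vendor's signing key.
type UpdatePackage struct {
	Version   uint32
	Image     []byte
	Signature []byte
}

// signedMessage builds the exact byte string that is signed and later verified:
// the big-endian version number followed by the SHA-256 digest of the image.
// Binding the version into the signed data stops an old, validly signed image
// from being paired with a newer version number.
func signedMessage(version uint32, image []byte) []byte {
	msg := make([]byte, 4, 4+sha256.Size)
	binary.BigEndian.PutUint32(msg, version)
	digest := sha256.Sum256(image)
	return append(msg, digest[:]...)
}

// Sign produces an update package. This runs in the vendor's build and signing
// infrastructure; the private key never exists on the device.
func Sign(priv ed25519.PrivateKey, version uint32, image []byte) UpdatePackage {
	return UpdatePackage{
		Version:   version,
		Image:     image,
		Signature: ed25519.Sign(priv, signedMessage(version, image)),
	}
}

var (
	ErrBadSignature = errors.New("update rejected: signature does not verify against vendor public key")
	ErrRollback     = errors.New("update rejected: version is not newer than the installed firmware")
)

// VerifyUpdate is the device-side check. pub is the vendor's public key, which the
// device holds immutably (for example fused in at manufacture); installedVersion
// is the version counter of the firmware currently running.
func VerifyUpdate(pub ed25519.PublicKey, installedVersion uint32, pkg UpdatePackage) error {
	// Verify the signature before anything else, so unauthenticated input never
	// influences later decisions.
	if !ed25519.Verify(pub, signedMessage(pkg.Version, pkg.Image), pkg.Signature) {
		return ErrBadSignature
	}
	// Anti-rollback: a genuinely signed but older image may carry known vulnerabilities.
	if pkg.Version <= installedVersion {
		return ErrRollback
	}
	return nil
}

func main() {
	// Constructed vendor key pair and firmware images for demonstration only.
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	firmware := []byte("constructed firmware image v2")
	good := Sign(priv, 2, firmware)
	fmt.Println("valid update:   ", VerifyUpdate(pub, 1, good))

	tampered := good
	tampered.Image = []byte("constructed firmware image v2, modified in transit")
	fmt.Println("tampered image: ", VerifyUpdate(pub, 1, tampered))

	old := Sign(priv, 1, []byte("constructed firmware image v1"))
	fmt.Println("rollback:       ", VerifyUpdate(pub, 1, old))
}
```

The order of the two checks matters: the signature is verified first so that the version comparison only ever runs on data the vendor actually signed. A device that wants to report these rejections to its monitoring path (the "Cybersecurity State Awareness" capability below) can do so by distinguishing the two error values.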

Cybersecurity State Awareness

IoT devices must be able to recognize when they have been compromised so that the necessary security responses can be enacted. When a breach is detected, trigger mechanisms initiate alerting and a reporting path, along with the appropriate actions to eliminate the source of the breach (e.g. malware).

Non-Technical Capabilities

The NIST guidance also includes four non-technical requirements, over and above the technology capabilities, that play a significant role in the securing of IoT ecosystems.

Documentation
IoT device manufacturers must provide documentation that not only includes a “how-to use guide”, but also a cybersecurity bill of materials and characteristics (e.g. what type of cryptography is built into the device, what version of TLS is being used, what are the origins of the cybersecurity components).

Documentation encourages manufacturers to provide details regarding security measures that have been built into the IoT device and ecosystem.

Information and Query Reception

Deployed IoT ecosystems are heterogeneous, as they contain various device types and versions of hardware and software. Manufacturers are therefore required to respond to queries about the components deployed in the network. A database must be maintained so that manufacturers can effectively respond to requests for information, including a complete “pedigree” of the cybersecurity and device information.

Information Dissemination

Manufacturers must have systems in place to proactively disseminate information about version updates, breaches, potential vulnerabilities, etc. This information must be shared with the IoT manufacturer’s customers and the customer’s customers so all stakeholders are made aware of security issues that may affect them.

This capability has a direct impact on how an IoT manufacturer’s brand is perceived.

Education and Awareness

Availability of educational materials to inform end users about how to safely and effectively deploy the IoT technology, and about the security capabilities and processes that have been incorporated into the devices.
