Security and Connectivity for IoT Devices


IoT Cybersecurity Improvement Act 2020 – Understanding the Act

Let's Talk IoT Security

Implementing IoT device security can be a challenge. Let us help you by sharing our proven framework for integrating a proactive security approach into your design. Click the button below to schedule a one-on-one web conference to discuss your security needs.

Understanding the IoT Cybersecurity Improvement Act

Prior to the passing of the IoT Cybersecurity Improvement Act, a number of initiatives had been undertaken to better regulate IoT security. Work on the legislation drew on these earlier efforts, in particular the NIST standards that had already been published.

The government moved to formalize these requirements into legislation in order to standardize overall cybersecurity capabilities, and to maximize the resiliency of IoT ecosystems specifically within federal agency operations. This ensures that the enormous potential value of IoT devices, which is predicated on reliable and secure data, will not be compromised.

In practical terms, the act creates consistency and clarity around the design and implementation of IoT devices related to issues such as how to secure data (at rest and in motion), authentication standards, and reporting requirements.

This will give IoT device manufacturers greater control over security, and provide government organizations that purchase and deploy these devices assurances that a proactive approach has been followed to protect against data breaches and system disruptions.

The Preference for Secure By Design

There are two approaches to incorporating security into IoT ecosystems: “Secure by Design” and “Bolt-On” Security.

Secure by Design, as the name implies, means security is built into the product: it is part of the initial design and is implemented throughout the product’s entire lifecycle.

Since numerous IoT device manufacturers have not designed security into their products, mechanisms have been developed to manage security once devices have been rolled out. This “Bolt-On” approach entails monitoring, alerting and remediation of security-related issues using software (including AI and machine learning). Sophisticated technologies such as Endpoint Detection and Response (EDR) have been modified and adopted for this purpose.

However, layering on security after the fact leaves devices vulnerable in other phases of the product’s lifecycle (e.g. Beginning of Life, Decommission and Disposal) and is therefore not optimal for safeguarding IoT ecosystems from vulnerabilities.

The key objective of the federal legislation is to make sure IoT devices deployed in government agencies are secure. This will happen by continuing to develop the guidelines, achieving widespread adoption, and ultimately having IoT device manufacturers implement Secure by Design product development.

Good for Government and Industry

The IoT Cybersecurity Improvement Act is beneficial for both government and industry. The legislation is initially meant for federal agencies to ensure the systems they use are secure, and to allow IoT system providers to create secure devices using common guidance.

Since the federal government is such a significant user of these technologies (e.g. V.A. Hospitals, the Military), the act will strongly encourage device manufacturers to adopt a Secure by Design philosophy.

Over time, this will be beneficial to non-government entities, ensuring that IoT deployments meet stringent security guidelines across all industries. This is good for all stakeholders: manufacturers, government and industry, and customers and end users.

IoT Cybersecurity Improvement Act Documentation

The act references over thirty “government owned” documents: six primary documents and, for the rest, secondary reference documents that contain the specific IoT security details. The first two primary documents were published prior to the act, and the subsequent four were released in draft form after the law was enacted.

The only way the act could be passed was by taking this approach. There was resistance to dictating security standards to the IoT manufacturers, or how they would be achieved, because this could stifle creativity and innovation. By focusing on the need to tighten security within federal agencies, and using guidelines that had previously been published as a framework, the legislation received the necessary support.

The primary documents are:

  • NISTIR 8259
  • NISTIR 8259 A
  • NISTIR 8259 B
  • NISTIR 8259 C
  • NISTIR 8259 D
  • SP 800-213

NISTIR 8259

This is the first document referenced in the House Resolution for the IoT Cybersecurity Improvement Act and was already in place prior to the act being passed. NISTIR 8259 offers a high-level overview of IoT device security requirements, and references a number of other documents for details.

It is organized into pre-market and post-market sections that describe requirements during both the design and commercial phases. It is expected that analyses, including market feedback, are conducted during these phases.

NISTIR 8259 A

This baseline document defines a set of core device capabilities that are generally needed to support IoT security controls.

NISTIR 8259 B

NISTIR 8259 B specifically addresses the four non-technical capabilities that directly impact the state of security. Non-technical capabilities include documentation and communications systems to notify stakeholders of events such as version updates and breaches. These non-technical capabilities are a crucial element within a secure IoT infrastructure.

NISTIR 8259 C

This document provides a general format to generate a custom security profile for a specific application. It allows IoT manufacturers to create device profiles that describe the security capabilities that are inherent within the device.

NISTIR 8259 D

Provides a sample IoT security profile that complies in general with the requirements of the federal government.

SP 800-213

A detailed list of IoT security requirements.
