Security and Connectivity for the IoT Edge

Menu

IoT Cybersecurity Improvement Act 2020 – Understanding the Act

Home / IoT Cybersecurity Improvement Act / IoT Cybersecurity Improvement Act – Understanding the Act

Let's Talk IoT Security

Implementing IoT device security can be a challenge. Let us help you by sharing our proven framework for integrating a proactive security approach into your design. Click the button below to schedule a one-on-one web conference to discuss your security needs.

Let's Talk IoT Security

Implementing IoT device security can be a challenge. Let us help you by sharing our proven framework for integrating a proactive security approach into your design. Click the button below to schedule a one-on-one web conference to discuss your security needs.

Understanding the IoT Cybersecurity Improvement Act

Prior to the passing of the IoT Cybersecurity Improvement Act, a number of initiatives had been undertaken to better regulate IoT security. Work on the legislation was aided by this work, in particular the NIST standards that had been published.

The government moved to formalize these requirements into legislation in order to standardize overall cybersecurity capabilities, and to maximize the resiliency of IoT ecosystems specifically within federal agency operations. This ensures that the enormous potential value of IoT devices, which is predicated on reliable and secure data, will not be compromised.

In practical terms, the act creates consistency and clarity around the design and implementation of IoT devices related to issues such as how to secure data (at rest and in motion), authentication standards, and reporting requirements.

This will give IoT device manufacturers greater control over security, and provide government organizations that purchase and deploy these devices assurances that a proactive approach has been followed to protect against data breaches and system disruptions.

The Preference for Secure By Design

There are two approaches to incorporating security into IoT ecosystems: “Secure by Design” and “Bolt-On” Security.

Secure by Design, as the name implies, means security is built in to the product and is part of the initial design and implemented throughout the product’s entire lifecycle.

Since numerous IoT device manufacturers have not designed security into their products, mechanisms have been developed to manage security once devices have been rolled out. This “Bolt-On” approach entails monitoring, alerting and remediation of security related issues using software (including AI and machine learning). Sophisticated technologies such as End Point Detection and Response (EDR) have been modified and adopted for this purpose.

However, layering on security after the fact leaves devices vulnerable in other phases of the product’s lifecycle (e.g. Beginning of Life, Decommission and Disposal) and is therefore not optimal for safeguarding IoT ecosystems from vulnerabilities.

The key objective of the federal legislation is to make sure IoT devices deployed in government agencies are secure. This will happen by continuing to develop the guidelines, achieving widespread adoption, and ultimately having IoT device manufacturers implement Secure by Design product development.

Good for Government and Industry

The IoT Cybersecurity Improvement Act is beneficial for both government and industry. The legislation is initially meant for federal agencies to ensure the systems they use are secure, and to allow IoT system providers to create secure devices using common guidance.

Since the federal government is such a significant user of these technologies (e.g. V.A. Hospitals, the Military), it will highly encourage device manufacturers to adopt a Secure by Design philosophy.

Over time, this will be beneficial to non-government entities, ensuring that IoT deployments meet stringent security guidelines across all industries. This is good for all stakeholders: manufacturers, government and industry, and customers and end users.

IoT Cybersecurity Improvement Act Documentation

The act has over thirty “government owned” documents, six primary and the rest secondary reference documents that contain the specific IoT security details. The first two were published prior to the act, and the subsequent four were released in draft form after the law was enacted.

The only way the act could be passed was by taking this approach. There was resistance to dictating security standards to the IoT manufacturers, or how they would be achieved, because this could stifle creativity and innovation. By focusing on the need to tighten security within federal agencies, and using guidelines that had previously been published as a framework, the legislation received the necessary support.

The primary documents are:

  • NISTIR 8259
  • NISTIR 8259 A
  • NISTIR 8259 B
  • NISTIR 8259 C
  • NISTIR 8259 D
  • SP 800-213

NISTIR 8259

This is the first document referenced in the House Resolution for the IoT Cybersecurity Improvement Act and was already in place prior to the act being passed. NISTIR 8259 offers a high level overview of IoT device security requirements, and references a number of other documents for details.

It is organized into pre-market and post-market sections that describe requirements during both the design and commercial phases. It is expected that analyses, including market feedback, is conducted during these phases.

NISTIR 8259 A

This baseline document defines a set of core device capabilities that are generally needed to support IoT security controls.

NISTIR 8259 B

NISTIR 8259 B specifically addresses the four non-technical capabilities that directly impact the state of security. Non-technical capabilities includes documentation and communications systems to notify stakeholders of events such as version updates and breaches. These non-technical capabilities are a crucial element within a secure IoT infrastructure.

NISTIR 8259 C

This document provides a general format to generate a custom security profile for a specific application. It allows IoT manufacturers to create device profiles that describe the security capabilities that are inherent within the device.

NISTIR 8259 D

Provides a sample IoT security profile that complies in general with the requirements of the federal government.

SP 800-213

A detailed list of IoT security requirements. 

Nielsen Case Study: IoT Device Security for A Multi-Billion Dollar International Company

IoT device security is especially important for a huge, multi-national company like Nielsen, to ensure their data is legitimate and accurate.

Allegro Talks Combining IoT with NFTs, ZKPs & More at The Embedded Tech Convention 2022

Loren Shade, VP of Marketing at Allegro Software, is speaking at the 2022 Embedded Tech Convention USA on June 8th and 9th. Loren will be speaking Wednesday, June 8th in Theater 3 from 2:45 pm to 3:15 pm about combining IoT with NFTs, ZKPs and more. about combining...

Customized Cryptography Solutions for Military Tech Industry

Cryptography solutions for military comm devices including FIPS validation, ACE software cryptography & custom validation with small code footprint.

Best Practices for Managing IoT Related Risks

Allegro’s “Best Practices” document addresses the topic of IoT security related risks by taking a closer look at Critical Requirements and Functional Implementation.

7 Key Elements of Proactive IoT Security

All types of Internet of Things (IoT) devices are under attack. They are routinely recruited as unwitting members of botnets used for Distributed Denial of Service (DDOS) attacks, hosting various malware, and extracting sensitive data. Why are hackers drawn to these...

Open Source Issues in Mergers and Acquisitions

Open Source Issues in Mergers & Acquisitions In a merger or acquisition in which a technology company is the target, the target company’s software is often a material – and perhaps even the principal – asset of the deal. Often, this software was developed using...
Our Resources

Let Us Help You With Your IoT Security Needs

Download Allegro’s Playbook

  • This field is for validation purposes and should be left unchanged.

Contact Us Today

  • This field is for validation purposes and should be left unchanged.