IoT Cybersecurity Improvement Act 2020 – Understanding the Act

There are two approaches to incorporating security into IoT ecosystems: “Secure by Design” and “Bolt-On” Security.

Secure by Design, as the name implies, means security is built in to the product and is part of the initial design and implemented throughout the product’s entire lifecycle.

Since numerous IoT device manufacturers have not designed security into their products, mechanisms have been developed to manage security once devices have been rolled out. This “Bolt-On” approach entails monitoring, alerting and remediation of security related issues using software (including AI and machine learning). Sophisticated technologies such as End Point Detection and Response (EDR) have been modified and adopted for this purpose.

However, layering on security after the fact leaves devices vulnerable in other phases of the product’s lifecycle (e.g. Beginning of Life, Decommission and Disposal) and is therefore not optimal for safeguarding IoT ecosystems from vulnerabilities.

The key objective of the federal legislation is to make sure IoT devices deployed in government agencies are secure. This will happen by continuing to develop the guidelines, achieving widespread adoption, and ultimately having IoT device manufacturers implement Secure by Design product development.

The IoT Cybersecurity Improvement Act is beneficial for both government and industry. The legislation is initially meant for federal agencies to ensure the systems they use are secure, and to allow IoT system providers to create secure devices using common guidance.

Since the federal government is such a significant user of these technologies (e.g. V.A. Hospitals, the Military), it will highly encourage device manufacturers to adopt a Secure by Design philosophy.

Over time, this will be beneficial to non-government entities, ensuring that IoT deployments meet stringent security guidelines across all industries. This is good for all stakeholders: manufacturers, government and industry, and customers and end users.

The act has over thirty “government owned” documents, six primary and the rest secondary reference documents that contain the specific IoT security details. The first two were published prior to the act, and the subsequent four were released in draft form after the law was enacted.

The only way the act could be passed was by taking this approach. There was resistance to dictating security standards to the IoT manufacturers, or how they would be achieved, because this could stifle creativity and innovation. By focusing on the need to tighten security within federal agencies, and using guidelines that had previously been published as a framework, the legislation received the necessary support.

The primary documents are:

• NISTIR 8259
• NISTIR 8259 A
• NISTIR 8259 B
• NISTIR 8259 C
• NISTIR 8259 D
• SP 800-213

NISTIR 8259

This is the first document referenced in the House Resolution for the IoT Cybersecurity Improvement Act and was already in place prior to the act being passed. NISTIR 8259 offers a high level overview of IoT device security requirements, and references a number of other documents for details.

It is organized into pre-market and post-market sections that describe requirements during both the design and commercial phases. It is expected that analyses, including market feedback, is conducted during these phases.

NISTIR 8259 A

This baseline document defines a set of core device capabilities that are generally needed to support IoT security controls.

NISTIR 8259 B

NISTIR 8259 B specifically addresses the four non-technical capabilities that directly impact the state of security. Non-technical capabilities includes documentation and communications systems to notify stakeholders of events such as version updates and breaches. These non-technical capabilities are a crucial element within a secure IoT infrastructure.

NISTIR 8259 C

This document provides a general format to generate a custom security profile for a specific application. It allows IoT manufacturers to create device profiles that describe the security capabilities that are inherent within the device.

NISTIR 8259 D

Provides a sample IoT security profile that complies in general with the requirements of the federal government.

SP 800-213

A detailed list of IoT security requirements.