
IoT Cybersecurity Improvement Act 2020 – Understanding the Act


Understanding the IoT Cybersecurity Improvement Act

Prior to the passing of the IoT Cybersecurity Improvement Act, a number of initiatives had been undertaken to better regulate IoT security. This earlier work, in particular the NIST standards that had already been published, informed the drafting of the legislation.

The government moved to formalize these requirements into legislation in order to standardize overall cybersecurity capabilities, and to maximize the resiliency of IoT ecosystems specifically within federal agency operations. This ensures that the enormous potential value of IoT devices, which is predicated on reliable and secure data, will not be compromised.

In practical terms, the act creates consistency and clarity around the design and implementation of IoT devices related to issues such as how to secure data (at rest and in motion), authentication standards, and reporting requirements.

This will give IoT device manufacturers greater control over security, and provide government organizations that purchase and deploy these devices assurances that a proactive approach has been followed to protect against data breaches and system disruptions.

The Preference for Secure By Design

There are two approaches to incorporating security into IoT ecosystems: “Secure by Design” and “Bolt-On” Security.

Secure by Design, as the name implies, means security is built into the product: it is part of the initial design and is implemented throughout the product’s entire lifecycle.

Since numerous IoT device manufacturers have not designed security into their products, mechanisms have been developed to manage security once devices have been rolled out. This “Bolt-On” approach entails monitoring, alerting and remediation of security-related issues using software (including AI and machine learning). Sophisticated technologies such as Endpoint Detection and Response (EDR) have been modified and adopted for this purpose.

However, layering on security after the fact leaves devices vulnerable in other phases of the product’s lifecycle (e.g. Beginning of Life, Decommission and Disposal) and is therefore not optimal for safeguarding IoT ecosystems from vulnerabilities.

The key objective of the federal legislation is to make sure IoT devices deployed in government agencies are secure. This will happen by continuing to develop the guidelines, achieving widespread adoption, and ultimately having IoT device manufacturers implement Secure by Design product development.

Good for Government and Industry

The IoT Cybersecurity Improvement Act is beneficial for both government and industry. The legislation is initially meant for federal agencies to ensure the systems they use are secure, and to allow IoT system providers to create secure devices using common guidance.

Since the federal government is such a significant user of these technologies (e.g. V.A. Hospitals, the Military), it will highly encourage device manufacturers to adopt a Secure by Design philosophy.

Over time, this will be beneficial to non-government entities, ensuring that IoT deployments meet stringent security guidelines across all industries. This is good for all stakeholders: manufacturers, government and industry, and customers and end users.

IoT Cybersecurity Improvement Act Documentation

The act references over thirty “government owned” documents: six primary documents and the rest secondary reference documents that contain the specific IoT security details. The first two primary documents were published prior to the act, and the subsequent four were released in draft form after the law was enacted.

The only way the act could be passed was by taking this approach. There was resistance to dictating security standards to the IoT manufacturers, or how they would be achieved, because this could stifle creativity and innovation. By focusing on the need to tighten security within federal agencies, and using guidelines that had previously been published as a framework, the legislation received the necessary support.

The primary documents are:

  • NISTIR 8259
  • NISTIR 8259 A
  • NISTIR 8259 B
  • NISTIR 8259 C
  • NISTIR 8259 D
  • SP 800-213

NISTIR 8259

This is the first document referenced in the House Resolution for the IoT Cybersecurity Improvement Act and was already in place prior to the act being passed. NISTIR 8259 offers a high-level overview of IoT device security requirements, and references a number of other documents for details.

It is organized into pre-market and post-market sections that describe requirements during both the design and commercial phases. It is expected that analyses, including market feedback, are conducted during these phases.

NISTIR 8259 A

This baseline document defines a set of core device capabilities that are generally needed to support IoT security controls.

NISTIR 8259 B

NISTIR 8259 B specifically addresses the four non-technical capabilities that directly impact the state of security. Non-technical capabilities include documentation and communications systems to notify stakeholders of events such as version updates and breaches. These non-technical capabilities are a crucial element within a secure IoT infrastructure.

NISTIR 8259 C

This document provides a general format for generating a custom security profile for a specific application. It allows IoT manufacturers to create device profiles that describe the security capabilities that are inherent within the device.

NISTIR 8259 D

Provides a sample IoT security profile that complies in general with the requirements of the federal government.

SP 800-213

A detailed list of IoT security requirements.

