According to the Internet of Things Cybersecurity Improvement Act of 2020, IoT products must meet minimum cybersecurity standards, and device providers must comply with a vulnerability and notification program.
This follows legislation passed in California (SB-327) and Oregon (Oregon’s IoT Law) in early 2020, and is designed to ensure IoT devices comply with “reasonable baseline security measures”.
According to an article in GovInfoSecurity, this is being driven by the rapid proliferation of IoT devices within government operations, and in society in general. According to a Government of Accountability study, roughly two-thirds of government agencies are using IoT technology in applications such as asset tracking and access control.
The next step is for the National Institute of Standards and Technology (NIST) to publish minimum IoT security standards for federal government agencies. NIST had been working on these guidelines prior to the passage of the legislation, and to date has published six documents:
- NISTIR 8259A addresses basic cybersecurity controls that should be embedded in IoT devices.
- NISTIR 8259 provides baseline security recommendations for IoT device manufacturers.
- NISTIR 8259B, NISTIR 8259C, NISTIR 8259D, and NIST SP 800-213 were published in draft form right after the announcement of the IoT security legislation. NIST is seeking comments on the draft documents to further develop their IoT security framework and security recommendations.
The Office of Management and Budget has been given the responsibility of reviewing the guidelines and sharing insights with the federal agency responsible for cybersecurity. Once established, the guidelines must be re-visited at least every five years to ensure they keep up with advances in IoT technology and cybersecurity best practices.
NIST must also collate data on identified vulnerabilities and make this information available to all affected stakeholders.
Ultimately, the legislation and associated standards, review processes, and problem tracking are meant to deal with the most pressing IoT security challenge – potential vulnerabilities across supply chains as the standards apply to both federal agencies and their subcontractors (Millions of IoT Devices at Risk From TCP/IP Stack Flaws).
Allegro Software, headquartered in Boxborough, Massachusetts, is a leading provider of IoT edge security and connectivity software toolkits to manufacturers worldwide. Field-proven in over 250,000,000 devices, our solutions enable OEMs in the Energy, Healthcare, Medical, Military, Enterprise, and Consumer sectors to create connected, secure devices using TLS, SSH, FIPS and more.
Since 1996, Allegro has been on the forefront of leading the evolution of embedded device management, security, and connectivity with its patented embedded web server and security toolkits.
