Privacy & Information Security Law Blog

On November 17, 2020, the Senate passed by unanimous consent H.R. 1668, the Internet of Things (“IoT”) Cybersecurity Improvement Act (the “IoT Bill”). The House previously passed the IoT Bill in September after negotiations with the Senate to resolve differences in their respective bills. The IoT Bill now heads to the President’s desk for signature.

The IoT Bill would require the National Institute of Standards and Technology (“NIST”) to develop and publish baseline standards and guidelines for how the federal government should appropriately use and manage IoT devices connected to information systems, including “minimum information security requirements for managing cybersecurity risks associated with such devices” (the “guidelines”). When developing these guidelines, the IoT Bill directs NIST to consider current industry standards, guidelines and best practices.

Other key elements of the IoT Bill include:

• charging the Office of Management and Budget with implementing NIST’s guidelines and reviewing federal agency information security policies and principles pertaining to IoT devices to ensure consistency with the guidelines;
• creating a process for IoT vendors to report on security vulnerabilities related to IoT devices, so federal officials learn of vulnerabilities as soon as they are uncovered;
• revising the Federal Acquisition Regulation as necessary to implement the NIST guidelines; and
• prohibiting federal agencies from procuring IoT devices that do not allow for compliance with NIST’s guidelines.

The IoT Bill excludes from these various requirements several categories of devices, including personal computers, as well as national security systems.

Though the IoT Bill would apply only to the practices of the federal government and federally-procured IoT devices, NIST’s guidelines are anticipated to eventually set the standard for the private sector as well.