US Senate passes bill setting cybersecurity standards for IoT devices

Image: Amazon Echo, an IoT device

A bipartisan bill that sets specific cybersecurity standards for Internet of Things (IoT) devices used by all American government agencies has been passed in the US Senate. Called the IoT Cybersecurity Improvement Act 2020, it requires the director of the National Institute of Standards and Technology (NIST) to develop standards for government acquisition and use of such devices, and to create a policy on disclosing security vulnerabilities in them. The Act would come into force no later than two years after enactment. The bill is currently awaiting the American president’s signature to be enacted into law.

This bill, if enacted, would apply to all establishments in the executive branch of the US government, except the Government Accountability Office (GAO), the Federal Election Commission, the governments of DC and of territories and possessions of the US, and government-owned, contractor-operated facilities. The bill borrows its definition of IoT devices from a May 2020 NIST report, according to which:

IoT devices “have at least one transducer (sensor or actuator) for interacting directly with the physical world, have at least one network interface [such as ethernet, Wi-Fi, Bluetooth, etc.], and are not conventional Information Technology devices, such as smartphones and laptops” and “can function on their own and are not only able to function when acting as a component of another device, such as a processor”.

The bill was introduced by Democratic Representative Robin L. Kelly in November 2019 and was co-sponsored by multiple representatives from across the political aisle.

Set standards for IoT devices, review cybersecurity policies of government agencies

As per the bill, within 90 days of its enactment, the director of NIST must develop and publish standards and guidelines for the federal government on the appropriate use and management of IoT devices. These guidelines must include minimum information security requirements for managing the cybersecurity risks associated with such devices.

These standards and guidelines must be compatible with NIST’s existing efforts related to:

  • Possible security vulnerabilities of IoT devices
  • Standards for secure development, identity management, patching, and configuration management

180 days after these standards are published, the director of the Office of Management and Budget (OMB) must review the information security policies of each government agency against the standards published by the NIST director. To do so, the OMB director must consult the Director of the Cybersecurity and Infrastructure Security Agency (CISA) within the Department of Homeland Security. However, any policy the OMB director issues would not apply to national security systems, that is, telecommunication or information systems that involve intelligence, military and weapons activities.

The OMB director must update any policy or principles within 180 days of the NIST director reviewing and revising the standards and guidelines for IoT devices, which must happen at least once every five years.

Heads of government agencies are prohibited from procuring or using IoT devices that do not comply with these standards and guidelines. This prohibition can be waived by the head of the agency only if the Chief Information Officer of the agency determines that the waiver is necessary for national security, or such device is necessary for research, or will be secured using alternative and effective methods. The OMB director will establish a standardised process for the CIO to follow to assess whether or not the prohibition can be waived.

Set guidelines for disclosing vulnerabilities in information systems

Within 180 days of the enactment of the act, the NIST director, in consultation with cybersecurity researchers and private sector industry experts, must publish guidelines to report, coordinate, publish and receive information about any security vulnerabilities, and resolutions, in information systems owned or used by government agencies. This includes IoT devices used by the agency.

The NIST director will also publish guidelines for contractors and subcontractors for reporting such a vulnerability and disseminating information about it.

These guidelines must adhere, as far as possible, to industry best practices and to Standards 29147 (vulnerability disclosure) and 30111 (vulnerability handling processes) of the International Standards Organisation (ISO), which define vulnerability disclosure processes and standards.

Implementation of these guidelines will be overseen by the OMB director.


Oversight mechanisms

Every two years, the Comptroller General of the US will submit an unclassified report to the House Committees on Oversight and Reform, and on Homeland Security, and the Senate Committee on Homeland Security and Governmental Affairs with the following details:

  • Effectiveness of the standardised process set up by the OMB director to assess waivers of prohibition
  • Recommended best practices for the procurement of IoT devices
  • Number and type of each IoT device that received a waiver from the head of an agency, along with the reason for the waiver

A year after the Act comes into force, the Comptroller General will brief the aforementioned committees on the broader IoT efforts undertaken to manage potential security vulnerabilities. A report on this must be submitted within two years of enactment of the Act.


Written By

Send me tips at aditi@medianama.com. Email for Signal/WhatsApp.
