IoT Players Should Start Diving into the New U.S. IoT Cybersecurity Improvement Act in Preparation of Things to Come


1Q 2021 | IN-6044

The U.S. government’s recently signed IoT Cybersecurity Improvement Act will require all U.S. federal agencies to understand, evaluate, and enhance the criteria for IoT digital security, with new rules for conducting business, deploying devices, and maintaining IoT services. The NIST will play a key role in outlining the security requirements and streamlining operations across the board.



More Responsibilities for the NIST


The year 2021 has had a promising head start on the Internet of Things (IoT) security front. On December 4, 2020, the “IoT Cybersecurity Improvement Act of 2020,” first introduced in Congress in 2019, was signed into law. The stated purpose of the act is to “establish minimum security standards for Internet of Things devices owned or controlled by the Federal Government, and for other purposes,” with the latter part pointing to endeavors such as research, academia, oversight, and management processes that will be further developed and outlined in the months to follow by the National Institute of Standards and Technology (NIST) and the federal government. This piece of legislation is important not just for the United States but globally, as it can serve as a precursor for further (and much-needed) regulation and standardization of the evolving IoT ecosystem. There is a lot of valuable information to digest, and both U.S. and non-U.S. IoT players should start reviewing the act in preparation for things to come.

Key Highlights of the Act


The frenzied expansion of IoT technologies has often raised significant hurdles for legislation, let alone for the creation of a unified standardization model. The IoT Cybersecurity Improvement Act of 2020 is meant to provide a fundamental process for government agencies in the United States to understand, evaluate, and enhance the criteria for IoT digital security. The act also requires its standards to be revisited as technology and cyberthreats evolve: the NIST must review and revise the standards and guidelines no later than five years after enactment, and at least every five years thereafter. In short, the act will uplift IoT security considerations, create a more accountable perspective for vendors, and provide a more transparent audit trail for device and system security, albeit with a certain degree of confusion at first for organizations, because the key points are not specifically outlined in the act itself.

A few key highlights include the following:

  • What Is an IoT Device? The act defines an IoT device as one that has at least one transducer (a sensor or actuator) for interacting directly with the physical world, has at least one network interface, is not a conventional Information Technology (IT) device such as a smartphone or laptop, and can function on its own rather than only as a component of another device, such as a processor.
  • Minimum Security: IoT devices owned or controlled by U.S. federal agencies, including any devices agencies acquire going forward, must adhere to the minimum security standards and guidelines that the act directs the NIST to publish (the act gives the NIST 90 days from enactment to do so); agencies may not procure or use devices that do not comply.
  • Revisit, Adapt, Update: The Director of the Office of Management and Budget (OMB), in consultation with the Secretary of Homeland Security, must review agency information security policies against the NIST’s standards and guidelines once they are published, and must update those policies within 180 days of each subsequent NIST revision. The NIST, in turn, must review and revise the standards at least every five years, so the security technology requirements will continue to be honed in the years that follow according to current market threats and connectivity demands (at least to a minimum acceptable standard for starters).
  • Key Security Features: The act requires the NIST’s standards to be consistent with its ongoing IoT security efforts and names the areas that will be of crucial importance. These include: 1) use-case scenarios for applying digital security in the IoT ecosystem; 2) examples of possible security vulnerabilities of IoT devices; 3) considerations for managing those vulnerabilities; 4) secure development processes for IoT applications; 5) IoT identity management; 6) patching; 7) configuration management; and 8) all relevant IoT security standards that can be used throughout the process.

Market Effects that IoT Players Should Keep on Their Radar


So, what does all that mean for IoT players?

Stakeholders and Original Equipment Manufacturers (OEMs) Will Need to Step Up Their Game: The act concerns mainly U.S. government applications, and all related partnering vendors, equipment manufacturers, and stakeholders. This means that IoT vendors and contractors that deal directly with U.S. agencies will need to step up their game with regard to IoT security, as they will be forced to disclose and address security concerns across the entire value chain.

Confusion Is to Be Expected at First: The minimum-security standards mentioned in the act, however, are not precisely outlined in its current form; the act delegates them to the NIST. This has left IoT device manufacturers and security providers on standby, unable to restructure their IoT manufacturing processes and deployment strategies until the specifications are published.

Cross-Over Effects Are to Be Expected—and This Is a Good Thing: There is no denying that this act is of vital importance to the entire IoT ecosystem. While it is primarily focused on government-owned IoT devices, it also outlines direct involvement of industrial actors, enterprises, and academia in the development and rollout of the final regulatory security measures. Given the breadth of stakeholders collaborating on them, these measures will undoubtedly cross over to the larger IoT ecosystem through adjacency effects. Thus, ABI Research expects that these specifications will ultimately spread to more IoT markets, transforming related device management processes, uplifting security standards across the connected landscape, and applying new rules for conducting business, deploying devices, and maintaining IoT services.

Challenges with External Partners Could Be on the Horizon: In its current state, it is unclear how this legislation will affect non-U.S. markets, but it certainly has the potential to affect players from other regions that choose to do business with U.S. agencies. The recent heated debate over 5G infrastructure and connected devices originating from China is a clear example of this dynamic. The act could come to affect non-U.S. vendors in a manner similar to how the European Union’s (EU’s) General Data Protection Regulation (GDPR) affects all vendors choosing to do business with European countries.

Reaching a Consensus Will Add Even More Responsibilities for Involved Industries: This act will significantly enhance the responsibilities of the NIST, which is mentioned as the key actor in ascertaining and applying all necessary changes to the specifications and standards. This will also create additional pressure on all involved industry entities, U.S. agencies, and even academia. Reaching a consensus on IoT security using this wide-reaching formula can be an incredibly powerful and useful tool, albeit with its fair share of hurdles regarding multi-faceted and multi-leveled cooperation.

Deployment strategies for IoT players are bound to change in the coming years. This is not necessarily a bad thing when considering future business strategies either. A more unified and structured IoT ecosystem, as observed under one leading entity like the NIST, has the potential to clearly outline all security processes and streamline operations across the board. There is still one key issue with that. As outlined in the act, the NIST will need to revisit the specifics when needed and reformulate the “minimum requirements.” This has the potential to be quite disruptive, unless the U.S. government and the NIST perform said changes in a manner that can both appreciate vendor challenges and address the constantly mounting cybersecurity concerns.
