US federal agencies will soon have to get their many networked devices in order. A new law, the IoT Cybersecurity Improvement Act of 2020, is intended to strengthen the security of the Internet of Things (IoT) and to bring more transparency to IT security in general. Through stricter procurement criteria, the law could act as a lever so that more, and better-secured, networked devices come onto the market.
First, the US standards agency NIST (National Institute of Standards and Technology) is to develop standards and guidelines for the use of IoT devices by federal agencies, including minimum requirements for IT security and risk management and rules for secure installation, security updates, identity management and configuration. Wherever possible, NIST is to build on existing standards.
Pay attention to quality when shopping
No later than six months after NIST issues these provisions, the Office of Management and Budget (OMB) is to review their implementation at all federal agencies and, if necessary, issue further regulations. National security systems are exempt. Whenever NIST revises the standards and guidelines, which it must do at least every five years, another OMB review follows.
In addition, federal agencies may only buy or use networked devices that comply with the NIST requirements. Exceptions can be made for research and national security, or where a non-compliant device can be adequately secured by other means. These rules will increase the demand for more secure IoT devices.
This could mean that companies and private individuals will also have more, and better-protected, devices to choose from. Perhaps the public sector can help slow the trend towards IoT devices that are becoming less secure overall.
Suppliers have to help with IT security
Part of the law addresses IT security at US federal agencies in general: NIST is to develop standards for coordinated vulnerability disclosure, that is, for receiving, collecting and publishing information about security vulnerabilities and their remediation.
This standard will also require all suppliers, and all their subcontractors, to pass information about potential security gaps and their remediation on to the federal agencies concerned. The supplier's duty of care will thus extend beyond the point of sale.
Both US parties support the IoT Cybersecurity Improvement Act of 2020. The House of Representatives passed it by voice vote, without a recorded tally; the Senate passed it unanimously. The bill has been at the White House since Tuesday and awaits the US President's signature.