On November 17, 2020, H.R. 1668, the “Internet of Things Cybersecurity Improvement Act of 2020”, was unanimously passed by the Senate. The bill is now on its way to President Trump for signature or veto.
The bill would require the National Institute of Standards and Technology (“NIST”) and the Office of Management and Budget (“OMB”) to take certain steps to increase cybersecurity for Internet of Things (“IoT”) devices. IoT describes the extension of internet connectivity into physical devices and everyday objects. Examples of IoT devices include internet connected appliances, thermostats, locks, or smoke detectors, but they are now pervasive across virtually all types of retail products.
The bill would specifically require NIST to develop minimum or baseline IoT cybersecurity standards. The OMB would then be tasked with issuing guidelines to agencies in consultation with NIST.
Notably, the bill also requires federal agencies to only use devices that meet the NIST standards and expressly prohibits the government from entering into any contract that would prevent compliance with those standards. Because the bill would, in effect, prohibit the government from entering into any contracts with third parties that would result in the purchase or use of IoT devices that are not compliant with the NIST standards, it is likely that the bill will encourage manufacturers of such products to adopt the NIST standards.