This year, a bipartisan group of lawmakers passed the Internet of Things Cybersecurity Improvement Act, which will require Internet of Things (IoT) device manufacturers to follow new security standards in order to sell to the federal government. While this doesn’t directly affect the private sector, enterprises should keep an eye on this space, as there may be carryover in the future.
ioXt Certification Isn’t Enough
For a bit of perspective, IoT devices were responsible for 32.72% of all infections observed in mobile networks, up from 16.17% in 2019, according to Nokia’s “Threat Intelligence Report 2020.” To combat these IoT security threats, organizations like the ioXt Alliance, which comprises over 120 members including manufacturers, industry experts, and government organizations, have offered a voluntary security certification: the ioXt Alliance Certified IoT Security Program.
However, many experts believe this isn’t enough. While voluntary specifications and frameworks — like those provided by the ioXt Alliance — can deliver IoT security, enforcement is the key. The IoT Act will force IoT manufacturers to meet a common set of security requirements for the federal government, requirements that should also be attractive to the private sector. The Act will hold manufacturers accountable if security is insufficient when the devices are deployed.
Taking a Closer Look at the Act
The Act also mandates that standards and guidelines be developed “collaboratively within and among agencies in the executive branch, industry and academia.” It also defines the IoT according to the second draft of the National Institute of Standards and Technology (NIST) Interagency or Internal Report NISTIR 8259.
Under the IoT Act, an IoT device must contain at least one transducer (a sensor or actuator) that interacts with the physical world and must include at least one network interface. An IoT device must function on its own and can’t be a component of another device, such as a processor. Devices like smartphones and laptops aren’t considered IoT devices under the law.
NIST will publish the standards for the appropriate use and management of IoT devices by government agencies. These standards set minimum security requirements for managing cybersecurity risks and will be compatible with NIST’s existing efforts related to IoT devices, which include identity management, patching, and configuration management.
Be Ready
When you go about purchasing and deploying IoT devices, I suggest you look at devices that are certified under the ioXt program. Though the new NIST standards won’t be published until 2021, with enforcement starting later in 2021, you should monitor the IoT Act’s progress and check whether the IoT manufacturers you rely on are changing to conform to this law.