The Internet of Things Cybersecurity Improvement Act has now been signed into law, aligning the efforts of the ioXt Alliance and the U.S. federal government in addressing IoT security. The law requires that federal agencies apply cybersecurity requirements to all IoT devices they purchase and use. The ioXt Alliance, the Global Standard for IoT Security, has led industry input in the development of the bipartisan-supported legislation.
ioXt Alliance members have worked with representatives of the bill as well as the National Institute of Standards and Technology (NIST) to realize this legislation and closely align it with industry best practices, like those put forth by the Alliance. The IoT Cybersecurity Improvement Act will now require standards to be defined and ultimately implemented, including requirements for IoT devices and services, as well as vulnerability reporting and disclosure for government-purchased devices. Contractors and subcontractors alike will be required to have vulnerability disclosure programs.
“This action is a long time coming for IoT, and we applaud the steps the administration and industry have taken together to advance regulations around connected devices,” said Brad Ree, CTO of the ioXt Alliance. “We’re equally as committed to improving and driving the adoption of security standards and are eager to harmonize our principles with the IoT Improvement Act to further help manufacturers implement these critical measures. Between our certification program, cross-recognition programs, and compliance tools – our organization is best positioned to lead the charge.”
Within 90 days of the bill passing, NIST must publish the minimum security requirements for federal agencies addressing the risk associated with IoT devices. From there, the Director of the Office of Management and Budget (OMB) will review and approve the specifications.
“We will continue to work closely with NIST along with private and public sector leaders to incorporate industry feedback into the IoT Act’s requirements,” continued Ree. “It is imperative that together, we build a scalable compliance program that will ensure the safety of this technology and will allow manufacturers to seamlessly navigate government and industry requirements across the globe. We are more than ready to start the process to finalize specifications and implementation. While this is U.S. government-specific, we’re confident that it will serve as the catalyst that prompts network operators, consumer ecosystems, and retailers to follow suit in device security certification moving forward.”