Skip to main content

IoT Cybersecurity Bill Signed Into Law

Capitol Hill
(Image credit: Architect of the Capitol)

NCTA-the Internet & Television Association is celebrating the President's signature on the Internet of Things Cybersecurity Improvement Act.

The bill, introduced in March 2019, "requires that devices purchased by the U.S. government meet certain minimum security requirements." 

Related: IoT BIll Heads to Senate

“We applaud the President for signing into law the Internet of Things Cybersecurity Improvement Act," NCTA said in a statement. "With potential security threats to networks always looming, maintaining stringent cybersecurity standards is a must to protect many business and government operations. Since the government is such a large purchaser and user of IoT devices, this new law will have an impact on IoT purchases by businesses and beyond. Many thanks to Senators Gardner and Warner, and Representatives Kelly and Hurd, for introducing this important legislation and navigating it through Congress.”

Specifically, the law:

"Requires contractors and vendors providing information systems to the U.S. government to adopt coordinated vulnerability disclosure policies, so that if a vulnerability is uncovered, that can be effectively shared with a vendor for remediation." 

"Requires the National Institute of Standards and Technology (NIST) to issue recommendations addressing, at a minimum, secure development, identity management, patching, and configuration management for IoT devices. 

"Directs the Office of Management and Budget (OMB) to issue guidelines for each agency that are consistent with the NIST recommendations, and charge OMB with reviewing these policies at least every five years. 

"Requires any Internet-connected devices purchased by the federal government to comply with those recommendations. 

"Directs NIST to work with cybersecurity researchers, industry experts, and the Department of Homeland Security (DHS) to publish guidance on coordinated vulnerability disclosure to ensure that vulnerabilities related to agency devices are addressed."

The bill was introduced in the Senate by Sens. Mark Warner (D-Va.) and Cory Gardner (R-Colo.), co-chairs of the Senate Cybersecurity Caucus, as well as Sens. Maggie Hassan (D-N.H.) and Steve Daines (R-Mont.). Reps. Robin Kelly (D-Ill.) and Will Hurd (R-Texas) took the lead on the bill in the House.