The House of Representatives passed the IoT Cybersecurity Improvement Act in 2020. This bill requires all government devices categorized as Internet of Things (IoT) to meet a standard of security. Everything now is interconnected; therefore, the passing of this bill means that improvements to network security are also needed.
Reports have shown that nearly all of the traffic (as much as 98 percent) from IoT devices is currently unencrypted. Given the nature of government data, this figure should be as close to zero as possible.
Data security will be of the utmost importance in the future. As we rely more and more on IoT technology, cybercriminals will continue to up their game to breach security and obtain data.
Under the new NIST 8259 law, the following rules are required:
- The National Institute of Standards and Technology (NIST) is required to set guidelines and standards for all federal agency-used IoT devices.
- The NIST should consider all of the guidelines and standards that were created by agencies, public-private partners and the private sector.
- The NIST should work directly with experts (those in the IoT industry, researchers in cybersecurity and the Department of Homeland Security (DHS)) to develop guidelines concerning security vulnerabilities. This includes IoT devices that are managed/owned by government agencies, as well as developing solutions for security.
- Contractors should comply with any NIST regulations/standards. Agencies should also develop compliance requirements for contractors before they award any contracts for IoT device usage.
- The Director of the NIST will distribute guidelines/standards within 90 days of the enactment of the IoT Cybersecurity Improvement Act. These guidelines are for the use and management of IoT devices controlled/owned by government agencies.
- Furthermore, guidelines/standards should be reviewed and revised by the Director of the Institute every 5 years.
- After standards are revised, the Office of Management and Budget (OMB) Director, along with the Director of the Cybersecurity and Infrastructure Security Agency of the Department of Homeland Security, will make updates to policies and principles as it becomes necessary to keep them consistent.
- The OMB should issue guidelines for every agency that are consistent with NIST recommendations. This includes any updates to the Federal Acquisition Regulation.
- The responsibility to develop guidelines/standards should be a collaboration between the executive branch, industry and academia.
- All IoT devices that are federally owned must be in compliance with the guidelines/standards set by the NIST.
IoT vulnerabilities are not a new concept and often result in denial-of-service attacks as well as data breaches. NIST 8259 won’t only provide security protection for the federal government; it’s also likely to influence the sale of IoT devices in private industry.