The Cybersecurity Improvement Act has now been in place since 2020. The Act required National Institute of Standards and Technology (NIST) to develop minimum security standards and guidelines for the Federal Government that will form the basis for new IoT procurement restrictions.
IoT device manufacturers must follow new standards and regulations in order to meet these government agency requirements.
A Brief Introduction to The Cybersecurity Improvement Act & NIST Guidance
The Cybersecurity Improvement Act of 2020 (IoT CIA) is the first federal law in the United States to regulate the security of IoT devices. According to the legislation, an IoT device is one that has at least one sensor or actuator for interacting directly with the physical world, at least one network interface, and the ability to function independently, rather than solely as part of a larger system. Smartphones, laptops, and other electronic devices are not covered by the statute.
The law applies to IoT devices owned or controlled by an agency that are connected to a federal information system, defined by NIST as "an information system used or operated by an executive agency, a contractor of an executive agency, or another organization on behalf of an executive agency."
The IoT CIA is not concerned with securing individual devices by imposing password requirements or encryption standards, both of which will need to evolve. Instead, it looks to the National Institute of Standards and Technology (NIST) to establish many of the standards that federal organizations must follow when acquiring connected devices. These rules view overall security as a collection of components, necessitating particular prescriptions for device, cloud, and communication security.
The IoT Cybersecurity Improvement Act of 2020 required NIST to publish standards and guidelines for agencies on ‘the appropriate use and management by agencies of [IoT] devices’. NIST released the final version of the IoT cybersecurity guidance for Federal agencies last year- NIST SP 800-213 Series, in December 2021.
-
SP 800-213, IoT Device Cybersecurity Guidance for the Federal Government: Establishing IoT Device Cybersecurity Requirements, was revised based on stakeholder feedback to be clearer, more usable, and more accommodating of the range of capabilities in IoT devices of possible interest to federal agencies.
-
SP 800-213A, IoT Device Cybersecurity Requirements Catalog, was revised to be more consistent in presentation, more balanced between technical and non-technical aspects, and more easily referenced. The catalog includes mappings to SP 800-53 and the Cybersecurity Framework as well as an IoT cybersecurity profile. The material included in this new publication was based on collaborative input from the public that NIST received via GitHub throughout all of 2021.
The objective behind this legislation was for NIST to set minimum standards for IoT devices procured and purchased by the Federal government in order to potentially use the Federal government's procuring power to secure IoT devices.
The Internet of Things Cybersecurity Improvement Act of 2020 generally prohibits agencies from procuring or using an IoT device after Dec. 4, 2022, if that device is considered “non-compliant” with standards developed by the National Institute of Standards and Technology (NIST).
Federal agency customers must remember that the Risk Management Framework (RMF) remains the foundational security guidance for federal systems and applies as much to IoT devices as to any other information, communications, or operational technology.
IoT Adoption in the US Government
The US government has relied on IoT connected devices for years and after the increasing number of attacks, it’s no surprise that legislation is now in place to secure the IoT it purchases and connects.
The US government uses IoT devices on a wide basis to improve facilities and reduce costs. For example, in the smart buildings sector, thousands of low-cost connected sensors are installed at 80 high-energy-use government buildings. The Government Services Administration uses telematics to track, locate and monitor the emissions of more than 200,000 vehicles to ensure compliance with government mandates for reductions in greenhouse gas emissions by 30% by 2025. Other federal agencies such as the Department of Defense (DoD) use RFID tags and sensors from connected devices to track and manage military supplies, such as clothing, construction materials and medical supplies. These devices have enabled the Defense Logistics Agency and the US Transportation Command to monitor billions of transactions per month from DoD logistics systems and commercial transportation carriers.
We should also take into consideration that today’s IoT systems are being integrated with others to become ‘systems of systems’. With this integration, cybersecurity develops into a broader concept of trust, that includes not only the integrity of data, connections, and devices, but also the reliability of results.
Best Practices
NIST's initial rules include today's best practices. These practices range from unique identities for each device so it can be identified on a network, and a way for authorized users to change features related to access and security, also ensuring an over-the-air device update program, The guidelines also include logging an IoT device's or its related app's actions and clearly and securely communicating the details of a device's security to the user.
For industries like manufacturing, which increasingly rely on Digital Certificates and Public Key Infrastructure (PKI), such as GlobalSign’s offering that enables secure device identity, this law is a step in the right direction. Experts have warned for years that connected devices could be exposed without a way to patch their software or replace shared hard-coded passwords set at factories – increasingly a concern since hackers are known for exploiting basic security holes, especially in the case of sensors. By leveraging existing best practices stronger authentication approaches like per-device unique Digital Certificates are now being more widely adopted. This law is a tipping point for manufacturers to collaborate more closely with the cybersecurity industry to ensure that devices in the exploding IoT market are as secure as possible.
Our Thoughts on the Bill
GlobalSign has been delivering identity and security solutions over many years. As experts within the field of identity and security for some of the world’s largest organizations, we believe this law demonstrates the government has taken the necessary steps to ensure the security of connected devices, and that stronger security solutions will be put in place to limit attacks. Our company is uniquely positioned to issue digital certificates at high volume and massive scale to IoT devices delivering strong device identities to enable the foundations of IoT security; authentication, encryption and device integrity. We are working closely with manufacturers of some of these devices, which in some cases could be part of government networks.
We are also aware that for both current and future government collaboration, IoT devices owned or controlled by an agency must have the proper security measures in place. If these stringent controls are not followed, this could amount to a significant loss of existing or future business opportunities.
It is imperative for federal IoT stakeholders to remain engaged and active in this environment since NIST's IoT security standards and advice will have long-term consequences across the IoT ecosystem.
Non-government companies in the IoT sector who are not affected by this law should also consider implementing the NIST standards. The advantage is that they can sell their IoT product line as complying with federal security compliance criteria.
For more about how IoT security starts with PKI, click here to find out more about our IoT solutions.
