In December 2020, the Internet of Things Cybersecurity Improvement Act of 2020 became law. It is a significant step forward by the federal government to improve the security of IoT devices used in Federal Government programs and systems. IoT device manufacturers need to be aware of the consequences this act will have on the design, development, and deployment of IoT equipment for government contracts. This blog is complementary to “What You Need to Know About the Fed’s New IoT Cybersecurity Law” posted on Embedded Computing Design as this one provides more detail on the nine key points of the bill. To start there is a quick reference list below, followed by further information on each of the key issues.
The 9 Key Points of the IoT Cybersecurity Improvement Act of 2020
- The president signed the act into law on December 4th, 2020, given unanimous Congressional approval.
- The definition of an IoT device is broad: a device having a transducer and network interface.
- The law does not apply to smartphones, laptops, or IoT devices used in national security systems.
- NIST will publish minimum-security requirements for IoT devices by March 4th, 2021.*
- NIST will publish guidelines on vulnerability disclosures by June 4th, 2021.
- NISTIR 8259 and 8259A thru 8259D will be the basis for the requirements and guidelines.
- The federal government can only procure IoT devices meeting the NIST requirements.
- Federal government agencies must comply with IoT device procurement as soon as September 4th, 2021.
- Within two years, federal government agencies must implement policies to address the security vulnerabilities of IoT devices.
* Public comments on documents NISTIR 8259B/C/D and NIST SP 800-213 are due by Feb 12, 2021.
1. The president signed the act into law on December 4th, 2020, given unanimous Congressional approval.
This bipartisan bill was initially introduced in the house in 2019 by Representatives Will Hurd (R-Texas) and Robin Kelly (D-Ill). It was passed unanimously in both the House and Senate and signed into law on December 4th, 2020. The strong support is a good indication the federal government is taking the cybersecurity of IoT devices seriously as they are a critical part of the United States’ national infrastructure at risk of being breached by adversarial nations.
For example, the Russian-based Dragonfly cyber espionage group attacked the United States’ and Europe’s electrical infrastructure, which included gathering information on operational technology physically controlling the US power grid. With the US Federal Government leading the way, the cybersecurity industry can expect local, state, and international government agencies will soon follow suit, along with larger multinational corporations.
2. The definition of an IoT device is broad: any device having a transducer and network interface.
The term “Internet of Things (IoT)” covers a broad category of devices, and as such, the law’s definition of an “IoT device” is expansive. IoT devices are defined simply as a device that has “at least one transducer (a sensor or actuator) for interacting with the physical world” and “have at least one network interface.” These devices can range from simple air quality or temperature sensors to security cameras and printers.
3. The law does not apply to smartphones, laptops, or IoT devices used in national security systems.
This law does not cover conventional Information Technology equipment for which cybersecurity is well understood, such as laptops or smartphones. Additionally, the devices and equipment used in national security systems are exempt because the agencies building and monitoring those networks already have advanced cybersecurity capabilities beyond the scope of the law.
4. NIST will publish minimum-security requirements for IoT devices by March 4th, 2021.
Now that the President has signed the bill into law, the National Institute of Standards and Technology (NIST) has 90 days to publish the standards, guidelines, and minimum recommendations for IoT cybersecurity devices used in federal government systems. NIST can quickly respond because they have been preparing for this law with the May 2020 release of IoT cybersecurity recommendation documents NISTIR 8259 and NISTIR 8259A. These documents are referred to in the law as their definition of IoT devices is used. NIST have created subsequent NISTIR documents 8259B thru D, which are open for public comment, closing on Feb 12, 2021.
5. NIST will publish guidelines on vulnerability disclosures by June 4th, 2021.
The law also tasks NIST to develop vulnerability disclosure guidelines IoT device manufacturers must follow if used in Federal Government systems. These guidelines will define the disclosure policies and procedures for government agencies and contractors selling IoT devices to the government. Government agencies will be prohibited from procuring IoT devices from manufacturers that do not meet these guidelines. The guidelines are to align with ISO standards 29147 (vulnerability disclosure) and 30111 (vulnerability handling process) as much as practically possible.
6. NISTIR 8259 documents will be the basis for the requirements and guidelines.
Since the law explicitly mentions NISTIR 8259, NIST will likely base the standards, recommendations, and minimum requirements on these documents. NIST divides NISTIR 8259 publication into specific activities (8259) and device capabilities (8259A) for manufacturers, which complement each other. NIST has since drafted 8259B thru D continuing to outline non-technical core baselines for IoT devices, how to create profiles using the technical and non-technical core baselines, and a profile for the Federal Government agencies using the supporting documents.
NISTIR 8259 – “Foundational Cybersecurity Activities for IoT Device Manufacturers” – provides a list of recommendations and activities IoT device manufacturers should support pre- and post-sale. The NISTIR 8259 recommendations cover the entire lifecycle of an IoT device from device development, where it is crucial to understand customer use cases and needs, to the retirement of a device at the end of its life. The law explicitly highlights secure development, identity management, patching, and configuration management covered in the NIST documents.
NISTIR 8259A – “IoT Device Cybersecurity Capability Core Baseline” – defines the IoT device capabilities generally needed to support common cybersecurity controls. The publication applied the best practices from various industry standards and associations. Recommendations from 15 groups were reviewed, including CTIA (Cellular Telecommunications and Internet Association), ENISA (European Union Agency for Network and Information Security), IIC (Industrial Internet Consortium), OCF (Open Connectivity Foundation), and ARM’s PSA (Platform Security Architecture). For more information on recommendations from these groups see our blog “The State of IoT Security”. NISTIR 8259A contains an excellent table summarizing the six recommendation categories with references to the organization’s specific technical documents.
New NIST draft documents: 8259B/C/D and SP 800-213 – NIST has released a series of new draft documents in support of IoT security defined in 8259 and 8259A. NISTIR 8259B outlines the non-technical supporting capability core baseline manufacturers should develop. NISTIR 8259C describes the process for creating a profile using the IoT Core Baseline and Non-Technical Baseline defined in 8259A and 8259B respectively. NISTIR 8259D creates a profile for Federal Government Agencies using the previous 8259 and other supporting documents. Finally, NIST SP 800-213 is a document for federal agencies providing information on what to consider in terms of IoT cybersecurity risks.
7. The federal government can only procure IoT devices meeting the NIST requirements.
In section of the law titled Prohibition on Procurement and Use, “[t]he head of an agency is prohibited from procuring or obtaining … or using an Internet of Things device, if the Chief Information Officer of that agency determines … that the use of such device prevents compliance with the standards of guidelines developed” by NIST. Essentially, federal agencies cannot purchase or use an IoT device if the CIO of that agency feels it does not adhere to the NIST standards, guidelines, and requirements.
The Prohibition on Procurement and Use section applies to the IoT cybersecurity features required to be in a device and the vulnerability disclosure guidelines defined by NIST. The law makes no reference to retrofitting IoT devices already deployed.
8. Federal government agencies must comply with IoT device procurement as soon as September 4th, 2021.
Based on the timeline outlined in the law of approving NIST requirements and updating the OMB policies, new IoT devices and equipment procured by the federal government agencies will need to comply as soon as September 4th, 2021. The timeline is as follows:
- The bill was signed into law by the President on December 4, 2020.
- Once signed into law, NIST has 90 days to develop and publish the standards and guidelines for IoT devices. The publication of the standards and guidelines would occur on March 4th, 2021.
- Once the NIST standards and guidelines are published, the Office of Management and Budget (OMB) Office has 180 days to review and update, as needed, agency “information policies and principles” to ensure they are consistent with the NIST standards and guidelines. The final sign-off from OMB would happen on September 4th, 2021.
Nine months is not much time for embedded device manufacturers to add new cybersecurity features to their IoT devices to meet the NIST standards and guidelines. The manufacturers will also need to ensure their vulnerability disclosure procedures (VDP) are also compliant with the NIST recommendations.
To be ready to sell IoT devices and equipment to federal government agencies by the end of 2021, manufacturers need to immediately review the NIST cybersecurity requirements as soon as they are available and make adjustments to their designs, features, and functionality as required.
9. Within two years, federal government agencies must implement policies to address the security vulnerabilities of IoT devices.
NIST has 180 days to develop guidelines “for the reporting, coordinating, publishing, and receiving of information about” security vulnerabilities of IoT devices. The OMB has a total of two years from the law’s enactment to “develop and oversee the implementation” of the guidelines and policies to address security vulnerabilities of information systems and IoT devices. While the OMB will consult with the Secretary of Homeland Security when developing these guidelines so they are consistent with NIST and ISO standards and publications, there is no clear mandate for the OMB to follow NIST’s guidelines on vulnerability disclosure.
How IoT Embedded Engineers Can Prepare for the New Federal Cybersecurity Law
While the law first requires NIST and the OMB to develop guidelines, procedures, and policies for the minimum-security requirements for IoT devices and vulnerability disclosures, they will be completed quickly because the law lays out specific timelines. IoT device manufacturers and embedded engineers not familiar with cybersecurity protocols should not delay reviewing the existing guidelines, recommendations, and policies. They should also compare them to their own IoT device features and company policies to ensure they comply with the law when enforced by September 2021.
Embedded engineers for IoT device manufacturers can better prepare for the new policies by following these simple steps:
- Review NISTIR 8259 documents and compare the defined requirements with your IoT devices’ cybersecurity features currently sold to the federal government.
- Stay up to date on the National Institute of Standards (NIST) cybersecurity requirements for IoT devices by following Cybersecurity Insights, a NIST blog, and signing up for email alerts as they draft the requirements and recommendations for review.
- Review your company’s current vulnerability disclosure policy (VDP) and compare it to ISO Standards 29147 and 30111. If your company doesn’t have a VDP for IoT, start to create one using the template created for the federal agencies to comply with the law.
BG Networks offers cybersecurity software consulting services to assist manufacturers in meeting NIST requirements, specifically in the areas called out in the law which are: secure development, identity management, patching, and configuration management.
For more information on how hardware impacts security see the article from WINSYSTEMS titled “The Importance of Trusted Hardware and The IoT Cybersecurity Improvement Act of 2020.” WINSYSTEMS offers trusted hardware platforms that are built in a secure supply chain and provide a significant head start for IoT device development with secure remote management and assurance during operation. WINSYSTEMS single board computers support cybersecurity with TPM 2.0 and by using on-processor security features. Designs based on WINSYSTEM platforms have an excellent foundation to meet NIST’s requirements that will be part of this new federal law.
Contact BG Networks today to schedule a free consultation about your IoT cybersecurity needs.