New IoT Cybersecurity Act: Creating a floor for IoT security?
In December 2020, when President Donald Trump signed the new IoT cybersecurity bill into law, it signaled that the government wants to take IoT security seriously.
The IoT Cybersecurity Improvement Act does not itself specify security requirements; instead it instructs the National Institute of Standards and Technology (NIST) to develop them, and to do so by March. The act applies to IoT devices purchased by federal agencies with government money. In addition to establishing mandatory minimum security standards for these devices, the bill requires that these standards and policies be reviewed and updated at least once every five years.
Technically, the law covers only federal agency purchases. In practice, though, vendors that sell to the government will have to build devices that meet the NIST standards, and those same requirements will likely carry over to what private-sector companies buy and deploy as well.
“This is the start of the path,” said Evan Wolff, the co-chair of the privacy and cybersecurity group at the Crowell & Moring law firm. “They are saying, ‘Let’s have NIST be an impartial party that understands what good security is.’” He suggested that enterprise CISOs should consider trying to participate in the NIST process.
Wolff said that he wants NIST to recommend a “clear standard [for] patching and maintenance. Not a time period, but a regular patching regime.”
With IoT Cybersecurity Improvement Act, Only Some Improvement
Various experts stressed that the law will almost certainly affect only new IoT purchases, leaving a security vacuum for existing devices, as well as for devices purchased before the government guidelines take effect or, more precisely, before vendors begin delivering devices that comply with the new standard.
To read the complete article, visit IoT World Today.