IoT law is forcing US authorities to improve IT security
Source: Heise.de added 28th Nov 2020
US federal agencies will soon have to clean out numerous connected devices. A new law called the IoT Cybersecurity Amendment Act of 2020 is intended to strengthen security in the Internet of Things (IoT) and lead to more transparency in IT security in general. Stricter procurement criteria could give the new law leverage, so that more, better-secured networked devices become available.
First, the US standards authority NIST (National Institute of Standards and Technology) is to develop standards and guidelines for IoT devices at federal authorities, including minimum requirements for IT security and risk management and rules for secure installation, security updates, identity management and configuration. NIST should align with existing standards as far as possible.
Pay attention to quality when purchasing
No later than six months after availability, the budget authority OMB (Office of Management and Budget) should check the implementation of these provisions by all federal authorities and issue further regulations if necessary. Systems belonging to the area of national security are, however, left out. If NIST revises the standards and guidelines, which must be done at least every five years, an examination by the OMB follows.
In addition, federal authorities are only allowed to buy or use networked devices that meet NIST specifications. Exceptions can be made for research and national security, or if it is possible to secure the unsafe devices in other ways. These provisions will increase the demand for better-secured IoT devices.
This could mean that companies and private individuals will also have more, better-secured devices to choose from. Perhaps the public sector can help to slow down the trend towards IoT devices that are generally becoming less secure.
Suppliers must help with IT security
Part of the law is dedicated to IT security at US federal agencies in general: NIST is to develop standards for the coordinated collection, receipt and publication of information about security vulnerabilities and their elimination.
This standard will also require all suppliers and all their subcontractors to pass on information about potential IT security gaps and their elimination to the respective federal authorities. This means that the supplier’s duty of care will extend beyond the sale.
Both US parties support the IoT Cybersecurity Amendment Act of 2020. In the lower house it was passed without a detailed count of the votes; in the upper house, unanimously. The law has been at the White House since Tuesday and awaits the signature of the US President.
(ds)
media: Heise.de keywords: Internet