New Internet Of Things (IoT) Cybersecurity Law’s Far Reaching Impacts – Technology – Digitalmunition

Featured Mondaq_Share.jpg

Published on March 16th, 2021 📆 | 4425 Views ⚑


New Internet Of Things (IoT) Cybersecurity Law’s Far Reaching Impacts – Technology

United States:

New Internet Of Things (IoT) Cybersecurity Law’s Far Reaching Impacts

16 March 2021

Epstein Becker & Green

To print this article, all you need is to be registered or login on

Enacted on December 4, 2020, the Internet of Things Cybersecurity Improvement Act
of 2020 (the “IoT Act”) is expected to dramatically
improve the cybersecurity of the ubiquitous IoT devices.1 With
IoT devices on track to exceed 21.5 billion by 2025, the IoT Act mandates
cybersecurity standards and guidelines for the acquisition and use
by the federal government of IoT devices capable of connecting to
the Internet. The IoT Act, and the accompanying standards and
guidance being developed by the National Institute of Standards and Technology
(NIST) will directly affect government contractors who
manufacture IoT devices for federal government use, or who provide
services, software or information systems using IoT devices to the
federal government.

There will also be a significant indirect effect on private
sector organizations purchasing IoT devices or systems using such
devices for corporate use. Indeed, Congress specifically intended
for a wide ranging spillover effect on the private sector with the
expectation that the proverbial rising tide will raise all boats.
Organizations will ultimately need to determine whether they will
purchase and use IoT devices, software and systems that meet the
standards for federal use, or acquire insecure or less secure IoT
devices and systems. Corporations that consume and use IoT devices
and systems, including in manufacturing, logistics, healthcare,
hospitality and retail, should consider the impact the IoT Act will
have on organizational cybersecurity. The IoT Act and the
accompanying NIST standards will influence compliance under state
and federal laws providing for the cybersecurity of protected
information, such as personal or private information, and protected
health information (PHI).

Among other things, the IoT Act contains the following

standards and guidelines for the federal government’s use of
IoT devices, including minimum information security requirements
for managing cybersecurity risks. The guidance shall address secure
development, identity management, patching and configuration
management. NIST shall “consider relevant standards,
guidelines and best practices developed by the private sector,
agencies, and public-private partnerships.” As noted in the legislative history, there is presently no
national standard to ensure the security of IoT devices, with the
inability to effectively patch these devices or set secure device
passwords, among other vulnerabilities, a significant threat to the
nation’s infrastructure and security.

NIST shall also publish guidelines: (a) for the reporting and
publishing of security vulnerabilities of information systems owned
or controlled by a federal agency (including IoT devices owned or
controlled by an agency), and the resolution of such
vulnerabilities; and (b) for a contractor or subcontractor
providing such systems receiving vulnerability information and
dissemination of information about the resolution of such security
vulnerability. Significantly, the guidelines are to include example
content, on the vulnerability disclosures that should be
“reported, coordinated, published or
received” by a contractor, or any subcontractor thereof.

INFORMATION SECURITY POLICIES AND PRINCIPLES: The Director of the Office of Management and
Budget shall review agency information security policies and
principles based on the NIST standards and guidance, and issue
policies and principles as necessary to align the policies and
principles with NIST standards and guidelines.

ACQUISITION REGULATION: The Federal Acquisition Regulation shall be revised
as necessary to implement the NIST standards and guidelines.

prohibited from procuring, obtaining, renewing a contract to
procure or obtain, or using an IoT device, if the Chief Information
Officer (CIO) of the agency determines that the use of such device
prevents compliance with the NIST standards and guidelines, subject
to a waiver for certain devices. This prohibition takes effect in
December 2022, effectively providing for a two-year ramp up for
planning to meet the new standards.

NIST has published draft guidance on IoT device cybersecurity,
for which the comment period ended on February 26, 2021. According
to NIST, the guidance offers a suggested starting point for
manufacturers who are building IoT devices for the federal
government market, as well as guidance to federal agencies on what
they should ask for when they acquire these devices. NIST has presented publicly on the guidance and
received comments and is in the process of finalizing
its guidance. See, e.g., NIST drafts SP 800-213, NISTIR 8259B, 8259C, and 8259D, as well as NISTIR Final 8259, 8259A. These publications collectively discuss
both technical and non-technical controls for securing federal IoT
devices, including standards for manufacturing and acquiring these

Organizations should do the following now to plan for the IoT
Act taking effect in December 2022:

Manufacturers who produce IoT devices
for use by the federal government should review the draft guidance
and await the final NIST guidance and standards, and develop
appropriate device level requirements and documentation. They will
also need to plan to develop processes to publicly report and
mitigate vulnerabilities in their devices.

Federal contractors, including
software and service providers, should identify information systems
that use IoT devices, and plan to meet the NIST IoT guidance and
standards, including in their IoT device specifications, vendor
selection and contractual requirements. Acquisition, purchasing and
contracting decisions made in the coming months may impact the
organization’s ability to be utilizing secure IoT devices as of
December 2022.

Organizations that are not federal
contractors should consider how NIST IoT standards and guidance may
impact their compliance with cybersecurity laws requiring
reasonable safeguards for protected information depending on the
use cases (e.g., Gramm-Leach Bliley, Health Insurance Portability and Accountability
Act (HIPAA); HR7898 as a defense or mitigation to HIPAA enforcement, NY SHIELD Act, California Civil Code §1781.5, Massachusetts data protection regulation, Illinois Personal Information Protection Act
and Biometric Information Protection Act (BIPA)),
including potential impact on risk assessments, risk management
frameworks (including NIST frameworks – e.g., SP 800-53, NIST Cybersecurity Framework and other
information security standards, such as ISO, OWASP), vendor
selection, purchasing and contracting, RFP processes, supply chain
risk and workforce training. The organization should identify IoT
devices incorporated into its information systems and their usage
in light of the NIST guidance. Chief Information Security Officers
(CISOs) and Chief Technology Officers (CTOs) should determine
whether voluntarily following the prohibition operable on their
counterparts in federal agencies against using non-compliant IoT
devices and systems furthers the organization’s compliance and
risk reduction strategies, and the potential adverse consequences
of not doing so. The potential impact of NIST IoT cybersecurity
guidance on private sector compliance and risk reduction strategy
should involve information technology, information security,
compliance, personnel, and legal departments, as well as the
individual business units responsible for the IoT device use.

EBG works closely, under attorney-client privilege, with
organizations to conduct risk assessments and develop information
security programs, manage supply chain risk and identify recognized
security practices that may bolster practical security and improve
compliance defensibility. Any questions may be directed to the
authors or another member of EBG’s Privacy, Cybersecurity, and Data Asset
Management Group. Brian G. Cesaratto is a Certified
Information Systems Security Professional (CISSP) and Certified
Ethical Hacker (CEH). Alexander Franchilli is an Associate
in the Employment, Labor & Workforce Management and Litigation
practices, in the New York office of Epstein Becker Green.


1 IoT devices
“have at least one transducer (sensor or actuator) for
interacting directly with the physical world, have at least one
network interface, and are not conventional Information Technology
devices, such as smartphones and laptops, for which the
identification and implementation of cybersecurity features is
already well understood, and can function on their own and are not
only able to function when acting as a component of another device,
such as a processor.” The wide range of IoT devices that connect to the Internet
include security cameras and systems, geolocation trackers, smart
appliances (e.g., tvs, refrigerators), fitness trackers and
wearables, medical device sensors, driverless cars, industrial and
home thermostats, biometric devices, manufacturing and industrial
sensors, farming sensors and other smart devices.

Originally Published by Epstein Becker, March 2021

The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.

POPULAR ARTICLES ON: Technology from United States

FinTech Comparative Guide
J. Sagar Associates
FinTech Comparative Guide for the jurisdiction of India, check out our comparative guides section to compare across multiple countries

Virtual Currencies Comparative Guide
Bull Blockchain Law LLP
Virtual Currencies Comparative Guide for the jurisdiction of United States, check out our comparative guides section to compare across multiple countries

originally appeared on Source link

Tagged with:

Leave a Reply