Public Law No. 116-207 went into effect on December 04, 2020. The law originated as the “Internet of Things Cybersecurity Improvement Act of 2020” and it will affect the manufacture, deployment and use of physical access control systems and visitor management systems, along with a host of other security technologies and solutions.
Why? Because many of today’s security technologies are connected to the internet. What follows is an analysis of Public Law No. 116-207 and its impact on the security industry, as well as a discussion of practical steps companies can take to help ensure compliance with the new law.
First, the law sets out to establish minimum security standards for IoT devices owned or controlled by the Federal government. If your business sells, or wants to sell, its IoT devices to the Federal government, you will have to comply with the standards set forth. Even if you have no intention of selling your products to the Federal government, you would do well to pay attention to the security standards that emerge.
How do you know if your security product is considered an IoT device? The law relies on the definition the National Institute of Standards and Technology (NIST) published in January 2020 (https://nvlpubs.nist.gov/nistpubs/ir/2020/NIST.IR.8259.pdf). IoT devices “have at least one transducer (sensor or actuator)” that interacts directly with the physical world, and they have at least one network interface. The devices must also be able to function on their own, as opposed to acting only as a component of another device.
What you need to know:
- NIST is directed to promulgate standards and guidelines for IoT devices owned or controlled by Federal agencies and connected to those agencies’ information systems. NIST is one of the most collaborative Federal agencies and often seeks industry input when developing standards and guidelines. This presents an opportunity for IoT device manufacturers to work with NIST to develop standards that are reasonable and will not stifle innovation.
- Standards and guidelines will be consistent with current NIST efforts to address possible security vulnerabilities of IoT devices; the steps to be taken to manage such vulnerabilities include secure development, identity management, patching, and configuration management.
- Agency heads are prohibited from procuring or renewing a contract to procure IoT devices found to be out of compliance with the standards and guidelines that NIST issues. There are some exceptions, including for national security or if the device will be used for research only.
- Any IoT device security vulnerability detected will be reported and published. Contractors (including any subcontractors at any tier) providing the agency with an information system, including IoT devices, will be responsible for disseminating the resolution of a security vulnerability. In essence, manufacturers of IoT devices owned and operated by Federal agencies will be on the hook here.
Again, while this law applies only to Federal agency use of IoT devices, there are compelling reasons for IoT device manufacturers, especially those whose IoT devices are consumer-facing, to pay close attention to the standards and guidelines developed. In the last few years, the Federal Trade Commission (FTC) has filed complaints against manufacturers of wireless routers, internet video cameras, and internet-connected smart locks for alleged security violations. Alleged violations included using insecure cloud services, shipping default login credentials that consumers were not required to change, and transmitting login credentials unencrypted. More on the ramifications for companies that receive such complaints in my next post.
What can you do today to help you meet the requirements within this new law and the security standards and guidelines that will emerge? First and foremost, when you are developing an IoT product, consider how your product, intended for good, can be compromised by those with harmful intent. That means taking the time during the design phase to incorporate security features that anticipate potential attack vectors. The old saying “a stitch in time saves nine” applies here.
When you identify a risk, employ a “defense-in-depth” strategy. In other words, use layered security, as the physical security world has done for years. As you all know, protecting physical assets, be they places, things or human beings, relies on a variety of solutions, from physical access control to CCTV cameras to identity management.
Have a plan in place to monitor your connected devices during their lifecycle and provide patches for known risks. Develop robust and timely communication strategies to alert owners and operators of your IoT devices to new risks so that the patches you send are deployed without delay.
Some final thoughts. IoT devices capture enormous amounts of data, including personally identifiable information (PII). For example, today’s televisions are often connected to the internet, capture your viewing habits, and then share that information with third parties. The same can be said for access control devices that capture location data, which, under most privacy laws enacted to date, is considered PII.
The IoT is a wondrous development that delivers many benefits but also creates opportunities for bad actors to exploit security and privacy weaknesses. When you combine your innovative spirit with a keen understanding of the risks, your IoT solutions will deliver on their promise to enhance security and people’s lives.