IoT Cybersecurity Improvement Act 2022 (E31a)
The United States Federal Government has passed the first Internet of Things (IoT) legislation that prohibits federal agencies from purchasing IoT devices that do not meet specified security protocols. According to the Internet of Things Cybersecurity Improvement Act of 2020, IoT products must meet minimum cybersecurity standards, and device providers must comply with a vulnerability and notification program. This follows legislation passed in California (SB-327) and Oregon (Oregon’s IoT Law) in early 2020, and is designed to ensure IoT devices comply with “reasonable baseline security measures”. This is being driven by the rapid proliferation of IoT devices within government operations, and in society in general. According to a Government Accountability Office study, roughly two-thirds of government agencies are using IoT technology in applications such as asset tracking, access control and many others. This talk focuses on the advances of the IoT Cybersecurity Improvement Act and its interactions with the other, more recent executive orders on cybersecurity.
Take-aways from this session will be:
• What are the NIST and industry documents associated with the Act (it is far more than the 6 documents listed in most press releases) and their state of completion?
• How does FIPS validation fit into the Improvement Act?
• How do the recent executive orders (EO) on cybersecurity impact this act?
• Can this work with current development processes?
• How does this relate to IoT Platforms (AWS, Azure, Google, others)?
• Do FIPS and CC play a role?