The IoT Cybersecurity Improvement Act and FIPS Validation (E22a)

02 Sep 2021

The United States Federal Government has passed the first Internet of Things (IoT) legislation that prohibits federal agencies from purchasing IoT devices that do not meet specified security protocols. According to the Internet of Things Cybersecurity Improvement Act of 2020, IoT products must meet minimum cybersecurity standards, and device providers must comply with a vulnerability and notification program. This follows legislation passed in California (SB-327) and Oregon (Oregon’s IoT Law) in early 2020, and is designed to ensure IoT devices comply with “reasonable baseline security measures”. The legislation is being driven by the rapid proliferation of IoT devices within government operations and in society in general. According to a Government Accountability Office study, roughly two-thirds of government agencies are using IoT technology in applications such as asset tracking, access control, and many others. This presentation focuses on the IoT Cybersecurity Improvement Act, FIPS validation, and what this means for IoT device manufacturers. Takeaways from this session will be:

• What are the NIST and industry documents associated with the Act (it is far more than the 6 documents listed in most press releases)?

• How does FIPS validation fit into the Improvement Act?

• What is the overall timeline for implementation?

• Can this work with current development processes?

• How does this relate to IoT Platforms (AWS, Azure, Google, others)?

• Many others