U.S. IoT Cybersecurity Improvement Act signed into law
On 4 December 2020 President Trump signed the IoT Cybersecurity Improvement Act, requiring NIST standards for IoT devices purchased by federal agencies.
On 4 December 2020, the IoT Cybersecurity Improvement Act was signed into law, establishing minimum security requirements for Internet of Things (IoT) devices purchased by the federal government. The law directs NIST to develop standards and guidelines for IoT device security, and requires OMB to review federal acquisition regulations to ensure they conform to those standards. While directly applicable only to federal procurement, the standards will influence commercial IoT security practices.
NIST requirements
The Act directs NIST to publish standards and guidelines for the secure development, identity management, patching, and configuration management of IoT devices. NIST must also develop guidelines for reporting, coordinating, and publishing information about security vulnerabilities in IoT devices. The standards build on NIST's existing IoT cybersecurity work, including the NISTIR 8259 series for IoT device manufacturers.
NIST published the required guidelines in December 2021, covering device capabilities for secure development, vulnerability disclosure, and lifecycle management. The guidelines emphasize secure defaults, authentication requirements, data protection, and the ability to receive security updates.
Federal procurement implications
OMB must develop policies requiring federal agencies to only procure IoT devices meeting NIST standards, with limited waiver authority for mission-critical needs. Contractors and vendors selling IoT products to the federal government must ensure devices comply with the standards. Non-compliant devices may be excluded from federal contracts.
The law also requires federal contractors to adopt coordinated vulnerability disclosure policies for IoT products, enabling security researchers to report vulnerabilities without legal risk. This is a significant shift toward transparency in IoT security management.
Industry impact
While the Act applies directly to federal procurement, the standards will become baseline expectations for commercial IoT devices. Manufacturers selling to both government and commercial markets will probably adopt NIST standards across product lines. Industry certification programs may emerge to verify compliance.
IoT device manufacturers should evaluate products against NIST guidelines, establish vulnerability disclosure programs, and ensure devices support secure update mechanisms. The law signals growing regulatory attention to IoT security that is likely to expand beyond federal procurement to broader consumer and industrial applications.
NIST Guidelines Implementation Details
The NIST guidelines establish baseline security capabilities for IoT devices: secure boot mechanisms that verify firmware integrity, authentication requirements that prevent unauthorized access, data protection through encryption at rest and in transit, and update mechanisms that allow security patches to be deployed throughout the device lifecycle. Configuration management requirements ensure devices ship with secure defaults and give administrators the ability to modify settings according to organizational security policies.
Vulnerability disclosure guidelines require manufacturers to establish clear channels for security researchers to report identified vulnerabilities, commit to reasonable remediation timelines, and coordinate public disclosure to enable user protection. These requirements align with industry good practices reflected in ISO 29147 and ISO 30111 standards for vulnerability handling.
Supply Chain and Procurement Implications
Federal contractors must evaluate their IoT product portfolios against the emerging NIST standards and prioritize compliance investments for devices marketed to government customers. Procurement teams should update vendor qualification criteria to incorporate IoT security requirements, establish contractual provisions requiring NIST compliance attestation, and implement ongoing monitoring of vendor vulnerability disclosure practices.
The waiver authority for mission-critical needs creates limited flexibility for essential deployments where compliant alternatives are unavailable, but agencies should document waiver justifications and establish remediation timelines for transitioning to compliant products. Audit and inspection processes should verify that waiver conditions are appropriately scoped and tracked.
Long-term Industry Transformation
The Act represents initial federal IoT security regulation likely to expand over time. State legislatures, particularly California with SB-327, have established complementary IoT security requirements that manufacturers must address. International regulatory developments in the EU and elsewhere create additional compliance considerations for global manufacturers.
Industry certification programs may emerge to provide third-party verification of NIST compliance, potentially reducing the procurement assessment burden while creating market differentiation for certified products. Affected manufacturers and procurement teams should monitor certification program developments and evaluate the benefits of participation for their product portfolios and procurement practices.