The Federal IoT Bill Has Passed—How ioXt Can Help You Leverage the Opportunity

 

The day has come. After three years of debate, the IoT Cybersecurity Improvement Act (H.R. 1668) is now law. What does the Act mean in general, and what does it mean specifically for manufacturers of connected devices? Let's dive in.

What's momentous about H.R. 1668 is that it marks the first federal bill that addresses IoT security. The bill's purpose is to set a security standard for devices purchased by the U.S. government. Devices increasingly run our world, and the federal government is not immune. Like consumers, U.S. agencies continue to buy more and more devices to assist with the business of doing (government) business. Since we're talking about Uncle Sam, that tends to include things like tracking, monitoring, and controlling things that impact millions of Americans. This is why federally-procured devices, especially, need to be secure.

The IoT Cybersecurity Improvement Act is an important step towards making that happen. 

It will require two sets of standards to be defined and implemented. First, security standards (Section 4) for the development, use and management of IoT shall be defined by NIST and then reviewed by the Office of Management and Budget (OMB). These standards mostly focus on device and service requirements for secure development methods, identity and configuration management, and firmware patching. NIST will also be required to work with industry to consider standards and best practices already in place.

The second focus of the Act is around vulnerability reporting AND disclosure. Not only will contractors be required to have a vulnerability disclosure program and to monitor vulnerabilities found in their devices, but the Act will also require all subcontractors to do the same. As product security is an ever-changing issue, it is critical that manufacturers implement a vulnerability disclosure program to gather security issues from researchers and users. However, one study found that as many as 93 percent of companies in the Forbes Global 2000 list don’t include a vulnerability disclosure policy among top business concerns.

The good news is the ioXt Alliance is here to help. Since ioXt Certification aligns with—and actually goes beyond—what the Act requires, manufacturers that certify their products and services with ioXt can know they're in alignment with government contracts. Further, the Alliance helps companies with their vulnerability disclosure programs and provides reporting interfaces to impacted parties, as required by the Act.

As the Global Standard for IoT Security, we provide our members regulatory updates and guidance as other countries adopt similar (yet slightly different) policies. Backed by the biggest names in technology, including Google, Amazon, Facebook, T-Mobile, Comcast and over 300 others, the ioXt Alliance offers the only global security certification program for Smart Home, Smart Building, and Cellular IoT products and services.

Learn more at www.ioxtalliance.org
