Enacted on December 4, 2020, the Internet of Things Cybersecurity Improvement Act of 2020 (the “IoT Act”) is expected to dramatically improve the cybersecurity of the ubiquitous IoT devices.[1] With IoT devices on track to exceed 21.5 billion by 2025, the IoT Act mandates cybersecurity standards and guidelines for the acquisition and use by the federal government of IoT devices capable of connecting to the Internet. The IoT Act, and the accompanying standards and guidance being developed by the National Institute of Standards and Technology (NIST) will directly affect government contractors who manufacture IoT devices for federal government use, or who provide services, software or information systems using IoT devices to the federal government.

There will also be a significant indirect effect on private sector organizations purchasing IoT devices or systems using such devices for corporate use. Indeed, Congress specifically intended for a wide ranging spillover effect on the private sector with the expectation that the proverbial rising tide will raise all boats. Organizations will ultimately need to determine whether they will purchase and use IoT devices, software and systems that meet the standards for federal use, or acquire insecure or less secure IoT devices and systems. Corporations that consume and use IoT devices and systems, including in manufacturing, logistics, healthcare, hospitality and retail, should consider the impact the IoT Act will have on organizational cybersecurity. The IoT Act and the accompanying NIST standards will influence compliance under state and federal laws providing for the cybersecurity of protected information, such as personal or private information, and protected health information (PHI).

Among other things, the IoT Act contains the following requirements:

• NIST STANDARDS AND GUIDELINES FOR USE AND MANAGEMENT OF IoT DEVICES: NIST shall publish standards and guidelines for the federal government’s use of IoT devices, including minimum information security requirements for managing cybersecurity risks. The guidance shall address secure development, identity management, patching and configuration management. NIST…