IOT cyber rule covering federal buyers about to take effect

Under a 2020 law that goes into effect in December, the federal government will leverage its procurement powers to bolster minimum cybersecurity standards for Internet of Things devices.

Katerina Megas, program manager of NIST's IoT cybersecurity program, said on Tuesday that agencies have until next month to meet minimum cybersecurity requirements published last year after Congress passed the IoT Cybersecurity Improvement Act of 2020. The legislation directed NIST to publish standards and guidelines for agencies on best practices for the use and management of IoT devices. 

The guidelines include a catalog of cybersecurity requirements for IoT devices procured by the federal government, and requires agencies to comply with a series of risk management frameworks and other IoT-specific guidance featured in additional NIST publications.

The law focuses on federal procurement, but officials across the government have been looking to harden cybersecurity for consumer IoT devices. Plans are afoot to develop a cyber labeling system "for products that meet U.S. government standards and are tested by vetted and approved entities"  according to a White House fact sheet published last month.