Skip to main content

Internet of Things Cybersecurity Improvement Act of 2020

The IoT Cybersecurity Improvement Act of 2020 requires IoT devices bought by U.S. federal agencies to meet NIST security standards and follow vulnerability disclosure guidance. It uses procurement gating rather than fines to drive device security.

Jurisdiction
United States

What the IoT Cybersecurity Improvement Act Is

The Internet of Things Cybersecurity Improvement Act of 2020 establishes minimum security standards for Internet of Things (IoT) devices purchased by U.S. federal agencies. It exists because the federal government is a massive buyer of connected devices, and weak device security creates risk to government systems and, indirectly, the broader market. By using federal purchasing power, the law nudges manufacturers toward stronger baseline security.

The Act directs the National Institute of Standards and Technology (NIST) to develop standards and guidelines for IoT device security and vulnerability disclosure, and directs the Office of Management and Budget (OMB) to align agency policies accordingly.

Who It Applies To

The law directly applies to federal agencies, which generally may not procure or use IoT devices that fail to meet the NIST-developed standards. In practice it applies to manufacturers and vendors that want to sell IoT devices to the federal government, since their products must conform to the required guidance to be eligible.

Key Requirements

  • NIST standards — Devices must meet NIST guidelines covering secure development, identity management, patching, and configuration.
  • Vulnerability disclosure — Contractors and vendors must follow coordinated vulnerability disclosure guidelines based on NIST guidance.
  • Agency policies — Agencies must implement and update IoT security policies consistent with the standards.
  • Procurement gating — Agencies are restricted from procuring devices that do not comply, subject to waivers.
  • Ongoing updates — NIST guidance is periodically reviewed and updated to reflect evolving threats.

Penalties for Non-Compliance

The Act works through procurement rather than fines. The primary consequence of non-compliance is ineligibility to sell IoT devices to federal agencies, and agencies may be barred from buying or operating non-compliant devices. Vendors that cannot meet the standards lose access to a large market, which is a strong commercial incentive.

How to Comply

Manufacturers should design devices to the relevant NIST IoT standards, ensuring secure-by-default configurations, unique device identity, the ability to receive security updates, and protection of stored and transmitted data. Establish a coordinated vulnerability disclosure program aligned with NIST guidance, and document conformance to support federal procurement. Agencies should update procurement and operational policies and verify vendor compliance.