The United States Has Passed a Law with Security Requirements for the Internet of Things


Ericson Scorsim. Lawyer and Consultant in Communication Law. Ph.D. in Law from the University of São Paulo (USP). Author of the Communications Law Collection. Author of the book “Jogo geopolítico das comunicações 5G – Estados Unidos, China e impacto sobre o Brasil” (The Geopolitical Game of 5G Communications – United States, China, and Impact on Brazil), published on Amazon.

The United States has passed a law with security requirements for the Internet of Things.

The law is called the Internet of Things Cybersecurity Improvement Act of 2020. The agencies responsible for managing the Internet of Things must follow these security parameters. 

Basically, the Internet of Things is a network of machine-to-machine communications, integrated by electronic, optical, and acoustic sensors, among others. The National Institute of Standards and Technology (“NIST”) must approve the Internet of Things guidelines to be followed by federal agencies. Among the security requirements are identifying and managing IoT devices’ vulnerabilities, secure product development, device identity management, patching, and configuration management.

The federal agency responsible for infrastructure cybersecurity must update its standards. Information about vulnerabilities in information systems, including IoT devices, must be disclosed. The law also references rules to be followed when procuring technology related to the Internet of Things. The U.S. Comptroller General must give Congress a short briefing on IoT-related practices, networks, equipment, and information systems. On this topic, we highlight the business alliance called Global Standard for IoT Security (IoTX), with members such as Facebook, Amazon, Google, T-Mobile, Comcast, and Zigbee, among others.

There are countless applications of the Internet of Things: precision agriculture, energy, medicine, and industry, among others. On this note, the 2021 National Defense Authorization Act also refers to the Internet of Things. Thus, the law provides for creating a workgroup on the Internet of Things, with the participation of the National Institute of Standards and Technology, the Department of Commerce, the National Oceanic and Atmospheric Administration, the Department of Transportation, the Department of Homeland Security, and the Department of Energy, among others. The workgroup will identify regulations on the Internet of Things, verifying potential benefits for intelligent traffic, logistics and supply chains, sustainable infrastructure, precision farming, environmental monitoring, public safety, and health. The National Telecommunications and Information Administration will assess the wireless services and radiofrequency spectrum demands.

The law also contemplates actions to support small and medium enterprises in IoT businesses. IoT and 5G networks increase the risks of cyberattacks, hence the need to clearly and precisely define the cybersecurity standards to be adopted by companies and by the regulatory agencies responsible for monitoring their application.

*All rights reserved and cannot be reproduced or used without citing the source.

Ericson M. Scorsim

Lawyer and Consultant in Communication Law. PhD in Law from USP. Author of the Ebooks Collection on Communication Law with a focus on topics on technologies, internet, telecommunications and media.