Federal agencies have until December to implement cybersecurity requirements for Internet of Things (IoT) devices, Katerina Megas, program manager for the National Institute of Standards and Technology’s (NIST) IoT cybersecurity program, said on Nov. 8.
The cyber requirements come from legislation – the IoT Cybersecurity Improvement Act of 2020 – approved by Congress in 2020 for the Federal government to leverage its procurement powers to bolster minimum cybersecurity standards for IoT devices.
“Now the deadline is coming up for Federal agencies to establish NIST’s cybersecurity requirements for IoT devices – which we actually finalized and published last year,” said Megas at an event organized by the American Enterprise Institute.
The IoT Cybersecurity Improvement Act of 2020 directed NIST to publish standards and guidelines for agencies on best practices in using and managing IoT devices. NIST released the final version of the IoT cybersecurity guidance for Federal agencies last year, in December 2021.
“The idea of this legislation was for NIST to develop minimum standards for IoT devices that are being procured and purchased by the Federal government as a way to potentially use the Federal government’s procuring power to secure IoT devices,” said Megas.
Included in that guideline is a catalog of cybersecurity requirements for IoT devices procured by the Federal government. It also requires agencies to comply with several risk management frameworks and other IoT-specific guidance featured in additional NIST publications.