An important step toward securing the Internet was achieved on December 4, 2020, when President Trump signed an IoT security bill into law. The Internet of Things Cybersecurity Improvement Act of 2020 has been in the works since 2017 and was passed by the U.S. House of Representatives in September 2020 and the U.S. Senate in November 2020.

The bi-partisan team that backed the IoT bill included Reps. Robin Kelly (D-Ill.) and Will Hurd (R-Tex.), and Sens. Mark Warner (D-Va.) and Cory Gardner (R-Colo), and was backed by multiple tech companies, including BSA (The Software Alliance), Cloudflare, CTIA, Mozilla, Rapid7, Symantec, and Tenable, according to SecurityWeek.

This new IoT security law calls for the National Institute of Standards and Technology (NIST) to publish, within 90 days, “standards and guidelines for the Federal Government on the appropriate use and management by agencies of Internet of Things devices owned or controlled by an agency and connected to information systems owned or controlled by an agency, including minimum information security requirements for managing cybersecurity risks associated with such devices.” This includes but is not limited to, secure development, identity management, patching and configuration management.

The law also requires the office of Management and Budget (OMB) to publish recommendations within 180 days, based on the NIST publication and consultation with cybersecurity researchers and private sector industry experts.

It’s not just the federal government who is looking to fix this problem with legislation. According to BTB Security, “A growing number of state legislatures are concerned about the lack of security posed by Internet-of-Things (IoT) devices. California was the first to pass a law mandating better IoT security in 2018 and Oregon has followed suit this year while Illinois, Kentucky, Massachusetts, Maryland, New York, Rhode Island, Vermont and Virginia are considering similar legislation.”