Trump's Return to the White House: A Look Back at the U.S.’s First IoT Security Law He Signed

Published: 2024-11-15

With the conclusion of the 2024 U.S. presidential election, Republican candidate Donald Trump has secured victory and is set to return to the White House after four years. During his previous term, Trump introduced various policies that significantly affected the tech sector, and industry experts are now analyzing how his reelection may shape policies across different areas. As part of the tech industry, the Internet of Things (IoT) has also experienced shifts, particularly following the signing of the “IoT Cybersecurity Improvement Act” on December 4, 2020. Let’s revisit this pivotal IoT security legislation, which may serve as a foundation for future IoT policies in the U.S.

The Legislative Journey of the U.S.’s First IoT Security Law

In 2016, several major cybersecurity incidents, such as botnet attacks causing widespread disruptions, raised global awareness of the need for IoT security. With the rapid growth in IoT devices, U.S. lawmakers recognized the necessity of dedicated IoT security legislation to address vulnerabilities.

In 2017, with support from the Atlantic Council and Harvard University, Democratic Senator Mark Warner from Virginia and Republican Senator Cory Gardner from Colorado introduced the “IoT Cybersecurity Improvement Act.” This bill sought to establish guidelines requiring federal government suppliers to follow industry-standard security practices, such as ensuring device updates, secure passwords, and patch management to address known vulnerabilities. Despite its intentions, the bill did not pass due to various challenges.

In March 2019, the bill was reintroduced in Congress as H.R. 1668. This version aimed to mitigate cybersecurity risks by establishing minimum security standards for IoT devices purchased by U.S. federal agencies. It garnered bipartisan support, creating a strong foundation for the final version of the IoT Cybersecurity Improvement Act.

On September 14, 2020, the U.S. House of Representatives passed the IoT Cybersecurity Improvement Act, and on November 17, 2020, the Senate approved it without amendments. It was then presented to the White House and signed into law by then-President Trump on December 4, 2020.

Key Provisions of the IoT Cybersecurity Improvement Act

The law defines IoT devices as having at least one sensor or actuator that interacts with the physical world, a network interface, and the ability to function independently without forming part of a larger system. It also specifies that smartphones, laptops, and other electronic devices fall outside the Act's scope.

The Act directs the National Institute of Standards and Technology (NIST) to develop security guidelines for IoT devices used by federal agencies and mandates the Office of Management and Budget (OMB) to review federal policies to ensure they align with NIST’s standards. Federal agencies are prohibited from purchasing IoT devices that do not meet these security requirements.

NIST plays a critical role in the Act's implementation. To support its enforcement, NIST released the “Guidelines for Federal Agencies on IoT Cybersecurity” in December 2021, which included:

  1. IoT Device Cybersecurity Guidance for Federal Agencies: This document provided clearer, more practical cybersecurity guidelines for federal agencies.
  2. IoT Device Cybersecurity Requirements Catalog: This catalog provided consistent, balanced, and easy-to-reference cybersecurity requirements for both technical and non-technical aspects of IoT devices.

The legislation’s aim is for NIST to set minimum cybersecurity standards for IoT devices procured by federal agencies, with enforcement beginning December 4, 2022. This regulation leverages federal procurement power to prevent agencies from using IoT devices that fail to meet NIST’s cybersecurity standards.

The Act’s Broader Implications

The IoT Cybersecurity Improvement Act provides only minimum standards for IoT devices used by federal agencies, yet it marks a starting point in recognizing IoT security as a priority for the government. This Act has influenced global approaches to IoT security.

In 2021, President Biden issued an executive order on improving national cybersecurity, one of the most comprehensive U.S. directives on cybersecurity. This order emphasized enhancing IoT security through several key initiatives:

  • Establishing Security Standards: The executive order mandated minimum security standards for federal IoT devices to protect against cyber threats.
  • Launching a Cybersecurity Labeling Program for Consumers: The order included a labeling program to inform consumers about the security features of IoT products, similar to energy efficiency labels on appliances.
  • Accountability for Cybersecurity: The order required federal agencies to prioritize IoT device security within their software supply chains.
  • Adoption of Zero Trust Architecture: Agencies were encouraged to adopt zero-trust principles in IoT device deployment and management.

This executive order went beyond the federal level, also initiating efforts for consumer IoT security. Major economies, including the U.S., Europe, Singapore, and Germany, have since introduced cybersecurity labeling initiatives for consumer IoT devices, reinforcing security efforts worldwide.

In the U.S., the IoT labeling program has reached an advanced implementation stage, with plans to expand to automotive IoT. The U.S. Department of Commerce’s IoT Advisory Board recently recommended that auto dealerships display IoT privacy disclosures prominently on vehicle windshields as part of broader IoT security recommendations.

Future Prospects for IoT Security

Trump’s signing of the IoT Cybersecurity Improvement Act laid the groundwork for subsequent federal IoT security policies, extending into consumer IoT and vehicle IoT. Should Trump continue these policies in his upcoming term, the scope of IoT security regulation may expand to encompass all economic and social sectors that require IoT devices. This expansion could bring about new challenges and requirements for the global IoT industry, making cybersecurity and data protection essential components for market entry worldwide.
