Why the IoT Cybersecurity Improvement Act will probably fade away
- Sep 2, 2021 2:04 am GMT
My last two posts discussed the two mandatory cybersecurity “regulations” that were promulgated within about six months of each other, under two very different presidents: the IoT Cybersecurity Improvement Act of 2020 and the IoT device “labeling” requirement in the May 12 Executive Order. At first glance, the two couldn’t seem more different. Here are some of the differences:
- The Act is a law, passed by both houses of Congress and signed by the president. The EO is simply an order: it can’t by itself override a law, and Congress could override it with a new law if it were inclined to pass one.
- The Act focuses entirely on IoT devices, while the EO is a sprawling attempt to improve cybersecurity in the federal government, on many different fronts.
- The Act focuses entirely on federal agencies, requiring them to incorporate cybersecurity requirements into their procurement terms and conditions for IoT devices. There is no doubt that the intention was for the Feds to set a standard that private industry would follow, but the Act itself says not a word about that. The device labeling provision in the EO, on the other hand, while also aimed at procurement by federal agencies, repeatedly speaks of “education” and “consumers”. For example, paragraph (s) of section 4 includes the phrase “educate the public on the security capabilities of Internet-of-Things (IoT) devices and software development practices”, and paragraph (t) says the labeling program should be “compatible with existing labeling schemes that manufacturers use to inform consumers about the security of their products” (you can read both paragraphs in full in my previous post).
- The Act seems to be a variation on a familiar theme: require federal contractors to be assessed against a new standard to be developed by NIST (which NIST has since done; more on that in a moment). The very name “device labeling”, on the other hand, signals a type of cybersecurity regulation that has not been seen previously in the US, although it has been used to a limited degree in Europe and Southeast Asia.