What Is the IoT Cybersecurity Improvement Act of 2020?

Imagine you’ve just set up a shiny new smart home system — your thermostat, security camera and even your coffee maker are now connected. But have you ever stopped to think about how secure these devices are? 

Every Internet of Things (IoT) device you add to your home network is another potential entry point for cybercriminals. And when it comes to the government, where sensitive data and critical infrastructure are at stake, these risks aren’t just about convenience — they’re about national security.

The IoT Cybersecurity Improvement Act of 2020 aims to tackle these risks head-on. But what exactly does this law do, and why was it created? Explore how it impacts IoT device security and what it means for you as a consumer.

What Is the IoT Cybersecurity Improvement Act of 2020?

The IoT Cybersecurity Improvement Act of 2020 is a U.S. law designed to enhance the security of IoT devices used by federal agencies. Signed into law in December 2020, this legislation sets minimum security requirements for IoT devices purchased and deployed by government entities.

The Act was born out of necessity. As IoT devices proliferated, so did their vulnerabilities. From health care systems to military operations, unsecured devices posed a significant risk to federal networks. 

The 2016 Mirai botnet attack — which weaponized IoT devices to disrupt popular sites and major internet services — underscored the urgency of addressing these threats. This law ensures federal IoT devices adhere to strict cybersecurity standards, reducing the chances of such attacks in critical systems.

Why Was the IoT Cybersecurity Improvement Act of 2020 Created?

The Act addresses several pressing issues:

• Vulnerabilities in IoT devices: Many IoT devices are built with minimal focus on security, leaving them susceptible to attacks.

• Rising cyber threats: With state-sponsored and independent cyberattacks on the rise, federal systems require robust defenses.

• Lack of existing standards: Before this law, federal systems had no universal standard for IoT device security, leaving agencies to navigate a fragmented landscape.

The Act fills these gaps by mandating baseline standards, ensuring consistent security measures across the board.

How Does the IoT Cybersecurity Improvement Act of 2020 Work?

The Act revolves around three main pillars:

• Guidance from NIST: The National Institute of Standards and Technology (NIST) develops cybersecurity guidelines under the Act. These guidelines outline best practices for secure device design, software updates and identity management.

• Federal procurement standards: Federal agencies must purchase only IoT devices that comply with NIST guidelines. This ensures that insecure devices are excluded from government systems.

• Vulnerability reporting: Manufacturers must establish clear processes for identifying and addressing vulnerabilities in their IoT devices, allowing for swift responses to emerging threats.

How Does This Law Affect You as a Consumer?

While the law directly applies to federal agencies, its impact extends beyond government procurement. Here’s how it could affect your experience with IoT devices:

• Higher security standards across the industry: Manufacturers aiming to sell to the federal government will likely apply NIST guidelines to all their products, including consumer-grade devices. This could mean better security for the IoT devices you buy, such as encrypted communications and stronger password protections.

• Fewer cybersecurity risks at home: Improved device security reduces the chances of your smart home devices being hacked or exploited in broader attacks, giving you peace of mind.

• A shift in consumer expectations: As more manufacturers adopt robust security practices, consumers like you may begin to demand higher standards from all IoT devices. This law sets a precedent that could influence industry trends globally.

What Types of Devices Are Covered?

The law specifically targets IoT devices used in federal systems. These include:

• Smart surveillance cameras
• Connected medical devices
• Sensors in critical infrastructure
• Industrial IoT systems

While it doesn’t regulate all IoT devices, the security improvements driven by this law will also influence consumer products.

How Can You Ensure Your IoT Devices Are Secure?

As IoT devices evolve, you have a role in safeguarding your home network. Here are actionable tips to enhance your security:

• Update firmware regularly: Manufacturers often release updates to address security vulnerabilities. Enable automatic updates where possible.

• Use secure networks: Connect your devices to a secure Wi-Fi network with a strong password. Ensure your router’s firmware is up to date to protect against known vulnerabilities.

• Change default passwords: Always set unique, strong passwords for your devices to prevent unauthorized access. Avoid reusing passwords and change them regularly.

• Disable unused features: Many IoT devices come with unnecessary features enabled by default. To reduce potential vulnerabilities, deactivate those you don’t need.

• Use Multi-Factor Authentication (MFA): If your IoT devices or their associated apps support MFA, enable it. This adds an extra layer of protection by requiring a second verification method — such as a code sent to your phone — in addition to your password.

• Segment your network: Use separate Wi-Fi networks for IoT devices and more sensitive systems like your work or personal devices. Network segmentation ensures that if one device is compromised, attackers can’t easily access the rest of your systems.

• Disable remote access: Many IoT devices allow remote access by default, which hackers can exploit. Disable this feature unless it’s absolutely necessary.

• Turn off unused devices: If you’re not using a device, disconnect it from the network or power it down. This reduces the chance of it being targeted by attackers.

• Audit your devices regularly: Periodically check what devices are connected to your network. Identify any unauthorized connections and remove devices you no longer use.

• Enable firewalls: Use a firewall to block unauthorized traffic to and from your IoT devices. Some routers come with built-in firewalls that can provide an extra layer of protection.

• Choose devices with automatic security updates: Look for IoT devices that advertise regular and automatic security updates. This ensures that vulnerabilities are patched quickly without requiring manual intervention.

• Research manufacturer security practices: Before purchasing an IoT device, investigate the manufacturer’s reputation for cybersecurity. Choose brands known for robust security features and long-term support.

• Check app permissions: Many IoT devices are controlled through mobile apps. Review the permissions granted to these apps and restrict access to unnecessary features like location data or microphone use.

• Monitor data traffic: Use tools or software to monitor the data flow from your IoT devices. Unusual traffic patterns can be an early warning sign of a breach.

What’s Next for IoT Security?

The IoT Cybersecurity Improvement Act is just the beginning. As IoT devices become even more embedded in daily life, future regulations may extend these requirements to consumer markets. Other countries might adopt similar laws, creating a global push for stronger IoT security standards. 

For now, the Act serves as a model for secure IoT practices. Setting these benchmarks paves the way for a safer connected world.

Take Control of Your IoT Security

The IoT Cybersecurity Improvement Act of 2020 represents a significant step toward reducing vulnerabilities in a world that increasingly relies on connected devices. While its primary focus is on federal systems, its ripple effects benefit everyone. As a consumer, you can take steps to protect your devices and demand better security from manufacturers.