Navigate the complex world of cybersecurity regulation for IoT products in the United States. A complete overview of compliance for manufacturers.
Background on regulation and legislation in the United States
The U.S. regulatory system is complex and layered. At the federal level, laws are passed by Congress while the President can issue executive orders that carry force for federal agencies. Federal agencies such as the National Institute of Standards and Technology (NIST) supplement these laws with detailed guidelines and standards that help implement them in practice.
At the same time, individual states have the authority to enact their own laws as long as they do not conflict with federal law. This federal structure often results in a web of regulations that companies must navigate carefully. For IoT manufacturers, this means considering not only national standards but also the specific requirements of the states where they intend to sell their products.
Federal laws
At the federal level there are several important laws and initiatives aimed at improving cybersecurity generally and the security of IoT devices in particular.
Executive Order 14028: Improving the Nation’s Cybersecurity
On May 12, 2021, President Biden signed Executive Order 14028 (https://www.federalregister.gov/documents/2021/05/17/2021-10460/improving-the-nations-cybersecurity), which aims for a comprehensive strengthening of the nation’s cybersecurity. The order emphasizes several key areas:
- It promotes improved information sharing between government and the private sector to detect and respond to threats more quickly.
- It requires the implementation of stronger cybersecurity standards in federal agencies, including adoption of zero-trust architectures.
- It places special focus on improving software supply chain security, including introducing a Software Bill of Materials (SBOM) to increase transparency about components used in software.
The order also foresees the creation of a Cyber Safety Review Board to analyze major cyber incidents and draw lessons. Additionally, it aims to standardize responses to cybersecurity incidents to enable more effective and coordinated threat responses.
For IoT manufacturers, the executive order has wide-reaching consequences. Companies should expect higher security standards, especially if they want to sell products to government agencies. The order also demands greater transparency about product security and paves the way for stricter reviews and certifications. While primarily directed at federal agencies, it sets new benchmarks for the whole industry and indirectly influences the private sector.
Many manufacturers remain uncertain which requirements from executive orders, federal laws, and NIST guidelines actually apply to them - particularly when products are supplied to public entities or critical customers. A brief classification of the product and its customer base can help clarify the actual exposure.
Internet of Things Cybersecurity Improvement Act of 2020
Another milestone is the IoT Cybersecurity Improvement Act (https://www.congress.gov/bill/116th-congress/house-bill/1668), enacted on December 4, 2020. This law specifically targets the security of IoT devices used by U.S. federal agencies. It tasks NIST with developing standards for those devices and sets minimum requirements in areas such as secure development, identity management, patching, and configuration.
The law requires the Office of Management and Budget to develop procurement policies for IoT devices and introduces vulnerability disclosure policies. For IoT manufacturers this means meeting the standards developed by NIST to be eligible to sell to federal agencies. Moreover, the law effectively establishes an industry benchmark, since many private companies tend to align with public-sector requirements.
These regulations create a strong incentive for manufacturers to revise their development practices and security measures. Although the law initially applies only to sales to federal agencies, it indirectly affects the wider IoT market because companies often prefer unified product lines for all customers.
U.S. Cyber Trust Mark
Announced in July 2023, the U.S. Cyber Trust Mark is a voluntary certification program for IoT devices. The program envisions a visible label for products that meet certain security standards. The underlying standards are based on NIST guidance and cover elements such as secure default settings, data encryption, regular updates, and clear privacy policies.
Initially the program focuses on consumer IoT devices like smart-home gadgets, fitness trackers, and smart TVs. For IoT manufacturers the Cyber Trust Mark offers a way to differentiate in the market and build consumer trust. It incentivizes ongoing investment in product security and could evolve into a de facto market standard.
The program underscores the growing importance of IoT security at the national level and aims to foster a culture of security across the industry. For consumers it provides an easy guide for choosing more secure IoT products.
Laws in individual states
In addition to federal initiatives, several U.S. states have enacted or are considering laws on IoT security. These state laws play an important role in shaping the IoT security landscape in the United States.
- California led the way with Senate Bill No. 327 (https://leginfo.legislature.ca.gov/faces/billTextClient.xhtml?bill_id=201720180SB327) in 2018, becoming the first state to pass an IoT security law. That law requires “reasonable” security features for connected devices and mandates that devices either have a unique password or force users to create a new password before first use. As a pioneering law it set an important precedent at the state level and drew manufacturers’ and consumers’ attention to the importance of basic security measures.
- Oregon followed in 2019 with House Bill 2395 (https://olis.oregonlegislature.gov/liz/2023R1/Measures/Overview/HB2395), building on California’s model but going further. It more precisely defines what counts as “reasonable” security features and requires industry-standard protections and explicit safeguards against unauthorized access. By offering clearer definitions it gives manufacturers more concrete guidance and raises the bar for IoT security. Oregon’s law shows how states learn from each other and refine laws to address weaknesses in earlier versions.
- Other states have launched initiatives as well. In Illinois, House Bill 3391 (https://www.ilga.gov/legislation/BillStatus.asp?DocNum=3391&GAID=15&DocTypeID=HB&LegID=119982&SessionID=108&SpecSess=&Session=&GA=101) was proposed to create a “Security of Connected Devices Act” but did not pass during the 2019-2020 legislative session.
- New York is considering Assembly Bill 561 (https://www.nysenate.gov/legislation/bills/2023/A561), which follows approaches similar to those in California and Oregon. Although still pending, a law from New York could have wide-reaching effects given the state’s size and influence.
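The California requirement above (a password unique to each device, or a forced password change before first use) is concrete enough to model in firmware logic. The following is an added example written for this article, not code from any of the laws or agencies it discusses; the device fields, serial numbers and the shared factory password "admin" are constructed for illustration.

```python
"""First-boot login gate modelled on the California SB 327 password rule:
a unit is acceptable if it ships with a per-device unique password, or if it
refuses normal use until the owner replaces a shared factory default."""
from dataclasses import dataclass
from typing import Optional, Tuple
import hashlib
import secrets

SHARED_FACTORY_PASSWORD = "admin"   # constructed: the one-default-for-all-units pattern SB 327 targets

@dataclass
class Device:
    serial: str
    pw_hash: str
    shared_default: bool      # factory password identical across all units?
    user_changed: bool = False

def hash_pw(serial: str, pw: str) -> str:
    # Salted with the serial so the same password on two units does not hash alike.
    return hashlib.sha256(f"{serial}:{pw}".encode()).hexdigest()

def ship_with_shared_default(serial: str) -> Device:
    """Legacy shipping model: every unit leaves the factory with the same password."""
    return Device(serial, hash_pw(serial, SHARED_FACTORY_PASSWORD), shared_default=True)

def ship_with_unique_password(serial: str) -> Tuple[Device, str]:
    """SB 327 option 1: a password unique to this unit, printed on its label."""
    pw = secrets.token_urlsafe(12)
    return Device(serial, hash_pw(serial, pw), shared_default=False), pw

def change_required(dev: Device) -> bool:
    """SB 327 option 2 applies only while a unit still carries the shared default."""
    return dev.shared_default and not dev.user_changed

def login(dev: Device, pw: str, new_pw: Optional[str] = None) -> str:
    """Returns 'denied', 'change_required' or 'ok'."""
    if hash_pw(dev.serial, pw) != dev.pw_hash:
        return "denied"
    if change_required(dev):
        # Block normal use until a genuinely new password of usable length is set.
        if not new_pw or new_pw == pw or len(new_pw) < 8:
            return "change_required"
        dev.pw_hash = hash_pw(dev.serial, new_pw)
        dev.user_changed = True
    return "ok"
```

A unit shipped with a unique password logs in normally on first use; a unit shipped with the shared default returns `change_required` until the owner supplies a replacement, after which the old default no longer works.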
The importance of these state laws extends well beyond state borders. They set standards for basic security measures and influence the development of federal standards. For IoT manufacturers this means they must adapt product development to multiple state and federal requirements. Many manufacturers choose to align their products with the strictest requirements to offer a unified product line across the U.S., which makes laws from large states like California and New York effectively national in scope.
Differing federal and state requirements raise practical questions for product strategy - such as whether a strictest-requirement approach is worthwhile or whether differentiated product variants make more sense.
Impact on IoT manufacturers
The evolving regulatory landscape has profound effects on IoT manufacturers. They must not only adapt product development to various state and federal requirements but also expect growing investments in R&D for security features. This can increase production costs but also offers opportunities to differentiate through early compliance and innovative security solutions.
Manufacturers that respond proactively to these regulatory challenges can gain competitive advantages. They can position themselves as security leaders and trusted partners for consumers and businesses that increasingly care about the safety of their connected devices.
Future developments and trends
IoT security regulation in the United States is in a dynamic phase. The IoT Cybersecurity Improvement Act has already initiated important steps toward federal harmonization, but development is far from complete.
The framework established by the IoT Cybersecurity Improvement Act will likely be expanded and refined. Expect NIST standards to be updated regularly to keep pace with a rapidly evolving threat landscape.
Initiatives like the U.S. Cyber Trust Mark are likely to gain importance. Such programs could shift from voluntary to quasi-mandatory standards, similar to how energy efficiency labels became market expectations. Participation in these programs could become a decisive competitive factor.
With the growing role of artificial intelligence and machine learning in IoT security, future regulations may introduce specific requirements for the use of these technologies. This could include guidelines for transparent algorithms, bias prevention, and ethical AI use.
Given the increasing volumes of data collected by IoT devices, a closer integration of security and privacy regulations is likely. Future rules may require holistic approaches that address both aspects together.
These developments will continue to shape the U.S. IoT landscape and pose new challenges for manufacturers, but they also offer opportunities for innovation and competitive advantage through early adaptation to higher security standards.
Conclusion
Cybersecurity regulation for IoT in the United States is at a pivotal point. The mix of federal initiatives, state laws, and voluntary standards creates a complex but forward-looking regulatory framework. For IoT manufacturers this means continuous strategy adjustments, but it also opens doors for innovation and market differentiation.
The challenge is to reconcile security with technological progress. Going forward, AI-based security solutions, international standardization efforts, and tighter links between security and privacy are likely to gain importance.
Ultimately the success of these regulations will be measured by whether they can create a secure and innovation-friendly IoT ecosystem. Decisions made in the United States will undoubtedly influence the global IoT landscape.
The U.S. approach to IoT regulation differs significantly from the European model (for example CRA, RED, or ETSI standards). If you want to assess how U.S. requirements affect your product development, documentation, or market access strategy, this can be clarified in a no-obligation discussion.