Navigate the complex world of cybersecurity regulation for IoT products in the US. A complete overview of compliance requirements for manufacturers.
Background on regulation and legislation in the US
The US regulatory system is complex and multilayered. At the federal level, laws are passed by Congress while the President can issue executive orders that carry force for federal agencies. In addition, federal bodies like the National Institute of Standards and Technology (NIST) develop detailed guidelines and standards that support the practical implementation of laws and regulations.
In parallel, individual states have the authority to pass their own laws as long as they do not conflict with federal statutes. This federal structure often results in a web of regulations that companies must navigate carefully. For IoT manufacturers, this means they must consider not only national standards but also the specific requirements of the states where they intend to sell their products.
Federal laws
At the federal level there are several important laws and initiatives aimed at improving cybersecurity in general and the security of IoT devices in particular.
Executive Order 14028: Improving the Nation's Cybersecurity
On May 12, 2021 President Biden signed Executive Order 14028, which aims to comprehensively strengthen cybersecurity in the United States. This order emphasizes several key points:
- It promotes improved information sharing between government and the private sector to detect and respond to threats more quickly.
- It mandates the implementation of stronger cybersecurity standards in federal agencies, including adoption of zero-trust architectures.
- A particular focus is improving software supply chain security, including the introduction of a “Software Bill of Materials” (SBOM) to increase transparency about components used in software.
The order also provides for the establishment of a Cyber Safety Review Board to analyze significant cyber incidents and draw lessons from them. Furthermore, it aims to standardize incident response to enable a more effective and coordinated reaction to threats.
For IoT manufacturers, this Executive Order has wide-ranging consequences. They must prepare for higher security standards, especially if they intend to sell products to government agencies. The order also requires greater transparency regarding product security and paves the way for stricter reviews and certifications. Although primarily aimed at federal agencies, the order sets new benchmarks for the industry as a whole and indirectly affects the private sector.
Internet of Things Cybersecurity Improvement Act of 2020
Another milestone in IoT security regulation is the IoT Cybersecurity Improvement Act, which took effect on December 4, 2020. This law specifically targets the security of IoT devices used by US federal agencies. It tasks NIST with developing standards for these devices and sets minimum requirements in areas such as secure development, identity management, patching, and configuration.
The law requires the Office of Management and Budget to develop procurement policies for IoT devices and introduces policies for vulnerability disclosure. For IoT manufacturers this means they must meet the standards developed by NIST to sell products to federal agencies. Moreover, the law effectively sets an industry standard, as many private companies tend to align with public-sector requirements.
These regulations create a strong incentive for manufacturers to revise their development practices and security measures. Although the law initially applies only to sales to federal agencies, it indirectly impacts the entire IoT market because companies often aim for unified product lines across all customers.
U.S. Cyber Trust Mark
As the latest initiative, the U.S. Cyber Trust Mark was announced in July 2023 as a voluntary certification program for IoT devices. The program envisions a visible label for products that meet certain security standards. The underlying standards are based on NIST guidance and cover aspects such as secure default settings, data encryption, regular updates, and clear privacy policies.
The program initially focuses on consumer IoT devices like smart-home gadgets, fitness trackers, and smart TVs. For IoT manufacturers, the Cyber Trust Mark offers a way to differentiate in the market and build consumer trust. It incentivizes ongoing investment in product security and could evolve into a de facto market standard.
The program underlines the growing national importance of IoT security and aims to foster a culture of security across the industry. For consumers it provides a simple guide to choosing more secure IoT products.
State laws
In addition to federal initiatives, several US states have enacted or are considering their own IoT security laws. These state-level laws play an important role in shaping the IoT security landscape in the US.
- California was the first state to pass an IoT security law with Senate Bill No. 327 in 2018. That law requires “reasonable” security features for connected devices and mandates that devices either have a unique password or force the user to create a new password before first use. As a pioneering law, it set an important precedent and drew manufacturers' and consumers' attention to the importance of basic security measures.
- Oregon followed in 2019 with House Bill 2395, which builds on the California model but goes further. It more precisely defines what constitutes “reasonable” security features and requires industry-standard security measures as well as explicit protection against unauthorized access. By offering clearer definitions, it provides manufacturers with more concrete guidance and raises the bar for IoT security. Oregon's law illustrates how states learn from one another and refine legislation to address weaknesses in earlier versions.
- Other states have launched initiatives as well. In Illinois, House Bill 3391 was introduced to create a “Security of Connected Devices Act,” but it did not pass during the 2019-2020 legislative session.
- New York is considering Assembly Bill 561, which follows approaches similar to those in California and Oregon. Although still under development, such a bill could have wide-ranging effects on the national IoT landscape given New York's size and influence.
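The California requirement above (a password unique to each unit, or a forced password change before first use) is concrete enough to audit at provisioning time. The following is an added example, not code from any regulator or manufacturer; the device records, serial numbers and the short list of well-known default passwords are constructed for illustration.

```python
"""Fleet-level audit of the first-use credential rule in California SB-327:
each connected device must either ship with a password unique to that unit
or force the user to set a new password before first use."""
from collections import Counter
from dataclasses import dataclass
from hashlib import sha256

# Constructed list of default credentials a provisioning audit should never accept
KNOWN_DEFAULTS = {"admin", "password", "12345678"}

@dataclass(frozen=True)
class DeviceRecord:
    serial: str
    password_hash: str            # SHA-256 hex of the factory-provisioned password
    force_change_on_first_use: bool

def provision_hash(password: str) -> str:
    # Audit data holds hashes, not cleartext; this helper builds the sample records.
    return sha256(password.encode("utf-8")).hexdigest()

def check_fleet(devices: list[DeviceRecord]) -> dict[str, list[str]]:
    """Map each serial to its findings; an empty list means the unit satisfies
    at least one of the two SB-327 alternatives."""
    default_hashes = {provision_hash(p) for p in KNOWN_DEFAULTS}
    occurrences = Counter(d.password_hash for d in devices)
    report: dict[str, list[str]] = {}
    for d in devices:
        findings: list[str] = []
        if d.force_change_on_first_use:
            report[d.serial] = findings       # second alternative satisfied
            continue
        others = occurrences[d.password_hash] - 1
        if others:
            findings.append(f"password shared with {others} other unit(s)")
        if d.password_hash in default_hashes:
            findings.append("password is a well-known default")
        report[d.serial] = findings
    return report

def noncompliant_serials(devices: list[DeviceRecord]) -> list[str]:
    return sorted(s for s, f in check_fleet(devices).items() if f)

# Constructed sample fleet covering each outcome
SAMPLE_FLEET = [
    DeviceRecord("SN-0001", provision_hash("k7Qe-2pL9-xV4m"), False),  # unique password
    DeviceRecord("SN-0002", provision_hash("admin"), True),            # default, but forced change
    DeviceRecord("SN-0003", provision_hash("admin"), False),           # default, shared, no change
    DeviceRecord("SN-0004", provision_hash("admin"), False),
]

if __name__ == "__main__":
    for serial, findings in check_fleet(SAMPLE_FLEET).items():
        print(serial, "OK" if not findings else "; ".join(findings))
```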
The significance of these state laws extends beyond state borders. They set standards for basic security measures and influence the development of federal standards. For IoT manufacturers this means they must adapt product development to different state requirements. Many opt to align their products with the strictest requirements to offer a uniform product line across the US market. As a result, laws in large states like California and New York often have a de facto national effect.
Impact on IoT manufacturers
The evolving regulatory landscape has profound implications for IoT manufacturers. They must not only adapt product development to various state and federal requirements but also anticipate increased investment in research and development for security features. This can raise production costs but also offers opportunities to differentiate through early compliance and innovative security solutions.
Manufacturers who respond proactively to these regulatory challenges can gain competitive advantages. They position themselves not only as security leaders but also as trusted partners for consumers and businesses that increasingly care about the security of their connected devices.
Future developments and trends
IoT security regulation in the US is in a dynamic phase. The IoT Cybersecurity Improvement Act has already initiated important steps toward federal harmonization, but development is far from complete.
The framework created by the IoT Cybersecurity Improvement Act is likely to be expanded and refined. NIST standards are expected to be updated regularly to keep pace with a rapidly evolving threat landscape.
Initiatives such as the U.S. Cyber Trust Mark are likely to gain importance and could move from voluntary programs to quasi-mandatory market expectations, similar to energy-efficiency labels. Participation in such programs could become a decisive competitive factor for manufacturers.
With the growing role of artificial intelligence and machine learning in IoT security, future regulations may introduce specific requirements for the use of these technologies. This could include guidelines for transparent algorithms, bias prevention, and ethical AI use.
Given the increasing volumes of data collected by IoT devices, a closer integration of security and privacy regulations is likely. Future rules may demand holistic approaches that treat both aspects in an integrated manner.
These developments will continue to shape the US IoT landscape and present new challenges for manufacturers, while also offering opportunities for innovation and competitive advantage through proactive adaptation to higher security standards.
Conclusion
Cybersecurity regulation for IoT in the US is at a decisive stage. The combination of federal initiatives, state laws, and voluntary standards creates a complex but forward-looking regulatory framework. For IoT manufacturers this requires continuous adjustment of strategies but also offers opportunities for innovation and market differentiation.
The challenge is to balance security and technological progress. Going forward, AI-based security solutions, international standardization efforts, and tighter links between security and privacy are likely to gain importance.
Ultimately, the success of these regulations will be measured by whether they can create a secure and innovation-friendly IoT ecosystem. Decisions made in the US will undoubtedly influence the global IoT landscape.