New IoT Cyber Law

On December 4th, the President of the U.S. signed the IoT Cybersecurity Improvement Act of 2020, which directs the National Institute of Standards and Technology (NIST) to create standards and guidelines on the use and management of internet of things devices by federal agencies and to develop guidance on vulnerability disclosure and the resolution of disclosed vulnerabilities.

Federal Computer Week published a summary here.

The full text of the law is here.

Of course this new law, like many of its predecessors, pushes responsibility onto NIST and asks NIST to orchestrate efforts. However, NIST will not go far enough. So many manufacturers ship products without any testing whatsoever! What if the U.S. Congress drafted laws that imposed financial penalties on manufacturers who shipped products with vulnerabilities, especially for known vulnerabilities?