Sam Kaplan Discusses Impact of New IoT Act on Private Sector
Sam Kaplan, special counsel in Wiley’s Privacy, Cyber & Data Governance Practice, was quoted extensively in a Cybersecurity Law Report article discussing key provisions of the recently passed Internet of Things (IoT) law. The new legislation means government contractors will have to move quickly to comply with the standards of the IoT Cybersecurity Improvement Act of 2020 (IoT Act) in order to conduct business with executive agencies.
Mr. Kaplan noted that the IoT Act, which requires increased security for federal devices, has broad applicability and “will eventually lead to the government being unable to acquire IoT devices from companies that are unable to represent that they have implemented the baseline security principles” set out by the National Institute of Standards and Technology (NIST).
While the sectors most impacted by the IoT Act will be critically important communications and technology services, the legislation will increasingly impact a range of “smart” devices, Mr. Kaplan pointed out. “Even companies that are providing smart TVs for government spaces, for example, will have to start thinking about issues like networking capabilities and security requirements,” he said. “The IoT Act really expands the aperture.”
With the government focusing more on supply chain issues, the IoT Act is “a first shot over the barrel,” observed Mr. Kaplan. “Requirements on third-party contractors, especially those that are providing services to the government, are only going to increase.” He anticipates there will be other “one-off legislative provisions” as the government telegraphs to the private sector that additional responsibilities will likely be required of companies seeking to do business with the government, Cybersecurity Law Report explained.
The IoT Act dictates that the Director of NIST will publish minimum security measures in the form of standards and guidelines (S&Gs), and agencies will have to revise their policies to meet those guidelines under the oversight of the OMB Director, according to Cybersecurity Law Report. OMB will conduct that review, which excludes policies related to IoT devices that are part of a national security system, in consultation with the Cybersecurity and Infrastructure Security Agency (CISA) of the Department of Homeland Security (DHS), the publication reported.
“CISA has really asserted itself as the Federal Government’s risk management advisor,” Mr. Kaplan commented. One recent CISA publication directs the federal community to develop and implement vulnerability disclosure policies, which dovetails with the IoT Act’s requirement for NIST to develop a vulnerability disclosure program, he added.
To achieve compliance, some companies may hire a third party to conduct an assessment based on published government materials, according to the article. Mr. Kaplan pointed to federal cyber initiatives in 2020 and the Cyberspace Solarium Commission’s reports as “quickly becoming the seminal documents in the cyber policy space that people are looking to for advanced recommendations.”
“I think the biggest tip in the near term is for companies and industries to proactively engage with DHS and other government agencies and have two-way discussions about technologies, capabilities and vulnerabilities,” Mr. Kaplan continued. “These conversations are always more constructive and fulsome during steady-state times. It never gets easier when there’s a problem or incident.”