As the Internet of Things (IoT) continues to become more prevalent in our everyday lives – both at home and in the workplace – security of connected devices remains an ongoing priority of the Open Connectivity Foundation (OCF) specifications. OCF technology is at the forefront of IoT security, and OCF members regularly monitor industry cybersecurity guidelines to remain abreast of new trends, guidelines and regulations. This is evident in OCF’s alignment with five key industry security baselines.
One such regulation OCF is closely following this year is the IoT Cybersecurity Improvement Act. Passed in late 2020 with bipartisan support, the law requires device manufacturers or OEMs selling to US government agencies to demonstrate compliance with cybersecurity guidelines. Although the act currently only applies to federal government agencies, the regulations are expected to trickle down to the private sector.
The act requires the National Institute of Standards and Technology (NIST) to develop and publish standards and guidelines on the appropriate use and management of IoT devices, including minimum security requirements for managing cybersecurity risks associated with those devices. These guidelines will build upon previous NIST initiatives, such as the IoT Device Cybersecurity Capability Core Baseline. OCF actively contributed to this document, with NIST identifying OCF as an example reference for each of its six core cybersecurity baseline capabilities. While this document applies to pre-market activities for IoT device manufacturers, the IoT Cybersecurity Improvement Act will shift its focus to what happens after the devices are purchased and deployed.
While the act currently only applies to IoT devices deployed within federal government agencies, it is a step in the right direction toward confronting the larger scope of IoT device vulnerabilities. IoT security is one of the most widely discussed industry concerns, yet a standardized approach does not currently exist. Without agreed-upon standards for the secure interoperability of IoT devices, the industry will be slower to advance and become increasingly vulnerable to security threats. Security should be inherent to IoT and part of its DNA, rather than added later as an afterthought. Regionally and globally adopted industry standards will help to ensure this security-first approach is taken with all IoT devices.
OCF applauds the ongoing efforts of NIST to confront cybersecurity threats within the IoT ecosystem. We are hopeful that its work will result in wider adoption of IoT security standards within the private sector. Looking forward, OCF will continue to monitor new federal and state guidelines for IoT security and map the OCF specifications to them accordingly.
For a more in-depth look into the IoT Cybersecurity Improvement Act, read the following article from Security InfoWatch.