In December 2020, the US enacted its Internet of Things Cybersecurity Improvement Act of 2020. The law establishes the minimum security requirements for IoT devices owned or controlled by the federal government.
The law focuses on two aspects of cybersecurity, both of which can impact IoT device security in a meaningful way. It calls for the definition of standards, guidelines, and minimum security requirements that IoT devices will need to meet if connected to federal government information systems. It also outlines a requirement for a vulnerability disclosure process, which will clear the way for ethical hackers to test IoT devices used in federal government systems for vulnerabilities and report them responsibly.
The National Institute of Standards and Technology (NIST) is required to specify the minimum security requirements and publish them by March 2021, and to issue the guidelines on vulnerability disclosures by June 2021.
While the law applies only to devices owned or controlled by the federal government, manufacturers of such devices will hopefully use the same secure technology and standards in the development of consumer IoT devices.