While the recently passed IoT Cybersecurity Improvement Act of 2020 may only apply to Internet of Things (IoT) devices purchased by the federal government, lawyers say it may become a de facto IoT cybersecurity baseline for the private sector. 

After previous IoT cybersecurity bills fizzled, on Dec. 4, 2020, the IoT Cybersecurity Improvement Act was signed into law. The measure placed a 90-day deadline on the National Institute of Standards and Technology (NIST) to develop and publish standards and guidelines for the federal government's use and management of IoT devices. After NIST submits its guidelines, the Office of Management and Budget (OMB) has roughly six months to review and enact those standards. NIST is required to review and potentially revise its guidelines at least every five years, according to the law.

Roughly two weeks after the law was passed, NIST released four draft IoT cybersecurity documents. The documents included suggested frameworks manufacturers should consider when building IoT devices for the federal government and guidance on what federal agencies should ask when they purchase IoT devices. Once public comment concludes on Feb. 12 and the guidelines are finalized, they could provide a definitive framework for reasonable IoT cybersecurity.