U.S. IoT Security Law Sets New Standards and Liability Requirements
Many IoT teams still treat security as a low‑priority add‑on, citing cost and effort. Buyers rarely demand extra spending for stronger cyber‑security, and many products lack such features. Yet lawmakers are beginning to make robust security a statutory requirement for consumer‑grade IoT devices.
Speaking at IoT World Today’s IoT Security Summit, NIST program manager Katerina Megas highlighted that several states already have laws mandating that connected devices include “reasonable security features.” In January 2020, California and Oregon enacted such statutes, and Illinois, Massachusetts, New York, and Virginia have similar bills pending or under consideration.
On the federal level, the House introduced H.R. 1668 – the Internet of Things Cybersecurity Improvement Act of 2020 – in March. The bill directs the creation of “standards and guidelines for the Federal Government on the appropriate use and management of Internet of Things devices owned or controlled by an agency,” including minimum information‑security requirements. The legislation passed both chambers and was signed into law on December 4; the required standards and guidelines must be published within 90 days.

Laws mandating that security features be implemented in IoT devices are now starting to be enacted.
While H.R. 1668 applies only to devices used by the U.S. government, it signals the beginning of broader cybersecurity mandates that will eventually cover industrial and consumer systems nationwide. In 2019, Congress established the Cyberspace Solarium Commission, whose first report contained more than 80 recommendations, including 50+ legislative proposals to support a layered defense strategy. Many of those proposals affect both government and commercial IoT deployments.
Three proposals deserve particular attention from IoT developers:
- A federal IoT security law mandating “reasonable security measures” in line with NIST guidance such as NISTIR 8259 – Foundational Cybersecurity Activities for IoT Device Manufacturers.
- The creation of a National Cybersecurity Certification and Labeling Authority to verify device compliance, extending beyond federal and industrial systems to personal and consumer electronics.
- A liability framework that holds final goods assemblers responsible for damages if their devices fail to defend against known vulnerabilities, making robust security a legal “must‑have” regardless of consumer willingness to pay extra.
The term “reasonable security features” remains broadly defined. In California and Oregon, “reasonable” simply requires measures that match the device’s function and the data it processes, aiming to prevent unauthorized access, disclosure, use, modification, or destruction. Specific controls are not prescribed.
Following NIST’s outcome‑based philosophy, these laws avoid prescribing exact technical solutions. Instead, they demand a security posture that aligns with the device’s purpose and threat profile, leaving the choice of safeguards to the development teams. As the legal landscape evolves, the implementation of IoT security will shift from good practice to mandatory compliance.
This article was originally published on our sister site, EDN.