2020 US Code
Title 15 - Commerce and Trade
Chapter 7 - National Institute of Standards and Technology
Sec. 278g-3b - Security standards and guidelines for agencies on use and management of Internet of Things devices

Download PDF
Citation 15 U.S.C. § 278g-3b (2020)
Section Name §278g–3b. Security standards and guidelines for agencies on use and management of Internet of Things devices
Section Text (a) National Institute of Standards and Technology development of standards and guidelines for use of Internet of Things devices by agencies (1) In general

Not later than 90 days after December 4, 2020, the Director of the Institute shall develop and publish under section 278g–3 of this title standards and guidelines for the Federal Government on the appropriate use and management by agencies of Internet of Things devices owned or controlled by an agency and connected to information systems owned or controlled by an agency, including minimum information security requirements for managing cybersecurity risks associated with such devices.

(2) Consistency with ongoing efforts

The Director of the Institute shall ensure that the standards and guidelines developed under paragraph (1) are consistent with the efforts of the National Institute of Standards and Technology in effect on December 4, 2020—

(A) regarding—

(i) examples of possible security vulnerabilities of Internet of Things devices; and

(ii) considerations for managing the security vulnerabilities of Internet of Things devices; and


(B) with respect to the following considerations for Internet of Things devices:

(i) Secure Development.

(ii) Identity management.

(iii) Patching.

(iv) Configuration management.

(3) Considering relevant standards

In developing the standards and guidelines under paragraph (1), the Director of the Institute shall consider relevant standards, guidelines, and best practices developed by the private sector, agencies, and public-private partnerships.

(b) Review of agency information security policies and principles (1) Requirement

Not later than 180 days after the date on which the Director of the Institute completes the development of the standards and guidelines required under subsection (a), the Director of OMB shall review agency information security policies and principles on the basis of the standards and guidelines published under subsection (a) pertaining to Internet of Things devices owned or controlled by agencies (excluding agency information security policies and principles pertaining to Internet of Things of devices owned or controlled by agencies that are or comprise a national security system) for consistency with the standards and guidelines submitted under subsection (a) and issue such policies and principles as may be necessary to ensure those policies and principles are consistent with such standards and guidelines.

(2) Review

In reviewing agency information security policies and principles under paragraph (1) and issuing policies and principles under such paragraph, as may be necessary, the Director of OMB shall—

(A) consult with the Director of the Cybersecurity and Infrastructure Security Agency of the Department of Homeland Security; and

(B) ensure such policies and principles are consistent with the information security requirements under subchapter II of chapter 35 of title 44.

(3) National security systems

Any policy or principle issued by the Director of OMB under paragraph (1) shall not apply to national security systems.

(c) Quinquennial review and revision (1) Review and revision of NIST standards and guidelines

Not later than 5 years after the date on which the Director of the Institute publishes the standards and guidelines under subsection (a), and not less frequently than once every 5 years thereafter, the Director of the Institute, shall—

(A) review such standards and guidelines; and

(B) revise such standards and guidelines as appropriate.

(2) Updated OMB policies and principles for agencies

Not later than 180 days after the Director of the Institute makes a revision pursuant to paragraph (1), the Director of OMB, in consultation with the Director of the Cybersecurity and Infrastructure Security Agency of the Department of Homeland Security, shall update any policy or principle issued under subsection (b)(1) as necessary to ensure those policies and principles are consistent with the review and any revision under paragraph (1) under this subsection and paragraphs (2) and (3) of subsection (b).

(d) Revision of Federal Acquisition Regulation

The Federal Acquisition Regulation shall be revised as necessary to implement any standards and guidelines promulgated in this section.

Source Credit

(Pub. L. 116–207, §4, Dec. 4, 2020, 134 Stat. 1002.)

Editorial Notes CODIFICATION

Section was enacted as part of the Internet of Things Cybersecurity Improvement Act of 2020, also known as the IoT Cybersecurity Improvement Act of 2020, and not as part of the National Institute of Standards and Technology Act which comprises this chapter.

DEFINITIONS

For definitions of terms used in this section, see section 278g–3a of this title.

Publication Title United States Code, 2018 Edition, Supplement 2, Title 15 - COMMERCE AND TRADE
Category Bills and Statutes
Collection United States Code
SuDoc Class Number Y 1.2/5:
Contained Within Title 15 - COMMERCE AND TRADE
CHAPTER 7 - NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY
Sec. 278g-3b - Security standards and guidelines for agencies on use and management of Internet of Things devices
Contains section 278g-3b
Date 2020
Laws In Effect As Of Date January 13, 2021
Positive Law No
Disposition standard
Statutes at Large References 134 Stat. 1002
Public Law References Public Law 116-207
Disclaimer: These codes may not be the most recent version. United States may have more current or accurate information. We make no warranties or guarantees about the accuracy, completeness, or adequacy of the information contained on this site or the information linked to on the state site. Please check official sources.
This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.