Skip to content

Internet of Things (IoT)

On February 4, 2022, the National Institute of Standards and Technology (“NIST”) published its Recommended Criteria for Cybersecurity Labeling for Consumer Internet of Things (IoT) Products (“IoT Criteria”).  The IoT Criteria make recommendations for cybersecurity labeling for consumer IoT products, in other words, for IoT products intended for personal, family, or household use.

The purpose of the publication, as described by NIST, is to identify “key elements of a potential labeling scheme.”  The publication makes clear, however, that the scheme would not be established or managed by NIST, but rather “by another organization or program,” referred to in the publication as the “scheme owner.”  The identity of the scheme owner is undetermined, but it “could be a public or private sector” entity.

The publication of the IoT Criteria represents another step toward a national cybersecurity labeling scheme for consumer IoT products.  We should expect that the framework established by NIST in this publication will serve as a model for these requirements.

IoT Criteria Framework.  The IoT Criteria establish recommended considerations for three key aspects of a potential cybersecurity IoT labeling program:

  1. Baseline Product Criteria
  2. Labeling
  3. Conformity Assessments

Continue Reading NIST Publishes Recommended Criteria for Cybersecurity Labeling for Consumer Internet of Things (IoT) Products

This is the ninth in a series of Covington blogs on implementation of Executive Order 14028, “Improving the Nation’s Cybersecurity,” issued by President Biden on May 12, 2021 (the “Cyber EO”).  The first blog summarized the Cyber EO’s key provisions and timelines, and the secondthirdfourthfifthsixthseventh, and eighth blogs described the actions taken by various government agencies to implement the EO from June through December 2021, respectively.

This blog summarizes key actions taken to implement the Cyber EO during January 2022.  As with steps taken during prior months, the actions described below reflect the implementation of the EO within Government.  However, these activities portend further actions in February 2022 that are likely to impact government contractors, particularly those who provide software products or services to government agencies.

National Security Memorandum Issued on Application of Cyber EO Requirements to National Security Systems

On January 19, 2022, President Biden signed National Security Memorandum-8, “Memorandum on Improving the Cybersecurity of National Security, Department of Defense, and Intelligence Community Systems” (the NSM).  The NSM sets forth requirements for National Security Systems (NSS) that are equivalent to or exceed the cyber requirements for Federal Information Systems set forth in the Cyber EO. The NSM also establishes methods for obtaining exceptions to these requirements for unique mission needs.

Section 1 of the NSM addresses how requirements set forth in the Cyber EO will be applied to NSS.  In general, NSS are systems that involve:  intelligence activities, cryptologic activities related to national security, command and control of military forces, equipment that is an integral part of a weapon or weapons system, or are critical to the direct fulfillment of military or intelligence missions.[1]  The NSM states that Cyber EO Sections 1 (“Policy”) and 2 (“Removing Barriers to Sharing Threat Information”) apply to NSS in their entirety, except that the Director of the National Security Agency (“NSA”) (defined as the “National Manager”) shall exercise with respect to NSS the authorities granted the OMB Director and the Secretary of Homeland Security under Section 2 of the Cyber EO.  This means, among other things, that companies that contract with DOD and other national security agencies and whose performance involves NSS, may be subject to the cyber incident reporting and standard contractual clauses promulgated in the Federal Acquisition Regulation pursuant to section 2 of the Cyber EO.

Section 1 of the NSM also requires the Committee on National Security Systems (CNSS) and the national security/intelligence agencies to take several actions to modernize NSS consistent with Section 3 of the Cyber EO.  For example, the NSM requires all agencies that own or operate NSS to update their existing plans to use cloud technology and to develop plans to implement Zero Trust Architecture by March 18, 2022.  The NSM further requires owners or operators of NSS to implement multifactor authentication and encryption of data-in-transit and data-at-rest on such systems by July 18, 2022.  The NSM also requires NSS owners and operators to adhere to the standards for enhancing software supply chain security developed under section 4 of the Cyber EO except where “otherwise authorized by law” or where the National Manager grants an exception.  Section 3 of the NSM sets forth the procedures and conditions for granting exceptions to NSS from the requirements of the Cyber EO.

In addition to the requirements described above, the NSM requires national security agencies to adhere to a process to be developed by the Director of NSA to identify and then inventory the NSS under their control according by April 19, 2022.  This guidance and inventory will be critical to defining the scope of application of the requirements of the memorandum.

The NSM also requires such agencies to report all known or suspected compromises of or unauthorized access to such NSS to the Director of NSA in accordance with procedures to be developed by the Director of NSA.  The NSM authorizes the Director of NSA to issue Emergency Directives and Binding Operational Directives to NSS owners and operators that are similar to the directives that the Cybersecurity and Infrastructure Security Agency (CISA) is authorized to issue to civilian agencies.
Continue Reading January 2022 Developments Under President Biden’s Cybersecurity Executive Order

As 2021 comes to a close, we will be sharing the key legislative and regulatory updates for artificial intelligence (“AI”), the Internet of Things (“IoT”), connected and automated vehicles (“CAVs”), and privacy this month.  Lawmakers introduced a range of proposals to regulate AI, IoT, CAVs, and privacy as well as appropriate funds to study developments

If there is a silver lining to most crises, the accelerated move toward digitized commerce globally and in Africa may be one positive outcome of the COVID-enforced lockdown. It is welcome news there that the South African Minister of Communications and Digital Technologies (“Minister”) published the Draft National Data and Cloud Policy (in Government Gazette

Last week, the office of Acting FCC Chairwoman Jessica Rosenworcel released a draft Notice of Inquiry (NOI) regarding spectrum availability and requirements to support the growth of Internet of Things (IoT).  The FCC will consider this NOI, which is intended to collect information and does not propose rules, in its next Open Commission Meeting scheduled

Last Thursday, the Federal Communications Commission (“FCC”) announced that it will consider a Report and Order at its June 21, 2021 open meeting that would permit the importation and conditional sale of radiofrequency (RF) devices prior to obtaining equipment authorization in some circumstances.  The consumer electronics industry has advocated for this rule change, which will

On May 12, the Biden Administration issued an “Executive Order on Improving the Nation’s Cybersecurity.”  The Order seeks to strengthen the federal government’s ability to respond to and prevent cybersecurity threats, including by modernizing federal networks, enhancing the federal government’s software supply chain security, implementing enhanced cybersecurity practices and procedures in the federal government, and creating government-wide plans for incident response.  The Order covers a wide array of issues and processes, setting numerous deadlines for recommendations and actions by federal agencies, and focusing on enhancing the protection of federal networks in partnership with the service providers on which federal agencies rely.  Private sector entities, including federal contractors and service providers, will have opportunities to provide input to some of these actions.In particular, and among other things, the Order:
  • seeks to remove obstacles to sharing threat information between the private sector and federal agencies;
  • mandates that software purchased by the federal government meet new cybersecurity standards;
  • discusses securing cloud-based systems, including information technology (IT) systems that process data, and operational technology (OT) systems that run vital machinery and infrastructure;
  • seeks to impose new cyber incident[1] reporting requirements on certain IT and OT providers and software product and service vendors and establishes a Cyber Safety Review Board to review and assess such cyber incidents and other cyber incidents; and
  • addresses the creation of pilot programs related to consumer labeling in connection with the cybersecurity capabilities of Internet of Things (IoT) devices.

The Order contains eight substantive sections, which are listed here, and discussed in more detail below:

  • Section 2 – Removing Barriers to Sharing Threat Information
  • Section 3 – Modernizing Federal Government Cybersecurity
  • Section 4 – Enhancing Software Supply Chain Security
  • Section 5 – Establishing a Cyber Safety Review Board
  • Section 6 – Standardizing the Federal Government’s Playbook for Responding to Cybersecurity Vulnerabilities and Incidents
  • Section 7 – Improving Detection of Cybersecurity Vulnerabilities and Incidents on Federal Government Networks
  • Section 8 – Improving the Federal Government’s Investigative and Remediation Capabilities
  • Section 9 – National Security Systems

The summaries below discuss highlights from these sections, and the full text of the Order can be found here.


Continue Reading President Biden Signs Executive Order Aimed at Improving Government Cybersecurity