2.17 Internet of Things Cybersecurity Improvement Act of 2020

Enacted in 2020 to establish minimum security standards for [Internet of Things (IoT)] devices owned and controlled by the federal government. This law gives authority to the CIO to prohibit the head of any agency from “procuring or obtaining, renewing a contract to procure or obtain, or using an [IoT] device” if they find through a mandatory review process that the use of the device prevents compliance with NIST standards and guidelines.

The CIO can waive this requirement only if:

the waiver is necessary in the interest of national security;
procuring, obtaining, or using such device is necessary for research purposes; or
such device is secured using alternative and effective methods appropriate to the function of such device. ( Public Law 116-207. IoT CyberSecurity Improvement Act of 2020.)