Reed Smith Client Alerts

A recent Senate bill is yet another signal of the federal government’s increasing focus on the security of the Internet of Things. The Internet of Things (IoT) Cybersecurity Improvement Act of 2017, introduced by Senator Mark Warner (D-Va.), seeks to impose heightened security standards on all IoT devices procured by any federal agency. Detractors of the legislation point to vague language and the large number of exceptions in questioning how much this bill actually does to improve cybersecurity. However, if enacted, the expectations regarding the security of IoT devices as set forth in the legislation could be interpreted by courts as the minimal floor for any IoT product sold to the federal government and, potentially, sold commercially.

Authors: Mildred Segura Maryanne C. Woo Christopher M. Butler

Bill sponsor Sen. Mark Warner (D-Va.) introduced the Internet of Things (IoT) Cybersecurity Improvement Act of 2017 to the Senate August 1, 2017.1 The bill’s stated purpose is “To provide minimal cybersecurity operational standards for Internet-connected devices purchased by Federal agencies.”2 The bill defines IoT expansively to include any device that is connected to and uses the internet. Further, the bill’s fact sheet contemplates there being in excess of 20 billion IoT devices by 2020.3 Therefore, the scope of this proposed bill goes beyond core connected devices, such as smartphones and computers, to implicate manufacturers, distributors and resellers in all sectors whose products are ultimately acquired by the federal government (collectively, “government contractors”).4