IoT Goes Federal under Newly Signed Law

Client Alert | 1 min read | 12.10.20

Last week, the President signed the Internet of Things (IoT) Cybersecurity Improvement Act into law, kicking off a multi-year process that will culminate in the first-ever federal requirements for IoT devices. Under the law, the National Institute of Standards & Technology (NIST) is now charged with drafting and finalizing security requirements for IoT devices, as well as guidelines for managing disclosures about those devices’ security vulnerabilities. In two short years, the federal government will then be prohibited from procuring IoT devices unless (1) the devices meet the pending NIST requirements; or (2) the devices are granted a formal waiver by an agency Chief Information Officer. In addition to creating yet another cybersecurity regime for the government contracting community, the law will create a new benchmark for consumer-facing companies to consider when assessing and complying with the growing number of states imposing their own “reasonable security” requirements for IoT devices.

Contacts

Jeffrey L. Poston
Partner
He/Him/His
- Washington, D.C.
  - D | +1.202.624.2775
anBvc3RvbkBjcm93ZWxsLmNvbQ==
Kristin J. Madigan
Partner
- San Francisco
  - D | +1.415.365.7233
a21hZGlnYW5AY3Jvd2VsbC5jb20=
Kate M. Growley
Partner, Crowell Global Advisors Senior Director
- Washington, D.C.
  - D | +1.202.624.2698
- Washington, D.C. (CGA)
  - D | +1 202.624.2500
a2dyb3dsZXlAY3Jvd2VsbC5jb20=

Insights

Client Alert | 8 min read | 10.01.25

BIS Issues “Affiliates Rule” to Dramatically Expand Applicability of Entity and Military End-User Lists

On September 29, 2025, the U.S. Department of Commerce Bureau of Industry and Security (BIS) announced a sweeping Interim Final Rule (IFR), (the “Affiliates Rule”) expanding which entities qualify as Entity List or Military End-User entities, thereby subjecting those entities to elevated export control restrictions under the Export Administration Regulations (EAR). U.S. export restrictions applicable to entities on the Entity List, Military End-User (MEU) List, and Specially Designated Nationals and Blocked Persons (SDN List) now apply to foreign affiliates that are, in the aggregate, owned 50% or more by one or more of the aforementioned entities. An entity that becomes subject to these restrictions because of its ownership structure will be subject to the most restrictive controls that attach to any of its parent entities, regardless of ownership stakes....

Client Alert | 2 min read | 10.01.25
CPSC Shutdown Plan: Continue Enforcement, Pause Public Engagement and Civil Penalties
Client Alert | 2 min read | 10.01.25
EPA’s New Data Center Policy Means Expedited TSCA Review of New Chemicals Related to AI and Data Center Projects
Client Alert | 2 min read | 09.30.25
CARB Issues Preliminary List of Entities Covered by California Climate Disclosure Laws

View All Insights