IoT Cybersecurity Improvement Act 2020

Jurisdiction
United States
Region
North America
Requirement
Required
Organization
Congress / NIST
Provision
Sec. 5, Sec. 6, Sec. 7
Applies to
Federal agencies and contractors providing IoT devices to the Federal government
Date
December 2020
Description
Section 5 (Guidelines on the Disclosure Process for Security Vulnerabilities Relating to Information Systems, Including IoT Devices): NIST must create guidelines "(1) for the reporting, coordinating, publishing, and receiving of information about—(A) a security vulnerability relating to information systems owned or controlled by an agency (including Internet of Things devices owned or controlled by an agency); and (B) the resolution of such security vulnerability; and (2) for a contractor providing to an agency an information system (including an Internet of Things device) and any subcontractor thereof at any tier providing such information system to such contractor, on—(A) receiving information about a potential security vulnerability relating to the information system; and (B) disseminating information about the resolution of a security vulnerability relating to the information system."

Section 6 (Implementation of Coordinated Disclosure of Security Vulnerabilities Relating to Agency Information Systems, Including IoT Devices): Federal agencies—in collaboration with OMB—must develop "policies, principles, standards, or guidelines as may be necessary to address security vulnerabilities of information systems". These programs must be consistent with NIST guidelines and standards. Moreover, "the Federal Acquisition Regulation shall be revised as necessary to implement the provisions under this section."

Section 7 (Contractor Compliance With Coordinated Disclosure of Security Vulnerabilities Relating to Agency IoT Devices): The head of a federal agency is prohibited from "procuring or obtaining, renewing a contract to procure or obtain, or using an Internet of Things device" if the Chief Information Officer determines that doing so would prevent compliance with the guidelines published under Section 5.