The attached dataset collects U.S. regulations at the federal and state levels regarding Internet of Things (IoT) devices. Our dataset covers all existing regulation to the year 2022. We do not include pending legislation in this dataset.
Although the number of Internet of Things (IoT) devices and device systems continues to proliferate in our built environment, legal standards and regulation of IoT is still in its infancy. There are not many policies at the federal or state level focusing on the regulation of IoT devices in general. Most IoT guidance comes from National Institute of Standards & Technology (NIST) standards and guidelines, which are generally advisory and non-binding. Even EO 14028, which was seen to have implications for IoT device security and so is included in the dataset, makes bare mention of IoT security, only mentioning IoT devices in the document as related to the need to educate the public about IoT device security capabilities.
In addition, when looking across existing regulations and guidelines the exact definition of what constitutes an IoT device differs in some way with even NIST publications slightly differing in their definitions from each other. Greater unity in understanding what an IoT devices is would greatly assist all stakeholders in standardization of security measures.
Further, when policies discuss “reasonable security features” for IoT devices, they usually appear to mean that devices should come with the ability to set passwords. Generally, this compliance burden fell to manufacturers rather than the consumer side, tasking vendors with meeting security standards, educating customers about the product, and post-sale product support. When consumers appear in regulations, it mainly focuses on big organizations such as federal agencies, with a focus on acquisition and safe implementation of IoT devices into systems. However, considering the proliferation of personal and household IoT devices the focus on organizations rather than individual consumers may leave many security issues unaddressed.
While our dataset focuses on device security rather than data security, data regulation is an essential element of IoT device and system security. Issues such as where data collected by the device is stored, who has access to that data, and what type of data should be illegal to collect all impact IoT device security in fundamental ways.
Dataset citation: Beyer, J., Jacob, S., Lii, E., Osburn, L., Pierson, S., Quirk, C., Su, D., and Tanaka, C. (2023). “U.S. Federal and State Regulation of Internet of Things (IoT) Devices.” JSIS Cybersecurity Initiative. https://jsis.washington.edu/news/u-s-federal-and-state-regulation-of-internet-of-things-iot-devices-2019-2022
This work was funded by NSF #1932769, “SaTC: CORE: Medium: Knowledge Work and Coordination to Improve O&M and IT Collaboration to Keep Our Buildings Smart AND Secure.”