Laws, Standards & Guidelines

A shortlist of relevant frameworks that relate to the security of IoT devices and their contents.

California Law SB-327

Security of Connected Devices

Effective Date:  January 1, 2020

Governing Body:  USA, California, Legislature 

Full Description:  Security of Connected Devices: Title 1.81.26, Part 4 of Division 3 of the Civil Code

Summary:  Requires a manufacturer of a connected device, as those terms are defined, to equip the device with a reasonable security feature or features that are appropriate to the nature and function of the device, appropriate to the information it may collect, contain, or transmit, and designed to protect the device and any information contained therein from unauthorized access, destruction, use, modification, or disclosure, as specified.

Key Requirements:

  • Protect the device and any information contained therein from unauthorized access, destruction, use, modification, or disclosure.
  • For devices equipped with a means for authentication outside a local area network:
    • Any preprogrammed password should be unique to each device manufactured, and/or
    • The device contains a security feature that requires a user to generate a new means of authentication before access is granted to the device for the first time.


NIST 8259A Information Report

IoT Device Cybersecurity Capability Core Baseline

Publish Date:  July 14, 2020

Issuing Body:  USA, NIST (National Institute of Standards and Technology)

Full Description:  IoT Device Cybersecurity Capability Core Baseline

Summary: This publication defines an Internet of Things (IoT) device cybersecurity capability core baseline, which is a set of device capabilities generally needed to support common cybersecurity controls that protect an organization’s devices as well as device data, systems, and ecosystems. The purpose of this publication is to provide organizations a starting point to use in identifying the device cybersecurity capabilities for new IoT devices they will manufacture, integrate, or acquire.

Key Requirements:

  • Device Identification
  • Device Configuration
  • Data Protection
  • Logical Access to Interfaces
  • Software Update
  • Cybersecurity State Awareness


USA Executive Order

Improving the Nation’s Cybersecurity

Publish Date:  May 12, 2021

Issuing Body:  USA Government, Executive Branch, White House

Full Description:  Policy for Improving the Nation’s Cybersecurity

Summary: “It is the policy of my Administration that the prevention, detection, assessment, and remediation of cyber incidents is a top priority and essential to national and economic security.  The Federal Government must lead by example.  All Federal Information Systems should meet or exceed the standards and requirements for cybersecurity set forth in and issued pursuant to this order.”

Key Sections of Policy:

  • Removing Barriers to Sharing Threat Information
  • Modernizing Federal Government Cybersecurity
  • Enhancing Software Supply Chain Security
  • Establishing a Cyber Safety Review Board
  • Standardizing Responses to Cybersecurity Vulnerabilities and Incidents
  • Improving Detection of Cybersecurity Vulnerabilities and Incidents on Federal Government Networks
  • Improving the Federal Government’s Investigative and Remediation Capabilities
  • National Security Systems

UK Government Code of Practice

Consumer IoT Security

Publish Date:  October 14, 2018

Issuing Body:  UK Government

Full Description:  Code of Practice for Consumer IoT Security

Summary: This Code of Practice sets out practical steps for IoT manufacturers and other industry stakeholders to improve the security of consumer IoT products and associated services. Implementing its thirteen guidelines will contribute to protecting consumers’ privacy and safety, whilst making it easier for them to use their products securely. It will also mitigate against the threat of Distributed Denial of Service (DDoS) attacks that are launched from poorly secured IoT devices and services.

Key Guidelines of Code:

  • No default passwords
  • Implement a vulnerability disclosure policy
  • Keep software updated
  • Securely store credentials and security-sensitive data
  • Communicate securely
  • Minimize exposed attack surfaces
  • Ensure software integrity
  • Ensure that personal data is protected 
  • Make systems resilient to outages 
  • Monitor system telemetry data 
  • Make it easy for consumers to delete personal data 
  • Make installation and maintenance of devices easy 
  • Validate input data
