Iowa Becomes Fourth State to Incentivize Cybersecurity Best Practices for Businesses

Bill mentions the use of the CIS Critical Security Controls as part of a reasonable cybersecurity program

DES MOINES, Iowa, June 29, 2023 — In a law that goes into effect July 1, Iowa will become the fourth state in the U.S. to incentivize cybersecurity best practices for businesses.

Iowa Governor Kim Reynolds recently signed into law a bill intended to improve Iowa’s cyber defenses by incentivizing organizations to voluntarily adopt cyber best practices, including the Center for Internet Security Critical Security Controls (CIS Controls).   

The Iowa law, House File 553, “An Act Relating to Affirmative Defenses for Entities Using Cybersecurity Programs,” creates liability protections for businesses. In particular, it provides that any “covered entity that satisfies all requirements…is entitled to an affirmative defense to any tort lawsuit brought against the organization for a cyber breach.”

Iowa joins Ohio, Utah, and Connecticut in legislative efforts to adopt an incentive-based approach for businesses to implement cybersecurity best practices.

“There is no national statutory minimum standard of information security, which makes it difficult to improve cybersecurity on a wholesale basis,” said CIS Executive Vice President & General Manager, Security Best Practices, Curtis Dukes. “Iowa’s cybersecurity bill is a step in that direction by incentivizing the adoption of cyber best practices to both improve cybersecurity and protect citizen data.”

The CIS Controls are a set of internationally-recognized, prioritized actions that form the foundation of essential cyber hygiene and effective cyber defense. Implementing the CIS Controls provides a critical, measurable security value against a wide range of potential attacks. Analysis shows that implementing the CIS Controls mitigates the majority of cyber attacks when evaluated against attack patterns in the widely referenced ATT&CK framework published by the MITRE Corporation. Specifically, the CIS Controls mitigate:

  • 86% of all attack Techniques found in the MITRE ATT&CK Framework
  • 92% of ransomware ATT&CK Techniques
  • 95% of targeted intrusion techniques
  • 98% of instances of web-application hacking techniques

Under the bill, organizations have to conform with revisions and amendments to identified industry-recognized cybersecurity frameworks (like the CIS Controls), laws, and regulations within one year after the revised document is published.

For more information, or to speak with CIS about House File 553, contact Kelly Wyland, Media Relations Manager at [email protected] or call/text 518-256-6978.


About CIS

The Center for Internet Security, Inc. (CIS®) makes the connected world a safer place for people, businesses, and governments through our core competencies of collaboration and innovation. We are a community-driven nonprofit, responsible for the CIS Critical Security Controls® and CIS Benchmarks™, globally recognized best practices for securing IT systems and data. We lead a global community of IT professionals to continuously evolve these standards and provide products and services to proactively safeguard against emerging threats. Our CIS Hardened Images® provide secure, on-demand, scalable computing environments in the cloud. CIS is home to the Multi-State Information Sharing and Analysis Center® (MS-ISAC®), the trusted resource for cyber threat prevention, protection, response, and recovery for U.S. State, Local, Tribal, and Territorial (SLTT) government entities, and the Elections Infrastructure Information Sharing and Analysis Center® (EI-ISAC®), which supports the rapidly changing cybersecurity needs of U.S. election offices. To learn more, visit or follow us on Twitter: @CISecurity.