There’s a nice article on CNET with updates on proposed US legislation which would require basic security standards for any IoT devices that the federal government uses. Note, this does not propose to cover consumers or the general market simply mandate standards that suppliers and manufacturers would have to meet if they want to sell to the USA government. Apparently it is likely to borrow heavily from California’s SB 327 legislation.
The Californian legislation has nice specific elements such as mandating that device makers have to include specific security features such as removing default passwords and requiring users to generate their own passwords before allowing device access. However, this is functionality so basic for security that you appreciate how vulnerable the domestic market currently is to attacks at the moment.