
I'm outside your jurisdiction so I presumably can't comment using the official channels, but here are some points:

The most fundamental thing is a commitment to maintaining devices for a published (and readily-available before purchase) period of time. However, the problem is that the average consumer doesn't know the full implications of this. There have been some outrages over times when the server that supports a product is shut down and the product no longer works, but people should realise the problem is just as severe for all IoT devices once updates stop being produced. The IoT device transforms from being a useful device into a potentially-malicious vulnerability that most consumers will continue to use because it still vaguely works. The consumers don't care if their Android device is a few releases behind - to them it is just a phone that is a little clunky but still does the job, while in reality it is a security nightmare waiting to unfold. That is the issue that needs resolving. Until it is resolved, a large proportion of the devices on the internet will be unmaintained security holes.

This can be improved in two ways - firstly, the manufacturers should be forced to state how long they will provide updates, and this should be worded in a way that makes it very clear that after that time the device should be viewed as a danger and should be destroyed. Secondly, when a device is no longer being updated, it should very clearly inform the user that it should be considered broken, with wording along the lines of "This device is no longer supported by $MANUFACTURER and cannot be considered secure. Criminals may be able to break into this device and steal all your data and use it to hack into your bank account. From this point onwards $MANUFACTURER rejects any responsibility for any consequences of this device being hacked."

The consumer needs to know that this is important. It is only when the consumer knows that it is important that they will start to differentiate their purchases based on the maintenance commitments, and therefore the maintenance commitments might start to be a matter for competition. I think this is the only way that you will reasonably get manufacturers to commit to long-range support, and also the only way that the proportion of unmaintained devices on the internet can be reduced significantly.

Secondly, I really hope you are thinking of collaborating with other legal systems like the EU on this one. The manufacturers won't want to divide their products and provide support to just a subset of the world, because the sunk cost of providing support to one country is far larger than supporting the devices in the rest of the world. The EU is also going to want the proportion of vulnerable systems on the internet reduced. If just the US were to try to put through laws like I have suggested above then the manufacturers are likely to try very hard to lobby against it, but if these laws are being pushed through in the EU as well, then their lobbying is much less likely to be effective.
