New IoT Bill Mandates Minimum Cybersecurity Standards for Device Makers
Lawmakers are taking a third stab at mandating minimum national security standards for IoT devices, introducing The Internet of Things (IoT) Cybersecurity Improvement Act of 2019 in both chambers of Congress.
The bipartisan bill requires that IoT-related devices procured by the U.S. government meet certain minimum security criteria but does not extend to consumer equipment. Its Senate sponsors include Sens. Mark Warner (D-VA), Cory Gardner (R-CO), Maggie Hassan (D-NH) and Steve Daines (R-MT). Companion legislation in the House is being introduced by Reps. Robin Kelly (D-IL) and Will Hurd (R-TX).
The bill is similar in scope and requirements to the Internet of Things Cybersecurity Improvement Act of 2017 and the Internet of Things Federal Cybersecurity Improvement Act of 2018, neither of which came to a Congressional vote. Critics of the federal government’s position on cybersecurity have often pointed to the absence of minimum national standards that device makers must meet to bring their devices to market.
Terms of the 2019 version of the IoT cybersecurity bill:
- Requires the National Institute of Standards and Technology (NIST) to issue recommendations addressing, at a minimum, secure development, identity management, patching, and configuration management for IoT devices.
- Directs the Office of Management and Budget (OMB) to issue guidelines for each agency that are consistent with the NIST recommendations, and charges OMB with reviewing these policies at least every five years.
- Requires any Internet-connected devices purchased by the federal government to comply with those recommendations.
- Directs NIST to work with cybersecurity researchers and industry experts to publish guidance on coordinated vulnerability disclosure to ensure that vulnerabilities related to agency devices are addressed.
- Requires contractors and vendors providing IoT devices to the U.S. government to adopt coordinated vulnerability disclosure policies, so that if a vulnerability is uncovered, that information is disseminated.
Research firm Gartner has projected that some 20 billion IoT devices will be on the market by next year.
The bill’s sponsors believe it will address the supply chain risk to the federal government. “I’m concerned that many IoT devices are being sold without appropriate safeguards and protections in place, with the device market prioritizing convenience and price over security,” said Warner. “This legislation will use the purchasing power of the federal government to establish some minimum security standards for IoT devices.”
Industry backers include Cloudflare, Mozilla, Rapid7, Symantec and Tenable.
At this point, California is the only jurisdiction, federal or state, to have enacted IoT cybersecurity legislation. In late September, then-California Governor Jerry Brown signed into law a cybersecurity bill that requires smart device makers to equip their gear with “reasonable” security features.
Under the California law, a manufacturer of a connected device must equip it with “reasonable” security features that are:
- Appropriate to the nature and function of the device.
- Appropriate to the information it may collect, contain, or transmit.
- Designed to protect the device and any information it contains from unauthorized access, destruction, use, modification, or disclosure.
- The pre-programmed password is unique to each device manufactured.
- The device contains a security feature that requires a user to generate a new means of authentication before access is granted to the device for the first time.
The California bill has been met with mixed reviews, criticized by some as too limited and applauded by others as a step in the right direction.