Senate Passes IoT Security Legislation to Protect Feds’ Device Procurement
The Senate has unanimously passed bipartisan legislation intended to ensure the security of internet-facing devices purchased by the federal government. The bill now heads to President Trump’s desk for signature.
The Internet of Things Cybersecurity Improvement Act of 2020 will require internet-connected devices purchased and used by federal agencies to adhere to minimum security guidelines issued by the National Institute of Standards and Technology (NIST). Under the measure, device makers in the federal government’s procurement supply chain must inform agencies of any known vulnerabilities that attackers could exploit. Sens. Mark Warner (D-VA), Cory Gardner (R-CO), Maggie Hassan (D-NH) and Steve Daines (R-MT) sponsored the legislation.
Here’s what the law does:
- Requires NIST to publish standards and guidelines on the use and management of IoT devices by the federal government, including minimum information security requirements for managing cybersecurity risks associated with IoT devices.
- Directs the Office of Management and Budget (OMB) to review federal government information security policies and make any necessary changes to ensure they are consistent with NIST’s recommendations.
- Requires NIST and OMB to update IoT security standards, guidelines and policies at least every five years.
- Prohibits the procurement or use by federal agencies of IoT devices that do not comply with these security requirements, subject to a waiver process for devices necessary for national security, needed for research or that are secured using alternative and effective methods.
- Requires NIST to publish guidelines for reporting security vulnerabilities relating to federal agency information systems, including IoT devices.
- Directs OMB to develop and implement policies that are necessary to address security vulnerabilities relating to federal agency information systems, including IoT devices, consistent with NIST’s published guidelines.
- Requires contractors providing IoT devices to the U.S. government to adopt coordinated vulnerability disclosure policies, so that when a vulnerability is uncovered, that information reaches the affected agencies.
“While more and more products and even household appliances today have software functionality and internet connectivity, too few incorporate even basic safeguards and protections, posing a real risk to individual and national security,” Warner said.
“Most experts expect tens of billions of devices operating on our networks within the next several years as the Internet of Things (IoT) landscape continues to expand,” Gardner said. “We need to make sure these devices are secure from malicious cyber-attacks as they continue to transform our society and add countless new entry points into our networks.”
Last September, the House unanimously passed the legislation, sponsored by Reps. Robin Kelly (D-IL) and Will Hurd (R-TX). “Securing the Internet of Things is a key vulnerability Congress must address,” Hurd said at the time. “While IoT devices improve and enhance nearly every aspect of our society, economy and everyday lives, these devices must be secure in order to protect Americans’ personal data.”
This is Congress’s third attempt to mandate minimum national security standards for IoT devices. It is similar in scope and requirements to the Internet of Things Cybersecurity Improvement Act of 2017 and the Internet of Things Federal Cybersecurity Improvement Act of 2018, neither of which came to a Congressional vote. Critics of the federal government’s position on cybersecurity have often pointed to the absence of minimum national standards that device makers must meet to bring their devices to market.
California enacted the nation’s first IoT cybersecurity legislation in September 2018, when then-Governor Jerry Brown signed into law a cybersecurity bill that required smart device makers to equip their gear with “reasonable” security features.
The Senate recently also passed the Information Technology Modernization Centers of Excellence Program Act, designed to modernize how executive agencies use information technology and how customers interact with those agencies. The bipartisan bill, which is sponsored by Hassan and Sen. Rob Portman (R-OH) and now awaits Trump’s signature, aims to help executive agencies with the planning and adoption of artificial intelligence and other emerging technologies. “Ensuring that our government has the capabilities and expertise to help navigate the impacts of the latest technology will be important in the coming years and decades,” Portman said.