The House this week unanimously passed legislation that ensures Internet of Things (IoT) devices purchased by the federal government meet minimum security requirements as issued by the National Institute of Standards and Technology (NIST).
The bipartisan Internet of Things (IoT) Cybersecurity Improvement Act of 2020 covers all manner of connected devices, including computers, mobile phones and hundreds of “things” connected to federal networks. It would additionally require private sector organizations selling such gear to the federal government to notify agencies of known vulnerabilities that could provide an avenue for hackers. The bill, which was approved by the House Oversight and Reform Committee last year, does not include consumer IoT equipment.
House members Robin Kelly (D-IL) and Will Hurd (R-TX) sponsored the bill while companion legislation in the Senate is sponsored by Sens. Mark Warner (D-VA), Cory Gardner(R-CO), Maggie Hassan (D-NH) and Steve Daines (R-MT).
The bill’s sponsors believe it will address the supply chain risk to the federal government. “Securing the Internet of Things is a key vulnerability Congress must address. While IoT devices improve and enhance nearly every aspect of our society, economy and everyday lives, these devices must be secure in order to protect Americans’ personal data,” Hurd said.
Here’s what the Act does:
- Requires the NIST to publish standards and guidelines on the use and management of IoT devices by the federal government, including minimum information security requirements for managing cybersecurity risks associated with IoT devices.
- Directs the Office of Management and Budget (OMB) to review federal government information security policies and make any necessary change to ensure they are consistent with NIST’s recommendations.
- Requires NIST and OMB to update IoT security standards, guidelines and policies at least every five years.
- Prohibits the procurement or use by federal agencies of IoT devices that do not comply with these security requirements, subject to a waiver process for devices necessary for national security, needed for research or that are secured using alternative and effective methods.
- Requires NIST to publish guidelines for reporting security vulnerabilities relating to federal agency information systems, including IoT devices.
- Directs OMB to develop and implement policies that are necessary to address security vulnerabilities relating to federal agency information systems, including IoT devices, consistent with NIST’s published guidelines.
- Requires contractors providing IoT devices to the U.S. government to adopt coordinated vulnerability disclosure policies, so that if a vulnerability is uncovered, that information is disseminated.
“Today, the House took a major and overdue step toward improving U.S. cybersecurity," Kelly said. "The bipartisan Internet of Things Cybersecurity Improvement Act will ensure the US government purchases secure devices and existing vulnerabilities are closed.”
The legislation is the third stab at mandating minimum national security standards for IoT devices. It's similar in scope and requirements to the Internet of Things Cybersecurity Improvement Act of 2017 and the Internet of Things Federal Cybersecurity Improvement Act of 2018, both of which did not come to a Congressional vote. Critics of the federal government’s position on cybersecurity have often pointed to the absence of minimum national standards that device makers must meet to bring their devices to market.
At this point the only IoT cybersecurity legislation either federal or state has been enacted by California. In September, 2018, then California Governor Jerry Brown signed into law a cybersecurity bill that required smart devices makers to equip their gear with “reasonable” security features.