IoT Security Bill Passes Congress


The Senate has approved a bipartisan bill, the Internet of Things (IoT) Cybersecurity Improvement Act, which requires that any IoT devices purchased with government money meet minimum security standards.

The latest incarnation of the bill was introduced in March 2019 by Sen. Cory Gardner (R-Colo.), co-chair of the Senate Cybersecurity Caucus with Mark Warner (D-Va.), and in the House by Reps. Robin Kelly (D-Ill.) and Will Hurd (R-Texas).

It passed the House in September and heads to the President's desk for his signature.

The bill:

1. "Requires the National Institute of Standards and Technology (NIST) to issue recommendations addressing, at a minimum, secure development, identity management, patching, and configuration management for IoT devices.

2. "Directs the Office of Management and Budget (OMB) to issue guidelines for each agency that are consistent with the NIST recommendations, and charge OMB with reviewing these policies at least every five years.

3. "Requires any Internet-connected devices purchased by the federal government to comply with those recommendations.

4. "Directs NIST to work with cybersecurity researchers, industry experts, and the Department of Homeland Security (DHS) to publish guidance on coordinated vulnerability disclosure to ensure that vulnerabilities related to agency devices are addressed.

5. "Requires contractors and vendors providing information systems to the U.S. government to adopt coordinated vulnerability disclosure policies, so that if a vulnerability is uncovered, that can be effectively shared with a vendor for remediation."

“While more and more products and even household appliances today have software functionality and internet connectivity, too few incorporate even basic safeguards and protections, posing a real risk to individual and national security,” said Warner. “I’m proud that Congress was able to come together today to pass this legislation, which will harness the purchasing power of the federal government and incentivize companies to finally secure the devices they create and sell. I urge the President to sign this bill into law without delay.”

“I applaud the Senate for passing our bipartisan and bicameral legislation to ensure the federal government leads by example and purchases devices that meet basic requirements to prevent hackers from accessing government systems,” said Gardner. “Most experts expect tens of billions of devices operating on our networks within the next several years as the Internet of Things (IoT) landscape continues to expand. We need to make sure these devices are secure from malicious cyber-attacks as they continue to transform our society and add countless new entry points into our networks, particularly when they are integrated into the federal government’s networks.”

John Eggerton
