Sen. Mark Warner (D-Va.) is praising House passage of his Internet of Things (IoT) Cybersecurity Improvement Act, which requires minimum security requirements for IoT devices bought by the U.S. government, saying that there are not enough market incentives to secure devices.
Related: Sen. Warner Urges Internet Device Makers to Protect Products
The latest incarnation of the bill was introduced in March 2019 by Warner joined by Sen. Cory Gardner (R-Colo.), co-chair of the Senate Cybersecurity Caucus with Warner, and in the House by Reps. Robin Kelly (D-Ill.) and Will Hurd (R-Texas).
The bill has yet to pass the Senate, but did pass the Senate Homeland Security and Governmental Affairs Committee in June 2019.
It would:
1. "Require the National Institute of Standards and Technology (NIST) to issue recommendations addressing, at a minimum, secure development, identity management, patching, and configuration management for IoT devices.
2. "Direct the Office of Management and Budget (OMB) to issue guidelines for each agency that are consistent with the NIST recommendations, and charge OMB with reviewing these policies at least every five years.
3. "Require any Internet-connected devices purchased by the federal government to comply with those recommendations.
4. "Direct NIST to work with cybersecurity researchers, industry experts, and the Department of Homeland Security (DHS) to publish guidance on coordinated vulnerability disclosure to ensure that vulnerabilities related to agency devices are addressed.
5. "Require contractors and vendors providing information systems to the U.S. government to adopt coordinated vulnerability disclosure policies, so that if a vulnerability is uncovered, that can be effectively shared with a vendor for remediation."
“The House passage of this legislation is a major accomplishment in combating the threats that insecure IoT devices pose to our individual and national security," said Sen. Warner. "Frankly, manufacturers today just don’t have the appropriate market incentives to properly secure the devices they make and sell – that’s why this legislation is so important."
