The U.S. House of Representatives passed the IoT Cybersecurity Improvement Act, which is intended to improve the security of Internet of Things (IoT) devices in the country. The bipartisan bill, which was introduced in 2017 and reintroduced in 2019, will now have to pass the Senate. Under the proposed bill, all IoT devices purchased by the government must fulfill minimum security requirements.
The bill is supported by Reps. Will Hurd (R-Texas) and Robin Kelly (D-Ill.), and Sens. Mark Warner (D-Va.) and Cory Gardner (R-Colo.), along with several cybersecurity companies including Rapid7, BSA, Mozilla, Tenable, Cloudflare, and CTIA.
Once signed into law by the president, the IoT Cybersecurity Improvement Act would address various cyber risks from the influx of insecure IoT devices, which threaten user or national security. The specific requirements of the bill include:
- The National Institute of Standards and Technology (NIST) is required to publish standards and guidelines on the use and management of IoT devices by the federal government, including minimum information security requirements for managing cybersecurity risks associated with IoT devices.
- The Office of Management and Budget (OMB) is directed to review federal government information security policies and make any necessary changes to ensure they are consistent with NIST’s recommendations.
- NIST and OMB are required to update IoT security standards, guidelines, and policies at least every five years.
- Federal agencies are prohibited from procuring or using IoT devices that do not comply with these security requirements, subject to a waiver process for devices that are necessary for national security, needed for research, or secured using alternative and effective methods.
- NIST is required to publish guidelines for reporting security vulnerabilities relating to federal agency information systems, including IoT devices.
- OMB is directed to develop and implement policies that are necessary to address security vulnerabilities relating to federal agency information systems, including IoT devices, consistent with NIST’s published guidelines.
- Contractors providing IoT devices to the U.S. government are required to adopt coordinated vulnerability disclosure policies, so that if a vulnerability is uncovered, that information is disseminated.
Commenting on the new development, Will Hurd said, “Securing the Internet of Things is a key vulnerability Congress must address. While IoT devices improve and enhance nearly every aspect of our society, economy and everyday lives, these devices must be secure to protect Americans’ personal data. The IoT Cybersecurity Improvement Act would ensure that taxpayers’ dollars are only being used to purchase IoT devices that meet basic, minimum security requirements. This would ensure that we adequately mitigate vulnerabilities these devices might create on federal networks.”
“The Internet of Things grows every single day, and, by the end of next year, it will include more than 20 billion devices. The result is an astounding, unimaginable amount of data: 90% of the data in the entire world was created in the last two years. America needs to keep up with this incredible trend, and that means ensuring proper security and protections—the IoT Cybersecurity Improvement Act is a step in that direction,” Hurd added.