Congress Passes the Internet of Things Cybersecurity Improvement Act
Published: December 03, 2020
Federal Market Analysis | Critical Infrastructure Protection | Cybersecurity | Internet of Things | Policy and Legislation
The legislation will set the clock ticking for agencies to develop and implement cybersecurity standards for the procurement and use of IoT devices.
Congress recently passed the Internet of Things Cybersecurity Improvement Act, legislation that will require various security requirements for Internet of Things (IoT) devices purchased by federal agencies. The bill was passed by the House of Representatives in September and the Senate passed it on November 18, bringing to fruition legislation that has been three years in the making. The final bill has been sent to the White House for the president’s signature.
If signed into law, the National Institute of Standards and Technology (NIST) will need to issue standards and guidelines for federal agencies on the appropriate use and management of IoT devices, including their secure development, identity management, patching and configuration management.
NIST distinguishes IoT devices from conventional Information Technology (IT) devices (e.g., servers and laptops) and typical smart devices (e.g., smartphones), since the cybersecurity issues and approaches for those are already well known. In contrast, IoT devices have a network interface (e.g., Ethernet, Wi-Fi, Bluetooth), interact directly with the physical world, and can function on their own. (See NIST publication NISTIR 8259, Foundational Cybersecurity Activities for IoT Device Manufacturers, for more information.)
The Office of Management and Budget (OMB) would then issue guidelines for federal agencies based on the NIST standards. Further, the legislation directs NIST to work with the Department of Homeland Security (DHS) and outside experts to develop and publish guidelines on security vulnerability disclosure and remediation for federal information systems, including IoT devices. The scope of the guidelines would include contractor and subcontractor companies providing information systems and IoT devices to federal agencies. The vulnerability provisions in the bill would also require an update to the Federal Acquisition Regulation (FAR) as necessary to implement the provisions.
Within two years after the law’s enactment, agencies will be prohibited “from procuring or obtaining, renewing a contract to procure or obtain, or using” an IoT device if that agency’s Chief Information Officer (CIO) determines that its use prevents compliance with the forthcoming NIST/OMB standards and guidelines. However, the agency CIO may grant a waiver for a device if it is in the interest of national security, for research purposes, or if the device is secured using appropriate alternative and effective methods.