Federal Cybersecurity – Agencies Must Now Inventory Their “Internet of Things” Devices

Published: December 14, 2023

Tags: Federal Market Analysis, Critical Infrastructure Protection, Cybersecurity, Internet of Things, OMB, Policy and Legislation

OMB is requiring agencies to document their IoT devices as a means to identify and mitigate cybersecurity risks.

The Office of Management and Budget (OMB) is raising the cybersecurity compliance bar for federal agencies using Internet of Things (IoT) devices on their networks. In its Fiscal Year (FY) 2024 Guidance on Federal Information Security and Privacy Management Requirements, released last week, OMB is requiring agencies to develop and deliver an inventory of their “covered IoT assets” by the end of FY 2024.

OMB defines these covered assets as “IoT devices that are embedded with programmable controllers, integrated circuits, sensors, and other technologies for the purpose of collecting and exchanging data with other devices and/or systems over a network...” These IoT technologies may function as operational technology (OT) as part of building management, fire control and physical access control systems, or as industrial control systems.

Required IoT Asset Inventories and Risk Mitigations

After engaging with agencies over the last two years to learn about the diversity of IoT devices that agencies are using, OMB is now requiring agency Chief Information Officers (CIOs) to compile and provide an enterprise-wide inventory of their IoT assets.

The inventory is to include specific details about each covered IoT/OT asset, such as:

  • Asset Identification and detailed description/specifications, including serial/asset tag numbers
  • Device function, location, and criticality, including a description of specific agency FISMA and high-value asset (HVA) systems associated with the asset
  • Agency owner/point of contact, vendor/manufacturer information and software and firmware versions
  • Network connectivity, integrations and API information, and security controls that align with National Institute of Standards and Technology (NIST) standards and protocols

OMB also directs agency CIOs to “evaluate critical attack or disruption pathways adversaries could leverage to compromise critical devices and connected information systems” for the purpose of prioritizing risk mitigation.

IoT Security Best Practices Coming

In the guidance, OMB says that the federal CISO Council will establish a working group within the next four months to provide agencies with specialized IoT and OT security best-practice playbooks for various use cases (e.g., building management systems, industrial control systems, health and medical devices and systems, scientific laboratories, aerospace systems, etc.).

IoT Acquisition Rules Under Development

This focus on improving the cybersecurity of agency IoT devices is a major element of the White House’s latest National Cybersecurity Strategy Implementation Plan and also serves to meet the statutory requirements of the Internet of Things Improvement Act of 2020. That Act required the Office of Federal Procurement Policy (OFPP) and the Federal Acquisition Regulatory (FAR) Council to propose FAR changes by the end of FY 2023 to improve the cybersecurity of Internet of Things (IoT) devices, among other measures.

Section 2 of Executive Order 14028 “Improving the Nation’s Cybersecurity” required the Cybersecurity and Infrastructure Security Agency (CISA) to review agency-specific cybersecurity requirements and recommend standard language for federal contracts, including the security of IoT devices.

The Department of Defense (DOD), General Services Administration (GSA) and the National Aeronautics and Space Administration (NASA) proposed a rule to revise the FAR based on those recommendations, which would add a new subpart (FAR 39.X, “Federal Information Systems”) to provide the policies and procedures agencies should follow when acquiring services to develop, implement, operate, or maintain a Federal Information System (FIS). This proposed rule encompasses the acquisition of IoT devices.

The public comment period for the proposed rule has been extended to February 2, 2024 (per Federal Register 88 FR 74970).