The Senate Homeland Security and Governmental Affairs Committee has favorably reported out the Internet of Things (IoT) Cybersecurity Improvement Act of 2019, a bill that will make sure government IoT devices are as secure as they can be, including by requiring transparency and disclosure from contractors. The bill now heads to the full Senate for a vote.
The bill, introduced in March, would "require that devices purchased by the U.S. government meet certain minimum security requirements."
The bill was introduced in the Senate by Sens. Mark Warner (D-Va.) and Cory Gardner (R-Colo.), co-chairs of the Senate Cybersecurity Caucus, as well as Sens. Maggie Hassan (D-N.H.) and Steve Daines (R-Mont.). Reps. Robin Kelly (D-Ill.) and Will Hurd (R-Texas) are taking the lead on the bill in the House.
The House version passed out of the House Committee on Oversight and Reform last week, but the Senate bill was broadened in committee to include vendors as well as devices, so the two versions will have to be reconciled.
Specifically, the bill would:
· "Require the National Institute of Standards and Technology (NIST) to issue recommendations addressing, at a minimum, secure development, identity management, patching, and configuration management for IoT devices.
· "Direct the Office of Management and Budget (OMB) to issue guidelines for each agency that are consistent with the NIST recommendations, and charge OMB with reviewing these policies at least every five years.
· "Require any Internet-connected devices purchased by the federal government to comply with those recommendations.
· "Direct NIST to work with cybersecurity researchers, industry experts, and the Department of Homeland Security (DHS) to publish guidance on coordinated vulnerability disclosure to ensure that vulnerabilities related to agency devices are addressed.
· "Require contractors and vendors providing information systems to the U.S. government to adopt coordinated vulnerability disclosure policies, so that if a vulnerability is uncovered, that can be effectively shared with a vendor for remediation."
That was fine with NCTA-The Internet & Television Association, whose ISP members are on the front lines of IoT security.
"Maintaining strong, risk-based cybersecurity standards is paramount for effective business and government operations," it said. "The Internet of Things Cybersecurity Improvement Act of 2019 wisely directs OMB to heed the outcome of a review process currently underway at NIST when making IoT purchasing decisions. The requirements in this bill will have a positive ripple effect throughout the ecosystem since the government is such a large purchaser and user of IoT devices...."