A bipartisan, bicameral bill, the Internet of Things (IoT) Cybersecurity Improvement Act of 2019, is being introduced Monday (March 11) to try to address Hill concerns over network and telecom security.
The bill would require the government to make sure that any devices it purchases meet minimum security requirements.
It is being introduced in the Senate by Sens. Mark R. Warner (D-Va.) and Cory Gardner (R-Colo.), co-chairs of the Senate Cybersecurity Caucus, and in the House by Reps. Robin Kelly (D-Ill.) and Will Hurd (R-Tex.).
The bill would try to prevent security vulnerabilities, which it defines as "any attribute of hardware, firmware, software, or combination of or more of these factors that could enable the compromise of the confidentiality, integrity, or availability of an information system or its information or physical devices to which it is connected."
Specifically, the bill would:
1) "Direct the Office of Management and Budget (OMB) to issue guidelines for each agency that are consistent with the NIST recommendations, and charge OMB with reviewing these policies at least every five years;
2) "Require any Internet-connected devices purchased by the federal government to comply with those recommendations. Direct NIST to work with cybersecurity researchers and industry experts to publish guidance on coordinated vulnerability disclosure to ensure that vulnerabilities related to agency devices are addressed; and
3) "Require contractors and vendors providing IoT devices to the U.S. government to adopt coordinated vulnerability disclosure policies, so that if a vulnerability is uncovered, that information is disseminated."
“While I’m excited about their life-changing potential, I’m also concerned that many IoT devices are being sold without appropriate safeguards and protections in place, with the device market prioritizing convenience and price over security,” said Sen. Warner, vice chairman of the Senate Select Committee on Intelligence and a former tech exec. “This legislation will use the purchasing power of the federal government to establish some minimum security standards for IoT devices.”
Just last week, CTIA, the wireless internet association, certified the first IoT device under its Internet of Things (IoT) Cybersecurity Device Program.
The CTIA certification verifies the device's security features against a set of best practices on everything from the storage of consumers’ information and password and security management, to "standards and the availability of an over-the-air mechanism for security software."