Several Federal agencies are lagging on Internet of Things (IoT) cybersecurity after missing deadlines to meet the requirements set for them, the Government Accountability Office (GAO) revealed.

IoT technology, the networked devices and sensors embedded in infrastructure and vehicles, is susceptible to a variety of cyberattacks, including botnet recruitment, malware, and denial-of-service attacks. The IoT Cybersecurity Improvement Act of 2020 addressed these vulnerabilities by directing the National Institute of Standards and Technology (NIST) to develop IoT security guidelines and the Office of Management and Budget (OMB) to establish requirements, consistent with those guidelines, that 23 Federal civilian agencies must meet.

In its Dec. 4 report, GAO found that three agencies reported they would not be able to finish their IoT inventories by the Sept. 30 deadline, and six others did not provide time frames for doing so. Only three agencies had completed their inventories: the State and Treasury departments and the Nuclear Regulatory Commission.

The Small Business Administration said it would not create an inventory because it has no IoT technology.

“Until OMB and agencies ensure that agencies are meeting OMB’s requirements, the agencies will not be effectively positioned to assess risks so that they can impose appropriate security requirements and take other mitigating actions,” said GAO.  

IoT devices are often designed with limited security features, making them easy targets for attackers, GAO said. At the same time, the Federal government relies on these technologies to control access to devices and facilities, to monitor systems and equipment, and even in specialized networked hospital equipment, which makes effective cybersecurity controls for them vital.

GAO said that based on preliminary inventory reports, there are up to 137 systems containing IoT or operational technology (OT) across agencies covered by the IoT cybersecurity act.  

“These technologies are subject to serious cyber threats that can have adverse impacts on organizational operations and assets, individuals, critical infrastructure, and the nation,” said GAO. “As cyber threats grow increasingly sophisticated, the need to manage and bolster the cybersecurity of IoT and OT products and services is also magnified.” 

Most agencies are still establishing their IoT inventories and documenting their IoT cybersecurity controls, GAO added.

Waivers permitted by the act, which OMB oversees, require detailed documentation of the waived devices. GAO said that six waivers reported to OMB were inconsistent with the IoT cybersecurity requirements, and that OMB had not verified the accuracy of the waiver information before relaying it to Congress.

The government watchdog made 11 recommendations, including that OMB verify the waivers agencies submit. Additional recommendations direct the agencies that reported no time frame, or a revised time frame, for inventory completion to either develop a plan or meet their deadlines.

Agencies that failed to provide a timeline for inventory completion include the Department of Veterans Affairs, the General Services Administration, NASA, the Office of Personnel Management, and the Social Security Administration.  

GAO also noted that following the completion of the report’s first draft, the Departments of Justice and Transportation, the National Science Foundation, and the U.S. Agency for International Development reported they had completed their inventories.  

Weslan Hansen is a MeriTalk Staff Reporter covering the intersection of government and technology.