President Trump signed the Internet of Things (IoT) Cybersecurity Improvement Act into law Dec. 7.
The bipartisan legislation, sponsored by Reps. Robin Kelly, D-Ill., and Will Hurd, R-Texas, and Sens. Mark Warner, D-Va., and Cory Gardner, R-Colo., requires that any IoT device purchased with government money meet minimum security standards.
“The bipartisan Internet of Things Cybersecurity Improvement Act is a critical step towards strengthening U.S. government IT systems and will help officials patch existing vulnerabilities to protect our national security and the personal information of American families,” said Rep. Kelly.
Rep. Hurd, who is leaving Congress in January, highlighted the double-edged role that IoT devices play in society: offering vast benefits while carrying real security concerns.
“While IoT devices improve and enhance nearly every aspect of our society, economy, and everyday lives, these devices must be secure in order to protect Americans’ personal data,” Hurd said.
In a statement, Kelly and Hurd said the bill addresses the supply chain risk to the Federal government caused by insecure IoT devices by “establishing light-touch, minimum security requirements for procurement of connected devices by the government.”
The legislation requires the National Institute of Standards and Technology (NIST) to publish standards and guidelines on Federal use of IoT devices, and directs the Office of Management and Budget (OMB) to review government policies to ensure they are in line with NIST guides.
The bill also mandates that NIST and OMB update IoT security standards, guidelines, and policies at least every five years. NIST will also have to publish guidelines for reporting security vulnerabilities relating to Federal agency information systems, including IoT devices.
Federal agencies will be prohibited from procuring IoT devices that do not comply with the security requirements, with a waiver process for devices that are necessary for national security, needed for research, or secured using alternative and effective methods.
As for contractors, the legislation requires contractors providing IoT devices to the U.S. government to adopt coordinated vulnerability disclosure policies so that if a vulnerability is uncovered, that information is disseminated.
The legislation has been a long time in the making. It was initially introduced in 2017 by Sens. Warner and Gardner. Then, Reps. Kelly and Hurd introduced it in 2018. It has been introduced in every subsequent Congress, before finally being passed in the House in September and the Senate in November of this year.