The House this week took up and passed the Internet of Things (IoT) Cybersecurity Improvement Act, a bill originally introduced by U.S. Sens. Cory Gardner (R-CO) and Mark Warner (D-VA) in 2017, which would require Internet-connected devices purchased by the government to meet certain security requirements.
The Senate Homeland Security and Governmental Affairs Committee advanced the IoT Cybersecurity Improvement Act in June last year. Both versions of the bill would institute minimum requirements for Internet-connected devices bought by the government, as established by the National Institute of Standards and Technology (NIST) and enforced by the Office of Management and Budget. Those requirements will, at the very least, apply to development, identity management, patching, and configuration management.
“Most experts expect tens of billions of devices operating on our networks within the next several years as the Internet of Things (IoT) landscape continues to expand,” Gardner said. “We need to make sure these devices are secure from malicious cyber-attacks as they continue to transform our society and add countless new entry points into our networks, particularly when they are integrated into the federal government’s networks.”
The bill would also direct NIST to collaborate with cybersecurity researchers, industry experts, and the Department of Homeland Security to create guidance on coordinated vulnerability disclosure and guarantee such vulnerabilities on agency devices are addressed. Any contractors and vendors providing information systems to the government would also have to adopt coordinated vulnerability disclosure policies to ensure discovered vulnerabilities can be shared with vendors and remediation pursued.