Bill that requires security standards for government purchases of IoT devices signed into law

Legislation requiring security standards for any Internet of Things (IoT) device purchased with government money was signed into law this week.

The IoT Cybersecurity Improvement Act, introduced by Reps. Will Hurd (R-TX) and Robin Kelly (D-IL), requires the National Institute of Standards and Technology (NIST) to publish standards and guidelines on the use and management of IoT devices by the federal government. This should include minimum information security requirements for managing cybersecurity risks associated with IoT devices. The law also directs the Office of Management and Budget (OMB) to review federal government information security policies and make any necessary changes to ensure they are consistent with NIST’s recommendations. Also, NIST and OMB are required to update IoT security standards, guidelines, and policies at least every five years.

“My philosophy is simple and has remained the same: the only way we get big things done in Congress is by working together. My bipartisan effort with Rep. Kelly to ensure taxpayer dollars are only being used to purchase IoT devices that meet basic, minimum security requirements is the perfect example of that,” Hurd said. “While IoT devices improve and enhance nearly every aspect of our society, economy, and everyday lives, these devices must be secure in order to protect Americans’ personal data. I’m proud this is my 17th piece of legislation to be signed into law in 5 years, and I’m working to add to that number before the end of my term.”

The law also prohibits the procurement or use by federal agencies of IoT devices that do not comply with these security requirements. It also directs the OMB to develop and implement policies necessary to address security vulnerabilities relating to federal agency information systems, including IoT devices, consistent with NIST’s guidelines.
Require contractors providing IoT devices to the U.S. government to adopt coordinated vulnerability

“The bipartisan Internet of Things Cybersecurity Improvement Act is a critical step towards strengthening U.S. government IT systems and will help officials patch existing vulnerabilities to protect our national security and the personal information of American families,” Kelly said. “This law would not have been possible without the leadership of Senators Warner and Gardner passing it through the Senate and Representative Hurd through the House. This is a perfect example of two sides coming together to make our country more secure and prosperous.”