On March 11, 2019, a bipartisan group of lawmakers including Sen. Mark Warner and Sen. Cory Gardner introduced the Internet of Things (IoT) Cybersecurity Improvement Act of 2019. The Act seeks “[t]o leverage Federal Government procurement power to encourage increased cybersecurity for Internet of Things devices.” In other words, this bill aims to shore up cybersecurity requirements for IoT devices purchased and used by the federal government, with the aim of affecting cybersecurity on IoT devices more broadly.To accomplish this goal, the Act puts forth several action items for the Director of the National Institute of Standards and Technology (“NIST”) and the Office of Management and Budget (“OMB”). Details of these action items and their deadlines are discussed below.
- NIST is directed to complete, by September 30, 2019, all ongoing efforts related to managing IoT cybersecurity, particularly its work in identifying cybersecurity capabilities for IoT devices. Under the bill, those NIST efforts are to address at least: (i) secure development, (ii) identity management, (iii) patching, and (iv) configuration management for IoT devices.
- NIST is directed to develop, by March 31, 2020, recommendations on “the appropriate use and management” of IoT devices “owned or controlled by the Federal Government.” These recommendations are expected to include “minimum information security requirements” that address the cybersecurity risks of IoT devices owned or controlled by the federal government. Once these recommendations are issued, OMB will have 180 days to issue guidance to each agency, consistent with NIST’s recommendations.
Additionally, the bill would require NIST to do the following within 180 days of its enactment:
- Publish a draft report addressing considerations for managing cybersecurity risks associated with the “increasing convergence of traditional Information Technology devices, networks, and systems with Internet of Things devices, networks, and systems and Operational Technology devices, networks and systems.”
- Consult with cybersecurity researchers and private-industry experts to publish guidance relating to the reporting and resolution of security vulnerabilities discovered in federal government IoT devices.
– OMB will then have 180 days to issue guidelines for each government agency, based on NIST’s recommendations. Those recommendations are required to be consistent with the information security requirements that are imposed on federal information systems in Title 44. OMB’s guidelines are also required to prohibit acquisition or use of IoT devices from a contractor or vendor that fails to comply with NIST’s security vulnerability guidance.
– Once OMB issues its guidance to agencies, these requirements will need to be included in a revision to the Federal Acquisition Regulation (FAR), which governs all federal procurement of goods and services using appropriated funds. No specific date for when these regulations should be promulgated are included in the current draft of the bill.
Notably, the Act also recognizes the debate about what constitutes an “IoT device.” It would apply to a “covered device,” which is defined as a “physical object” that: (1) is capable of connecting to and is in regular connection with the internet, (2) has computer processing capabilities that can collect, send, or receive data; and (3) is not a general-purpose computing device, including personal computing systems, smart mobile communications devices, programmable logic controls, and mainframe computing systems. At the same time, it directs OMB to establish a process for interested parties to petition for a decision that a device is not covered by this definition, potentially providing clarity for makers of devices about whether they are covered by the measure.
This bill follows two failed bills from the last congressional term: the Internet of Things (IoT) Cybersecurity Improvement Act of 2017 and the Internet of Things (IoT) Federal Cybersecurity Improvement Act of 2018. The 2017 and 2018 Acts both focused on “provid[ing] minimal cybersecurity operational standards for Internet-connected devices purchased by Federal agencies.” The prior bills contained only limited guidance to NIST and instead focused on OMB. For example, the 2017 bill required OMB to provide guidelines on specific, enumerated contractual terms in vendor contracts for IoT devices. The 2018 bill directed OMB to consider “voluntary consensus standards” in its promulgation of guidelines on contractual terms.
The current bill also follows increasing efforts by NIST to focus on IoT cybersecurity. Its efforts include development of a “baseline” set of cybersecurity capabilities for IoT devices. NIST announced earlier this month that it is seeking feedback on its proposal, especially insights into identifying those cybersecurity capabilities that could be achieved across the widest set of IoT devices.