If passed, the Internet of Things Cybersecurity Improvement Act of 2019, introduced in the Senate and House Monday, would compel the U.S. government to purchase only devices that meet the legislation’s minimum security requirements.
“While I’m excited about their life-changing potential, I’m also concerned that many IoT devices are being sold without appropriate safeguards and protections in place, with the device market prioritizing convenience and price over security,” said Sen. Mark Warner, the co-chair of the Senate Cybersecurity Caucus, who introduced the bill with co-chair Sen. Cory Gardner, R-Colo., and Sens. Maggie Hassan, D-N.H., and Steve Daines, R-Mont. “This legislation will use the purchasing power of the federal government to establish some minimum security standards for IoT devices.”
The bill would require the National Institute of Standards and Technology (NIST) to craft recommendations that address secure development, identity management, patching and configuration management for IoT devices as well as press the Office of Management and Budget (OMB) to come up with agency guidelines based on the NIST guidance. OMB would be required to review agency policies every three years. The government would be restricted to purchasing only those devices that comply with the NIST recommendations.
The legislation would also compel NIST to work with security researchers and industry to coordinate vulnerability disclosure, while requiring contractors and vendors to maintain coordinated vulnerability disclosure policies so that information on a vulnerability is disseminated to government agencies.
“This bipartisan bill is an important step towards steering IoT manufacturers in the direction of stronger security for all devices that fuel our hyper-connected world,” said Phil Neray, vice president of industrial cybersecurity at CyberX.
For too long, many IoT device makers “have deprioritized security in favor of faster time-to-market and lower costs,” said Neray, noting that many devices have weak security and lack even the basics, such as simple patching and the removal of hard-coded administrative passwords. “As a result, IoT devices present a particularly soft target for adversaries, who use them as convenient entry-points to compromise our smart buildings, smart cities, and smart factories.”
Companion legislation also was introduced in the House by Rep. Will Hurd, R-Texas, and Rep. Robin Kelly, D-Ill.