Congress has unanimously passed the bipartisan IoT Cybersecurity Improvement Act, which would set minimum security requirements for developing, patching, and configuring Internet of Things.
The IoT Cybersecurity Improvement Act requires all IoT devices purchased by the government meet minimum security requirements, such as how vulnerabilities are patched. Under the new law, the National Institute of Standards and Technology would create the security standards for development, patching, and identity and configuration management of IoT. Government agencies are required to make sure all IoT purchases follow the NIST recommendations. Device vendors will also be required to have a formal process of how vulnerabilities would be reported.
The road for the bipartisan bill was a slow one, despite the fact that there was broad bipartisan support for the bill and it was not controversial at all. It was a bill that simply said that Internet devices should be secure and meet some standards. The bill was first introduced in 2017 and reintroduced in 2019. The House of Representatives unanimously passed the bill back in September. The bill passed the Senate, also unanimously, and now needs to be signed into law by the president.
The legislation was supported by Sen. Mark Warner (D-Va.) and outgoing Sen. Cory Gardner (R-Colo), as well as Reps. Will Hurd (R-Tex.) and Robin Kelly (D-Ill.). It also has industry backing from major security cand technology companies. The Senators, Representatives, and their staff “deserve special credit for years of work on this important legislation, as well as,” Harley Lorenz Geiger, director of public policy at Rapid7, wrote on Twitter. “Passing a not-uncontroversial bill is a feat even without an election, a pandemic, and heightened partisanship. Kudos!”
The IoT Cybersecurity Improvement Act has several key provisions. Along with requiring NIST to issue standards-based guidelines for devices owned or controlled by the federal government, the law specifies that federal acquisition rules must be updated to reflect the security standard and guidelines. Federal agencies cannot procure, obtain, or renew contracts for devices that cannot meet these guidelines. The Office of Management and Budget will also be issuing rules requiring federal civilian agencies to have information security policies consistent with NIST guidelines.
One of the sections also focuses on federal agencies implementing a vulnerability disclosure policy, a requirement that extends to contractors providing information systems to agencies. This will be particularly important since this will guide both the public and private sector on how to disclose vulnerabilities in these devices, and potentially encourage more public coordination.
While there has been some efforts within different parts of the federal government to carve out basic security requirements for IoT, this law is the first substantial government action, to date. Some federal agencies have required devices within their scope to have some level of security, such as the Food and Drug Administration issuing regulations for medical devices, but most of the leadership has been on the state level (California and Oregon) or internationally (the United Kingdom).
Once the bill is signed into law, the United States can claim a leadership position on IoT security “at a time when most bold IoT security initiatives seem to emanate from US states and non-US countries,” Geiger said.
The bill applies only to IoT used in federal networks and not broadly across every internet-enabled device. The responsibility for secure and trustworthy IoT lies ultimately with the manufacturers, so they can choose not to follow the NIST recommendations and still be able to sell outside the federal government. While that seems like the law would have a limited impact, setting government standards is actually a good way to get the broader marketplace to follow because it is setting an example.
Consumers can demand better security—they may not know exactly what they are getting, but the fact that some devices are more secure than others will drive their purchasing decisions. It’s a little similar to how consumers may look for the phrase “military-grade encryption” in their devices, because it sounds more secure.
Without consumer pressure, “it’s unlikely we’ll see the level of action required to turn the IoT security tides across the board,” Geiger wrote for Rapid7 back in September after the House passed its version of the bill.
The Cybersecurity Solarium Commission made more than 75 recommendations on how the executive and legislative branches of government could overhaul its cybersecurity strategy, and the security of Internet-enabled devices was one of the things it focused on. Since the report was released earlier this year, the commission has continued to make other recommendations for elevating the security of all IoT devices—not just in federal government—such as unique authentication by default, which would require IoT devices to have new identification once plugged into a network.
“The U.S. government is setting the tone from the top, and until guidelines or formal regulations are implemented at an end user level, it’s a shared responsibility to be smart when it comes to IoT usage,” Geiger said.