Bipartisan legislation has been introduced in the Senate and the House of Representative to improve the cybersecurity of Internet-connected devices. The Internet of Things (IoT) Cybersecurity Improvement Act of 2019 would require that devices purchased by the U.S. government meet certain minimum security requirements. 

The legislation is being introduced in the Senate by U.S. Sens. Mark R. Warner (D-VA) and Cory Gardner(R-CO), co-chairs of the Senate Cybersecurity Caucus, along with Sens. Maggie Hassan (D-NH) and Steve Daines (R-MT), while Reps. Robin Kelly (D-IL) and Will Hurd (R-TX) are introducing companion legislation in the House of Representatives.

“While I’m excited about their life-changing potential, I’m also concerned that many IoT devices are being sold without appropriate safeguards and protections in place, with the device market prioritizing convenience and price over security,” said Sen. Warner, a former technology entrepreneur and executive and Vice Chairman of the Senate Select Committee on Intelligence. “This legislation will use the purchasing power of the federal government to establish some minimum security standards for IoT devices.” 

“The Internet of Things (IoT) landscape continues to expand, with most experts expecting tens of billions of devices to be operating on our networks within the next several years,” Sen. Gardner said. “As these devices continue to transform our society and add countless new entry points into our networks, we need to make sure they are secure, particularly when they are integrated into the federal government’s networks. Agencies like the National Institute of Standards and Technology (NIST), which has a major campus in Boulder, are key players in helping establish guidelines for improved IoT security and our bill builds on those efforts. As co-chairs of the Senate Cybersecurity Caucus, Senator Warner and I remain committed to advancing our nation’s cybersecurity defenses.”

At a hearing of the Senate Armed Services Committee last year, the Director of the Defense Intelligence Agency, Lt. General Robert Ashley, described exploitation of insecure IoT devices as one of the two “most important emerging cyber threats to our national security.” Last May, the Departments of Commerce and Homeland Security published a report highlighting the IoT market forces that reward low-price and convenience at the expense of security. The signature recommendation of the May 2018 report was that the Federal government should “lead by example” by requiring the acquisition of more secure and resilient products and services, particularly IoT. The IoT Cybersecurity Improvement Act will address both this market failure and the supply chain risk to the federal government stemming from insecure IoT devices by establishing light-touch, minimum security requirements for procurements of connected devices by the government. 

Specifically, the Internet of Things (IoT) Cybersecurity Improvement Act of 2019 would:

• Require the National Institute of Standards and Technology (NIST) to issue recommendations addressing, at a minimum, secure development, identity management, patching, and configuration management for IoT devices.

• Direct the Office of Management and Budget (OMB) to issue guidelines for each agency that are consistent with the NIST recommendations, and charge OMB with reviewing these policies at least every five years.

• Require any Internet-connected devices purchased by the federal government to comply with those recommendations.

• Direct NIST to work with cybersecurity researchers and industry experts to publish guidance on coordinated vulnerability disclosure to ensure that vulnerabilities related to agency devices are addressed.

• Require contractors and vendors providing IoT devices to the U.S. government to adopt coordinated vulnerability disclosure policies, so that if a vulnerability is uncovered, that information is disseminated.

The bill is also supported by Rapid7, CTIA, and Tenable. Similar legislation was previously introduced in the 115th Congress.