The Internet of Things Cybersecurity Improvement Act of 2019 was introduced in Congress back in March, and if adopted, the bill would require the development of detailed policy guidance aimed at significantly improving cybersecurity for the IoT. Introduced by a group of bipartisan lawmakers, the bill seeks “to leverage federal government procurement power to encourage increased cybersecurity for IoT devices.” The bill comes after two previous legislative attempts and years of the Defense Department’s repeated emphasis on the need to bolster cybersecurity standards and policies for IoT systems.
According to a press release accompanying the introduction of the Senate bill, the IoT “is expected to include over 20 billion by 2020. While these devices and the data they collect and transmit present enormous benefits to consumers, the relative insecurity of many devices presents enormous challenges. Sometimes shipped with factory-set, hardcoded passwords and oftentimes unable to be updated or patched, IoT devices can represent a weak point in a network’s security, leaving the rest of the network vulnerable to attack.”
In short, the act aims to shore up cybersecurity requirements for devices purchased and used by the federal government, while influencing cybersecurity on these types of systems more broadly. To accomplish this goal, the bill outlines several action items for the directors of the National Institute of Standards and Technology (NIST) and the Office of Management and Budget (OMB).
NIST would be directed to complete, by Sept. 30, 2019, all ongoing efforts related to managing IoT cybersecurity, particularly its work in identifying cybersecurity capabilities. Those efforts are to address secure development, identity management, patching and configuration management for the devices. NIST would also be tasked with developing, by March 31, 2020, recommendations on “the appropriate use and management” of IoT devices “owned or controlled by the federal government,” to include “minimum information security requirements.” Following this, the OMB would have 180 days to issue guidance to each agency, consistent with NIST’s recommendations.
This is a fresh approach for this type of bill. Its two failed predecessors, the Internet of Things Cybersecurity Improvement Act of 2017 and the Internet of Things Federal Cybersecurity Improvement Act of 2018, both focused on “providing minimal cybersecurity operational standards for internet-connected devices purchased by federal agencies.” However, unlike the current proposal, they contained only limited guidance to NIST and instead focused on OMB and on imposing contractual requirements.
In comparison, the 2019 legislation links to prior Defense Department recommendations. The department’s chief information officer has declared that the department must adopt policies that enable it to “react to security incidents and ensure appropriate diligence with regard to the security, integrity, confidentiality and safety of IoT devices.”
Looking ahead, IoT cybersecurity will only take on greater significance. And while the prospects for enactment of this specific bill remain unclear, the potential new requirements warrant close attention.