Last month the US House of Representatives unanimously passed legislation to ensure that a minimum security requirement (set by the National Institute of Standards and Technology, NIST) is met by all Internet of Things (IoT) devices that are acquired by the federal government.
Named the bipartisan Internet of Things (IoT) Cybersecurity Improvement Act of 2020, the legislation is designed to cover a very wide variety of connected devices. As well as encompassing mobile phones and computers, the act also includes all other devices connected to federal networks.
Approved by the House Oversight and Reform Committee last year, the bill doesn’t include consumer IoT equipment, but it does require government suppliers of these connected devices to inform the relevant agencies of any known vulnerabilities that could be exploited by attackers.
House member, Will Hurd, a sponsor of the bill, thinks that this new legislation will tackle the federal governments supply chain risk. He said “Securing the Internet of Things is a key vulnerability Congress must address. While IoT devices improve and enhance nearly every aspect of our society, economy and everyday lives, these devices must be secure in order to protect Americans’ personal data.”
Bipartisan Internet of Things Cybersecurity Improvement Act of 2020 require several things of the NIST, mainly revolving around the publishing of standards and guidelines regarding the use and management of IoT devices by the federal government. This also incorporates setting minimum information security requirements for IoT devices. The act also states that these guidelines, as well as any policies created, must be updated at least every five years.
Guidelines for the reporting of security vulnerabilities that relate to federal agency information systems is also to be published by the NIST. The Office of Management and Budget (OMB) has been instructed to make any changes needed to ensure any federal government information security policies are in line with the NIST’s guidelines. The new act also necessitates contractors who supply the US government with IoT devices to implement corresponding policies, to ensure that if a vulnerability is uncovered, the information is distributed.