This time the bill has bipartisan support in both houses of Congress.
Lawmakers have resurrected bipartisan legislation that would establish baseline security requirements for all internet-connected devices purchased by the government.
The Internet of Things Cyber Security Improvement Act was introduced this week in both chambers of Congress by Sen. Mark Warner, D-Va., and Rep. Robin Kelly, D-Ill., and shares some of the same features as legislation both introduced last year that never made it to a vote.
Under the bill, the government could only purchase web-connected devices that accept security patches and allow users to change default passwords, options that aren’t always available in the billions of IoT devices sold in the consumer market each year.
In addition, companies would have to notify agencies of any security vulnerabilities they discover and issue software patches to deal with new threats.
“As the government continues to purchase and use more and more internet-connected devices, we must ensure that these devices are secure. Everything from our national security to the personal information of American citizens could be vulnerable because of security holes in these devices,” Kelly said in a statement. “As these devices positively revolutionize communication, we cannot allow them to become a backdoor to hackers or tools for cyberattacks.”
However, as pointed out by Politico, the new IoT bill is not an exact replica of the legislation that died last year.
First, the bill’s authors tweaked what internet-connected devices would be covered under the law. The new bill excludes “a general-purpose computing device, including personal computing systems, smart mobile communications devices, programmable logic control and mainframe computing systems” from its definition of covered devices.
In addition, the new bill removes the agency- or chief information officer-issued waivers found in the prior legislation.
“While I’m excited about their life-changing potential, I’m also concerned that many IoT devices are being sold without appropriate safeguards and protections in place, with the device market prioritizing convenience and price over security,” Warner said in a statement. “This legislation will use the purchasing power of the federal government to establish some minimum security standards for IoT devices.”
According to a statement from Kelly, the legislation would also:
- Require the National Institute of Standards and Technology to issue recommendations addressing, at a minimum, secure development, identity management, patching, and configuration management for IoT devices.
- Direct the Office of Management and Budget to issue guidelines for each agency that are consistent with the NIST recommendations, and charge OMB with reviewing these policies at least every five years.
- Require any internet-connected devices purchased by the federal government to comply with those recommendations.
- Require contractors and vendors providing IoT devices to the U.S. government to adopt coordinated vulnerability disclosure policies, so that if a vulnerability is uncovered, that information is disseminated.
- Direct NIST to work with cybersecurity researchers and industry experts to publish guidance on coordinated vulnerability disclosure to ensure that vulnerabilities related to agency devices are addressed.
So far, the Senate version has the support of three co-sponsors and the House version has 13, including Reps. Gerry Connolly, D-Va., Will Hurd, R-Texas, and Mark Meadows, R-NC.