The bill excludes broad waivers that had concerned some cybersecurity professionals.
A bill that will bar federal agencies from purchasing certain internet-of-things devices unless they adhere to security guidelines issued by the National Institute of Standards and Technology has cleared Congress.
Cybersecurity professionals, including a senior former official, cheered unanimous passage of the bill—H.R. 1668, which the House passed in September—through the Senate Tuesday evening as it now heads to the president’s desk for a signature.
The bill calls for NIST to develop guidelines with basic security features the devices should have—within 90 days of enactment—and those for disclosing security vulnerabilities—within 180 days of enactment—that agencies must follow when making their procurement decisions.
NIST has already outlined certain capabilities manufacturers of IoT devices should include in their products and is developing a federal profile based on those, which is open for comment.
The bill, led in the House by Reps. Robin Kelly, D-Ill., and Will Hurd, R-Texas, was originally proposed in 2017 by Sens. Mark Warner, D-Va., and Cory Gardner, R-Colo., and is seen as a way to drive better cybersecurity practices among product manufacturers across the economy.
“While more and more products and even household appliances today have software functionality and internet connectivity, too few incorporate even basic safeguards and protections, posing a real risk to individual and national security,” Warner said in a press release. “I’m proud that Congress was able to come together today to pass this legislation, which will harness the purchasing power of the federal government and incentivize companies to finally secure the devices they create and sell. I urge the President to sign this bill into law without delay.”
A version of the Senate bill contained broad waivers that would have allowed agencies to avoid the procurement rule based on the affordability of devices and whether they fit the functions they were intended for. Those, cybersecurity professionals at Rapid7 said, had the effect of essentially neutralizing the legislation, and Warner agreed it would be ideal if a final bill could get closer to the House version.
The prohibitions in the bill won’t apply until two years after its enactment, but members of the cybersecurity community were encouraged by its passage.
“Call me giddy,” tweeted Megan Stifel, executive director of the Americas for the nonprofit Global Cyber Alliance and director of international cyber policy for President Obama’s National Security Council.
She was responding to Harley Geiger, policy director of the cybersecurity firm Rapid7, who noted the bill did not get through the legislative process without friction. Various aspects of the legislation have been opposed by the U.S. Chamber of Commerce.
“@MarkWarner and his staff deserve special credit for years of work on this important legislation, as well as @RepRobinKelly, @SenCoryGardner, and @HurdOnTheHill. Passing a not-uncontroversial bill is a feat even without an election, a pandemic, and heightened partisanship,” Geiger wrote. “Kudos!”