‘Relatively few’ agency policies met standards for IoT security, OMB reports


Early last year, the Office of Management and Budget ran a sweeping assessment of agency IoT device security policies. Most fell short of aligning with NIST guidance, according to a letter sent to Sen. Mark Warner, D-Va.

Most agencies did not have policies in place to address a swath of federally mandated cybersecurity requirements for procured internet of things devices at the beginning of last year, according to a previously unreported Office of Management and Budget letter sent to Congress last month and obtained by Nextgov/FCW.

The Dec. 15 missive from OMB Associate Legislative Affairs Director Wintta Woldemariam was addressed to Senate Intelligence Committee Chair Mark Warner, D-Va., in response to his September request that OMB provide an update on how the federal oversight agency was implementing requirements in his 2020 Internet of Things Cybersecurity Improvement Act.

That legislation, which was designed to leverage the purchasing power of the federal government to influence security standards in the IoT ecosystem, directed OMB to run a review of agency policies on obtaining IoT devices to ensure they were aligned with National Institute of Standards and Technology IoT cybersecurity guidelines.

“Beginning in early 2023, OMB assessed agency policies for consistency with NIST’s standards and guidelines by conducting a time- and labor-intensive series of meetings with a diverse set of agencies to better understand how they are deploying, managing, and securing IoT assets,” Woldemariam wrote. “Based on those engagements, OMB concluded that relatively few formal agency policies address the selection of cybersecurity requirements specifically for IoT devices,” the letter added.

An exact number of assessed agencies was not provided. Nextgov/FCW has reached out to OMB for comment.

The letter later adds that four computer systems across the entire federal enterprise overseen by OMB had IoT devices that did not comply with NIST guidelines but were granted exceptions via a waiver provision that allowed the devices to be obtained for national security or research purposes, or if the devices were secured in an alternate way. Those four systems accounted for under 2% of the total number of systems with IoT devices that agencies reported to OMB, and no agency possessed more than one system with a waiver, the letter notes.

OMB anticipates that recently updated Federal Information Security and Privacy Management guidance — required under the Federal Information Security Modernization Act of 2014 — will help lay groundwork for improved federal IoT security policy. The Chief Information Security Officers’ Council will also work with agencies on IoT best practices.

As it pertains to IoT devices, the guidance, released in early December, directs agencies to list out an inventory of their IoT assets that contain programmable controllers, sensors, integrated circuits and other components that allow for data collection and transmission.

“I’m encouraged by the progress that OMB has made in recent months, especially in completing the assessment of agency policies, and defining a series of firm deadlines for crucial steps towards full implementation,” Warner said in remarks provided to Nextgov/FCW.

The Federal Communications Commission is taking the lead on a Cyber Trust Mark program that would provide information to consumers about the security of internet-connected devices. OMB, which is serving as a key player in the label development, argued in the letter that such a program would simplify government IoT procurement and reduce technology security risks within the government.

The release of the OMB letter follows news that the General Services Administration used “egregiously flawed” market research in its decision to purchase 150 Chinese-made video conferencing cameras that did not comply with U.S. trade standards, the agency’s oversight office said in an analysis released last week.