Draft Bill Would Create Connected Device Advisory Board for Agencies

A House lawmaker wants to make sure federal agencies using internet-connected devices can keep them safe—and she wants industry’s help to do it.

Rep. Robin Kelly, D-Ill., released a discussion draft of the Internet of Things Cybersecurity Improvement Act—a companion to one already in the Senate—to gather feedback from industry and policymakers about cyber protections.

“The private sector is developing these devices so they understand them better than anyone,” Kelly said in a statement to Nextgov.

» Get the best federal technology news and ideas delivered right to your inbox. Sign up here.

Like its Senate counterpart, the bill aims to create “minimal cybersecurity operational standards” to reduce the vulnerabilities sensors and internet-connected devices introduce to federal networks. Contractors also would be required to share written certification that devices do not contain known security flaws or defects before agencies purchase them.

As connected devices proliferate, federal agencies must ramp up cybersecurity protections for “vital infrastructure, classified materials and citizen’s sensitive personal data,” Kelly said.

The two versions differ in that the House bill would also establish an advisory board that would look into definitions and goals for effective internet-of-things standards. The Office of Management and Budget director would lead the emerging technologies advisory board, which would include the heads of the Homeland Security Department, the General Services Administration, the Federal Communications Commission, and the National Telecommunications and Information Administration.

Within six months of enacting the bill, the OMB director, along with other agency leaders, would be required to issue guidelines for requirements for agencies when buying those devices. Contractors also would need to share with the agencies information about how easily the devices can be updated, how those updates take place, and what kind of security support they provide. They would formally notify agencies when support for specific devices ends.

Agencies can define conditions under which devices do not need to comply with these requirements, if it’s “infeasible or economically impractical,” the draft notes. The bill also directs agencies to maintain an inventory of all the devices in use; the OMB director and Homeland Security secretary would issue guidelines for that inventory within a month of enactment.

Five years after enactment, the OMB director would submit a report to Congress on the effectiveness of such guidelines.

The legislation is intended to prevent incidents like a distributed denial-of-service attack leveled on Dyn last year, in which malware caused widespread internet outages, Kelly said. That attack demonstrates how hackers can “turn Internet-connected devices into an army of bots.”

Kelly may introduce the bill in the fall, according to her office.