House Oversight Votes to Secure Connected Devices in Government

The House Oversight Committee on Wednesday gave its stamp of approval to legislation that aims to lock down government devices that connect to the internet.

The Internet of Things Cybersecurity Improvement Act, sponsored by Reps. Will Hurd, R-Texas, and Robin Kelly, D-Ill., would create a basic set of security standards for the myriad web-connected devices in the government’s IT ecosystem.

Under the legislation, agencies would only be able to buy devices that accept security patches and let users change default passwords, features that aren’t available for many of the billions of internet-connected devices sold every year. Vendors would also be responsible for alerting the government to security vulnerabilities as they arise and promptly patching those bugs.

Kelly and Hurd introduced a similar version of the bill last session of Congress, but it was never put to a vote. Sen. Mark Warner, D-Va., is sponsoring a companion bill in the Senate.

Unlike previous versions of the bill, the latest legislation excludes personal computers, smartphones and other full-fledged computing devices from its purview. While vendors are often incentivized to lock down these general purpose systems, security isn’t always a top priority for smaller networked devices, like smart toasters or internet-connected thermostats.

By raising the bar for federal vendors, the legislation aims to leverage the government’s substantial purchasing power to drive the broader market toward security.

“As technology changes and revolutionizes the delivery of services, the government is purchasing and using more and more Internet-connected devices,” Kelly said in a statement. “We have an obligation to prevent these devices from becoming a backdoor for hackers and tools for cybercriminals.”

Beyond specific security requirements, the legislation also includes a number of measures intended to help the government better manage the threats posed by the internet of things.

The bill would require the National Institute of Standards and Technology to create guidance for how the government should secure the network-connected devices in its ecosystem and charge the Office of Management and Budget with ensuring agencies implement those recommendations.

NIST, OMB and the General Services Administration would also work together to create and enforce vulnerability disclosure requirements for companies selling devices to the government.

“Internet of things devices will improve and enhance nearly every aspect of our society, economy and everyday lives—and are growing rapidly,” Hurd said in a statement. “We must act now to ensure these devices are built with security in mind, not as an afterthought.”