GAO: Majority of Agencies Use Connected Devices But Hurdles Remain


Agencies frequently run into cybersecurity questions and interoperability issues when implementing the internet of things.

A new audit indicates many federal agencies use internet of things technologies and likely plan to continue using them into the future, but cybersecurity and interoperability concerns remain. 

The Government Accountability Office surveyed 115 chief information officers and senior information technology officials, largely based on CIO Council membership. In addition, GAO surveyed the Commerce and Homeland Security departments, the Environmental Protection Agency and NASA. Of the 90 respondents, 56 say their agency uses internet of things technologies. 

Most often, agencies report using IoT for controlling or monitoring systems or equipment, controlling access to devices or facilities or to track physical assets like fleet vehicles. In terms of benefits, agencies said IoT helps them collect more data and increase operational efficiencies. 

The case study of the EPA revealed an example of the benefits of using IoT to increase data collection. During a factory fire in New Jersey, according to the report, EPA used sensors to monitor the release of chlorine gas in order to understand how the gas was dispersing in real time. 

“According to EPA officials, this helped EPA and other emergency responders coordinate a proper response, including directing some civilians to shelter in place,” the report reads. 

One of IoT technology’s major selling points is that it frees up employees to perform higher-level work by streamlining and automating rote tasks. The GAO report confirms federal agencies saw higher levels of efficiency. IoT allowed 43 of the responding agencies “to accomplish more with the same resources.”

The National Oceanic and Atmospheric Administration also reported IoT allows the agencies to access places it otherwise wouldn’t have been able to go. With IoT, NOAA can place sensors around active volcanoes. 

The audit comes as a significant IoT cybersecurity bill advances in Congress. The House passed a bill Tuesday that would direct the National Institute of Standards and Technology to develop guidelines on the use of IoT devices and the management of their vulnerabilities. 

The Office of Management and Budget along with the Cybersecurity and Infrastructure Security Agency would use NIST’s guidelines to develop standards for agencies to follow when purchasing IoT devices. Federal contractors and subcontractors would also have to comply with the guidelines in order to coordinate vulnerability disclosures. 

The GAO audit appears to demonstrate the need for such a bill. In two instances documented in the report, cybersecurity problems prevented agencies from adopting or continuing to use IoT altogether. More than 40 agencies surveyed said cybersecurity was “somewhat” to “very” challenging for IoT. 

Interoperability presents another roadblock for IoT. It’s a theme across federal IT: There’s little value in adopting new technologies if they can’t work with legacy systems. For NASA, IoT devices had to be segregated from legacy systems developed pre-IoT so that the agency could control how the two types of systems interact with each other. 

“However, NASA officials said that systems segregation eliminates some of the benefits that can be achieved with IoT technologies because the IoT data have to be imported into the legacy systems,” the report reads. “NASA officials said they would like to take advantage of new technologies and are looking for ways to further address the interoperability issue.”

Two other issues also popped up in the audit—whether agencies have personnel knowledgeable enough to use IoT and whether privacy of personally identifiable information is being protected—though about the same number of agencies flagged these concerns as agencies that reported they weren’t a problem. 

One aspect of IoT agencies may need to take into consideration moving forward is whether a need for specific guidelines for IoT beyond general IT standards exists. Though many agencies told GAO applying IT standards to IoT technology is working just fine, NASA, NOAA and EPA officials all indicated it may be helpful to develop related to acquisition and use of IoT anway. 

“According to NIST officials, current government-wide IT policies include IoT technologies, and therefore there is no need for additional IoT-specific policies at this time, but as IoT use increases, NIST will continue to monitor whether there is a need for change,” the report reads.