This week, the Internet of Things Cybersecurity Improvement Act (HR 1668), which was first introduced in March 2019, passed the House vote. 

“Internet of Things” (or “IoT”) describes a network of physical devices embedded with sensors, software and other technology to connect and exchange date with other devices and systems through the internet.  While the benefit of IoT devices is substantial, data security related to these devices is challenging.  Weaknesses in one IoT device can result in vulnerabilities to the other devices on the network. 

Under the IoT Bill, devices purchased by the United States government must meet certain, minimum security requirements.  Pursuant to this legislation, the National Institute of Standards and Technology (the “NIST”) will be tasked with specifying particular measures for agencies to employ, which could include network segmentation, use of gateways, utilization of operating system containers, and micro-services.  The Office of Management and Budget (“OMB”) will issue specific guidelines that agencies must follow to comply with the IoT Bill and must review those guidelines on a regular basis.

Importantly, the IoT Bill places numerous obligations on vendors of IoT devices.  These vendors must ensure that their IoT devices are patchable, do not contain known vulnerabilities, rely on standard protocols, and do not contain hard-coded passwords.  If an agency believes that it must utilize a device that does not comply with these standards, it may ask the Office of Management and Budget (the “OMB”) for permission to purchase non-compliant devices if it can demonstrate that other security controls have been put in place. A companion bill (S 734) still awaits.  Meanwhile, it is crucial that vendors who develop and provide IoT devices have a clear understanding of this IoT legislation and how to comply with its mandates.