On November 17, the U.S. Senate unanimously approved the Internet of Things Cybersecurity Improvement Act (H.R. 1668). The bill had strong bipartisan support and easily passed in the U.S. House of Representatives in September. The bill now waits to be signed by President Trump.
This bill mandates the creation of baseline security standards for all federal government purchases of internet-connected devices. The National Institute of Standards and Technology (“NIST”), which has previously published general best practices for the “Internet of Things” (“IoT”), will partner with the Office of Management and Budget (“OMB”) to draft these standards. The bill also requires IoT vendors to create vulnerability disclosure policies that detail security flaws to federal officials.
Representative Robin Kelly, D-Ill., a member of the bipartisan sponsor group for the bill’s House version, stated that the bill “will ensure that the U.S. government purchases secure devices and closes existing vulnerabilities to protect our national security and the personal information of American families.” Representative Kelly elaborated earlier this year on the need for the bill, stating “[w]e cannot wait as more devices are connected to government networks that could potentially become part of a botnet or an entryway for hackers.”
Internet-connected devices may include heating and cooling systems, lighting, elevators, medical devices, and potentially vehicles.
A prior version of the bill was introduced in 2017 but did not move out of the Senate. The current bill alleviates concerns that the prior bill was overbroad by explicitly excluding certain categories of devices, such as personal computers.
The current bill also has industry support, notably from the Software Allegiance, a trade group representing major tech companies such as Apple and Microsoft.
Troutman Pepper will provide updates on future movements regarding the Internet of Things Cybersecurity Improvement Act and other related statutes and regulations.