“Internet of Things” Guidance to be Added to Cybersecurity Requirements for Agencies and Federal Contractors

Sheppard Mullin Richter & Hampton LLP

Sheppard Mullin Richter & Hampton LLP

In 2019, cybersecurity has become top-of-mind for most federal government contractors and agencies that share sensitive information.  In addition to updated Department of Defense guidance and procedures for evaluating contractors’ compliance with cybersecurity requirements, as well as an increase in Department of Defense cybersecurity audits, the Federal Acquisition Regulation (FAR) council also has promised a new FAR clause that will require compliance with NIST SP 800-171 security controls for civilian agency contractors that receive or create Controlled Unclassified Information (CUI).

To date, the cybersecurity regulations directed at federal government contractors and their subcontractors focus on implementing safeguards to protect sensitive government data.   However, a gap in coverage has emerged where contractors provide the federal government with devices that are part of the “Internet of Things.”  These devices connect to the Internet and are capable of collecting, sending, and receiving data – and thus are susceptible to hacking and listening in.

Proposed legislation recently introduced in both the Senate (S.734) and the House (H.R. 1668) calls for new information security standards to manage cybersecurity risks for Internet of Things devices sold to government agencies.  This legislation would affect a wide range of devices – an “Internet of Things” device is generally defined as any device connected to the internet that is not a “general purpose computing device.”

As a part of this legislation, the National Institute of Standards and Technology (NIST) is being tasked with completing its review of considerations for managing the cybersecurity risks associated with Internet of Things devices by September 30, 2019.  This review should cover, at a minimum: secure development, identity management, patching, and configuration management.  NIST also is to propose recommendations for minimum information security requirements for managing cybersecurity risks associated with Internet of Things devices by March 31, 2020.

Additionally, within 180 days of enactment of the legislation, NIST is to publish guidance relating to “policies and procedures for the reporting, coordinating, publishing and receiving of information” on security vulnerabilities relating to devices used by the federal government, and resolution of those security vulnerabilities.  This guidance will apply to federal government contractors and vendors.  Any contractor or vendor for the federal government should take notice, as agencies will eventually be prohibited from acquiring or using devices from any contractor or vendor that fails to comply with this guidance.

What does this mean for you?  While still in the early stages, this legislation likely will impact most, if not all, organizations in the Internet of Things space – either directly, where an organization provides these devices to the federal government, or indirectly, where an organization may use the NIST standards as a baseline for the security of its devices. We will be paying close attention to the developments with this proposed legislation. Stay tuned!

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Sheppard Mullin Richter & Hampton LLP | Attorney Advertising

Written by:

Sheppard Mullin Richter & Hampton LLP

Sheppard Mullin Richter & Hampton LLP on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide

This website uses cookies to improve user experience, track anonymous site usage, store authorization tokens and permit sharing on social media networks. By continuing to browse this website you accept the use of cookies. Click here to read more about how we use cookies.