On November 17, 2020, by unanimous consent, the United States Senate passed bipartisan legislation to secure internet-connected devices—the Internet of Things (IoT) Cybersecurity Improvement Act of 2020. This bill, co-sponsored by Senator Warner (D-VA) and Senator Gardner (R-CO), co-founders of the Senate Cybersecurity Caucus, had already been passed by the House in September, so it is now headed to the President. If signed into law, the IoT Cybersecurity Improvement Act will represent a significant step in securing the federal cyber ecosystem and will undoubtedly have cascading impacts throughout the private sector.
In sum, the IoT Cybersecurity Improvement Act requires baseline security standards for IoT or internet connected devices purchased by federal government agencies. In defining IoT, the Act cites previous NIST work and includes devices that have a network interface, interact with the “physical world,” and are able to function independently, not just as a component of the overall device.
Building on ongoing IoT security efforts underway at the National Institute of Standards and Technology (NIST), the Act will set various workstreams into motion, including both studying IoT security and placing requirements for baseline standards in the federal acquisition process. Specifically, the Act requires, among other things:
NIST, consistent with its ongoing efforts considering existing standards and best practices, to develop and publish standards and guidelines for the federal government on the appropriate use and management by agencies of IoT devices, including minimum security requirements.
NIST, in coordination with the Office of Management and Budget (OMB) and Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA), to review federal agencies’ IoT information security policies and principles—and issue policies and principles as needed—to ensure consistency with NIST’s standards and guidelines;
NIST to review and revise as appropriate its guidelines every 5 years;
NIST, in coordination with DHS, cybersecurity researchers and the private sector, to develop vulnerability disclosure policies and publish guidelines for the “reporting, coordinating, publishing and receiving” reports about vulnerabilities in federal agency systems – including IoT devices – and systems offered by contractors to federal agencies;
OMB to oversee the implementation of the vulnerability disclosure guidelines, with operational and technical assistance provided to agencies by DHS and OMB; and
OMB and DHS to develop and implement policies, principles, standards, or guidelines, as needed, to address security vulnerabilities of information systems, including IoT devices.
The Act also requires revision of the Federal Acquisition Regulation, as necessary, and prohibits federal agencies from procuring or using IoT devices, where use of such a device would prevent compliance with the minimum security and vulnerability disclosure guidelines listed above.
Each of these provisions could have significant impacts on companies doing business, or looking to do business, with the federal government. Further, leveraging NIST—and its authority and capabilities to set baseline IoT security standards—will have both direct and indirect cascading impacts throughout industry and critical infrastructure sectors. NIST publications regularly become doctrinal standards that feed into the international standards-setting community and are invariably adopted by the private sector.
On the IoT front, for example, in May NIST published NISTIR 8259, Foundational Cybersecurity Activities for IoT Manufacturers, and NISTIR 8259A, IoT Device Cybersecurity Capability Core Baseline, and is currently in the process of completing a profile of standards for federal agencies’ use and deployment of IoT devices. The Act requires NIST to ensure that its guidelines and standards are consistent with these efforts, but exactly how these ongoing NIST initiatives will interact with, or satisfy, the requirements of the Act, once signed into law, remains to be seen.
Similarly, for the past several years, the federal government has been studying and employing vulnerability disclosure policies as a tool to help federal agencies secure internet-facing systems and networks. This past year, for example, CISA issued Binding Operational Directive 20-01, which directs federal civilian agencies to develop and publish a vulnerability disclosure policy that both clarifies the scope and type of vulnerability testing allowed on federal systems and gives the research community assurance that their work will not expose them to legal liability. Concurrently, the Department of Defense has been running a vulnerability disclosure program since 2016 and is currently exploring how this practice could be extended to private sector members of the defense industrial base.
All told, passage of the IoT Cybersecurity Act will give these current programs and initiatives statutory footing upon which to build out additional requirements and standards on federal systems. Further, passage of the Act will have direct impacts on the private sector as these requirements come to fruition. Industry should diligently monitor implementation to ensure these IoT security standards remain flexible and are able to adapt to industry and context-specific needs so as not to become burdensome compliance requirements.