Representative Robin Kelly (D-IL), the Ranking Member of the Information Technology Subcommittee of the House Oversight and Government Reform Committee, is planning on introducing legislation to bolster cybersecurity surrounding the Internet of Things. A discussion draft of Kelly’s Internet of Things (“IoT”) Cybersecurity Improvement Act 2017 follows and seeks to build upon S. 1691, a companion measure introduced in the Senate earlier this year by Senators Mark Warner (D-VA), Cory Gardner (R-CO), Ron Wyden (D-OR), and Steve Daines (R-MT).
The Senate IoT bill “would require that devices purchased by the US government meet certain minimum security requirements.” Perhaps most importantly, “vendors who supply the US government with IoT devices would have to ensure that their devices are patchable, do not include hard-coded passwords that can’t be changed, and are free of known security vulnerabilities, among other basic requirements.” The legislation also proposes to:
Direct the Office of Management and Budget to develop alternative network-level security requirements for devices with limited data processing and software functionality;
Direct the Department of Homeland Security’s National Protection and Programs Directorate to issue guidelines regarding the cybersecurity coordinated vulnerability disclosure policies to be required of contractors providing connected devices to the U.S. Government; and
Require each executive agency to inventory all Internet-connected devices in use by the agency.
According to Senator Warner, “This legislation would establish thorough, yet flexible, guidelines for Federal Government procurements of connected devices. My hope is that this legislation will remedy the obvious market failure that has occurred and encourage device manufacturers to compete on the security of their products.”
Representative Kelly’s bill aims to closely track S. 1691 but will include additional provisions, for example one creating an Emerging Technologies Advisory Board. This Board is to include representatives from the National Institute of Standards and Technology, the Department of Homeland Security, the General Services Administration, the National Telecommunications and Information Administration, the Federal Communications Commission, the Federal Trade Commission, and the Attorney General’s office. Representative Kelly’s bill also lays the groundwork for “guidelines regarding the coordinated disclosure of security vulnerabilities and defects.”