A bipartisan bill that sets specific cybersecurity standards for Internet of Things (IoT) devices used by all American government agencies has been passed by the US Senate. Called the IoT Cybersecurity Improvement Act 2020, it requires the director of the National Institute of Standards and Technology (NIST) to develop standards for government acquisition and use of such devices, and to create a policy for disclosing security vulnerabilities in them. The Act's provisions would take effect no later than two years after enactment. The bill is currently awaiting the American president’s signature to be enacted into law.
This bill, if enacted, would apply to all establishments in the executive branch of the US government, except the Government Accountability Office (GAO), the Federal Election Commission, the governments of DC and of territories and possessions of the US, and government-owned contractor-operated facilities. The bill borrows the definition of IoT devices from a May 2020 report from the National Institute of Standards and Technology (NIST), as per which,
IoT devices “have at least one transducer (sensor or actuator) for interacting directly with the physical world, have at least one network interface [such as ethernet, Wi-Fi, Bluetooth, etc.], and are not conventional Information Technology devices, such as smartphones and laptops” and “can function on their own and are not only able to function when acting as a component of another device, such as a processor”.
The bill had been introduced by Democratic Representative Robin L. Kelly in November 2019 and was co-sponsored by multiple representatives across the political aisle.
Set standards for IoT devices, review cybersecurity policies of government agencies
As per the bill, within 90 days of its enactment, the director of NIST must develop and publish standards and guidelines for the federal government on the appropriate use and management of IoT devices. These guidelines must include minimum information security requirements for managing the cybersecurity risks associated with such devices.
These standards and guidelines must be compatible with NIST’s existing efforts related to:
- Possible security vulnerabilities of IoT devices
- Secure development, identity management, patching, and configuration management, which the standards must address.
180 days after these standards are published, the director of the Office of Management and Budget (OMB) must review the information security policies of each government agency against the standards published by the NIST director. To do that, the OMB director must consult the Director of the Cybersecurity and Infrastructure Security Agency (CISA) within the Department of Homeland Security. However, any policy that the OMB director issues would not apply to national security systems, that is, telecommunication or information systems that involve intelligence, military and weapons activities.
The NIST director must review and revise the standards and guidelines for IoT devices at least once every five years, and the OMB director must update any policy or principles within 180 days of such a revision.
Heads of government agencies are prohibited from procuring or using IoT devices that do not comply with these standards and guidelines. This prohibition can be waived by the head of the agency only if the Chief Information Officer (CIO) of the agency determines that the waiver is necessary for national security, that the device is necessary for research, or that the device will be secured using alternative and effective methods. The OMB director will establish a standardised process for the CIO to follow when assessing whether or not the prohibition can be waived.
Set guidelines for disclosing vulnerabilities in information systems
Within 180 days of the enactment of the Act, the NIST director, in consultation with cybersecurity researchers and private sector industry experts, must publish guidelines for reporting, coordinating, publishing and receiving information about security vulnerabilities, and their resolutions, in information systems owned or used by government agencies. This includes IoT devices used by an agency.
The NIST director will also publish guidelines for contractors and subcontractors on reporting such vulnerabilities and disseminating information about them.
These guidelines must adhere, as far as possible, to industry best practices and to Standards 29147 and 30111 of the International Standards Organisation (ISO), which define vulnerability disclosure and vulnerability handling processes.
Implementation of these guidelines will be overseen by the OMB director.
Every two years, the Comptroller General of the US will submit an unclassified report to the House Committees on Oversight and Reform, and on Homeland Security, and the Senate Committee on Homeland Security and Governmental Affairs with the following details:
- Effectiveness of the standardised process set up by the OMB director to assess waivers of prohibition
- Recommended best practices for the procurement of IoT devices
- Number and type of each IoT device that received a waiver from the head of an agency along with the reason for such waiver.
A year after the Act is enacted, the Comptroller General will brief the aforementioned committees about broader IoT efforts that have been undertaken to manage potential security vulnerabilities. A report on this must be submitted within two years of enactment of the Act.