Today the Senate Homeland Security and Governmental Affairs Committee advanced bipartisan legislation written by U.S. Sens. Mark R. Warner (D-VA) and Cory Gardner (R-CO), co-founders of the Senate Cybersecurity Caucus, to improve the cybersecurity of Internet-connected devices.
The Internet of Things (IoT) Cybersecurity Improvement Act of 2019 would require that devices purchased by the U.S. government meet certain minimum security requirements. The bill now awaits consideration in the full Senate.
“While I’m excited about their life-changing potential, many IoT devices are being sold without appropriate safeguards and protections in place, with the device market prioritizing convenience and price over security,” said Sen. Warner, a former technology entrepreneur and executive and Vice Chairman of the Senate Select Committee on Intelligence.
“Today the Committee took an important step forward to proactively address the risks posed by improperly secured IoT devices, by using the purchasing power of the federal government to establish some minimum security standards for IoT devices,” Warner said.
Billions of devices
“The Internet of Things (IoT) landscape continues to expand, with most experts expecting tens of billions of devices to be operating on our networks within the next several years,” said Sen. Gardner. “As these devices continue to transform our society and add countless new entry points into our networks, we need to make sure they are secure, particularly when they are integrated into the federal government’s networks.”
Last week, the House of Representatives Committee on Oversight and Reform advanced companion legislation sponsored by Reps. Robin Kelly (D-IL) and Will Hurd (R-TX).
“Every single minute of every single day, hackers are trying to steal Americans’ information. From credit card numbers, to social security numbers, our personal information is targeted by bad actors around the globe. Internet of Things devices will improve and enhance nearly every aspect of our society, economy and everyday lives – and are growing rapidly. We must act now to ensure these devices are built with security in mind, not as an afterthought,” said Rep. Hurd.
Specifically, the Internet of Things (IoT) Cybersecurity Improvement Act of 2019 as passed out of Committee today would:
· Require the National Institute of Standards and Technology (NIST) to issue recommendations addressing, at a minimum, secure development, identity management, patching, and configuration management for IoT devices.
· Direct the Office of Management and Budget (OMB) to issue guidelines for each agency that are consistent with the NIST recommendations, and charge OMB with reviewing these policies at least every five years.
· Require any Internet-connected devices purchased by the federal government to comply with those recommendations.
· Direct NIST to work with cybersecurity researchers, industry experts, and the Department of Homeland Security (DHS) to publish guidance on coordinated vulnerability disclosure to ensure that vulnerabilities related to agency devices are addressed.
· Require contractors and vendors providing information systems to the U.S. government to adopt coordinated vulnerability disclosure policies, so that if a vulnerability is uncovered, that can be effectively shared with a vendor for remediation.