...WASHINGTON – Today, U.S. Sens. Mark R. Warner (D-VA) and Cory Gardner (R-CO) applauded congressional passage of their bipartisan legislation to require minimum security requirements for Internet of Things (IoT) devices purchased by the U.S. government. Leveraging the purchasing power of the federal government, the bill will ultimately help move the wider market for IoT devices towards greater cybersecurity. The Internet of Things (IoT) Cybersecurity Improvement Act passed through the U.S. House of Representatives in September and was approved in the Senate today by unanimous consent. It now heads to the President’s desk for signature.
“While more and more products and even household appliances today have software functionality and internet connectivity, too few incorporate even basic safeguards and protections, posing a real risk to individual and national security,” said Sen. Warner. “I’m proud that Congress was able to come together today to pass this legislation, which will harness the purchasing power of the federal government and incentivize companies to finally secure the devices they create and sell. I urge the President to sign this bill into law without delay.”
“I applaud the Senate for passing our bipartisan and bicameral legislation to ensure the federal government leads by example and purchases devices that meet basic requirements to prevent hackers from accessing government systems,” said Sen. Gardner. “Most experts expect tens of billions of devices operating on our networks within the next several years as the Internet of Things (IoT) landscape continues to expand. We need to make sure these devices are secure from malicious cyber-attacks as they continue to transform our society and add countless new entry points into our networks, particularly when they are integrated into the federal government’s networks.”
Sens. Warner and Gardner originally authored and introduced this legislation in the Senate back in August 2017. They reintroduced the bill in the 116th Congress and saw its passage through the Senate Homeland Security and Governmental Affairs Committee in June 2019.
Specifically, the Internet of Things (IoT) Cybersecurity Improvement Act would:
• Require the National Institute of Standards and Technology (NIST) to issue recommendations addressing, at a minimum, secure development, identity management, patching, and configuration management for IoT devices.
• Direct the Office of Management and Budget (OMB) to issue guidelines for each agency that are consistent with the NIST recommendations, including making any necessary revisions to the Federal Acquisition Regulation to implement new security standards and guidelines.
• Require any IoT devices purchased by the federal government to comply with those recommendations.
• Direct NIST to work with cybersecurity researchers, industry experts, and the Department of Homeland Security (DHS) to publish guidelines on vulnerability disclosure and remediation for federal information systems.
• Require contractors and vendors providing information systems to the U.S. government to adopt coordinated vulnerability disclosure policies, so that if a vulnerability is uncovered, that can be effectively shared with a vendor for remediation.
Sens. Warner and Gardner are co-chairs of the Senate Cybersecurity Caucus. Sen. Warner – a former technology entrepreneur and Vice Chairman of the Senate Select Committee on Intelligence – is also leader in Congress on security issues related to the Internet of Things.