Share this article on:
U.S. Sens. Mark R. Warner (D-VA) and Cory Gardner (R-CO), co-chairs of the Senate Cybersecurity Caucus, and Sens. Maggie Hassan (D-NH) and Steve Daines (R-MT) have introduced The Internet of Things Improvement Act, which requires all IoT devices purchased by the U.S. government to meet minimum security standards. A companion bill has been introduced in the House by Representatives by Reps. Robin Kelly (D-IL) and Will Hurd (R-TX).
Ericcson has predicted there will be 18 billion IoT devices in use by 2022 and IDC predicts IoT spending will reach $1.2 trillion the same year. As the number of IoT devices in use grows, so does concern about the security risk posed by the devices.
Sen. Warner wants to make sure that a baseline for security is achieved before any IoT device is allowed to connect to a government network and wants to use the purchasing power of the U.S. government to help establish minimum standards of security for IoT devices.
Currently IoT devices are coming to market with scant cybersecurity protections. When cybersecurity measures are integrated into IoT devices, it is often as an afterthought. Most IoT devices have not been designed with security in mind and the market encourages device manufacturers to prioritize convenience and cost over security.
The bill calls for NIST to issue recommendations for IoT device manufacturers on secure development, identity management, configuration management, and patching throughout the life-cycle of the devices. NIST will also be required to work with cybersecurity researchers and industry experts to develop guidance on coordinated vulnerability disclosures to ensure flaws are addressed when they are discovered.
The Internet of Things Improvement Act calls for the Office of Management and Budget (OMB) to issue guidelines for each agency that is consistent with NIST recommendations and for policies to be reviewed at least every five years.
Any IoT device used by the federal government will be required to meet the security standards set by NIST and contractors and vendors that provide IoT devices to the government will be required to adopt coordinated vulnerability disclosure policies to ensure information on vulnerabilities is disseminated.
It is important that IoT devices do not give hackers a backdoor into government networks. Without minimum security standards, the government will be vulnerable to attack and critical national security information will be placed at risk.
The Internet of Things Improvement Act will see the U.S. government lead by example and better manage cyber risks.
The bill is supported by many software and security firms and industry associations, including BSA, Symantec, Tenable, Mozilla, CloudFlare, Rapid7, and CTIA.