Internet of Things Improvement Act Requires Federal Government to Buy IoT Devices Meeting Minimum Security Standards

U.S. Sens. Cory Gardner (R-CO) and Mark R. Warner (D-VA), co-chairs of the Senate Cybersecurity Caucus, together with Sens. Steve Daines (R-MT) and Maggie Hassan (D-NH), introduced the Internet of Things Improvement Act. The Act calls for the U.S. government to buy only IoT devices that satisfy minimum security requirements. Reps. Will Hurd (R-TX) and Robin Kelly (D-IL) introduced a companion bill in the House.

Ericsson forecast that 18 billion IoT devices will be in use by 2022, and IDC predicted that IoT spending in the same year will reach $1.2 trillion. As the use of IoT devices grows, so does concern about the security risk those devices pose.

Sen. Warner wants a security baseline to be in place before any IoT device is allowed to connect to a government network. He also wants the U.S. government's purchasing power to help set minimum security standards for IoT devices.

Presently, IoT devices are being brought to market without cybersecurity protections. Where cybersecurity controls are incorporated into IoT devices at all, it is usually as an afterthought. Most IoT devices were not designed with security in mind, and the market often pushes device manufacturers to prioritize ease of use and price over security.

The bill requires NIST to issue recommendations for IoT device manufacturers covering secure development, configuration management, identity management, and patching throughout the devices' life-cycle. NIST will also be required to work with cybersecurity experts and industry specialists to develop guidance on coordinated vulnerability disclosure, so that flaws are resolved as soon as they are identified.

The Internet of Things Improvement Act requires the Office of Management and Budget (OMB) to issue guidance to every agency that is consistent with the NIST recommendations, and to review those policies at least every five years.

All IoT devices used by the federal government must meet the security standards established by NIST. Contractors and vendors supplying IoT devices to the government must follow coordinated vulnerability disclosure policies so that information about vulnerabilities is shared.

IoT devices must not give attackers a way into government networks. Without minimum security requirements, the government will remain susceptible to attacks that put critical national security data at risk. With the Internet of Things Improvement Act, the U.S. government is set to lead by example in managing cyber risk.

Many software and security companies and industry associations support the bill, among them BSA, Symantec, Mozilla, Tenable, Cloudflare, CTIA and Rapid7.