House votes for new rules on federal IOT acquisition
- By Mark Rockwell
- Sep 15, 2020
The House of Representatives passed legislation Sept. 15 to impose minimum cybersecurity requirements on Internet of Things devices purchased by the federal government.
The Internet of Things Cybersecurity Improvement Act of 2020, backed by Reps. Will Hurd (R-Texas) and Robin Kelly (D-Ill.), passed on a voice vote under suspension of the rules.
Legislators hope the acquisition framework established by the bill might serve as a set of minimum security standards for commercial IoT devices. The legislation would develop basic patching and remediation capabilities to correct vulnerabilities in IOT devices.
On a conference call with reporters, Hurd explained that bill would make the manufacturers of such systems plan out how they will deal with vulnerabilities, he said.
"If you're going to introduce a new widget to the federal infrastructure with known vulnerabilities, those vulnerabilities should be addressed," said Hurd.
The bill also tasks the National Institute of Standards and Technology with creating standards and guidelines for the federal government's use and management of IoT devices.
The bill has been kicking around for a few years. It was originally introduced in the Senate by Mark Warner (D-Va.). Warner, who was on the Sept. 15 call along with Hurd and Kelly, said the bill could set the stage for commercial adoption of NIST standards for non-government networks.
"We need a commercial standard. This is the art of the possible," Warner said of the legislation aimed at federal networks. "It's easier to do in the federal supply chain. I hope the standard would evolve into a default industry standard," he said.
The bill would also have the Office of Management and Budget review federal government information security policies and adjust them to meet NIST's recommendations. The bill also requires NIST and OMB to update IoT security standards, guidelines and policies at least every five years, as well as have those agencies report out and address device vulnerabilities.
A nearly identical Senate bill passed the Senate Homeland Security and Governmental Affairs Committee in June 2019 and still awaiting action on the Senate floor. Warner is hoping the bill can be fast-tracked for passage on unanimous consent because floor debate time is at a premium with government funding and COVID relief measure pending before the close of the fiscal year and with the November elections bearing down.
Mark Rockwell is a senior staff writer at FCW, whose beat focuses on acquisition, the Department of Homeland Security and the Department of Energy.
Before joining FCW, Rockwell was Washington correspondent for Government Security News, where he covered all aspects of homeland security from IT to detection dogs and border security. Over the last 25 years in Washington as a reporter, editor and correspondent, he has covered an increasingly wide array of high-tech issues for publications like Communications Week, Internet Week, Fiber Optics News, tele.com magazine and Wireless Week.
Rockwell received a Jesse H. Neal Award for his work covering telecommunications issues, and is a graduate of James Madison University.
Click here for previous articles by Rockwell.
Contact him at [email protected] or follow him on Twitter at @MRockwell4.