House votes for new rules on federal IoT acquisition
Legislation from congressional tech stalwarts would add security requirements for connected devices purchased by the federal government.
The House of Representatives passed legislation Sept. 15 to impose minimum cybersecurity requirements on Internet of Things devices purchased by the federal government.
The Internet of Things Cybersecurity Improvement Act of 2020, backed by Reps. Will Hurd (R-Texas) and Robin Kelly (D-Ill.), passed on a voice vote under suspension of the rules.
Legislators hope the acquisition framework established by the bill might serve as a set of minimum security standards for commercial IoT devices. The legislation would develop basic patching and remediation capabilities to correct vulnerabilities in IoT devices.
On a conference call with reporters, Hurd explained that the bill would make the manufacturers of such systems plan out how they will deal with vulnerabilities.
"If you're going to introduce a new widget to the federal infrastructure with known vulnerabilities, those vulnerabilities should be addressed," said Hurd.
The bill also tasks the National Institute of Standards and Technology with creating standards and guidelines for the federal government's use and management of IoT devices.
The bill has been kicking around for a few years. It was originally introduced in the Senate by Mark Warner (D-Va.). Warner, who was on the Sept. 15 call along with Hurd and Kelly, said the bill could set the stage for commercial adoption of NIST standards for non-government networks.
"We need a commercial standard. This is the art of the possible," Warner said of the legislation aimed at federal networks. "It's easier to do in the federal supply chain. I hope the standard would evolve into a default industry standard," he said.
The bill would also have the Office of Management and Budget review federal government information security policies and adjust them to meet NIST's recommendations. The bill also requires NIST and OMB to update IoT security standards, guidelines and policies at least every five years, as well as have those agencies report out and address device vulnerabilities.
A nearly identical Senate bill passed the Senate Homeland Security and Governmental Affairs Committee in June 2019 and is still awaiting action on the Senate floor. Warner is hoping the bill can be fast-tracked for passage on unanimous consent because floor debate time is at a premium, with government funding and COVID relief measures pending before the close of the fiscal year and with the November elections bearing down.