CISA is helping pave the way to secure IoT systems, FEMA official says


A senior IT expert for the Federal Emergency Management Agency explained how the agency is increasingly working with the Cybersecurity and Infrastructure Security Agency to enhance its cloud and IoT security frameworks.

The Cybersecurity and Infrastructure Security Agency is playing a key role in guiding agencies towards ensuring their Internet of Things devices and systems are secure, according to a senior technology expert at the Federal Emergency Management Agency.

James Rodd, FEMA's cloud portfolio manager, said the agency is in constant communication with CISA as it continues working to develop best practices and a security framework for IoT systems, describing the issue as a "massive concern" for FEMA. 

“Responding to emergencies, the last thing we want to happen is to have some kind of security attack that would prevent us from doing that,” Rodd said at the ATARC 2022 Emerging Technology Summit on Tuesday, adding: “We meet with CISA regularly.”

Rodd also suggested that, while FEMA has the active standing tools to mitigate major cybersecurity vulnerabilities, CISA has provided agencies with effective guidance while renewing a focus on baseline security measures, from ensuring devices are immediately updated to the latest firmware, to identifying and resolving vulnerabilities.

CISA has released a score of guidance, technical materials and tips when it comes to IoT: The agency published over 30 pages of IoT security acquisition guidance, produced a report on IoT's "undeniable impact" on public safety communications and features advice on how to secure IoT devices on its website. 

The agency has meanwhile continued to launch initiatives like its Shields Up campaign, which encourages all organizations to adopt a heightened security posture while offering free cyber hygiene services like vulnerability scanning, as well as recommendations on how to respond to ransomware attacks and more. 

FEMA’s cloud architecture is still new, Rodd said, adding that it remains “relatively immature” in its governance framework. He added that other agencies have also played a key part in shaping ongoing cybersecurity practices around IoT devices, including the National Institute of Standards and Technology. NIST published SP 800-213 last year, providing guidelines for agencies on considering security for IoT devices.

“It’s relatively new, but it is quite a hefty baseline, and it’s all out there,” he added. “Anything we need to secure our networks is all out there—you just have to get your hands on it.”