IoT bill would require gov’t use devices meeting cybersecurity standards
If passed, the Internet of Things Cybersecurity Improvement Act of 2019, introduced in the Senate and House Monday, would compel the U.S. government to purchase only devices that meet the legislation’s minimum security requirements.

“While I’m excited about their life-changing potential, I’m also concerned that many IoT devices are being sold without appropriate safeguards and protections in place, with the device market prioritizing convenience and price over security,” said Sen. Mark Warner, the co-chair of the Senate Cybersecurity Caucus, who introduced the bill with co-chair Sen. Cory Gardner, R-Colo., and Sens. Maggie Hassan, D-N.H., and Steve Daines, R-Mon. “This legislation will use the purchasing power of the federal government to establish some minimum security standards for IoT devices.”

The bill would require the
National Institute of Standards and Technology (NIST) to craft recommendations that
address secure development, identity management, patching and configuration
management for IoT devices as well as press the
Office of Management and Budget (OMB) to come up with agency guidelines based
on the NIST guidance. OMB would be required to review agency policies every
three years. The government would be restricted to purchasing only those
devices that comply with the NIST recommendations.

The legislation would
also compel NIST to work with security researchers and the industry to
coordinate vulnerability disclosure while requiring contractors and vendors to maintain
coordinated vulnerability disclosure policies to ensure information on a
vulnerability is disseminated to government agencies.

“This bipartisan bill is an important step towards steering IoT manufacturers in the direction of stronger security for all devices that fuel our hyper-connected world,” said Phil Neray, vice president of industrial cybersecurity at CyberX.

For too long many IoT device makers “have deprioritized security in favor of faster time-to-market and lower costs,” said Neray, noting that many devices have weaker security and lack the basics of security, including simple patching and hard-coded administrative password removal. “As a result, IoT devices present a particularly soft target for adversaries, who use them as convenient entry-points to compromise our smart buildings, smart cities, and smart factories.”

Companion legislation also was introduced in the House by Rep. Will Hurd, R-Texas, and Rep. Robin Kelly, D-Ill.