Days before taking a week-long Thanksgiving recess, the US Senate passed an almost mundane cybersecurity bill that, if approved by the President, will improve security guidelines and protocols for Internet of Things (IoT) devices purchased and owned by the Federal government.
The bill, called the Internet of Things Cybersecurity Improvement Act of 2020, was actually introduced into the US House of Representatives last year. The Senate agreed to pass the legislation on November 17 under “unanimous consent,” which means that one Senator—in this case Senator Rob Portman of Ohio—asked that the bill be passed without any single objection from any of his colleagues. It does not mean the bill received unanimous votes in its favor. The procedural move is rare when passing legislation in the Senate.
Upon passage, Harley Geiger, director of public policy at cybersecurity company Rapid7, spoke highly of the bill.
“This is arguably the most significant US IoT-specific cybersecurity law to date, as well as the most significant law promoting private sector adoption of coordinated vulnerability disclosure,” Geiger wrote in a company blog post. “IoT security is widely acknowledged as a global priority, and vulnerability disclosure processes are fundamental security practices, so passage of the bill should be seen as a very positive step forward for cybersecurity and the security community.”
The bill focuses primarily on guidelines and procedures.
First, the IoT Cybersecurity Improvement Act of 2020, if signed into law, will require the Director of the National Institute of Standards and Technology (NIST) to develop and publish “standards and guidelines for the Federal government on the appropriate use and management by agencies of Internet of Things devices.”
Those standards will apply to IoT devices owned and controlled by Federal government agencies, and they must provide guidance on secure development, identity management, patching, and configuration management.
After the NIST director publishes those guidelines, the bill will require that the Director of the Office of Management and Budget review the current information security policies and principles of Federal civilian agencies, and make sure that those policies line up with NIST’s newer guidelines. That review will also require coordination with the director of the Cybersecurity and Infrastructure Security Agency, or CISA, which, until last week, was a position held by Chris Krebs.
Further, the current Federal acquisition rules for purchasing and owning IoT equipment must be updated in line with the required NIST guidelines to be published after the passage of the bill. As part of these requirements, a government agency will not be allowed to purchase IoT devices if that agency’s Chief Information Officer finds that such a device would fall short of the newly imposed rules.
Finally, the bill will require that NIST also develop guidelines for discovering and disclosing vulnerabilities in IoT devices that the Federal government owns or controls.
The IoT Cybersecurity Improvement Act of 2020 marks a significant first step for the Federal government toward placing security regulations on IoT devices. As we have repeatedly written about—and spoken about—IoT security is a nascent landscape, and the lack of standardization across devices means that we are somehow both safer and more at risk from cybercriminals.
As Adam Kujawa said on our podcast about IoT cybersecurity this month, the best advantage we have for IoT security is that there are different platforms, different frameworks, and different protocols, which make it harder for any single group of cybercriminals to launch a wide-scale attack.
At the same time, though, Kujawa said that this scenario “works against us in the sense that developing security tools in order to protect these devices is just as difficult because you can’t create one solution that will necessarily work on every single device.”
The IoT Cybersecurity Improvement Act of 2020 could help usher in a future where IoT device-makers can look to a single set of guidelines for their products. While the bill does not require these standards to be applied to devices purchased by general consumers, the guidance itself could still be helpful in creating agreed-upon security goals.
With unanimous consent from the Senate, there should be little reason for the president not to sign the IoT Cybersecurity Improvement Act of 2020 into law.