‘Internet of things’ bill introduced in Congress

Posted On: Mar. 13, 2019 2:09 PM CST

Bipartisan legislation intended to improve the cybersecurity of “internet of things” devices was introduced Monday in Congress.

The Internet of Things (IoT) Cybersecurity Improvement Act of 2019 would require devices purchased by the U.S. government to meet certain minimum requirements, according to a statement issued by co-sponsor Sen. Mark R. Warner, D-Va.

The bill’s other sponsors are Sens. Cory Gardner, R-Colo., and Maggie Hassan, D-Mont.; and Reps. Robin Kelly, D-Ill., and Will Hurd, R-Texas.

S. 734 has been referred to the Senate Homeland Security and Government Affairs Committee.

Sen. Warner said in a statement, “While I’m excited about their life-changing potential, I’m also concerned that many IoT devices are being sold without appropriate safeguards and protections in place, with the device market prioritizing convenience and price over security.”

Sen. Warner said, “This legislation will use the purchasing power of the federal government to establish some minimum security standards for IoT devices.”

Observers note that previous versions of this legislation that were introduced in 2017 and 2018 have failed.

Under provisions of the bill, according to the statement:

  • The National Institute of Standards and Technology must issue recommendations addressing, at a minimum, secure development, identity management, patching and configuration management for internet of things devices.
  • The Office of Management and Budget must issue guidelines for each agency that are consistent with the NIST recommendations, and OMB would be charged with reviewing these policies at least every five years.
  • Any internet-connected devices purchased by the federal government must comply with those recommendations.
  • NIST must work with cybersecurity researchers and industry experts to publish guidance on coordinated vulnerability disclosure to ensure vulnerabilities related to agency devices are addressed.
  • Contractors and vendors that provide IoT devices to the U.S. government must adopt coordinated vulnerability disclosure policies, so if a vulnerability is uncovered, the information is disseminated.

The statement said internet-connected devices are expected to total more than 20 billion by 2020.

A report issued last year by U.S.-based research firm Ponemon Institute LLC and the Shared Assessments Program found that 97% of risk professionals believe businesses could face a significant cyberattack due to unsecured Internet-of-things devices.