WASHINGTON – Today the Senate Homeland Security and Governmental Affairs Committee advanced bipartisan legislation written by U.S. Sens. Mark R. Warner (D-VA) and Cory Gardner (R-CO), co-founders of the Senate Cybersecurity Caucus, to improve the cybersecurity of Internet-connected devices. The Internet of Things (IoT) Cybersecurity Improvement Act of 2019 would require that devices purchased by the U.S. government meet certain minimum security requirements. The bill now awaits consideration in the full Senate.
“While I’m excited about their life-changing potential, many IoT devices are being sold without appropriate safeguards and protections in place, with the device market prioritizing convenience and price over security,” said Sen. Warner, a former technology entrepreneur and executive and Vice Chairman of the Senate Select Committee on Intelligence. “Today the Committee took an important step forward to proactively address the risks posed by improperly secured IoT devices, by using the purchasing power of the federal government to establish some minimum security standards for IoT devices.”
“I was pleased to see further action in the Senate on this important bill and I look forward to it being swiftly signed into law. The Internet of Things (IoT) landscape continues to expand, with most experts expecting tens of billions of devices to be operating on our networks within the next several years,” said Sen. Gardner. “As these devices continue to transform our society and add countless new entry points into our networks, we need to make sure they are secure, particularly when they are integrated into the federal government’s networks. Agencies like the National Institute of Standards and Technology (NIST), which has a major campus in Boulder, are key players in helping establish guidelines for improved IoT security and our bill builds on those efforts.”
Last week, the House of Representatives Committee on Oversight and Reform advanced companion legislation sponsored by Reps. Robin Kelly (D-IL) and Will Hurd (R-TX).
“This is an essential and bipartisan step toward improving our cybersecurity. We simply cannot allow IoT devices to become a backdoor for hackers and cybercriminals,” said Rep. Kelly. “With the House and Senate taking action, Congress is signaling that it’s past time to address the issue of unsecure devices on federal networks.”
“Every single minute of every single day, hackers are trying to steal Americans’ information. From credit card numbers, to social security numbers, our personal information is targeted by bad actors around the globe. Internet of Things devices will improve and enhance nearly every aspect of our society, economy and everyday lives – and are growing rapidly. We must act now to ensure these devices are built with security in mind, not as an afterthought,” said Rep. Hurd. “I applaud Sens. Warner and Gardner for their hard work on moving this important, bipartisan cybersecurity bill forward in the Senate, and I’ll continue to work with Rep. Kelly and my colleagues in the House to bring this bill to the House floor.”
Specifically, the Internet of Things (IoT) Cybersecurity Improvement Act of 2019 as passed out of Committee today would:
- Require the National Institute of Standards and Technology (NIST) to issue recommendations addressing, at a minimum, secure development, identity management, patching, and configuration management for IoT devices.
- Direct the Office of Management and Budget (OMB) to issue guidelines for each agency that are consistent with the NIST recommendations, and charge OMB with reviewing these policies at least every five years.
- Require any Internet-connected devices purchased by the federal government to comply with those recommendations.
- Direct NIST to work with cybersecurity researchers, industry experts, and the Department of Homeland Security (DHS) to publish guidance on coordinated vulnerability disclosure to ensure that vulnerabilities related to agency devices are addressed.
- Require contractors and vendors providing information systems to the U.S. government to adopt coordinated vulnerability disclosure policies, so that if a vulnerability is uncovered, it can be effectively shared with a vendor for remediation.