
WASHINGTON – Today, U.S. Sen. Mark R. Warner (D-VA), Chairman of the Senate Select Committee on Intelligence, wrote to Office of Management and Budget (OMB) Director Shalanda Young, calling on OMB to fulfill requirements outlined in his Internet of Things Cybersecurity Improvement Act of 2020. Under the law, OMB was directed to complete a review of agency policies pertaining to IoT devices to ensure they are consistent with the National Institute of Standards and Technology (NIST) cybersecurity guidelines. Almost three years later, OMB has yet to complete this review.

“I acknowledge that the law has far-reaching impacts across the federal government, which may require extensive interagency coordination, but I believe that IoT cybersecurity is of critical importance to our national security,” Sen. Warner wrote. “I am disappointed to see that OMB has not yet fulfilled its obligation to ensure that IoT devices procured by the Federal government meet the NIST guidance.”

Sen. Warner recognized the progress made by the agency to issue guidance, but voiced frustration over the lack of urgency to review agency policies.

He continued, “We were happy to see some forward progress – namely, the inclusion of information on the IoT Cybersecurity waiver process in OMB’s December 2022 FISMA guidance – and we know that you intend to include additional guidelines in the upcoming Fall 2023 FISMA guidance. However, I am concerned by the pace that OMB has taken to meet its statutory obligations under federal law.”

In order to ensure that OMB is taking appropriate steps to fulfill its obligations outlined in the Internet of Things Cybersecurity Improvement Act of 2020, Sen. Warner posed a series of questions to Director Young:

  • Where is OMB in the review of agency information security policies and principles to ensure that they align with NIST guidelines?
  • What policies and principles has OMB issued to date to:
    • ensure agency policies and principles are consistent with the NIST standards and guidelines?
    • address security vulnerabilities of information systems?
  • Which agencies have aligned policies with NIST guidelines, and which have yet to do so?
  • Is OMB tracking the volume of waivers that agencies are granting? Can you provide my office with a summary of these numbers?

Sen. Warner, a former technology entrepreneur, is co-Chair of the Senate Cybersecurity Caucus and is a leader in the Senate on security issues related to the Internet of Things.

Text of the letter can be found here and below.

Dear Director Young,

I write today to express my concern and emphasize my support for the implementation of the Internet of Things Cybersecurity Improvement Act of 2020 (Public Law No: 116-207). This Act, signed into law on December 4, 2020, requires the National Institute of Standards and Technology (NIST) and the Office of Management and Budget (OMB) to take steps to increase the cybersecurity of Internet of Things (IoT) devices acquired by the Federal Government. NIST completed its statutory obligation – publishing IoT Device Cybersecurity Guidance for the Federal Government: Establishing IoT Device Cybersecurity Requirements – on November 29, 2021. However, OMB has yet to uphold its own statutory obligation under the law – to review agency policies and principles pertaining to IoT devices to ensure those policies and principles are consistent with the NIST guidelines. Under the law, OMB was supposed to complete the agency review within 180 days of NIST’s publication but has yet to make significant progress on a key piece of implementation.

I acknowledge that the law has far-reaching impacts across the Federal government, which may require extensive interagency coordination, but I believe that IoT cybersecurity is of critical importance to our national security. The security of the Federal government’s IoT devices is a priority the Administration and I share, as outlined by Executive Order 14028, Improving the Nation’s Cybersecurity (EO 14028). Despite the requirements under this law and the aforementioned EO, I am disappointed to see that OMB has not yet fulfilled its obligation to ensure that IoT devices procured by the Federal government meet the NIST guidance.

Throughout 2022 and 2023, my office has been engaged with you in order to better understand where OMB stands in their implementation of this law. We were happy to see some forward progress – namely, the inclusion of information on the IoT Cybersecurity waiver process in OMB’s December 2022 FISMA guidance – and we know that you intend to include additional guidelines in the upcoming Fall 2023 FISMA guidance. However, I am concerned by the pace that OMB has taken to meet its statutory obligations under federal law.

We intended the IoT Cybersecurity Improvement Act to harness the purchasing power of the federal government and incentivize companies to finally secure the devices they create and sell. I would like to emphasize the importance of OMB’s implementation of the IoT Cybersecurity Improvement Act of 2020 and ask that you provide responses to the following questions within 60 days:

  1. Where is OMB in the review of agency information security policies and principles to ensure that they align with NIST guidelines?
  2. What policies and principles has OMB issued to date to:
    1. ensure agency policies and principles are consistent with the NIST standards and guidelines?
    2. address security vulnerabilities of information systems?
  3. Which agencies have aligned policies with NIST guidelines, and which have yet to do so?
  4. Is OMB tracking the volume of waivers that agencies are granting? Can you provide my office with a summary of these numbers?

I applaud OMB’s continued efforts to improve Federal government cybersecurity, and look forward to continued engagement as you make progress with implementation of the IoT Cybersecurity Improvement Act of 2020.

Sincerely,


###