Data privacy and cybersecurity issues continue to be top of mind, as this week the U.S. Senate unanimously passed the Internet of Things (“IoT”) Cybersecurity Improvement Act (H.R. 1668), introduced by Congresswoman Robin Kelly (D-Illinois). In September, the House had passed the bill by voice vote after negotiation sessions with the Senate. The legislation provides for the establishment of minimum cybersecurity standards for government purchased, internet connected devices, with anticipated impact on manufacturers in the private sector. In a press release issued after the bill’s passage Congresswoman Kelly stated “[t]he bipartisan [IoT Cybersecurity Improvement Act] will ensure that the US government purchases secure devices and closes existing vulnerabilities to protect our national security and the personal information of American families.”
The IoT Cybersecurity Improvement Act directs the National Institute of Standards and Technology (“NIST”) to “develop standards and guidelines” for the federal government on “the appropriate use and management by agencies of [IoT] devices owned or controlled by an agency and connected to information systems owned or controlled by an agency.”
This includes NIST developing “minimal informational security requirements” for managing cybersecurity risks associated with such devices. Along these lines, NIST is instructed to “consider relevant standards, guidelines, and best practices developed by the private sector, agencies, and public-private partnerships.” The IoT Cybersecurity Improvement Act also provides that any standards and guidelines developed should also be consistent with pre-existing NIST efforts in this area, including:
- Examples of possible security vulnerabilities of IoT devices;
- Considerations for managing the security vulnerabilities of IoT devices; and
- With respect to IoT devices, the following considerations: (i) secure development (ii) identity management, (iii) patching, and (iv) configuration management.
Additionally, NIST is also to develop guidelines as to how federal agencies and contractors/subcontractors should receive information about and resolve cybersecurity vulnerabilities in their IoT devices. The Office of Management and Budget (“OMB”) is charged with implementing NIST’s guidelines once promulgated.
The IoT Cybersecurity Improvement Act also contains a procurement provision. The head of any federal agency is prohibited from “procuring or obtaining, renewing a contract to procure or obtain, or using an [IoT] device,” if the Chief Information Officer of that agency determines during a required review for “a contract for such device that the use of such device prevents compliance with the standards and guidelines” developed by NIST. There are three limited grounds for waiver of this requirement – including if the CIO of the agency determines that:
- The waiver is necessary in the interest of national security;
- Procuring, obtaining, or using such device is necessary for research purposes; or
- Such device is secured using alternative and effective methods appropriate to the function of such device.
The final impact of the IoT Cybersecurity Improvement Act remains unknown, as the scope of the guidelines set by NIST have yet to be determined. Stay tuned.