This Federal Legislation Could Affect IoT Security in Government: Here’s What You Need to Know

essidsolutions

If you’ve been following IoT security, then you’re likely familiar with the IoT security law that California passed in 2018. SB-327, as it was known, requires IoT device manufacturers to use what it calls “reasonable” security measures on their devices so that malicious actors cannot compromise them. While the California law is not perfect or comprehensive in scope, it does represent an early step toward making sure that IoT device manufacturers implement something closer to security by design when creating the ever-more-connected devices upon which consumers, businesses, and governments will rely in the near future. As it turns out, the federal government is beginning to consider taking similar measures. Here’s where federal IoT legislation stands and how it could affect the IoT security landscape.

The IoT Cybersecurity Act of 2019

A bipartisan group of senators introduced the IoT Cybersecurity Act of 2019 in March 2019, aiming to use the federal government’s procurement process to influence IoT device manufacturers to strengthen the security of the devices they sell. A companion House bill, H.R. 1668, was introduced in the House of Representatives around the same time. Both versions have been voted out of their respective committees, but they differ from one another in some key respects, which likely means they would have to be reconciled to ensure passage through both chambers of Congress.

Although the IoT Cybersecurity Act of 2019 technically concerns only those IoT devices that the federal government procures and uses, it could still end up having a beneficial knock-on effect on IoT security as a whole. The federal government spends billions of dollars on technology, and its purchasing power could wield considerable influence over the entire IoT market. As with the California law, IoT device makers would likely rather not build separate devices to separate security standards just to access individual markets, so they would have an incentive to comply with the proposed federal requirements were they to become law.

Potential Federal IoT Security Oversight

One notable aspect of the IoT Cybersecurity Improvement Act of 2019 is that it requires the National Institute of Standards and Technology (NIST) and the Office of Management and Budget (OMB) to take specific action regarding IoT security both once the law is passed and on an ongoing basis. In broad strokes, NIST would be responsible for addressing IoT security concerns and OMB would advise government agencies on any procurement policies and requirements that would flow from NIST’s IoT security recommendations.

Were the law to be passed in its current form, NIST would be charged with issuing recommendations regarding the secure development, identity management, patching, and configuration of IoT devices. OMB, for its part, would have to issue guidelines aligned with NIST’s recommendations and review them every five years. All government agencies would be bound to comply with these guidelines, and contractors or vendors selling IoT devices or services to the federal government would also be required to disclose any vulnerabilities they discover so that government agencies would be appropriately notified in a timely manner.

What’s Next for Federal IoT Legislation

The IoT Cybersecurity Improvement Act of 2019 and its House sibling still need to be reconciled with one another, and once that happens each chamber must pass its respective version before the final bill makes its way to the President’s desk for either a signature or a veto. While it’s still possible the federal IoT legislation under consideration could advance in this way, Congress has a full plate, to say the least, between its current slate of proposed legislation and the impeachment proceedings now underway in the House. Whether this federal legislation will be passed in 2019 remains to be seen, but for now it can be viewed as a largely positive step toward greater federal oversight of IoT security and an important IoT security development to keep tabs on in the coming months.