On March 11, 2019 the Internet of Things Cybersecurity Improvement Act of 2019 (the “Act”), a bill which would require minimum security standards for any Internet of Things (IoT) devices purchased by the US federal government, was introduced in the US House and Senate.

By establishing minimum security requirements for the procurement of connected devices, the Act addresses both the supply chain risk to the US federal government stemming from insecure IoT devices and market forces that reward low price and convenience at the expense of security.

Although the Act is restricted to improving security standards for the federal government, one of the largest customers for IoT devices, commentators are hopeful that improvements in standards across the entire industry will follow.

Specifically, the Act would:

  • mandate the National Institute of Standards and Technology (NIST) to issue recommendations addressing the secure development, identity management, patching, and configuration of IoT devices; 
  • direct the Office of Management and Budget to issue guidelines consistent with NIST’s recommendations for each federal agency; and
  • require these agencies to ensure that any IoT devices they acquire comply with these guidelines.

IoT vendors would also be obligated to adopt coordinated vulnerability disclosure policies so that the government can learn of potential cyber threats.

The bill has found support from a number of companies including BSA|The Software Alliance, Symantec, Mozilla, Cloudflare, Tenable, CTIA and Rapid7. Bruce Schneier, a prominent computer security expert, and representatives of Stanford University and Harvard have also shown their support.

For more information, please see US Senator Mark R. Warner’s press release here.

Summary By: Jae Morris

E-TIPS® ISSUE

19 03 21