Federal IoT Guidelines Move Closer to Becoming LawIoT Products Would Have to Meet Minimum Security Requirements for Use by Government
Legislation that establishes minimum security standards for IoT devices procured by the federal government is moving closer to becoming law.
The House passed the Internet of Things Cybersecurity Improvement Act of 2020 on Sept. 14, and it now awaits a vote by the Senate. Whether that will happen in a tumultuous election year remains to be seen. But chances are better than ever for Senate support for the legislation, which has been in the works for three years, because the bill has been rewritten to make it less prescriptive, allowing for changes but without requiring Congress to pass new legislation.
Even in a contentious Congress, “securing government purchases is a great nonpartisan issue that I think most everyone can claim as a great victory,” says Brad Ree, CTO of the consultancy ioXt and board member at the ioXt Alliance, a trade group dedicated to securing IoT devices (see: Connected Devices and Security: Where Do We Stand?).
“I really do believe there will be some movement at the Senate level,” Ree says. “It will be interesting to see if it happens before November or even if it happens afterward. Security around government purchases – even in a lame-duck government – these are the kinds of things that most people can hang their hat on.”
The legislation would require the National Institute of Standards and Technology to develop minimum information security requirements for IoT devices purchased by the government. Those standards would be reviewed at least once every five years.
NIST also would develop a program for collecting and disseminating data on vulnerabilities, and vendors who wish to sell to the government would be required to disclose vulnerabilities. The Office of Management and Budget would work to ensure that agency policies are aligned with NIST’s guidelines.
NIST has been working for some time on IoT cybersecurity guidelines and issued a report - IoT Device Cybersecurity Capability Core Baseline - earlier this year for manufacturers. It's also referred to as NISTIR 8259A.
The report “outlines the device capabilities generally needed to support common cybersecurity controls, with the goal of protecting an organization’s devices, data, systems, and ecosystems,” writes Katerina Megas, the commercial adoption lead for the Trusted Identities Group and program manager for the cybersecurity for IoT program within NIST.
Although the bill would only apply to IoT devices procured by the federal government, Ree says the requirements are likely to broadly influence the IoT industry. He says there’s little difference between the IoT devices - such as connected lighting and communication systems - bought by the government, excluding the military, and those bought by commercial companies.
Ree says that once IoT companies invest in improving a software library to meet minimum cybersecurity standards, that same software library will likely go into commercial products as well. “Consumer companies will probably build toward this,” he says.
GAO: IoT Cybersecurity Worries
A survey of 90 federal agencies released last month by the U.S. Government Accountability Office found that 56 are using IoT for functions such as controlling equipment, controlling access to devices or facilities and tracking physical assets such as vehicles or property.
“Agencies also reported using IoT devices to perform tasks such as monitoring water quality, watching the nation’s borders and controlling ships in waterway locks,” the report says. “Furthermore, IoT use by federal agencies may increase in the future, as many agencies reported planning to begin or expand the use of IoT.”
Many agencies, however, cited cybersecurity issues as one of the most significant challenges in adopting IoT, but they said their IT policies were sufficient to counter the risks, the GAO writes. Some agencies, however, have abandoned IoT projects due to security concerns.
For example, the Department of Homeland Security’s Transportation Security Administration nixed its plan to connect airport security equipment to traveler data for analysis, the GAO writes. The reason was the massive 2015 breach of federal employee information belonging to the Office of Personnel Management (see: Chinese Man Allegedly Tied to OPM Breach Malware Arrested).
“According to officials, TSA stepped back from this program and removed all equipment from the network following OPM’s breach because the security equipment and systems TSA was using could not meet the new cybersecurity requirements put in place in response to the breach,” the GAO writes.