Bipartisan bills reintroduced in the House and Senate (HR-1668 and S-734) would set new security standards for Internet-connected devices, those belonging to the “Internet of Things” or IoT, that agencies purchase.
“It’s estimated that by 2020 there will be 30 million internet-connected devices in use. As these devices positively revolutionize communication, we cannot allow them to become a backdoor to hackers or tools for cyberattacks,” sponsors said in a statement on introduction.
The bills would require the National Institute of Standards and Technology (NIST) to issue recommendations addressing, at a minimum, secure development, identity management, patching, and configuration management for IoT devices. The Office of Management and Budget (OMB) would then issue guidelines for each agency consistent with the NIST recommendations, and any Internet-connected devices purchased by the federal government would have to comply with those recommendations.
The bills also would direct NIST to work with cybersecurity researchers and industry experts to publish guidance on coordinated vulnerability disclosure, to ensure that vulnerabilities related to agency devices are addressed. In addition, contractors and vendors providing IoT devices to the government would have to adopt coordinated vulnerability disclosure policies, so that if a vulnerability is uncovered, that information is disseminated.