Hurd’s bipartisan IoT security bill becomes law

Any Internet of Things (IoT) device purchased with federal dollars must meet minimum security standards under a bipartisan bill introduced by U.S. Rep. Will Hurd (R-TX) that became law on Dec. 4 with President Donald Trump’s signature.

“While IoT devices improve and enhance nearly every aspect of our society, economy and everyday lives, these devices must be secure in order to protect Americans’ personal data,” Rep. Hurd said. “I’m proud this is my 17th piece of legislation to be signed into law in five years, and I’m working to add to that number before the end of my term.”

The IoT Cybersecurity Improvement Act of 2020, H.R. 1668, which Rep. Hurd cosponsored in March 2019 with bill sponsor U.S. Rep. Robin Kelly (D-IL), requires the National Institute of Standards and Technology (NIST) and the Office of Management and Budget (OMB) to take specific steps to increase cybersecurity for IoT devices, which extend internet connectivity into physical devices and everyday objects, according to the congressional record bill summary.

“My philosophy is simple and has remained the same: the only way we get big things done in Congress is by working together,” said Rep. Hurd, who leaves office in January 2021. “My bipartisan effort with Rep. Kelly to ensure taxpayer dollars are only being used to purchase IoT devices that meet basic, minimum security requirements is the perfect example of that.” 

Specifically, the newly signed law dictates that NIST and OMB must update IoT security standards, guidelines and policies at least every five years, according to a bill summary provided by Rep. Hurd’s office.

The procurement or use by federal agencies of IoT devices that do not comply with these security requirements is prohibited, subject to a waiver process for devices necessary for national security, needed for research, or that are secured using alternative and effective methods, the summary says.

NIST also must publish guidelines for reporting security vulnerabilities relating to federal agency information systems, including IoT devices, and OMB then must develop and implement policies aligned with those guidelines that address the security vulnerabilities of federal agency information systems, including IoT devices.