Senate passes minimum security standards for federal IoT devices

Vendors must notify federal customers of any cyber security flaws in their internet-connected devices


The US Senate has unanimously passed a new piece of legislation that will create minimum cyber security standards for government-purchased, internet-connected devices.

The Internet of Things (IoT) Cybersecurity Improvement Act (H.R. 1668), introduced by Congresswoman Robin Kelly (D-Illinois), would oblige all internet-connected devices purchased by the federal government to conform to a set of minimum security recommendations issued by the National Institute of Standards and Technology.

Private companies that sell devices to the federal government would also be required to notify agencies if the internet-connected device has a vulnerability that could leave the government open to attacks.

The act would require the National Institute of Standards and Technology (NIST) to issue recommendations addressing, at a minimum, secure development, identity management, patching, and configuration management for IoT devices.

It would also direct the Office of Management and Budget (OMB) to issue guidelines for each agency that are consistent with the NIST recommendations, including making any necessary revisions to the Federal Acquisition Regulation to implement new security standards and guidelines.

The act would also require NIST to work with cyber security researchers, industry experts, and the Department of Homeland Security (DHS) to publish guidelines on vulnerability disclosure and remediation for federal information systems.

Congresswoman Kelly said in a statement that the act would make sure that “the U.S. government purchases secure devices and closes existing vulnerabilities to protect our national security and the personal information of American families.”

The legislation was unanimously approved by the House in September, and passed on the Senate floor by unanimous consent on the evening of 17 November.

“While more and more products and even household appliances today have software functionality and internet connectivity, too few incorporate even basic safeguards and protections, posing a real risk to individual and national security,” said Sen. Mark Warner, D-Va., in a statement.

“I’m proud that Congress was able to come together today to pass this legislation, which will harness the purchasing power of the federal government and incentivize companies to finally secure the devices they create and sell. I urge the President to sign this bill into law without delay.”

The bill now heads to the president to be signed into law.

Paul Bischoff, privacy advocate at Comparitech.com, told IT Pro that the establishment of minimum security standards for government-owned IoT devices is long overdue.

“I think it was wise to put NIST, a reputable non-partisan standards body, in charge of drafting guidelines and auditing devices, as opposed to writing fixed standards into law that would only be made obsolete in a few years’ time. Although government-level security standards might not be necessary on all devices, it would be helpful for consumers and businesses to know which devices meet NIST's standards,” he said.

Andrea Carcano, co-founder at Nozomi Networks, said that this is an important first step by the federal government to help ensure IoT device makers improve the security of their products.

“At the same time, you can never guarantee zero risk...that's why enterprise and industrial organizations must put additional security measures and technologies in place to shore up their IoT security,” he said.

“That includes using AI-powered solutions that can quickly identify the hundreds or even thousands of IoT devices connected to the network and assess their level of risk or vulnerability to help prioritize fixes and response. By effectively managing vulnerabilities of their IoT devices, security teams are one step closer to protecting against cyber threats and the risk of downtime due to cyberattacks.”
