IoT Cybersecurity Bill Advances to Full Senate

The IoT Cybersecurity bill, which was introduced in March, passed through the Senate Homeland Security and Governmental Affairs last week and is now headed to the full Senate for a vote.

• By Kaitlyn DeHaven
• Jun 25, 2019

The Internet of Things Cybersecurity Improvement Act passed through the Senate Homeland Security and Governmental Affairs on June 19 and is now headed to the full Senate for a vote.

The bill was introduced in March and would “require that devices purchased by the U.S. government meet certain minimum security requirements."

That version of the bill passed out of the House Committee on Oversight and Reform two weeks ago, and the Senate bill now includes vendors as well as devices.

As passed out of the Committee last week, the bill would specifically:

• Require the National Institute of Standards and Technology (NIST) to issue recommendations addressing, at a minimum, secure development, identity management, patching, and configuration management for IOT devices.
• Direct the Office of Management and Budget (OMB) to issue guidelines for each agency that are consistent with the NIST recommendations, and charge OMB with reviewing these policies at least every five years.
• Require any Internet-connected devices purchased by the federal government to comply with those recommendations.
• Direct NIST to work with cybersecurity researchers, industry experts, and the Department of Homeland Security (DHS) to publish guidance on coordinated vulnerability disclosure to ensure that vulnerabilities related to agency devices are addressed.
• Require contractors and vendors providing information systems to the U.S. government to adopt coordinated vulnerability disclosure policies, so that if a vulnerability is uncovered, that if a vulnerability is uncovered, that can be effectively shared with a vendor for remediation.