A step closer to stronger federal IoT security

On Tuesday September 15th, the US House unanimously passed the IoT Cybersecurity Improvement Act [H.R. 1668]. The bill, sponsored by Reps. Kelly and Hurd, would require federal procurement and use of IoT devices to conform to basic security requirements. The version passed by the House makes several improvements compared to previous versions and the Senate companion, which we blogged about in detail a long time ago in the parallel dimension that was 2019. Although the chances of Senate passage are unclear, the bill’s resounding approval in the House is a big step closer to a meaningful IoT security framework across federal agencies.


Bill summary


The House-passed version of the IoT Cybersecurity Improvement Act retains its basic formula:


NIST must issue standards-based guidelines for minimum security of IoT devices owned or controlled by the federal government. [Sec. 4(a).]
The Office of Management and Budget (OMB) must issue rules requiring federal civilian agencies to have information security policies that are consistent with NIST’s guidelines. [Sec. 4(b).]
Federal acquisition rules must be updated to reflect the IoT security standards and guidelines. [Sec. 4(d).]
Federal agencies, as well as contractors providing information systems to agencies, must implement a vulnerability disclosure policy. [Sec. 5-6.]
Federal agencies cannot procure, obtain, or renew contracts for IoT devices that cannot meet the security guidelines. [Sec. 7.]

Broadly speaking, this is pretty thoughtful and should have a meaningful impact on federal IoT security. Let’s zoom in on a few details: 1) The definition of IoT; 2) The waiver process; and 3) The contract amount threshold.


IoT Definition


We not ..