What's Happening With Markups for the IoT Cybersecurity Improvement Act of 2019?

Back in March, we blogged about the IoT Cybersecurity Improvement Act of 2019 and shared a number of concerns over the language as it was drafted at the time. In general, we were, and continue to be, extremely supportive of both the goal of encouraging IoT manufacturers to build their offerings secure-by-design, and the approach of leveraging the buying power of the U.S. federal government to encourage positive change in the market. Our challenge in supporting the bill lay in the drafting details, which we won’t rehash here, but if you’re interested, we recommend reading that post first.


So, why a second blog post? Well, in recent weeks, both the House (H.R.1668) and Senate (S.734) versions of the bill have gone through markup in their relevant committees. As a result of amendments during their markups, the bills now look quite different from their original language in March, and now, from each other.


Each bill has made improvements, but the Senate version now includes a problematic new section that undermines the bill’s purpose of improving federal IoT security, as we detail below.


If these bills move forward, we hope that this post and other similar efforts will help Congress keep what’s working and address what’s not.


Changes to H.R.1668


The revised House bill has addressed some of our major concerns, namely:


PLC definitions


It has improved the definitions section so that programmable logic controllers (PLCs) are no longer referenced as an example of “general-purpose computing devices” (which they are not), and instead are now only exempted as follows:


“(iv) progra ..
