Senate Approves Internet of Things Cybersecurity Improvement Act

Sens. Mark Warner (D-VA) and Cory Gardner (R-CO) applauded congressional passage of their bipartisan legislation to require minimum security requirements for Internet of Things (IoT) devices purchased by the US government. Leveraging the purchasing power of the federal government, the bill will ultimately help move the wider market for IoT devices towards greater cybersecurity. The Internet of Things (IoT) Cybersecurity Improvement Act passed through the House of Representatives in September and was approved in the Senate by unanimous consent. It now heads to the President’s desk for signature. Specifically, the legislation would:

• Require the National Institute of Standards and Technology (NIST) to issue recommendations addressing, at a minimum, secure development, identity management, patching, and configuration management for IoT devices.
• Direct the Office of Management and Budget (OMB) to issue guidelines for each agency that are consistent with the NIST recommendations, including making any necessary revisions to the Federal Acquisition Regulation to implement new security standards and guidelines.
• Require any IoT devices  purchased by the federal government to comply with those recommendations.
• Direct NIST to work with cybersecurity researchers, industry experts, and the Department of Homeland Security (DHS) to publish guidelines on vulnerability disclosure and remediation for federal information systems. 
• Require contractors and vendors providing information systems to the U.S. government to adopt coordinated vulnerability disclosure policies, so that if a vulnerability is uncovered, that can be effectively shared with a vendor for remediation.