Keep an Eye on Internet of Things Legislation.

Author: Cassidy, Susan
Position: Government Contracting Insights

A new bill introduced by Congress would require the development of detailed policy guidance that, if adopted, could significantly boost cybersecurity enhancements for the internet of things.

The internet of things, or IoT, is the network of web-enabled objects and devices in society that are able to collect, transmit and exchange data. In recent years, the Defense Department repeatedly has emphasized the need to bolster cybersecurity standards and policies for these systems.

A December 2016 report from the department's chief information officer warned that "the immense promise of this technology comes with immense risks," and that the proliferation of web-enabled devices means that "DoD is entering a quickly deepening pool of vulnerability."

Despite an increasing recognition of the potential risks, the ubiquity and rapidly changing nature of the technology and the desire to not stifle innovation in this emerging area have resulted in few new legislative requirements.

However, in March a bipartisan group of lawmakers introduced the Internet of Things Cybersecurity Improvement Act of 2019. The bill seeks "[t]o leverage federal government procurement power to encourage increased cybersecurity for internet of things devices." In other words, it aims to shore up cybersecurity requirements for devices purchased and used by the federal government, while affecting cybersecurity on these types of systems more broadly.

To accomplish this goal, the bill outlines several action items for the directors of the National Institute of Standards and Technology and the Office of Management and Budget.

NIST would be directed to complete, by Sept. 30, all ongoing efforts related to managing IoT cybersecurity, particularly its work in identifying cybersecurity capabilities. Those efforts are to address secure development, identity management, patching and configuration management for the devices.

NIST would also be tasked to develop, by March 31, 2020, recommendations on "the appropriate use and management" of IoT devices "owned or controlled by the federal government," to include "minimum information security requirements."

The Office of Management and Budget would then have 180 days to issue guidance to each agency, consistent with NIST's recommendations.

Additionally, the legislation would require NIST to publish a draft report within 180 days of the bill's enactment addressing considerations for managing cybersecurity risks associated with the "increasing...
