The House Oversight and Reform Committee advanced the Internet of Things (IoT) Cybersecurity Improvement Act of 2019 out of Committee on June 12. The bipartisan legislation, cosponsored by Reps. Robin Kelly, D-Ill., and Will Hurd, R-Texas, would establish Federal baseline standards for all government-purchased Internet-connected devices.
“As technology changes and revolutionizes the delivery of services, the government is purchasing and using more and more Internet-connected devices. We have an obligation to prevent these devices from becoming a backdoor for hackers and tools for cybercriminals,” said Kelly.
The bill’s cosponsor praised the growing popularity of IoT devices, but also urged for greater regulation and an increased focus on cybersecurity.
“Internet of Things devices will improve and enhance nearly every aspect of our society, economy and everyday lives – and are growing rapidly. We must act now to ensure these devices are built with security in mind, not as an afterthought,” said Congressman Will Hurd (R-TX). “I am excited to see this important, bipartisan cybersecurity bill move forward in the legislative process and look forward to seeing it on the House floor.”
According to Kelly and Hurd, the legislation:
- “Require the National Institute of Standards and Technology (NIST) to publish a report and issue guidelines addressing, at a minimum, secure development, identity management, patching, and configuration management for IoT devices;
- Direct the Office of Management and Budget (OMB) to promulgate security standards for IoT devices to the agencies that are consistent with the NIST’s work, and charge OMB with reviewing these policies at least every five years;
- Require any Internet-connected devices purchased by the federal government to comply with those standards;
- Direct NIST to work with cybersecurity researchers and industry experts to publish guidelines on coordinated vulnerability disclosure to ensure that vulnerabilities related to devices are addressed by the agencies; and
- Direct OMB to promulgate standards for coordinated vulnerability disclosure related to agency devices based on NIST guidelines and require contractors and vendors providing IoT devices to the U.S. government to follow these standards.”
The bill was initially introduced in March and has a companion bill in the Senate, cosponsored by Sens. Mark Warner, D-Va., and Cory Gardner, R-Colo.
“Frankly, it’s alarming that we still lack basic security standards for these devices, particularly for government-owned connected technology. Right now, our nation faces a myriad of cyber threats and today’s markup of this bipartisan bill takes an important step in improving our nation’s cybersecurity posture,” said Warner in a June 12 statement.
Other legislators also spoke out on the importance of the legislation.
“As the capability of technology grows, the government has the responsibility to step up and modernize internet security systems to keep American families and businesses safe from cyber-criminals,” said Rep. Mark Meadows, R-N.C. “The Internet of Things Cybersecurity Improvement Act will better secure internet technology and close loopholes exploited by online hackers.”