December 3, 2020
The Internet of Things (“IoT”) Cybersecurity Improvement Act of 2020 (S. 734, H.R. 1668) is about to be signed into law. Billions of devices are operating on federal government networks, many of them remotely connecting via the internet. The COVID-19 pandemic has accelerated this trend as many federal workers and contractors are performing in remote work environments.
Remote devices connecting to federal networks and systems pose serious security threats. According to a 2020 threat intelligence report, these devices are responsible for almost a third of all mobile and wireless network infections. Another report warns that the rapid introduction of edge remote connection devices will create opportunities for invasive activities.
The purpose of the IoT Act is to mitigate the potential for malicious cyber-attacks and establish baseline standards to ensure the security of any devices used by, or connected to, federal government systems.
- What does the IoT Act require?
The IoT Act will require anyone selling internet connected devices to the federal government to ensure that they meet minimum cybersecurity standards and guidelines developed by the National Institute of Standards and Technology or NIST. NIST is required to develop and publish these standards within 90-days. NIST’s guidance will include appropriate use and management by agencies of IoT devices, including minimum information security requirements for managing cybersecurity risks associated with these devices. The controls for IoT devices will have to account for:
- secure development,
- identity management,
- patching, and
- configuration management.
All contractors and subcontractors involved in developing and selling IoT products to the federal government will need to establish programs and processes to disclose security vulnerabilities in their products and supply chain. The Comptroller General is required to report to Congress every 2 years on the effectiveness of processes, vulnerabilities, and recommended best practices. The Director of OMB, in consultation with the Director of NIST, is also required to update policies to resolve security vulnerabilities. Agency Chief Information Officers (CIOs) will have the power to prohibit their agencies from procuring or obtaining any contract using IoT devices that do not comply with NIST’s guidance.
- What are covered devices?
The IoT Act will apply to any physical object that connects to the internet. This can be computer desktops, laptops, mobile devices, tablets, but extends to other equipment and appliances, such as heating and cooling systems that are connected to each other and other systems via the internet.
- When is the effective date of the prohibition?
The effective date of the prohibition is two years after the date of enactment.
- Are there exceptions?
As with any rule, there are exceptions. A waiver may be provided by the head of an agency if:
- in the interest of national security;
- procuring, obtaining, or using such device is necessary for research purposes; or
- the device is secured using alternative and effective methods appropriate to the function.
Conclusion
After enactment of the IoT bill, government agencies are expected to collaborate with industry experts and academia to develop within three months security standards for IoT devices that will close security loopholes and have practical applications. NIST’s IoT device standards and guidelines will be compatible with NIST’s existing efforts. The IoT Act will ultimately increase end-user transparency on IoT devices and will better inform the government of their cyber security risks.
If you have questions regarding this legislation, please contact Shiva Hamidinia at shamidinia@nicholsliu.com or 202-846-9829.
About the author:
Shiva helps high growth government contractors win, keep, and successfully perform projects. Intimately familiar with the pitfalls of federal contract documents and jobsite realities, Shiva provides concise business-minded legal advice to help contractors mitigate risks and increase opportunities.
Disclaimer
The information provided in this blog does not, and is not intended to, constitute legal advice; instead, all information, content, and materials available on this site are for general informational purposes only. Information on this website may not constitute the most up-to-date legal or other information. Readers of this website should contact their attorney to obtain advice with respect to any particular legal matter.
