A bipartisan bill directed at enhancing cybersecurity on internet-connected devices bought by the United States government cleared another hurdle in Congress June 19, passing through the Senate Homeland Security and Governmental Affairs Committee.
The bill, titled the “Internet of Things (IoT) Cybersecurity Improvement Act of 2019,” directs the National Institute of Standards and Technology to develop minimum security standards for federal IoT devices.
“While I’m excited about their life-changing potential, many IoT devices are being sold without appropriate safeguards and protections in place, with the device market prioritizing convenience and price over security,” said Sen. Mark Warner, D-Va., in a statement.
Under the legislation, NIST would have to issue recommendations regarding secure development, patching, identity management and configuration of internet-connected devices. If the standards becomes law, the Office of Management and Budget will be required to issue guidelines to agencies that follow the NIST recommendations.
“The internet of things landscape continues to expand, with most experts expecting tens of billions of devices to be operating on our networks within the next several years,” said Sen. Cory Gardner, R-Colo. “As these devices continue to transform our society and add countless new entry points into our networks, we need to make sure they are secure, particularly when they are integrated into the federal government’s networks.”
A growing number of IoT devices has prompted security concerns in the federal government because more devices connected to the internet gives hackers more potential points of entry. And if the device is connected to a wider network, the hacker can gain access to an agency’s sensitive data. A companion bill in the House of Representatives — sponsored by Reps. Robin Kelly, D-Ill., and Will Hurd, R-Texas — passed through the House Committee on Oversight and Reform June 12.
“As technology changes and revolutionizes the delivery of services, the government is purchasing and using more and more Internet-connected devices. We have an obligation to prevent these devices from becoming a backdoor for hackers and tools for cybercriminals," said Kelly in a statement June 14.
Both bills now await a floor vote.
Andrew Eversden covers all things defense technology for C4ISRNET. He previously reported on federal IT and cybersecurity for Federal Times and Fifth Domain, and worked as a congressional reporting fellow for the Texas Tribune. He was also a Washington intern for the Durango Herald. Andrew is a graduate of American University.