The U.S. Senate passed a bill aimed at improving the cybersecurity of internet of things (IoT) devices. The bill was passed by the House in September and now moves to the president for approval.
The IoT Cybersecurity Improvement Act of 2020 requires the National Institute of Standards and Technology (NIST) to develop and publish standards and guidelines for the federal government on the appropriate use and management of IoT devices owned by federal agencies, as well as IoT devices connected to systems owned by those agencies. The standards are due 90 days after enactment of the act.
The act also requires the NIST director to ensure that the standards and guidelines include key information such as:
• Examples of possible security vulnerabilities of IoT devices;
• Considerations for managing those security vulnerabilities; and
• Secure development, identity management, patching and configuration management for IoT devices.
No later than 180 days after those standards are developed, the director of the Office of Management and Budget (OMB) is required to review agency information security policies and principles against the standards to ensure they are consistent with them. After that review, the OMB is responsible for issuing any policies or principles that are necessary to ensure agency policies are consistent with the NIST standards and guidelines.
No more than 180 days after the act goes into effect, NIST must develop and publish guidelines that cover:
• The reporting, coordinating, publishing and receiving of information about security vulnerabilities related to agency systems and the resolution of those vulnerabilities; and
• Information from contractors providing an IoT system or device about a potential security vulnerability and how to resolve that vulnerability.
Two years after the enactment of the bill, the OMB must develop and oversee implementation of policies, principles, standards or guidelines necessary to address any security vulnerabilities. The bill prohibits an agency from procuring an IoT system or device from a contractor if the chief information officer (CIO) of that agency determines that the use of that device prevents compliance with the guidelines.
The act requires NIST to review the policies and guidelines every five years and make any necessary revisions.