Congress recently advanced legislation that directs the National Institute of Standards and Technology (NIST) to create standards and guidelines for securing Internet of Things (“IoT”) devices used by Federal agencies and their contractors. We previously reported on this legislation in April of 2019 when it was introduced in the House (H.R. 1668) and the Senate (S. 734). On September 14, 2020, the House of Representatives passed the legislation on a voice vote.
Should this legislation become law, NIST will be tasked with developing standards and guidelines within 90 days of enactment on the security of IoT devices owned or controlled by a federal agency, or connected to information systems owned or controlled by an agency. These standards and guidelines are to be developed consistent with other NIST efforts regarding IoT devices, with a particular focus on secure development, identity management, patching and configuration management.
Within 180 days after enactment NIST also is to develop guidelines for reporting, coordinating, publishing, and receiving information about security vulnerabilities relating to agency information systems and for communicating about security vulnerabilities with contractors and subcontractors who provide information systems to an agency. This will apply to any federal government contractor or vendor.
Following these initial standards and guidelines, the Director of the Office of Management and Budget (“OMB”) then is tasked with issuing policies and principles consistent with such standards and guidelines. Within another two years from enactment, the Director of OMB is required to develop and oversee the implementation of policies, principles, standards, or guidelines to address security vulnerabilities of information systems (including IoT devices).
Finally, if passed, the legislation will prohibit an agency from procuring or using IoT devices that are not in compliance with the standards and guidelines developed by NIST, and the Federal Acquisition Regulation (“FAR”) will be revised as necessary to implement the standards and guidelines.
What does this mean for you? As we mentioned when this legislation first was proposed, this legislation likely will impact most, if not all, organizations in the Internet of Things space – either directly, where an organization provides these devices to the federal government, or indirectly, where an organization may use the NIST standards as a baseline for the security of its devices.
We will continue to pay close attention to developments regarding this legislation in the Senate and provide updates as they occur.