GOVERNMENT CONTRACTING INSIGHTS CYBER
Keep an Eye on Internet of Things Legislation
A new bill introduced by Congress would require the development of detailed policy guidance that, if adopted, could significantly boost cybersecurity enhancements for the internet of things.
The internet of things, or IoT, is the network of web-enabled objects and devices in society that are able to collect, transmit and exchange data. In recent years, the Defense Department has repeatedly emphasized the need to bolster cybersecurity standards and policies for these systems.
A December 2016 report from the department’s chief information officer warned that “the immense promise of this technology comes with immense risks,” and that the proliferation of web-enabled devices means that “DoD is entering a quickly deepening pool of vulnerability.”
Despite increasing recognition of the potential risks, the ubiquity and rapidly changing nature of the technology, together with a desire not to stifle innovation in this emerging area, have resulted in few new legislative requirements.
However, in March a bipartisan group of lawmakers introduced the Internet of Things Cybersecurity Improvement Act of 2019. The bill seeks “[t]o leverage federal government procurement power to encourage increased cybersecurity for internet of things devices.” In other words, it aims to shore up cybersecurity requirements for devices purchased and used by the federal government, while affecting cybersecurity on these types of systems more broadly.
To accomplish this goal, the bill outlines several action items for the directors of the National Institute of Standards and Technology and the Office of Management and Budget.
NIST would be directed to complete, by Sept. 30, all ongoing efforts related to managing IoT cybersecurity, particularly its work in identifying cybersecurity capabilities. Those efforts are to address secure development, identity management, patching and configuration management for the devices.
NIST would also be tasked to develop, by March 31, 2020, recommendations on “the appropriate use and management” of IoT devices “owned or controlled by the federal government,” to include “minimum information security requirements.”
The Office of Management and Budget would then have 180 days to issue guidance to each agency, consistent with NIST’s recommendations.
Additionally, the legislation would require NIST to publish a draft report within 180 days of the bill’s enactment addressing considerations for managing cybersecurity risks associated with the “increasing convergence of traditional information technology devices, networks and systems with internet of things devices, networks and systems and operational technology devices, networks and systems.”
NIST would also have to consult with cybersecurity researchers and private-industry experts, and publish guidance relating to the reporting and resolution of security vulnerabilities discovered in federal government IoT devices. OMB would then have 180 days to issue guidelines for each government agency, based on NIST’s recommendations. Those recommendations must be consistent with the information security requirements that are imposed on federal information systems in Title 44 of the U.S. Code. The directives are also required to prohibit acquisition or use of IoT devices from a contractor or vendor that fails to comply with NIST’s security vulnerability guidance.
Once OMB issues its guidance, these requirements would be included in a revision to the Federal Acquisition Regulation. No specific date by which these regulations must be promulgated is included in the current draft of the bill.
Notably, the legislation recognizes the debate about what constitutes an IoT device. It would apply to a “covered device,” which is defined as a “physical object” that: is capable of connecting to, and is in regular connection with, the internet; has computer processing capabilities that can collect, send or receive data; and is not a general-purpose computing device, such as a smartphone. The act would direct OMB to establish a process for interested parties to petition for a decision that a device is not covered by this definition, potentially providing clarity for manufacturers about whether they are covered by the measure.
This bill represents a new approach after two failed legislative efforts from the last congressional term. The Internet of Things Cybersecurity Improvement Act of 2017 and the Internet of Things Federal Cybersecurity Improvement Act of 2018 both focused on “provid[ing] minimal cybersecurity operational standards for internet-connected devices purchased by federal agencies.” But unlike the current proposal, they contained only limited guidance to NIST and instead focused on OMB and imposing contractual requirements.
The new legislation dovetails with prior Defense Department recommendations. The chief information officer has declared that the department must adopt policies that enable it to “react to security incidents and ensure appropriate diligence with regard to the security, integrity, confidentiality and safety of IoT devices.” To this end, the officer suggested the publication of an IoT-specific overlay to existing NIST security guidance and the promulgation of new Defense Federal Acquisition Regulation Supplement contract clauses, both of which are consistent with the bill’s recommendations.
In the years ahead, IoT cybersecurity will only take on greater significance. And while the prospects for enactment of this specific bill remain unclear, potential new requirements warrant the close attention of the defense contracting community going forward.
Susan Cassidy is a partner, and Micha Nandaraj Gallo and Katharine Goodloe are associates at Covington & Burling LLP.