
Digital Guardian's Blog

Congress Passes IoT Bill, Last Hurdle to Becoming Law

by Chris Brook on Wednesday November 18, 2020


The bill, which would establish cybersecurity guidelines for IoT devices purchased by the U.S. government, is on track to become law.

In a move that would have been nearly unthinkable even as recently as five years ago, Congress has passed a bipartisan bill around the security of Internet of Things (IoT) devices.

While it's difficult to predict the machinations behind anything that happens in Washington these days, the bill - the Internet of Things Cybersecurity Improvement Act - certainly seems poised to be signed into law imminently.

In its infancy, IoT technology revolved around advances in wireless networking technology like sensors, RFID and smartphone standards like NFC. These days, with the advent of Nest cameras, Ring doorbells, Sonos speakers, Alexa, Siri, and even Cortana, IoT has become an afterthought for many.

The problem, as politicians and experts alike have pointed out over the years, is that the devices that run this technology haven't faced any sort of accountability.

Despite being bipartisan and uncontroversial - it will require federal government procurement of IoT devices to conform to basic security - the bill has faced an uphill road.

A 2017 bill, the Internet of Things (IoT) Cybersecurity Improvement Act of 2017, introduced by Sen. Cory Gardner (R-Colo.), co-chair of the Senate Cybersecurity Caucus, and Sen. Mark Warner (D-Va.), failed to gain traction. The bill was reintroduced last March as the Internet of Things (IoT) Cybersecurity Improvement Act of 2019 by Gardner with Warner, and in the House by Reps. Robin Kelly (D-Ill.) and Will Hurd (R-Texas). It was advanced by the House Committee on Oversight and Reform last summer, showing it had promise.

The latest iteration, now known as the IoT Cybersecurity Improvement Act of 2020, was passed by the Senate unanimously without any amendments, on Tuesday; it passed the House in September. From here, it heads to the President's desk to be signed into law.

Warner, who introduced the bill last year, was enthusiastic about its passing Congress.

“While more and more products and even household appliances today have software functionality and internet connectivity, too few incorporate even basic safeguards and protections, posing a real risk to individual and national security,” said Sen. Warner. “I’m proud that Congress was able to come together today to pass this legislation, which will harness the purchasing power of the federal government and incentivize companies to finally secure the devices they create and sell. I urge the President to sign this bill into law without delay,” Warner said Tuesday.

If signed into law, the bill would:

  • Require the National Institute of Standards and Technology (NIST) to issue recommendations addressing, at a minimum, secure development, identity management, patching, and configuration management for IoT devices.
  • Direct the Office of Management and Budget (OMB) to issue guidelines for each agency that are consistent with the NIST recommendations, including making any necessary revisions to the Federal Acquisition Regulation to implement new security standards and guidelines.
  • Require any IoT devices purchased by the federal government to comply with those recommendations.
  • Direct NIST to work with cybersecurity researchers, industry experts, and the Department of Homeland Security (DHS) to publish guidelines on vulnerability disclosure and remediation for federal information systems.
  • Require contractors and vendors providing information systems to the U.S. government to adopt coordinated vulnerability disclosure policies, so that if a vulnerability is uncovered, it can be effectively shared with a vendor for remediation.


Chris Brook

Chris Brook is the editor of Data Insider. He is a technology journalist with a decade of experience writing about information security, hackers, and privacy. Chris has attended many infosec conferences and has interviewed hackers and security researchers. Prior to joining Digital Guardian he helped launch Threatpost, an independent news site which is a leading source of information about IT and business security for hundreds of thousands of professionals worldwide.