A draft bill floating around Capitol Hill would require that the federal government create baseline cybersecurity standards for all internet-connected devices in government.
Rep. Robin Kelly, D-Ill., plans to introduce the Internet of Things (IoT) Federal Cybersecurity Improvement Act of 2018 soon — it’s a House version of a similar bill Sen. Mark Warner, D-Va., introduced in August 2017.
Among other things, the legislation would require that internet-connected devices in government accept security patches and have passwords that can be changed. Contractors would be required to attest that their devices meet these standards and to participate in vulnerability disclosure programs. The measure would also require the director of the White House Office of Management and Budget, as well as leaders from the General Services Administration, Department of Commerce and Department of Homeland Security, to develop security principles through a “transparent process” of consultation and “based on technology-neutral, outcome-based security principles,” the bill states.
In contrast to the Senate bill, Rep. Kelly’s proposition would give agency CIOs the power to waive security requirements in certain circumstances.
Both bills, however, would require the director of OMB to create and maintain a database of devices and manufacturers that don’t meet the necessary cybersecurity standards.
Rep. Kelly’s bill has received industry support. “Unsecured IoT devices are an enormous — and growing — risk,” Jeff Greene, vice president of global government affairs at Symantec, said in a statement. “But it does not have to be that way; IoT devices can be secured, and the federal government can set an example for the private sector.”
Perhaps the coming introduction of Kelly’s bill will put additional impetus behind its Senate counterpart — that bill has been referred to the Committee on Homeland Security and Governmental Affairs but hasn’t seen any action there so far.