Security experts praised the newly passed IoT bill as a step in the right direction for securing the connected devices the federal government buys and operates, a category long plagued by weak security.
Security experts are applauding the recent stamp of approval by the U.S. Senate on a groundbreaking internet-of-things (IoT) security regulatory effort.
The IoT Cybersecurity Improvement Act, sponsored in the House on a bipartisan basis by Reps. Will Hurd (R-Texas) and Robin Kelly (D-Ill.), would require IoT devices procured and used by the federal government to conform to basic security requirements. The House passed the bill unanimously in September, and the Senate passed it earlier this week; the next step is for it to be sent to the president to be signed into law.
Security experts praised the bill’s alignment with existing standards and best practices, as well as what it means for IoT devices, which have long been plagued by security and privacy issues.
“Through the Act, the federal government can lead by example in implementing basic IoT security standards and best practices for devices it buys and manages, and drive contractors’ adoption of standards-based coordinated vulnerability disclosure processes,” according to Harley Geiger, director of Public Policy at Rapid7, in a recent post.
The IoT Cybersecurity Improvement Act
The IoT Cybersecurity Improvement Act has several parts. First, it directs NIST to issue standards-based guidelines for the minimum security of IoT devices owned or controlled by the federal government. The Office of Management and Budget (OMB) must then issue policies requiring federal civilian agencies’ information-security policies to be consistent with those NIST guidelines.
Under the bill, federal agencies must also implement a vulnerability-disclosure process for the IoT devices they use, following NIST guidelines on receiving, coordinating and publishing vulnerability reports, and their contractors are subject to the same process. Agencies are barred from procuring, or renewing contracts for, IoT devices that don’t meet the security guidelines, subject to a narrow waiver process.
Of note, NIST has been publishing IoT security guidance since 2019, including its “Considerations for Managing Internet of Things (IoT) Cybersecurity and Privacy Risks” (NISTIR 8228) and its recommended foundational security activities for device manufacturers (NISTIR 8259), so the act builds on work already under way. And NIST’s EU counterpart, the European Union Agency for Cybersecurity (ENISA), published its baseline security recommendations for IoT devices in 2017.
Rapid7’s Geiger said he hopes the bill signals a strengthened commitment from the U.S. federal government to work on IoT security.
“While we support strong IoT security, we believe it is best implemented in a coordinated manner, avoiding a patchwork between U.S. states or internationally,” he said. “This will take sustained engagement from both the public and private sectors, but the passage of the IoT Cybersecurity Improvement Act and the lessons to be learned in its implementation will be invaluable to this process.”
IoT Regulatory Efforts
Regulatory efforts worldwide continue to solidify. California Senate Bill 327 (SB-327) requires manufacturers of connected devices to equip them with “reasonable security feature or features that are appropriate to the nature and function of the device,” and specifically calls for either a unique preprogrammed password per device or a requirement that the user set new credentials before first use. SB-327 was signed into law in 2018 and took effect in January 2020 (although it drew criticism from the security community for being vague and not going far enough).
Meanwhile, in 2019 the U.K. government announced plans for mandatory requirements for consumer IoT manufacturers. Those include unique per-device passwords that cannot be reset to a universal factory default, a public point of contact for reporting vulnerabilities, and a stated minimum period during which a device will receive security updates.
“Fixing IoT security requires a concerted effort across the supply chain, not on fixing a singular technology or vulnerability. Establishing better standards and accountability for securing devices and their software is a positive development,” Jack Mannino, CEO at nVisium, told Threatpost. “Many devices have remained plagued by vulnerabilities for years, and if we want to do a better job in the future, we have to start now.”
Dirk Schrader, global vice president at New Net Technologies (NNT), said that a measure like the IoT Cybersecurity Improvement Act “improves the security posture overall.”
“Having basic cybersecurity requirements in place that vendors need to adhere to for any kind of internet-connected device is a good move,” Schrader told Threatpost. “It will be interesting to see how this is enforced and monitored, as we have already a few of these requirements out there, like the HIPAA security rule.”