On March 11, the Internet of Things (IoT) Cybersecurity Improvement Act of 2019 was introduced in the U.S. Senate in an effort to get control over the purchasing of insecure devices by the U.S. government. Until now, there have been no real security standards covering the purchasing of IoT devices, in large part because actual IoT security ranged between nonexistent and rare. The Act seeks to change this by imposing minimum required standards for any IoT device purchased by the U.S. government.
Once the rules go into effect in 2020, the new requirements include making IoT devices patchable, certifying that they are free from known vulnerabilities and requiring that the devices use standard protocols. The rules will also require that if vulnerabilities become known, vendors must disclose them to the agency that bought or otherwise acquired the device, and the vendor must include the means of limiting or fixing the vulnerability.
In addition, the Act requires a major change away from one of the worst IoT practices, the use of hard-coded credentials. This means that it must be possible for users to install their own credentials, such as a user name and password.
Because there are certain to be some devices that can’t be made compliant with the new security rules, agencies can petition to have noncompliant devices allowed, but they have to be able to show how they’re going to secure them. The National Institute of Standards and Technology (NIST) and the Office of Management and Budget (OMB) will then specify a minimum level of compensating security controls that must be used if a noncompliant device is used on a government network. Those steps can include network segmentation, gateways, container use or the use of microservices.
Agencies can waive the required security standards if they can come up with better standards that still meet the other requirements, or if industry standards are developed that exceed those the government puts in place. Meanwhile, the Department of Homeland Security is directed to develop coordinated disclosure standards and then allow researchers to find and report vulnerabilities without fear of violations of the Copyright Act.
There’s also a warranty clause that requires vendors to patch vulnerabilities or to replace the devices in a timely manner. To make things easier, the senators released a fact sheet that includes a detailed rundown of the requirements.
“While I’m excited about their life-changing potential, I’m also concerned that many IoT devices are being sold without appropriate safeguards and protections in place, with the device market prioritizing convenience and price over security,” said Sen. Mark Warner, D-Va., one of the bill’s co-sponsors and co-chair of the Senate Cybersecurity Caucus, in a prepared statement provided to eWEEK.
“This legislation will use the purchasing power of the federal government to establish some minimum security standards for IoT devices,” Warner added. Warner is also vice-chair of the Senate Select Committee on Intelligence.
If this bill and a companion bill that’s going to be introduced into the U.S. House of Representatives on Monday, March 18, are passed as expected, then they will create a set of minimum security standards for IoT devices purchased by the government.
One notable change over many procurement bills that have found their way through Congress is that this one eliminates many of the loopholes that allow agencies and vendors to skirt regulations. While waivers are available for products that can’t be made secure, agencies are required to find some other way to impose the same level of security—they can’t just make up an excuse and ignore the rule otherwise.
How the New Rules Help Enterprises
What this means for the larger IT community is that a wide range of secure IoT devices is going to be made to meet the minimum federal standards. While their vendors aren’t required to meet those same standards for non-federal purchases, it means that those secure versions will be available, and your organization will also be able to order them.
In addition, many vendors will simply make a default version that meets federal standards. When you’re making items in the billions, reducing the number of variations eases your supply chain problems, so if a vendor can make just one version of a device, it’ll cost less, and it’ll be the federal version.
The new law, when it takes effect as expected, won’t actually change anything until the second half of 2020 at the earliest. Between passage and when the legislation takes effect, NIST must draft requirements, OMB must set purchasing standards and publish them, and the agencies and the General Services Administration (GSA) must put forth RFPs. What will probably happen is that the GSA will put together a list of approved IoT devices for common purposes and then allow agencies to buy from that list.
More unique and specialized items will still require a detailed RFP, and that will take a while.
But the good news is that there will be security standards. The current level of really dumb designs will eventually pass out of the system as new products are acquired, and eventually some level of basic security will be available. But remember, it’s a minimum level, so while it might be better than nothing, it’s still not really adequate.