Minimum Security Standards Required for IoT Devices by Internet of Things Improvement Act

The Internet of Things Improvement Act has been introduced by the co-chairs of the Senate Cybersecurity Caucus, U.S. Sens. Mark R. Warner (D-VA) and Cory Gardner (R-CO), and Sens. Maggie Hassan (D-NH) and Steve Daines (R-MT). The act requires all IoT devices purchased by the U.S. government to meet minimum security standards. A companion bill has also been introduced in the House of Representatives by Reps. Robin Kelly (D-IL) and Will Hurd (R-TX).

Ericsson has predicted that there will be 18 billion IoT devices in use by 2022. What’s more, IDC predicts IoT spending will hit $1.2 trillion in the same year. As the number of IoT devices grows, so does concern about the security risk the devices pose.

Sen. Warner wants to ensure that a basic standard for security is achieved before any IoT device is allowed to connect to a government network. He also wants to make use of the purchasing power of the U.S. government in order to help establish minimum standards of security for IoT devices.

IoT devices are currently entering the market with scant cybersecurity protections. When cybersecurity measures are integrated into IoT devices, it is often as an afterthought. The majority of IoT devices have not been designed with security as a priority, largely because the market encourages device manufacturers to prioritize convenience and cost over security.

The bill calls on NIST to issue recommendations for IoT device manufacturers on secure development, configuration management, identity management and patching throughout the life cycle of the devices. NIST will also be required to work alongside cybersecurity researchers and industry experts to develop guidance on coordinated vulnerability disclosures to make sure flaws are ironed out when they are discovered.

The Internet of Things Improvement Act calls for the Office of Management and Budget (OMB) to make guidelines available for every agency that are consistent with NIST recommendations, and for policies to be reviewed at least every five years.

Any IoT device used by the federal government will also be required to meet the security standards set by NIST. Additionally, contractors and vendors that provide IoT devices to the government will be asked to adopt coordinated vulnerability disclosure policies to ensure information on vulnerabilities is disseminated.

It is vital that IoT devices do not give hackers an opportunity to break into government networks. Without these minimum security standards, the government will be open to attack and critical national security information will be in a vulnerable state.

The Internet of Things Improvement Act will see the U.S. government lead by example and better manage cyber risks.