Number:        116-19   
Date:             September 22, 2020

House Passes H.R. 1668, the
“Internet of Things (IoT) Cybersecurity Improvement Act of 2020”

On September 14, 2020, the House passed H.R. 1668, the Internet of Things (IoT) Cybersecurity Improvement Act of 2020, with amendments by voice vote on motion to suspend the rules.  The legislation would require the National Institute of Standards and Technology (NIST) to develop and publish standards and guidelines for Federal Government use and management of IoT devices1.  The bill now moves to the Senate for action.

H.R. 1668 includes the following provisions of interest to SSA:

Section. 4. Security Standards and Guidelines for Agencies on Use and Management of Internet of Things Devices.

  • Within 90 days of enactment, would require the Director of the NIST (Director of the Institute) to develop and publish standards and guidelines for the Federal Government on the appropriate use and management of IoT devices owned or controlled by agencies.
  • Within 180 days after the Director of the Institute completes development of the standards and guidelines, would require the Director of the Office of Management and Budget (Director of OMB) to review agency information security policies pertaining to IoT devices and to issue guidance to ensure those policies are consistent with NIST standards and guidelines.

Section. 5. Guidelines on the Disclosure Process for Security Vulnerabilities Relating to Information System, Including Internet of Things Devices.

  • Within 180 days of enactment, would require the Director of the Institute, in consultation with cybersecurity researchers and private sector industry experts, to develop and publish guidelines:
    • for reporting, coordinating, publishing, and receiving information about a security vulnerability relating to an agency’s information systems (including IoT devices) and the resolution of the vulnerability; and
    • for a contractor providing an agency with an information system (including an IoT device).

Section. 6. Implementation of Coordinated Disclosure of Security Vulnerabilities Relating to Agency Information Systems, Including Internet of Things Devices.

  • Within 2 years of enactment, would require the Director of OMB in consultation with the Secretary of the Homeland Security (Secretary) to develop and oversee the implementation of policies, principles, standards, or guidelines to address security vulnerabilities of information systems (including IoT devices).
  • Would require the Secretary and Director of OMB to provide operational and technical assistance to agencies on reporting, coordinating, publishing, and receiving information about security vulnerabilities of information systems (including IoT devices).

Section. 7. Contractor Compliance with Coordinated Disclosure of Security Vulnerabilities Relating to Agency Internet of Things Devices.

  • Would prohibit the head of an agency from obtaining or using an IoT device if the agency Chief Information Officer (CIO) determines that such a device will prevent compliance with standards and guidelines published by the Director of the Institute.
  • Would allow the head of an agency to waive prohibiting use of such IoT devices if the agency CIO determines:
    • the waiver is necessary in the interest of national security;
    • obtaining or using the device is necessary for research purposes; or
    • the device is secured using alternative and effective methods to the function of the device.
  • Would require the Director of OMB to establish a standardized process for the CIO of each agency to follow in determining whether a waiver may be granted.

Unless otherwise stated, the provisions in this Act would be effective upon enactment.

_____________________________________

1Per NIST Internal Report 8259 page iv, IoT devices are not conventional Information Technology devices, such as smartphones and laptops, for which cybersecurity features are already understood.  They are devices that interact directly with the physical world and can function on their own, not only as a component of another devise.