Upcoming Bill Would Lock Down Agencies' Internet-Connected Devices
But agency chief information officers could make exceptions, according to the legislation.
A House lawmaker wants federal agencies to prioritize cybersecurity when buying internet-connected devices.
The Internet of Things Federal Cybersecurity Improvement Act, which Rep. Robin Kelly, D-Ill., plans to introduce next week, would require all internet-connected devices purchased by the government to meet a set of basic cybersecurity standards. The bill would also pressure agencies to avoid using so-called "lowest price technically acceptable" criteria when choosing vendors for those devices.
Under the legislation, the government could only buy devices that accept security patches and allow users to change passwords. Vendors would also need to notify agencies of any security vulnerabilities they discover and issue software update as new threats arise.
“Everything from our national security to the personal information of American citizens could be vulnerable because of security holes in these devices,” Kelly said in an email to Nextgov. “As these devices positively revolutionize communication, we cannot allow them to become a backdoor to hackers or tools for cyberattacks.”
Under the bill, the Office of Management and Budget director would work with the General Services administrator, the secretaries of Defense, Commerce and Homeland Security, and leaders from the intelligence and national security communities to guarantee those standards and any others they deem necessary are included in federal contracts. They’d have 180 days to do so.
The Homeland Security secretary and OMB director would also have 180 days to create a database of non-compliant devices and list others that no longer receive security updates.
The legislation serves as the House counterpart to the Internet of Things Cybersecurity improvement Act, which Sen. Mark Warner, D-Va., introduced last year.
While the bills share much of the same language, Kelly’s version would give agency chief information officers more authority to waive device requirements in certain circumstances.
Her bill also explicitly requires the OMB director and GSA administrator to guide agencies in limiting the use of lowest price technically acceptable criteria when selecting device vendors. Doing so would give the government more leeway to buy from companies that place a high value on security, which could incentivize others to adopt stricter standards for their own tech.
The idea is that paying more for security upfront would save agencies money in the long run.
The bill "leverages federal purchasing power to create pro-security market pressure and … serves as a model for the implementation of similar standards elsewhere," said Harvard University law and computer science professor Jonathan Zittrain.
Kelly released a draft of the bill in August 2017 and updated the legislation to reflect feedback from OMB, security advocates and the tech industry, she said. The original version, for instance, would have created an advisory board to explore effective standards for the internet of things, but that measure was cut from the final text.
“My goal was to create the best possible legislation to harden government-purchased and used [internet of things] devices,” she said. “We have made significant changes in order to build support and ensure a definition appropriate for the ever-evolving world of [the internet of things].”
NEXT STORY: DHS risk agency eyes January policy push