Hurd, Kelly Bill to Improve Cybersecurity Standards for Government Devices Signed into Law
Yesterday, a bipartisan bill introduced by Rep. Robin Kelly (D-Ill.) and me to require that any Internet of Things (IoT) device purchased with government money meet minimum security standards was signed into law.
My philosophy is simple and has remained the same: the only way we get big things done in Congress is by working together. My bipartisan effort with Rep. Kelly to ensure taxpayer dollars are only being used to purchase IoT devices that meet basic, minimum security requirements is the perfect example of that. While IoT devices improve and enhance nearly every aspect of our society, economy and everyday lives, these devices must be secure in order to protect Americans’ personal data. I’m proud this is my 17th piece of legislation to be signed into law in 5 years, and I’m working to add to that number before the end of my term.
“The bipartisan Internet of Things Cybersecurity Improvement Act is a critical step towards strengthening U.S. government IT systems and will help officials patch existing vulnerabilities to protect our national security and the personal information of American families,” said Kelly. “This law would not have been possible without the leadership of Senators Warner and Gardner passing it through the Senate and Representative Hurd through the House. This is a perfect example of two sides coming together to make our country more secure and prosperous.”
The IoT Cybersecurity Improvement Act would address the supply chain risk to the federal government stemming from insecure IoT devices by establishing light-touch, minimum security requirements for procurement of connected devices by the government.
Specifically, the Internet of Things (IoT) Cybersecurity Improvement Act of 2020 would:
- Require the National Institute of Standards and Technology (NIST) to publish standards and guidelines on the use and management of IoT devices by the federal government, including minimum information security requirements for managing cybersecurity risks associated with IoT devices.
- Direct the Office of Management and Budget (OMB) to review federal government information security policies and make any necessary changes to ensure they are consistent with NIST’s recommendations.
- Require NIST and OMB to update IoT security standards, guidelines and policies at least every five years.
- Prohibit the procurement or use by federal agencies of IoT devices that do not comply with these security requirements, subject to a waiver process for devices necessary for national security, needed for research or that are secured using alternative and effective methods.
- Require NIST to publish guidelines for reporting security vulnerabilities relating to federal agency information systems, including IoT devices.
- Direct OMB to develop and implement policies that are necessary to address security vulnerabilities relating to federal agency information systems, including IoT devices, consistent with NIST’s published guidelines.
- Require contractors providing IoT devices to the U.S. government to adopt coordinated vulnerability disclosure policies, so that if a vulnerability is uncovered, that information is disseminated.
This bipartisan initiative marks my 17th piece of legislation to be signed into law since 2015 and continues my efforts to find long-term, bipartisan solutions to improve the cyber infrastructure of the federal government in an effort to bolster national security and save taxpayer dollars.