By Jeff Spielberg | November 25, 2020
On November 17, 2020 the senate passed H.R. 1668, the Internet of Things Cybersecurity Improvement Act of 2020, by unanimous consent. It is expected to be signed into law, making it a major step in describing and enforcing Internet of Things (IoT) cybersecurity.
In short, this bill requires that the National Institute of Standards and Technology (NIST) set standards, guidelines, and best practices for IoT devices that are procured or used by federal agencies. While the scope of the bill is limited to federal contracts (via the Federal Acquisition Regulations (FAR)), we believe it will have far-ranging consequences on the security of IoT and other embedded systems in the future.
What Does H.R. 1668 Stipulate?
First, for those still wondering what exactly IoT is, the bill adopts NIST’s definition, which says IoT devices “have at least one transducer (sensor or actuator) for interacting directly with the physical world, have at least one network interface, and are not conventional Information Technology devices, such as smartphones and laptops […] and can function on their own and are not only able to function when acting as a component of another device, such as a processor.” [1]
This bill directs NIST to develop cybersecurity standards for IoT devices that are used, owned, controlled by, or connected to government agencies’ networks. NIST must develop these standards within 90 days of enactment, taking into account existing standards, best practices, and guidelines from both government and the private sector.
The bill requires that the NIST security standards address cybersecurity controls for: 1) Secure Development, 2) Identity Management, 3) Patching, and 4) Configuration Management.
Additionally, NIST is expected to provide guidance on how to manage security risks that exist in devices, as well as a process for “receiving information about […] a security vulnerability relating to information systems owned or controlled by an agency” and the “resolution of such a security vulnerability.” [1]
This will in essence establish a process for vulnerability disclosure and management for IoT.
What Are the Security Requirements?
We do not yet know what these new NIST IoT cybersecurity requirements will be. However, we expect that they will address common issues seen in IoT device development, including best practices around secure coding and deployment, security of accounts and credential management (e.g. restricting the use of widely known hardcoded passwords), and other measures. We expect that these requirements will follow many best practices that are being established – but ultimately we will have to wait and see what NIST releases. These types of issues, in addition to more complex ones, are core items which we assess in both our secure design and penetration testing engagements.
What Does All This Mean?
These requirements directly relate to the Federal Acquisition Regulation (FAR). As such, this bill will most immediately impact contractors selling IoT and related systems to government agencies. However, we would not be surprised to see these NIST guidelines, once published, become a de facto best practice for IoT across industries, potentially even impacting consumer devices.
We are closely watching the evolution of the Internet of Things Cybersecurity Improvement Act of 2020 as well as other cybersecurity standards, regulations, and best practices. Contact us any time to discuss how we can help proactively meet your needs with respect to device security.
[1] https://www.congress.gov/bill/116th-congress/house-bill/1668/text. Accessed November 23, 2020.