On December 4, 2020 the President signed into law the IoT
Cybersecurity Improvement Act of 2020, Pub. L. No. 116-207 (the
“IoT Act”). The legislative purpose behind the new law is
to ensure the highest level of cybersecurity at federal agencies by
working collaboratively within government, industry and academia.
Pub. L. No. 116-207 § 2.
The IoT Act mandates specific actions by the National Institute
of Standards and Technology (NIST), the Office of Management and
Budget (OMB) and the Department of Homeland Security (DHS)
regarding: (i) standards and guidelines for IoT devices, (ii)
determining whether federal agencies adhere to those standards, and
(iii) implementing guidelines to disclose security vulnerabilities
to contractors and report the resolution of those
vulnerabilities.
Beginning on December 5, 2022, the IoT Act will prohibit federal
agencies from signing or renewing contracts that cannot comply with
NIST’s IoT security standards or disclosure guidelines.
Key point: The new law only applies to IoT devices
bought by the federal government, but as the largest single
‘customer’ in the world, the government’s purchasing
power could make the law’s security standards the cornerstone
of a comprehensive security standard for IoT devices in the private
sector as well.
New and Useful Pre-Existing Definitions
The law begins by defining IoT devices as physical objects
equipped with at least one sensor or actuator “for interacting
with the physical world, hav[ing] at least one network interface, ...
function[ing] on their own and are not only able to function when
acting as a component of another device, such as a
processor.” Pub. L. No. 116-207 § 2(4).
Notably, this definition of IoT devices would include equipment
such as heating and air conditioning systems that are connected to
the Internet. The definition expressly excludes computers, laptops,
tablets and smartphones, which are considered conventional
Information Technology (IT) devices as defined in 40 U.S.C.
§ 11101.
Although the U.S. Code already refers to ‘operational
technologies’ in the definition of industrial control systems,
operational technologies were not defined. The IoT Act introduces a
definition for Operational Technology to mean “hardware and
software that detects or causes a change through the direct
monitoring or control of physical devices, processes, and events in
the enterprise.” Pub. L. No. 116-207 § 3(6).
The new law also references four authorizations and definitions
in the U.S. Code that provide useful context:
- The Computer Security Act of 1987 gave NIST the mission of
developing “standards and guidelines, including minimum
requirements, for information systems used or operated by an agency
or by a contractor of an agency ...” 15 U.S.C. § 278g-3(a).
- The 2015 National Defense Authorization Act amended the U.S.
Code to require that all non-defense contracts for the procurement of
information technology be reviewed by the respective federal
agency’s chief information officer. 40 U.S.C. § 11319(b)(1)(C).
- Information Systems are defined in the Paperwork Reduction Act
of 1995 to mean “a discrete set of information resources
organized for the collection, processing, maintenance, use,
sharing, dissemination, or disposition of information;” 44
U.S.C. § 3502.
- Security Vulnerabilities are defined in the Cybersecurity
Information Sharing Act of 2015 to mean “any attribute of
hardware, software, process, or procedure that could enable or
facilitate the defeat of a security control.” 6 U.S.C. §
1501(17).
The IoT Act’s Teeth – Prohibiting Federal Contracts for
Non-Compliant IoT Devices
As discussed in greater detail below, and consistent with NIST’s
requirements under the Computer Security Act of 1987 to develop
standards and guidelines for information systems, the IoT Act
directs NIST to promulgate standards and guidelines for federal
agencies on the appropriate use of their IoT devices, and to
promulgate guidelines for disclosing and resolving security
vulnerabilities on federal information systems, to include IoT
devices. 15 U.S.C. § 278g-3(a); Pub. L. No. 116-207 §
4(a).
In the event that the chief information officer determines the
entry or renewal of contracts involving the use of IoT devices will
prevent the agency from complying with the NIST security standards
or the NIST disclosure guidelines described below, the agency is
prohibited from entering or renewing those contracts. This
prohibition goes into effect on December 5, 2022. Pub. L. No.
116-207 § 7(a).
December 5, 2022 is also the deadline by which OMB and DHS are
required to develop and oversee the implementation of policies and
principles necessary to address security vulnerabilities of federal
information systems, including IoT devices. Id. §
6(a). Congress authorized that the Federal Acquisition Regulation
be revised as necessary to implement these policies and principles.
Id. § 6(d).
NIST Requirement #1 – Security Standards and Guidelines for IoT
Devices
No later than March 5, 2021, NIST must develop, publish and
update security standards and guidelines on the appropriate use of
IoT devices connected to government information systems. As NIST
develops these standards and guidelines for IoT devices, NIST is
required to address the following issues:
- Identifying and managing security vulnerabilities;
- Secure development;
- Identity management;
- Patching; and
- Configuration management.
Id. § 4(a). Congress directed that when NIST
develops these standards, they be consistent with previous
NIST guidance for IoT devices, and that NIST consider well-accepted
recommendations from the private sector. Within six months after
NIST’s standards and guidelines are developed, OMB and DHS are
required to review federal agencies’ security policies for
consistency with these NIST standards. Id. § 4(b).
Congress also required that the Federal Acquisition Regulation be
revised as necessary to implement NIST’s security standards and
guidelines. Id. § 4(d).
Historically, IoT devices have had a checkered past with respect
to security. IoT security was often put second to the economic
pressure of getting a functional product to market. In
addition, designing IoT devices that could be easily used by
consumers also caused IoT developers to simplify security
provisions. Further, laziness sometimes prevailed, with
manufacturers delivering products with a default password of
“password.” Without a governing regulation, these other
design factors inevitably conflicted with the time and expense
needed to install effective security measures on the devices. This
resulted in many IoT devices being easy targets for cybercriminals
to plunder, not only for sensitive data but also as entry points
into unsuspecting networks or as resources for denial of service
attacks.
In addition to recent laws in California and the promulgation of
consumer privacy laws, the IoT Act is another regulatory driver
which necessarily creates an economic incentive for IoT
manufacturers to put greater emphasis on security protections for
their devices, particularly those going into government networks.
Further, economies of scale should spur some manufacturers to build
those protections into all of their IoT devices, regardless of the
anticipated customer. The IoT Act also sets an important set of
standards, which other nations and/or industry standards
organizations may adopt or mimic. These scenarios would be welcome
steps to increase the likelihood that the security of IoT devices
becomes a more important design factor, particularly when they are
connected to “high-priority networks, such as those used in
government facilities.”
NIST Requirement #2 – Guidelines for Receiving and Disclosing
Security Vulnerabilities
By June 3, 2021, NIST must develop and publish guidelines for
reporting, coordinating, publishing and receiving information
regarding security vulnerabilities related to federal information
systems and IoT devices owned or controlled by federal agencies, and
regarding the resolution of those vulnerabilities. The disclosure guidelines
will also apply to contractors and subcontractors that provide
information systems, including IoT devices, to a federal agency.
Id. § 5(a). To follow these guidelines, contractors
and subcontractors will most likely have to establish programs and
processes to receive information about potential security
vulnerabilities on their IoT devices, and to disseminate the
solutions for those vulnerabilities.
Greater information sharing and transparency are generally
viewed as net positives in the cybersecurity community, but these
new guidelines have the potential to create some challenges for the
government and the private sector. For example, these guidelines
may require the government to lay more ‘cards on the table’
regarding vulnerability detection and resolution capabilities.
Also, increased awareness of the disclosed but uncorrected
vulnerabilities can create new security risks or magnify existing
risks for users of the affected IoT devices who are slow to take
corrective actions. However, the guidelines will ultimately provide
examples of the specificity of this information.
No doubt, the IoT Act will have the greatest impact on
businesses selling IoT products and services to the federal
government in the near-term. Nevertheless, these comprehensive IoT
security requirements will be a fundamental shift in United States
law, which has historically applied an industry-sectoral model to
cybersecurity and data privacy. Once these standards are set, they
may become the floor for contractual obligations and/or industry
standards for manufacturers of IoT devices sold to the private
sector. Accordingly, the effect of the IoT Act could be transformative
in the industry and far-reaching.
The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.