Update 12/04/20: The IoT Cybersecurity Improvement Act was signed into law and is now Public Law No: 116-207.
The US Senate unanimously passed the IoT Cybersecurity Improvement Act (H.R.1668) yesterday. The US House passed the bill in September, so it is highly likely to become law, barring a Presidential veto.
This is arguably the most significant US IoT-specific cybersecurity law to date, as well as the most significant law promoting private sector adoption of coordinated vulnerability disclosure. IoT security is widely acknowledged as a global priority, and vulnerability disclosure processes are fundamental security practices, so passage of the bill should be seen as a very positive step forward for cybersecurity and the security community.
Rapid7 applauds passage of the IoT Cybersecurity Improvement Act and looks forward to working with NIST and other stakeholders on its implementation. The bill's lead sponsors - Senators Warner and Gardner, and Representatives Kelly and Hurd - deserve great credit for years of work on this important issue, and for guiding the bill over the finish line through an election, a global pandemic, and a divided Congress. As longtime supporters of the bill, Rapid7 led group letters to Congress urging passage, testified before the Senate favorably on the legislation, and blogged extensively on the bill’s progress.
[For more detailed analysis of the bill, please check out this post.]
The unanimous passage (in both House and Senate) of the IoT Cybersecurity Improvement Act demonstrates bipartisan recognition of the importance of IoT security, and the need for action. Through the Act, the federal government can lead by example in implementing basic IoT security standards and best practices for devices it buys and manages, and drive contractors’ adoption of standards-based coordinated vulnerability disclosure processes. We also note the bill’s careful alignment with existing standards and best practices [Sec. 4(a)(3)], which will aid coordination and efficiency.
There is a lot more work ahead, and more opportunities for the security community to get involved. The Act directs NIST to issue standards-based guidelines for minimum security of IoT devices owned or controlled by the federal government [Sec. 4(a)], and federal acquisition rules and agency information security policies must be updated to be consistent with the NIST guidelines. [Sec. 4(b)-(d)] Similarly, NIST must develop coordinated vulnerability disclosure guidelines for agencies and contractors, who must then integrate the guidelines into their security practices. [Sec. 5-6] Many of these steps, rolling out in 2021, will include partnership and comments from security experts and practitioners.
In addition to raising the bar for federal security, we hope the bill signals strengthened commitment from the US federal government to work on IoT security. US states (such as California and Oregon), and non-US countries (such as the UK, Australia, Singapore, and more) are making bold strides in establishing IoT security norms and mandates. While we support strong IoT security, we believe it is best implemented in a coordinated manner, avoiding a patchwork between US states or internationally. This will take sustained engagement from both the public and private sectors, but the passage of the IoT Cybersecurity Improvement Act and the lessons to be learned in its implementation will be invaluable to this process.