The Senate has unanimously passed IoT Cybersecurity Improvement Act (H.R.1668). Barring a presidential veto, the bill will soon become law. 

If you’ve been paying attention to IoT laws and regulations in recent months, it should come as no surprise that this bill has moved forward. IoT and connected device security has been a major priority both globally and nationally, as we’ve seen from high profile discussions around 5G and Huawei networking devices as well as recent policy pushes surrounding connected devices in our critical infrastructure. 

H.R. 1668 is a significant step in the federal government recognizing the importance of IoT security. The growing number of attacks on connected devices has made it imperative that we act. The IoT Cybersecurity Improvement Act is a significant step toward ensuring that we have the right standards in place to keep our critical systems secure. Given Finite State’s commitment to connected device security, we are grateful for the steps that Congress has taken to address this topic and are eager to help our customers and our community take action.   

What does the IoT Cybersecurity Improvement Act do?

H.R. 1668 directs the National Institute of Standards and Technology (“NIST”) to issue standards and guidelines for the federal government on “the appropriate use and management by agencies of Internet of Things devices owned or controlled by an agency and connected to information systems owned or controlled by an agency.” This includes NIST developing “minimal informational security requirements” for managing cybersecurity risks associated with these devices.  

Additionally, NIST must “consider relevant standards, guidelines, and best practices developed by the private sector, agencies, and public-private partnerships.”  Any standards and guidelines that are developed under this Act must be consistent with already-existing NIST guidelines. You can read the full text of the Act act Congress.gov.

How does the IoT Cybersecurity Improvement Act affect device manufacturers?

Since NIST has yet to actually develop these guidelines, the impact of the H.R. 1668 isn’t fully known. What we do know is this: the Act includes a procurement provision, which prohibits the head of any federal agency from “procuring or obtaining, renewing a contract to procure or obtain, or using an Internet of Things device,” if the Chief Information Officer of that agency determines during a required review for “a contract for such device that the use of such device prevents compliance with the standards and guidelines developed” by NIST.

If you want the federal government to utilize (or continue to utilize) your products, you must be able to ensure that they will not pose a significant risk. You cannot eliminate all risks from your devices, but you can monitor, manage, and mitigate factors including:

• Vendor geopolitical, regulatory, and compliance risk
• Supply chain risk
• Software vulnerabilities
• Configuration vulnerabilities
• Device hardening measures
• Active threats

By assessing the above, remediating any issues you find, and being able to report the results to NIST, you will undoubtedly be able to achieve compliance with the Act, whatever the specific guidelines end up being. If you don’t currently have the tooling that will allow you to uncover and analyze those factors listed above, schedule a demo with Finite State and we can show you how the Finite State Platform can analyze your device portfolio automatically and at scale. 

There is still much work to do to improve connected device security

H.R. 1668 has the potential to improve the security of connected devices and critical infrastructure by creating a demand and incentive for higher quality devices. However, this is only one step in what must be a comprehensive system of transparency and verification in the development and deployment of connected devices.

No device can be regarded as 100% secure. The federal government, and indeed private entities as well, will have to continually assess true device risk in order to determine whether or not connected devices will pose a threat. In order to do that, they must have access and insight into software components and supply chain risks for each device, and they must be able to achieve that quickly and at scale. Here at Finite State we are committed to helping facilitate collaboration between device manufacturers, asset owners, and regulators as we continue to provide the tooling necessary to uncover the risks in connected devices.