Hurd, Kelly Bill Protecting American and Government Information from Hacking Passes

September 14, 2020
Press Release
The Internet of Things Cybersecurity Improvement Act of 2020 heads to the Senate for consideration

WASHINGTON – Today, Reps. Will Hurd (R-Texas) and Robin Kelly’s (D-Ill.) cybersecurity legislation, the Internet of Things (IoT) Cybersecurity Improvement Act of 2020, passed the House of Representatives. The IoT Cybersecurity Improvement Act would require all IoT devices purchased by the U.S. government meet certain minimum security requirements. This would result in greater security for the personal data and information of Americans and federal agencies. This legislation has also been championed by Sens. Mark Warner (D-Va.) and Cory Gardner (R-Colo.), co-chairs of the Senate Cybersecurity Caucus.

“Securing the Internet of Things is a key vulnerability Congress must address. While IoT devices improve and enhance nearly every aspect of our society, economy and everyday lives, these devices must be secure in order to protect Americans’ personal data. The IoT Cybersecurity Improvement Act would ensure that taxpayers dollars are only being used to purchase IoT devices that meet basic, minimum security requirements. This would ensure that we adequately mitigate vulnerabilities these devices might create on federal networks.

“The Internet of Things grows every single day, and, by the end of next year, it will include more than 20 billion devices. The result is an astounding, unimaginable amount of data—90% of the data in the entire world was created in the last two years. America needs to keep up with this incredible trend, and that means ensuring proper security and protections—the IoT Cybersecurity Improvement Act is a step in that direction,” said Hurd.

“Today, the House took a major and overdue step toward improving US Cybersecurity. The bipartisan Internet of Things Cybersecurity Improvement Act will ensure the US government purchases secure devices and existing vulnerabilities are closed,” said Kelly. “I want to thank my colleagues - Rep. Will Hurd and Sens. Mark Warner and Cory Gardner - for working with me on this bill as well as experts and partners inside and outside of government. As we face new challenges in the digital age, we must work together to solve them.”

The Internet of Things is the term used to describe the growing network of Internet-connected devices and sensors. Many IoT devices are often shipped with factory-set, hardcoded passwords and oftentimes unable to be updated or patched. IoT devices also can represent a weak point in a network’s security, leaving the rest of the network vulnerable to attack. Bad actors have used IoT devices to launch devastating Distributed Denial of Service (DDoS) attacks against websites, web-hosting servers, and internet infrastructure providers. The Director of the Defense Intelligence Agency has called IoT devices one of “the most important emerging cyberthreats to our national security.”

The IoT Cybersecurity Improvement Act would address the supply chain risk to the federal government stemming from insecure IoT devices by establishing light-touch, minimum security requirements for procurement of connected devices by the government.

Specifically, the Internet of Things (IoT) Cybersecurity Improvement Act of 2020 would:

  • Require the National Institute of Standards and Technology (NIST) to publish standards and guidelines on the use and management of IoT devices by the federal government, including minimum information security requirements for managing cybersecurity risks associated with IoT devices.
  • Direct the Office of Management and Budget (OMB) to review federal government information security policies and make any necessary change to ensure they are consistent with NIST’s recommendations.
  • Require NIST and OMB to update IoT security standards, guidelines and policies at least every five years.
  • Prohibit the procurement or use by federal agencies of IoT devices that do not comply with these security requirements, subject to a waiver process for devices necessary for national security, needed for research or that are secured using alternative and effective methods.
  • Require NIST to publish guidelines for reporting security vulnerabilities relating to federal agency information systems, including IoT devices.
  • Direct OMB to develop and implement policies that are necessary to address security vulnerabilities relating to federal agency information systems, including IoT devices, consistent with NIST’s published guidelines.
  • Require contractors providing IoT devices to the U.S. government to adopt coordinated vulnerability disclosure policies, so that if a vulnerability is uncovered, that information is disseminated.