The federal government dramatically has increased its spending in recent years on Internet of Things (“IoT”) devices, including biosensors that can gather medical and security data from soldiers and vehicles in the field; smart-building applications that reduce energy (such as desks that automatically power on when an employee scans his or her identification badge upon entering the building); and myriad other devices. Despite its rapid increase in procurement of IoT devices, the government has yet to adequately address critical issues, including risk and uncertainty about privacy and security of the devices.
In response, a bipartisan group of U.S. senators recently introduced the “Internet of Things (IoT) Cybersecurity Improvement Act of 2017” to improve the cybersecurity of internet-connected devices. The bill seeks to impose minimum security requirements on devices purchased by the U.S. government and has widespread industry support. Although the bill does not apply to consumer devices, industry experts anticipate the proposed legislation is a stepping stone to broader regulation of security and privacy in all IoT devices.
In co-introducing the legislation, Sen. Cory Gardner (R-Colo.) underscored the necessity for strengthening cybersecurity defenses with regard to the government’s purchase of IoT devices, stating: “As these devices continue to transform our society and add countless new entry points into our networks, we need to make sure they are secure from malicious cyber-attacks. This bipartisan, commonsense legislation will ensure the federal government leads by example and purchases devices that meet basic requirements to prevent hackers from penetrating our government systems without halting the life-changing innovations that continue to develop in the IoT space.”
The bill will require agencies to include certain contract clauses in any contract for the acquisition of internet-connected devices. The proposed contract clauses impose a number of new responsibilities on contractors providing the U.S. government with IoT devices. For example, vendors will be required to ensure that their devices are patchable, do not include hard-coded passwords that can’t be changed, and are free of known security vulnerabilities, among other precautions. The bill also indicates contractors will be required to comply with certain “cybersecurity coordinated disclosure requirements” and policies pursuant to agency guidelines to be prepared by the Department of Homeland Security National Protection and Programs Directorate.
Government contractors who manufacture and/or supply IoT devices to the federal government should monitor the proposed legislation, as its passage will result in new procurement requirements and will impose new and potentially burdensome obligations on contractors. The bill also may result in increased market competition among manufacturers on the security of their products. Critically, contractors also should be aware that the bill broadly defines “internet-connected device” as “a physical object that (a) is capable of connecting to and is in regular connection with the Internet; and (b) has computer processing capabilities that can collect, send, or receive data.” Such an expansive definition will subject a wide range of suppliers and manufacturers to the terms of the legislation, particularly when not only end products but also their components are considered.
The bill has yet to be scheduled for markup or debate.