[Congressional Bills 116th Congress]
[From the U.S. Government Publishing Office]
[H.R. 1668 Reported in House (RH)]

                                                 Union Calendar No. 402
116th CONGRESS
  2d Session
                                H. R. 1668

                      [Report No. 116-501, Part I]

To leverage Federal Government procurement power to encourage increased 
 cybersecurity for Internet of Things devices, and for other purposes.


_______________________________________________________________________


                    IN THE HOUSE OF REPRESENTATIVES

                             March 11, 2019

Ms. Kelly of Illinois (for herself, Mr. Hurd of Texas, Mr. Khanna, Mr. 
Budd, Mr. Ruppersberger, Mr. Marshall, Mr. Ted Lieu of California, Mr. 
Ratcliffe, Mr. Meadows, Mr. Soto, Mr. Walker, Mr. Connolly, Mr. Foster, 
and Mr. Baird) introduced the following bill; which was referred to the 
Committee on Oversight and Reform, and in addition to the Committee on 
    Science, Space, and Technology, for a period to be subsequently 
   determined by the Speaker, in each case for consideration of such 
 provisions as fall within the jurisdiction of the committee concerned

                           September 14, 2020

      Additional sponsors: Mr. Olson, Ms. Hill of California, Mr. 
Fitzpatrick, Mr. O'Halleran, Mrs. Brooks of Indiana, Ms. Clarke of New 
York, Ms. Stevens, Mr. Harder of California, Mr. Norman, Mr. Rouda, Mr. 
       Graves of Georgia, Ms. Wasserman Schultz, and Ms. DelBene

                           September 14, 2020

 Reported from the Committee on Oversight and Reform with an amendment
 [Strike out all after the enacting clause and insert the part printed 
                               in italic]


                           September 14, 2020

 Committee on Science, Space, and Technology discharged; committed to 
the Committee of the Whole House on the State of the Union and ordered 
                             to be printed
 [For text of introduced bill, see copy of bill as introduced on March 
                               11, 2019]

_______________________________________________________________________

                                 A BILL

To leverage Federal Government procurement power to encourage increased 
 cybersecurity for Internet of Things devices, and for other purposes.

    Be it enacted by the Senate and House of Representatives of the 
United States of America in Congress assembled,

SECTION 1. SHORT TITLE.

    This Act may be cited as the ``Internet of Things Cybersecurity 
Improvement Act of 2019'' or the ``IoT Cybersecurity Improvement Act of 
2019''.

SEC. 2. DEFINITIONS.

    In this Act:
            (1) Agency.--The term ``agency'' has the meaning given such 
        term in section 3502 of title 44, United States Code.
            (2) Covered device.--The term ``covered device'' means a 
        physical object that--
                    (A) is capable of being in regular connection 
                with--
                            (i) the Internet; or
                            (ii) a network that is connected to the 
                        Internet on a recurring basis;
                    (B) has computer processing capabilities of 
                collecting, sending, or receiving data; and
                    (C) is not a--
                            (i) general-purpose computing device;
                            (ii) personal computing system;
                            (iii) smart mobile communications device;
                            (iv) programmable logic controller with an 
                        industrial control system specifically not 
                        designed for connection to the Internet;
                            (v) mainframe computing system; or
                            (vi) subcomponent of a device.
            (3) Director of omb.--The term ``Director of OMB'' means 
        the Director of the Office of Management and Budget.
            (4) Director of the institute.--The term ``Director of the 
        Institute'' means the Director of the National Institute of 
        Standards and Technology.
            (5) Security vulnerability.--The term ``security 
        vulnerability'' has the meaning given that term under section 
        102(17) of the Cybersecurity Information Sharing Act of 2015 (6 
        U.S.C. 1501(17)).

SEC. 3. COMPLETION OF ONGOING EFFORTS RELATING TO CONSIDERATIONS FOR 
              MANAGING INTERNET OF THINGS CYBERSECURITY RISKS.

    Not later than December 31, 2019, the Director of the National 
Institute of Standards and Technology shall complete the efforts of the 
Institute in effect on the date of the enactment of this Act regarding 
considerations for managing the security vulnerabilities of Internet of 
Things devices and examples of possible cybersecurity capabilities of 
such devices by publishing a report that includes, at a minimum, the 
following considerations for covered devices:
            (1) Secure development.
            (2) Identity management.
            (3) Patching.
            (4) Configuration management.

SEC. 4. SECURITY STANDARDS FOR USE OF COVERED DEVICES BY THE FEDERAL 
              GOVERNMENT.

    (a) Guidelines Required.--
            (1) Guidelines.--Not later than 6 months after the date on 
        which the report under section 3 is completed, the Director of 
        the Institute shall develop under section 20 of the National 
        Institute of Standards and Technology Act (15 U.S.C. 278g-3), 
        and submit to the Director of OMB, guidelines on--
                    (A) the appropriate use and management by the 
                agencies of covered devices owned or controlled by the 
                agencies; and
                    (B) minimum information security requirements for 
                managing security vulnerabilities associated with such 
                devices.
            (2) Development of guidelines.--In developing the 
        guidelines submitted under paragraph (1), the Director of the 
        Institute shall--
                    (A) consider relevant standards and best practices 
                developed by the private sector, agencies, and public-
                private partnerships; and
                    (B) ensure that such guidelines are consistent with 
                the considerations published in the report described 
                under section 3.
    (b) Promulgation of Standards.--
            (1) Standards.--Not later than 180 days after the date on 
        which the Director of the Institute completes the development 
        of the guidelines required under subsection (a), the Director 
        of OMB, in consultation with the Director of the Cybersecurity 
        and Infrastructure Security Agency of the Department of 
        Homeland Security, shall--
                    (A) promulgate standards on the basis of the 
                guidelines submitted under subsection (a) pertaining to 
                covered devices owned or controlled by agencies, except 
                those considered national security systems as defined 
                by section 3552(b)(6) of title 44, United States Code; 
                and
                    (B) ensure such standards are consistent with the 
                information security requirements under subchapter II 
                of chapter 35 of title 44, United States Code.
            (2) Quinquennial review and revision.--Not later than 5 
        years after the date on which the Director of OMB promulgates 
        the standards under paragraph (1), and not less frequently than 
        once every 5 years thereafter, the Director of OMB, in 
        consultation with the Director of the Institute and the 
        Director of the Cybersecurity and Infrastructure Security 
        Agency of the Department of Homeland Security, shall--
                    (A) review such standards; and
                    (B) revise such standards as appropriate.
    (c) Revision of Federal Acquisition Regulation.--The Federal 
Acquisition Regulation shall be revised to implement any standard 
promulgated under subsection (b).

SEC. 5. PETITION TO EXCLUDE CERTAIN DEVICES.

    (a) Petition.--The Director of OMB shall establish a process by 
which an interested party may petition the Director of OMB for a device 
described in section 2(2) to not be considered a covered device for the 
purpose of standards promulgated under section 4(b).
    (b) Grants of Petition.--The Director of OMB shall grant a petition 
under subsection (a)--
            (1) on a limited basis;
            (2) in a timely manner; and
            (3) only if the interested party demonstrates that--
                    (A) the procurement of such a covered device with 
                limited data processing and software functionality 
                would be unfeasible; or
                    (B) the procurement of a covered device that does 
                not meet the standards promulgated by the Director of 
                OMB under this Act is necessary for national security 
                or for research purposes.
    (c) Report.--
            (1) In general.--Not later than one year after the date of 
        the enactment of this Act, and annually thereafter for each of 
        the following four years, the Director of OMB shall submit to 
        the appropriate congressional committees a report on the 
        process established by the Director of OMB for granting or 
        denying waivers under this section.
            (2) Assessment of implementation.--The reports required 
        under paragraph (1) shall include, at a minimum, the following:
                    (A) An assessment of the waiver evaluation process.
                    (B) A description of the methods established to 
                carry out such assessment.
                    (C) A classified appendix listing the types and 
                number of devices for each agency granted a waiver and 
                the reasons for such waiver.
            (3) Appropriate congressional committees defined.--In this 
        subsection, the term ``appropriate congressional committees'' 
        means the Committees on Oversight and Reform and Homeland 
        Security of the House of Representatives and the Committee on 
        Homeland Security and Governmental Affairs of the Senate.

SEC. 6. COORDINATED DISCLOSURE OF SECURITY VULNERABILITIES RELATING TO 
              COVERED DEVICES.

    (a) In General.--Not later than 180 days after the date of the 
enactment of this Act, the Director of the Institute, in consultation 
with the Director of the Cybersecurity and Infrastructure Security 
Agency of the Department of Homeland Security, shall develop under section 20 
of the National Institute of Standards and Technology Act (15 U.S.C. 
278g-3) and submit to the Director of OMB, guidelines--
            (1) for the reporting, coordinating, publishing, and 
        receiving of information about--
                    (A) a security vulnerability relating to a covered 
                device owned or controlled by an agency; and
                    (B) the resolution of such security vulnerability;
            (2) for contractors providing a covered device to the 
        Federal Government, and any subcontractor thereof at any tier 
        providing such device to such contractors on--
                    (A) receiving information about a potential 
                security vulnerability relating to the covered device; 
                and
                    (B) disseminating information about the resolution 
                of a security vulnerability relating to the covered 
                device; and
            (3) on the type of information about security 
        vulnerabilities that should be reported to the Federal 
        Government, including examples thereof.
    (b) Development of Guidelines.--In developing the guidelines under 
subsection (a), the Director of the Institute shall--
            (1) consult with such cybersecurity researchers and private 
        sector industry experts as the Director considers appropriate;
            (2) to the maximum extent practicable, align such 
        guidelines with Standards 29147 and 30111 of the International 
        Organization for Standardization (ISO), or any successor 
        standards thereof; and
            (3) ensure such guidelines are consistent with the policies 
        and procedures developed under section 2209(m) of the Homeland 
        Security Act of 2002 (6 U.S.C. 659(m)).
    (c) Promulgation of Standards.--
            (1) In general.--Not later than 180 days after the date on 
        which the guidelines under subsection (a) are submitted, the 
        Director of OMB, in consultation with the Administrator of 
        General Services and the Secretary of Homeland Security, shall 
        promulgate standards on the basis of such guidelines.
            (2) Contract requirement for subcontracts.--The standards 
        promulgated under paragraph (1) shall include a requirement for 
        any contract related to a covered device to include a clause 
        that requires each contractor that provides a covered device 
        under the contract to an agency to ensure that any covered 
        device obtained through a subcontract, at any tier, complies 
        with the standards and regulations promulgated under this 
        section with respect to such covered device.
            (3) Consistency with the strengthening and enhancing cyber-
        capabilities by utilizing risk exposure technology act.--The 
        Director of OMB shall ensure that the standards promulgated 
        under paragraph (1) are consistent with section 101 of the 
        Strengthening and Enhancing Cyber-capabilities by Utilizing 
        Risk Exposure Technology Act (6 U.S.C. 663 note; Public Law 
        115-390).
    (d) Revision of Federal Acquisition Regulation.--The Federal 
Acquisition Regulation shall be revised to implement the standards 
promulgated under subsection (c).

SEC. 7. CONTRACTOR COMPLIANCE WITH STANDARDS AND REGULATIONS.

    (a) In General.--
            (1) Determination.--
                    (A) Compliance required.--Before awarding a 
                contract to an offeror for the procurement of a covered 
                device, or renewing a contract to procure or obtain a 
                covered device from a contractor, the agency Chief 
                Information Officer shall determine if such offeror or 
                contractor has complied with each standard promulgated 
                under section 6(c) with respect to such covered device.
                    (B) Simplified acquisition threshold.--
                Notwithstanding section 1905 of title 41, United States 
                Code, the requirements under subparagraph (A) shall 
                apply to a contract or subcontract in amounts not 
                greater than the simplified acquisition threshold.
            (2) Prohibition on use or procurement.--The head of an 
        agency may not procure or obtain, or renew a contract to 
        procure or obtain, a covered device if the agency Chief 
        Information Officer determines under paragraph (1)(A) that such 
        offeror or contractor has not complied with a standard 
        promulgated under section 6(c) with respect to such covered 
        device.
    (b) Waiver.--The head of an agency may waive the prohibition under 
subsection (a)(2) if the procurement of such covered device is 
necessary for national security or for research purposes.
    (c) Effective Date.--The prohibition under subsection (a) shall 
take effect one year after the date of the enactment of this Act.

SEC. 8. INSTITUTE REPORT ON CYBERSECURITY CONSIDERATIONS STEMMING FROM 
              THE CONVERGENCE OF INFORMATION TECHNOLOGY, INTERNET OF 
              THINGS, AND OPERATIONAL TECHNOLOGY DEVICES, NETWORKS AND 
              SYSTEMS.

    Not later than 1 year after the date of the enactment of this Act, 
the Director of the Institute shall publish a report on the increasing 
convergence, including considerations for managing potential security 
vulnerabilities associated with such convergence, of traditional 
information technology devices, networks, and systems with--
            (1) covered devices, networks and systems; and
            (2) operational technology devices, networks and systems.