[Congressional Bills 116th Congress]
[From the U.S. Government Publishing Office]
[S. 734 Reported in Senate (RS)]
Calendar No. 215
116th CONGRESS
1st Session
S. 734
[Report No. 116-112]
To leverage Federal Government procurement power to encourage increased
cybersecurity for Internet of Things devices, and for other purposes.
_______________________________________________________________________
IN THE SENATE OF THE UNITED STATES
March 11, 2019
Mr. Warner (for himself, Mr. Gardner, Ms. Hassan, Mr. Daines, Ms.
Cortez Masto, and Mr. Rounds) introduced the following bill; which was
read twice and referred to the Committee on Homeland Security and
Governmental Affairs
September 23, 2019
Reported by Mr. Johnson, with an amendment
[Strike out all after the enacting clause and insert the part printed
in italic]
_______________________________________________________________________
A BILL
To leverage Federal Government procurement power to encourage increased
cybersecurity for Internet of Things devices, and for other purposes.
Be it enacted by the Senate and House of Representatives of the
United States of America in Congress assembled,
<DELETED>SECTION 1. SHORT TITLE.</DELETED>
<DELETED> This Act may be cited as the ``Internet of Things
Cybersecurity Improvement Act of 2019'' or the ``IoT Cybersecurity
Improvement Act of 2019''.</DELETED>
<DELETED>SEC. 2. DEFINITIONS.</DELETED>
<DELETED> In this Act:</DELETED>
<DELETED> (1) Agency.--The term ``agency'' has the meaning
given such term in section 3502 of title 44, United States
Code.</DELETED>
<DELETED> (2) Covered device.--</DELETED>
<DELETED> (A) In general.--The term ``covered
device'' means a physical object that--</DELETED>
<DELETED> (i) is capable of connecting to
and is in regular connection with the
Internet;</DELETED>
<DELETED> (ii) has computer processing
capabilities that can collect, send, or receive
data; and</DELETED>
<DELETED> (iii) is not a general-purpose
computing device, including personal computing
systems, smart mobile communications devices,
programmable logic controls, and mainframe
computing systems.</DELETED>
<DELETED> (B) Modification of definition.--The
Director of the Office of Management and Budget shall
establish a process by which--</DELETED>
<DELETED> (i) interested parties may
petition for a device that is not described in
subparagraph (A) to be considered a device that
is not a covered device; and</DELETED>
<DELETED> (ii) the Director acts upon any
petition submitted under clause (i) in a timely
manner.</DELETED>
<DELETED> (3) Security vulnerability.--The term ``security
vulnerability'' means any attribute of hardware, firmware,
software, or combination of 2 or more of these factors that
could enable the compromise of the confidentiality, integrity,
or availability of an information system or its information or
physical devices to which it is connected.</DELETED>
<DELETED>SEC. 3. NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY
CONSIDERATIONS AND RECOMMENDATIONS REGARDING MANAGING
INTERNET OF THINGS CYBERSECURITY RISKS.</DELETED>
<DELETED> (a) Completion of Ongoing Efforts Relating to
Considerations for Managing Internet of Things Cybersecurity Risks.--
</DELETED>
<DELETED> (1) In general.--The Director of the National
Institute of Standards and Technology shall ensure that the
efforts of the Institute in effect on the date of the enactment
of this Act regarding considerations for managing Internet of
Things cybersecurity risks, especially regarding examples of
possible cybersecurity capabilities of Internet of Things
devices, are completed no later than September 30,
2019.</DELETED>
<DELETED> (2) Matters addressed.--In ensuring efforts are
completed under paragraph (1), the Director shall also ensure
that such efforts address, at a minimum, the following
considerations for covered devices:</DELETED>
<DELETED> (A) Secure Development.</DELETED>
<DELETED> (B) Identity management.</DELETED>
<DELETED> (C) Patching.</DELETED>
<DELETED> (D) Configuration management.</DELETED>
<DELETED> (b) Development of Recommended Standards for Use of
Internet of Things Devices by Federal Government.--</DELETED>
<DELETED> (1) In general.--Not later than March 31, 2020,
the Director of the Institute shall develop recommendations for
the Federal Government on the appropriate use and management by
the Federal Government of Internet of Things devices owned or
controlled by the Federal Government, including minimum
information security requirements for managing cybersecurity
risks associated with such devices.</DELETED>
<DELETED> (2) Consistency with ongoing efforts.--The
Director of the Institute shall ensure that the recommendations
and standards developed under paragraph (1) are consistent with
the efforts referred to in subsection (a), especially with
respect to the examples of possible cybersecurity capabilities
referred to in such subsection.</DELETED>
<DELETED> (c) Institute Report on Cybersecurity Considerations
Stemming From the Convergence of Information Technology, Internet of
Things, and Operational Technology Devices, Networks and Systems.--Not
later than 180 days following the enactment of this Act, the Director
of the Institute shall publish a draft report related to the increasing
convergence of traditional Information Technology devices, networks,
and systems with Internet of Things devices, networks and systems and
Operational Technology devices, networks and systems, including
considerations for managing cybersecurity risks associated with such
trends.</DELETED>
<DELETED>SEC. 4. POLICIES FOR FEDERAL AGENCIES ON USE AND MANAGEMENT OF
INTERNET OF THINGS DEVICES.</DELETED>
<DELETED> (a) Revisions to the Federal Acquisition Regulation.--Not
later than 180 days after the date on which the Director of the
National Institute of Standards and Technology completes the
development of the recommendations required under section 3(b), the
Director of the Office of Management and Budget shall issue guidelines
for each agency that are consistent with such
recommendations.</DELETED>
<DELETED> (b) Requirement.--In issuing the guidelines required under
subsection (a), the Director of the Office of Management and Budget
shall ensure that the guidelines are consistent with the information
security requirements in subchapter II of chapter 35 of title 44,
United States Code.</DELETED>
<DELETED> (c) Quinquennial Reviews and Revisions.--Not less
frequently than once every 5 years--</DELETED>
<DELETED> (1) the Director of the Office of Management and
Budget and the Director of the National Institute of Standards
and Technology shall review the policies issued under
subsection (a); and</DELETED>
<DELETED> (2) the Director of the Office of Management and
Budget shall, in consultation with the Director of the National
Institute of Standards and Technology, revise such
policies.</DELETED>
<DELETED>SEC. 5. NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY
GUIDANCE ON COORDINATED DISCLOSURE OF SECURITY
VULNERABILITIES RELATING TO INTERNET OF THINGS
DEVICES.</DELETED>
<DELETED> (a) In General.--Not later than 180 days after the date of
the enactment of this Act, the Director of the National Institute of
Standards and Technology shall, in consultation with such cybersecurity
researchers and private-sector industry experts as the Director
considers appropriate, publish guidance on policies and procedures for
the reporting, coordinating, publishing, and receiving of information
about--</DELETED>
<DELETED> (1) a security vulnerability relating to a covered
device used by the Federal Government; and</DELETED>
<DELETED> (2) the resolution of such security
vulnerability.</DELETED>
<DELETED> (b) Elements.--The guidance published under subsection (a)
shall include the following:</DELETED>
<DELETED> (1) Policies and procedures described in
subsection (a) that, to the maximum extent practicable, are
aligned with Standards 29147 and 30111 of the International
Standards Organization, or any successor standards. Such
policies and procedures shall include policies and procedures
for a contractor or vendor providing a covered device to the
Federal Government on--</DELETED>
<DELETED> (A) receiving information about a
potential security vulnerability relating to the
covered device; and</DELETED>
<DELETED> (B) disseminating information about the
resolution of a security vulnerability relating to the
covered device.</DELETED>
<DELETED> (2) Guidance, including example content, on the
information items that should be produced through the
implementation of the security vulnerability disclosure process
of the contractor.</DELETED>
<DELETED>SEC. 6. GUIDELINES FOR FEDERAL AGENCIES ON COORDINATED
DISCLOSURE OF SECURITY VULNERABILITIES RELATING TO
INTERNET OF THINGS DEVICES.</DELETED>
<DELETED> (a) Agency Guidelines Required.--Not later than 180 days
after the date on which the guidance required under section 4 is
published, the Director of the Office of Management and Budget shall,
in consultation with the Administrator of the General Services
Administration, issue guidelines for each agency on reporting,
coordinating, publishing, and receiving information about--</DELETED>
<DELETED> (1) a security vulnerability relating to a covered
device used by the agency; and</DELETED>
<DELETED> (2) the resolution of such security
vulnerability.</DELETED>
<DELETED> (b) Contractor and Vendor Compliance With National
Institute of Standards and Technology Guidance.--The guidelines
required by subsection (a) shall include a limitation that prohibits an
agency from acquiring or using any covered device from a contractor or
vendor if the contractor or vendor fails to comply with the guidance
published under section 5(a).</DELETED>
<DELETED> (c) Consistency With Guidance From National Institute of
Standards and Technology.--The Director shall ensure that the
guidelines issued under subsection (a) are consistent with the guidance
published under section 5(a).</DELETED>
SECTION 1. SHORT TITLE.
This Act may be cited as the ``Internet of Things Cybersecurity
Improvement Act of 2019'' or the ``IoT Cybersecurity Improvement Act of
2019''.
SEC. 2. DEFINITIONS.
In this Act:
(1) Agency.--The term ``agency'' has the meaning given such
term in section 3502 of title 44, United States Code.
(2) Director.--The term ``Director'' means the Director of
the National Institute of Standards and Technology.
(3) Information system.--The term ``information system''
has the meaning given the term in section 3502 of title 44,
United States Code.
(4) Secretary.--The term ``Secretary'' means the Secretary
of Homeland Security.
(5) Security vulnerability.--The term ``security
vulnerability'' has the meaning given the term in section 102
of the Cybersecurity Information Sharing Act of 2015 (6 U.S.C.
1501).
SEC. 3. NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY CONSIDERATIONS
AND RECOMMENDATIONS REGARDING MANAGING INTERNET OF THINGS
CYBERSECURITY RISKS.
(a) Development of Recommended Guidelines for Use of Internet of
Things Devices by Federal Government.--
(1) In general.--Not later than March 31, 2020, the
Director shall develop standards and guidelines for the Federal
Government on the appropriate use and management by the Federal
Government of Internet of Things devices owned or controlled by
the Federal Government, including minimum information security
requirements for managing cybersecurity risks associated with
such devices.
(2) Consistency with ongoing efforts.--The Director shall
ensure that the standards and guidelines developed under
paragraph (1) are consistent with the efforts of the National
Institute of Standards and Technology in effect on the date of
enactment of this Act regarding considerations for managing
Internet of Things cybersecurity risks, especially regarding
examples of possible cybersecurity capabilities of Internet of
Things devices, and in particular with respect to the following
considerations for Internet of Things devices:
(A) Secure development.
(B) Identity management.
(C) Patching.
(D) Configuration management.
(b) Institute Report on Cybersecurity Considerations Stemming From
the Convergence of Information Technology, Internet of Things, and
Operational Technology Devices, Networks, and Systems.--Not later than
180 days after the date of enactment of this Act, the Director shall
brief the appropriate committees of Congress on the increasing
convergence of traditional information technology devices, networks,
and systems with Internet of Things devices, networks, and systems and
operational technology devices, networks, and systems, including
considerations for managing cybersecurity risks and security
vulnerabilities associated with such trends.
SEC. 4. POLICIES AND PRINCIPLES FOR FEDERAL AGENCIES ON USE AND
MANAGEMENT OF INTERNET OF THINGS DEVICES.
(a) In General.--Not later than 180 days after the date on which
the Director completes the development of the standards and guidelines
required under section 3(a), the Director of the Office of Management
and Budget, in consultation with the Secretary, shall issue policies
and principles for each agency that are consistent with such standards
and guidelines.
(b) Requirement.--In issuing the policies, principles, standards,
or guidelines required under subsection (a), the Director of the Office
of Management and Budget, in consultation with the Secretary, shall
ensure that the policies and principles are consistent with the
information security requirements in subchapter II of chapter 35 of
title 44, United States Code.
(c) Reviews and Revisions.--The Director of the Office of
Management and Budget, in consultation with the Secretary, shall--
(1) review any policies, principles, standards, or
guidelines issued under subsection (a); and
(2) revise such policies, principles, standards, and
guidelines.
SEC. 5. GUIDELINES ON COORDINATED DISCLOSURE OF SECURITY
VULNERABILITIES RELATING TO INFORMATION SYSTEMS,
INCLUDING INTERNET OF THINGS DEVICES.
(a) In General.--Not later than 1 year after the date of enactment
of this Act, the Director, in consultation with such cybersecurity
researchers and private-sector industry experts as the Director
considers appropriate, and in consultation with the Secretary, shall
publish guidelines for the reporting, coordinating, publishing, and
receiving of information about--
(1) a security vulnerability relating to agency information
systems, including Internet of Things devices; and
(2) the resolution of such security vulnerability.
(b) Elements.--The guidelines published under subsection (a)
shall--
(1) to the maximum extent practicable, be aligned with
industry best practices and Standards 29147 and 30111 of the
International Standards Organization, or any successor
standards; and
(2) incorporate guidelines on--
(A) receiving information about a potential
security or personal information vulnerability relating
to agency information systems, and when relevant,
Internet of Things devices; and
(B) disseminating information about the resolution
of a security or personal information vulnerability
relating to agency information systems, and when
relevant, Internet of Things devices.
(c) Information Items.--The guidelines published under subsection
(a) shall include guidelines, including example content, on the
information items that should be produced through the implementation of
the security vulnerability disclosure process of a contractor or vendor
providing Internet of Things devices to the Federal Government.
(d) Oversight.--The Director of the Office of Management and Budget
shall oversee the implementation of the guidelines published under
subsection (a).
(e) Operational and Technical Assistance.--The Secretary shall
provide operational and technical assistance in implementing the
guidelines published under subsection (a).
SEC. 6. IMPLEMENTATION OF COORDINATED DISCLOSURE OF SECURITY
VULNERABILITIES RELATING TO AGENCY INFORMATION SYSTEMS,
INCLUDING INTERNET OF THINGS DEVICES.
(a) Agency Guidelines Required.--Not later than 180 days after the
date on which the Director publishes guidelines under section 5(a), the
Director of the Office of Management and Budget shall issue policies
and principles on security vulnerabilities of information systems,
including Internet of Things devices.
(b) Procedures.--The Secretary, in consultation with the Director
of the Office of Management and Budget, shall develop and issue
procedures for each agency on reporting, coordinating, publishing, and
receiving information about security vulnerabilities of information
systems, including Internet of Things devices.
(c) Contractor and Vendor Compliance With Policies and
Procedures.--The procedures required under subsection (b) shall include
a limitation that prohibits an agency from acquiring or using any
Internet of Things device from a contractor or vendor if the contractor
or vendor fails to comply with the guidelines published under section
5(a).
(d) Consistency With Guidelines From National Institute of
Standards and Technology.--The Secretary shall ensure that the
procedures required under subsection (b) are consistent with applicable
standards and publications established by the National Institute of
Standards and Technology.
SEC. 7. WAIVER.
The head of an agency may use an Internet of Things device without
regard to any policies, principles, standards, or guidelines issued
under this Act if the use of the Internet of Things device is--
(1) necessary for national security or for research
purposes;
(2) appropriate to the function of the covered device;
(3) secured using alternative and effective methods; or
(4) of substantially higher quality or affordability than a
product that meets such policies, principles, standards, or
guidelines.