[Congressional Bills 116th Congress]
[From the U.S. Government Publishing Office]
[S. 734 Reported in Senate (RS)]

                                                       Calendar No. 215
116th CONGRESS
  1st Session
                                 S. 734

                          [Report No. 116-112]

To leverage Federal Government procurement power to encourage increased 
 cybersecurity for Internet of Things devices, and for other purposes.


_______________________________________________________________________


                   IN THE SENATE OF THE UNITED STATES

                             March 11, 2019

   Mr. Warner (for himself, Mr. Gardner, Ms. Hassan, Mr. Daines, Ms. 
Cortez Masto, and Mr. Rounds) introduced the following bill; which was 
   read twice and referred to the Committee on Homeland Security and 
                          Governmental Affairs

                           September 23, 2019

               Reported by Mr. Johnson, with an amendment
 [Strike out all after the enacting clause and insert the part printed 
                               in italic]

_______________________________________________________________________

                                 A BILL

To leverage Federal Government procurement power to encourage increased 
 cybersecurity for Internet of Things devices, and for other purposes.

    Be it enacted by the Senate and House of Representatives of the 
United States of America in Congress assembled,

<DELETED>SECTION 1. SHORT TITLE.</DELETED>

<DELETED>    This Act may be cited as the ``Internet of Things 
Cybersecurity Improvement Act of 2019'' or the ``IoT Cybersecurity 
Improvement Act of 2019''.</DELETED>

<DELETED>SEC. 2. DEFINITIONS.</DELETED>

<DELETED>    In this Act:</DELETED>
        <DELETED>    (1) Agency.--The term ``agency'' has the meaning 
        given such term in section 3502 of title 44, United States 
        Code.</DELETED>
        <DELETED>    (2) Covered device.--</DELETED>
                <DELETED>    (A) In general.--The term ``covered 
                device'' means a physical object that--</DELETED>
                        <DELETED>    (i) is capable of connecting to 
                        and is in regular connection with the 
                        Internet;</DELETED>
                        <DELETED>    (ii) has computer processing 
                        capabilities that can collect, send, or receive 
                        data; and</DELETED>
                        <DELETED>    (iii) is not a general-purpose 
                        computing device, including personal computing 
                        systems, smart mobile communications devices, 
                        programmable logic controls, and mainframe 
                        computing systems.</DELETED>
                <DELETED>    (B) Modification of definition.--The 
                Director of the Office of Management and Budget shall 
                establish a process by which--</DELETED>
                        <DELETED>    (i) interested parties may 
                        petition for a device that is not described in 
                        subparagraph (A) to be considered a device that 
                        is not a covered device; and</DELETED>
                        <DELETED>    (ii) the Director acts upon any 
                        petition submitted under clause (i) in a timely 
                        manner.</DELETED>
        <DELETED>    (3) Security vulnerability.--The term ``security 
        vulnerability'' means any attribute of hardware, firmware, 
        software, or combination of 2 or more of these factors that 
        could enable the compromise of the confidentiality, integrity, 
        or availability of an information system or its information or 
        physical devices to which it is connected.</DELETED>

<DELETED>SEC. 3. NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 
              CONSIDERATIONS AND RECOMMENDATIONS REGARDING MANAGING 
              INTERNET OF THINGS CYBERSECURITY RISKS.</DELETED>

<DELETED>    (a) Completion of Ongoing Efforts Relating to 
Considerations for Managing Internet of Things Cybersecurity Risks.--
</DELETED>
        <DELETED>    (1) In general.--The Director of the National 
        Institute of Standards and Technology shall ensure that the 
        efforts of the Institute in effect on the date of the enactment 
        of this Act regarding considerations for managing Internet of 
        Things cybersecurity risks, especially regarding examples of 
        possible cybersecurity capabilities of Internet of Things 
        devices, are completed no later than September 30, 
        2019.</DELETED>
        <DELETED>    (2) Matters addressed.--In ensuring efforts are 
        completed under paragraph (1), the Director shall also ensure 
        that such efforts address, at a minimum, the following 
        considerations for covered devices:</DELETED>
                <DELETED>    (A) Secure Development.</DELETED>
                <DELETED>    (B) Identity management.</DELETED>
                <DELETED>    (C) Patching.</DELETED>
                <DELETED>    (D) Configuration management.</DELETED>
<DELETED>    (b) Development of Recommended Standards for Use of 
Internet of Things Devices by Federal Government.--</DELETED>
        <DELETED>    (1) In general.--Not later than March 31, 2020, 
        the Director of the Institute shall develop recommendations for 
        the Federal Government on the appropriate use and management by 
        the Federal Government of Internet of Things devices owned or 
        controlled by the Federal Government, including minimum 
        information security requirements for managing cybersecurity 
        risks associated with such devices.</DELETED>
        <DELETED>    (2) Consistency with ongoing efforts.--The 
        Director of the Institute shall ensure that the recommendations 
        and standards developed under paragraph (1) are consistent with 
        the efforts referred to in subsection (a), especially with 
        respect to the examples of possible cybersecurity capabilities 
        referred to in such subsection.</DELETED>
<DELETED>    (c) Institute Report on Cybersecurity Considerations 
Stemming From the Convergence of Information Technology, Internet of 
Things, and Operational Technology Devices, Networks and Systems.--Not 
later than 180 days following the enactment of this Act, the Director 
of the Institute shall publish a draft report related to the increasing 
convergence of traditional Information Technology devices, networks, 
and systems with Internet of Things devices, networks and systems and 
Operational Technology devices, networks and systems, including 
considerations for managing cybersecurity risks associated with such 
trends.</DELETED>

<DELETED>SEC. 4. POLICIES FOR FEDERAL AGENCIES ON USE AND MANAGEMENT OF 
              INTERNET OF THINGS DEVICES.</DELETED>

<DELETED>    (a) Revisions to the Federal Acquisition Regulation.--Not 
later than 180 days after the date on which the Director of the 
National Institute of Standards and Technology completes the 
development of the recommendations required under section 3(b), the 
Director of the Office of Management and Budget shall issue guidelines 
for each agency that are consistent with such 
recommendations.</DELETED>
<DELETED>    (b) Requirement.--In issuing the guidelines required under 
subsection (a), the Director of the Office of Management and Budget 
shall ensure that the guidelines are consistent with the information 
security requirements in subchapter II of chapter 35 of title 44, 
United States Code.</DELETED>
<DELETED>    (c) Quinquennial Reviews and Revisions.--Not less 
frequently than once every 5 years--</DELETED>
        <DELETED>    (1) the Director of the Office of Management and 
        Budget and the Director of the National Institute of Standards 
        and Technology shall review the policies issued under 
        subsection (a); and</DELETED>
        <DELETED>    (2) the Director of the Office of Management and 
        Budget shall, in consultation with the Director of the National 
        Institute of Standards and Technology, revise such 
        policies.</DELETED>

<DELETED>SEC. 5. NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 
              GUIDANCE ON COORDINATED DISCLOSURE OF SECURITY 
              VULNERABILITIES RELATING TO INTERNET OF THINGS 
              DEVICES.</DELETED>

<DELETED>    (a) In General.--Not later than 180 days after the date of 
the enactment of this Act, the Director of the National Institute of 
Standards and Technology shall, in consultation with such cybersecurity 
researchers and private-sector industry experts as the Director 
considers appropriate, publish guidance on policies and procedures for 
the reporting, coordinating, publishing, and receiving of information 
about--</DELETED>
        <DELETED>    (1) a security vulnerability relating to a covered 
        device used by the Federal Government; and</DELETED>
        <DELETED>    (2) the resolution of such security 
        vulnerability.</DELETED>
<DELETED>    (b) Elements.--The guidance published under subsection (a) 
shall include the following:</DELETED>
        <DELETED>    (1) Policies and procedures described in 
        subsection (a) that, to the maximum extent practicable, are 
        aligned with Standards 29147 and 30111 of the International 
        Standards Organization, or any successor standards. Such 
        policies and procedures shall include policies and procedures 
        for a contractor or vendor providing a covered device to the 
        Federal Government on--</DELETED>
                <DELETED>    (A) receiving information about a 
                potential security vulnerability relating to the 
                covered device; and</DELETED>
                <DELETED>    (B) disseminating information about the 
                resolution of a security vulnerability relating to the 
                covered device.</DELETED>
        <DELETED>    (2) Guidance, including example content, on the 
        information items that should be produced through the 
        implementation of the security vulnerability disclosure process 
        of the contractor.</DELETED>

<DELETED>SEC. 6. GUIDELINES FOR FEDERAL AGENCIES ON COORDINATED 
              DISCLOSURE OF SECURITY VULNERABILITIES RELATING TO 
              INTERNET OF THINGS DEVICES.</DELETED>

<DELETED>    (a) Agency Guidelines Required.--Not later than 180 days 
after the date on which the guidance required under section 4 is 
published, the Director of the Office of Management and Budget shall, 
in consultation with the Administrator of the General Services 
Administration, issue guidelines for each agency on reporting, 
coordinating, publishing, and receiving information about--</DELETED>
        <DELETED>    (1) a security vulnerability relating to a covered 
        device used by the agency; and</DELETED>
        <DELETED>    (2) the resolution of such security 
        vulnerability.</DELETED>
<DELETED>    (b) Contractor and Vendor Compliance With National 
Institute of Standards and Technology Guidance.--The guidelines 
required by subsection (a) shall include a limitation that prohibits an 
agency from acquiring or using any covered device from a contractor or 
vendor if the contractor or vendor fails to comply with the guidance 
published under section 5(a).</DELETED>
<DELETED>    (c) Consistency With Guidance From National Institute of 
Standards and Technology.--The Director shall ensure that the 
guidelines issued under subsection (a) are consistent with the guidance 
published under section 5(a).</DELETED>

SECTION 1. SHORT TITLE.

    This Act may be cited as the ``Internet of Things Cybersecurity 
Improvement Act of 2019'' or the ``IoT Cybersecurity Improvement Act of 
2019''.

SEC. 2. DEFINITIONS.

    In this Act:
            (1) Agency.--The term ``agency'' has the meaning given such 
        term in section 3502 of title 44, United States Code.
            (2) Director.--The term ``Director'' means the Director of 
        the National Institute of Standards and Technology.
            (3) Information system.--The term ``information system'' 
        has the meaning given the term in section 3502 of title 44, 
        United States Code.
            (4) Secretary.--The term ``Secretary'' means the Secretary 
        of Homeland Security.
            (5) Security vulnerability.--The term ``security 
        vulnerability'' has the meaning given the term in section 102 
        of the Cybersecurity Information Sharing Act of 2015 (6 U.S.C. 
        1501).

SEC. 3. NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY CONSIDERATIONS 
              AND RECOMMENDATIONS REGARDING MANAGING INTERNET OF THINGS 
              CYBERSECURITY RISKS.

    (a) Development of Recommended Guidelines for Use of Internet of 
Things Devices by Federal Government.--
            (1) In general.--Not later than March 31, 2020, the 
        Director shall develop standards and guidelines for the Federal 
        Government on the appropriate use and management by the Federal 
        Government of Internet of Things devices owned or controlled by 
        the Federal Government, including minimum information security 
        requirements for managing cybersecurity risks associated with 
        such devices.
            (2) Consistency with ongoing efforts.--The Director shall 
        ensure that the standards and guidelines developed under 
        paragraph (1) are consistent with the efforts of the National 
        Institute of Standards and Technology in effect on the date of 
        enactment of this Act regarding considerations for managing 
        Internet of Things cybersecurity risks, especially regarding 
        examples of possible cybersecurity capabilities of Internet of 
        Things devices, and in particular with respect to the following 
        considerations for Internet of Things devices:
                    (A) Secure development.
                    (B) Identity management.
                    (C) Patching.
                    (D) Configuration management.
    (b) Institute Report on Cybersecurity Considerations Stemming From 
the Convergence of Information Technology, Internet of Things, and 
Operational Technology Devices, Networks, and Systems.--Not later than 
180 days after the date of enactment of this Act, the Director shall 
brief the appropriate committees of Congress on the increasing 
convergence of traditional information technology devices, networks, 
and systems with Internet of Things devices, networks, and systems and 
operational technology devices, networks, and systems, including 
considerations for managing cybersecurity risks and security 
vulnerabilities associated with such trends.

SEC. 4. POLICIES AND PRINCIPLES FOR FEDERAL AGENCIES ON USE AND 
              MANAGEMENT OF INTERNET OF THINGS DEVICES.

    (a) In General.--Not later than 180 days after the date on which 
the Director completes the development of the standards and guidelines 
required under section 3(a), the Director of the Office of Management 
and Budget, in consultation with the Secretary, shall issue policies 
and principles for each agency that are consistent with such standards 
and guidelines.
    (b) Requirement.--In issuing the policies, principles, standards, 
or guidelines required under subsection (a), the Director of the Office 
of Management and Budget, in consultation with the Secretary, shall 
ensure that the policies and principles are consistent with the 
information security requirements in subchapter II of chapter 35 of 
title 44, United States Code.
    (c) Reviews and Revisions.--The Director of the Office of 
Management and Budget, in consultation with the Secretary, shall--
            (1) review any policies, principles, standards, or 
        guidelines issued under subsection (a); and
            (2) revise such policies, principles, standards, and 
        guidelines.

SEC. 5. GUIDELINES ON COORDINATED DISCLOSURE OF SECURITY 
              VULNERABILITIES RELATING TO INFORMATION SYSTEMS, 
              INCLUDING INTERNET OF THINGS DEVICES.

    (a) In General.--Not later than 1 year after the date of enactment 
of this Act, the Director, in consultation with such cybersecurity 
researchers and private-sector industry experts as the Director 
considers appropriate, and in consultation with the Secretary, shall 
publish guidelines for the reporting, coordinating, publishing, and 
receiving of information about--
            (1) a security vulnerability relating to agency information 
        systems, including Internet of Things devices; and
            (2) the resolution of such security vulnerability.
    (b) Elements.--The guidelines published under subsection (a) 
shall--
            (1) to the maximum extent practicable, be aligned with 
        industry best practices and Standards 29147 and 30111 of the 
        International Standards Organization, or any successor 
        standards; and
            (2) incorporate guidelines on--
                    (A) receiving information about a potential 
                security or personal information vulnerability relating 
                to agency information systems, and when relevant, 
                Internet of Things devices; and
                    (B) disseminating information about the resolution 
                of a security or personal information vulnerability 
                relating to agency information systems, and when 
                relevant, Internet of Things devices.
    (c) Information Items.--The guidelines published under subsection 
(a) shall include guidelines, including example content, on the 
information items that should be produced through the implementation of 
the security vulnerability disclosure process of a contractor or vendor 
providing Internet of Things devices to the Federal Government.
    (d) Oversight.--The Director of the Office of Management and Budget 
shall oversee the implementation of the guidelines published under 
subsection (a).
    (e) Operational and Technical Assistance.--The Secretary shall 
provide operational and technical assistance in implementing the 
guidelines published under subsection (a).

SEC. 6. IMPLEMENTATION OF COORDINATED DISCLOSURE OF SECURITY 
              VULNERABILITIES RELATING TO AGENCY INFORMATION SYSTEMS, 
              INCLUDING INTERNET OF THINGS DEVICES.

    (a) Agency Guidelines Required.--Not later than 180 days after the 
date on which the Director publishes guidelines under section 5(a), the 
Director of the Office of Management and Budget shall issue policies 
and principles on security vulnerabilities of information systems, 
including Internet of Things devices.
    (b) Procedures.--The Secretary, in consultation with the Director 
of the Office of Management and Budget, shall develop and issue 
procedures for each agency on reporting, coordinating, publishing, and 
receiving information about security vulnerabilities of information 
systems, including Internet of Things devices.
    (c) Contractor and Vendor Compliance With Policies and 
Procedures.--The procedures required under subsection (b) shall include 
a limitation that prohibits an agency from acquiring or using any 
Internet of Things device from a contractor or vendor if the contractor 
or vendor fails to comply with the guidelines published under section 
5(a).
    (d) Consistency With Guidelines From National Institute of 
Standards and Technology.--The Secretary shall ensure that the 
procedures required under subsection (b) are consistent with applicable 
standards and publications established by the National Institute of 
Standards and Technology.

SEC. 7. WAIVER.

    The head of an agency may use an Internet of Things device without 
regard to any policies, principles, standards, or guidelines issued 
under this Act if the use of the Internet of Things device is--
            (1) necessary for national security or for research 
        purposes;
            (2) appropriate to the function of the covered device;
            (3) secured using alternative and effective methods; or
            (4) of substantially higher quality or affordability than a 
        product that meets such policies, principles, standards, or 
        guidelines.