116 S734 RS: Internet of Things Cybersecurity Improvement Act of 2019 U.S. Senate 2019-03-11 text/xml EN Pursuant to Title 17 Section 105 of the United States Code, this file is not subject to copyright protection and is in the public domain.

IICalendar No. 215116th CONGRESS1st SessionS. 734[Report No. 116–112]IN THE SENATE OF THE UNITED STATESMarch 11, 2019Mr. Warner (for himself, Mr. Gardner, Ms. Hassan, Mr. Daines, Ms. Cortez Masto, and Mr. Rounds) introduced the following bill; which was read twice and referred to the Committee on Homeland Security and Governmental AffairsSeptember 23, 2019Reported by Mr. Johnson, with an amendmentStrike out all after the enacting clause and insert the part printed in italicA BILLTo leverage Federal Government procurement power to encourage increased cybersecurity for Internet of Things devices, and for other purposes.

1.

Short title

This Act may be cited as the Internet of Things Cybersecurity Improvement Act of 2019 or the IoT Cybersecurity Improvement Act of 2019.

2.

Definitions

In this Act: (1)

Agency

The term agency has the meaning given such term in section 3502 of title 44, United States Code. (2)

Covered device

(A)

In general

The term covered device means a physical object that— (i)is capable of connecting to and is in regular connection with the Internet; (ii)has computer processing capabilities that can collect, send, or receive data; and (iii)is not a general-purpose computing device, including personal computing systems, smart mobile communications devices, programmable logic controls, and mainframe computing systems. (B)

Modification of definition

The Director of the Office of Management and Budget shall establish a process by which— (i)interested parties may petition for a device that is not described in subparagraph (A) to be considered a device that is not a covered device; and (ii)the Director acts upon any petition submitted under clause (i) in a timely manner. (3)

Security vulnerability

The term security vulnerability means any attribute of hardware, firmware, software, or combination of 2 or more of these factors that could enable the compromise of the confidentiality, integrity, or availability of an information system or its information or physical devices to which it is connected.

3.

National Institute of Standards and Technology considerations and recommendations regarding managing Internet of Things cybersecurity risks

(a)

Completion of ongoing efforts relating to considerations for managing internet of things cybersecurity risks

(1)

In general

The Director of the National Institute of Standards and Technology shall ensure that the efforts of the Institute in effect on the date of the enactment of this Act regarding considerations for managing Internet of Things cybersecurity risks, especially regarding examples of possible cybersecurity capabilities of Internet of Things devices, are completed no later than September 30, 2019. (2)

Matters addressed

In ensuring efforts are completed under paragraph (1), the Director shall also ensure that such efforts address, at a minimum, the following considerations for covered devices: (A)Secure Development. (B)Identity management. (C)Patching. (D)Configuration management. (b)

Development of recommended standards for use of internet of things devices by Federal Government

(1)

In general

Not later than March 31, 2020, the Director of the Institute shall develop recommendations for the Federal Government on the appropriate use and management by the Federal Government of Internet of Things devices owned or controlled by the Federal Government, including minimum information security requirements for managing cybersecurity risks associated with such devices. (2)

Consistency with ongoing efforts

The Director of the Institute shall ensure that the recommendations and standards developed under paragraph (1) are consistent with the efforts referred to in subsection (a), especially with respect to the examples of possible cybersecurity capabilities referred to in such subsection. (c)

Institute Report on cybersecurity considerations stemming from the convergence of Information Technology, Internet of Things, and Operational Technology devices, networks and systems

Not later than 180 days following the enactment of this Act, the Director of the Institute shall publish a draft report related to the increasing convergence of traditional Information Technology devices, networks, and systems with Internet of Things devices, networks and systems and Operational Technology devices, networks and systems, including considerations for managing cybersecurity risks associated with such trends.

4.

Policies for Federal agencies on use and management of Internet of Things devices

(a)

Revisions to the federal acquisition regulation

Not later than 180 days after the date on which the Director of the National Institute of Standards and Technology completes the development of the recommendations required under section 3(b), the Director of the Office of Management and Budget shall issue guidelines for each agency that are consistent with such recommendations. (b)

Requirement

In issuing the guidelines required under subsection (a), the Director of the Office of Management and Budget shall ensure that the guidelines are consistent with the information security requirements in subchapter II of chapter 35 of title 44, United States Code. (c)

Quinquennial reviews and revisions

Not less frequently than once every 5 years— (1)the Director of the Office of Management and Budget and the Director of the National Institute of Standards and Technology shall review the policies issued under subsection (a); and (2)the Director of the Office of Management and Budget shall, in consultation with the Director of the National Institute of Standards and Technology, revise such policies.

5.

National Institute of Standards and Technology guidance on coordinated disclosure of security vulnerabilities relating to Internet of Things devices

(a)

In general

Not later than 180 days after the date of the enactment of this Act, the Director of the National Institute of Standards and Technology shall, in consultation with such cybersecurity researchers and private-sector industry experts as the Director considers appropriate, publish guidance on policies and procedures for the reporting, coordinating, publishing, and receiving of information about— (1)a security vulnerability relating to a covered device used by the Federal Government; and (2)the resolution of such security vulnerability. (b)

Elements

The guidance published under subsection (a) shall include the following: (1)Policies and procedures described in subsection (a) that, to the maximum extent practicable, are aligned with Standards 29147 and 30111 of the International Standards Organization, or any successor standards. Such policies and procedures shall include policies and procedures for a contractor or vendor providing a covered device to the Federal Government on— (A)receiving information about a potential security vulnerability relating to the covered device; and (B)disseminating information about the resolution of a security vulnerability relating to the covered device. (2)Guidance, including example content, on the information items that should be produced through the implementation of the security vulnerability disclosure process of the contractor.

6.

Guidelines for Federal agencies on coordinated disclosure of security vulnerabilities relating to Internet of Things devices

(a)

Agency guidelines required

Not later than 180 days after the date on which the guidance required under section 4 is published, the Director of the Office of Management and Budget shall, in consultation with the Administrator of the General Services Administration, issue guidelines for each agency on reporting, coordinating, publishing, and receiving information about— (1)a security vulnerability relating to a covered device used by the agency; and (2)the resolution of such security vulnerability. (b)

Contractor and vendor compliance with National Institute of Standards and Technology guidance

The guidelines required by subsection (a) shall include a limitation that prohibits an agency from acquiring or using any covered device from a contractor or vendor if the contractor or vendor fails to comply with the guidance published under section 5(a). (c)

Consistency with guidance from National Institute of Standards and Technology

The Director shall ensure that the guidelines issued under subsection (a) are consistent with the guidance published under section 5(a).

1.

Short title

This Act may be cited as the Internet of Things Cybersecurity Improvement Act of 2019 or the IoT Cybersecurity Improvement Act of 2019.

2.

Definitions

In this Act: (1)

Agency

The term agency has the meaning given such term in section 3502 of title 44, United States Code. (2)

Director

The term Director means the Director of the National Institute of Standards and Technology. (3)

Information system

The term information system has the meaning given the term in section 3502 of title 44, United States Code. (4)

Secretary

The term Secretary means the Secretary of Homeland Security. (5)

Security vulnerability

The term security vulnerability has the meaning given the term in section 102 of the Cybersecurity Information Sharing Act of 2015 (6 U.S.C. 1501).

3.

National Institute of Standards and Technology considerations and recommendations regarding managing Internet of Things cybersecurity risks

(a)

Development of recommended guidelines for use of internet of things devices by Federal Government

(1)

In general

Not later than March 31, 2020, the Director shall develop standards and guidelines for the Federal Government on the appropriate use and management by the Federal Government of Internet of Things devices owned or controlled by the Federal Government, including minimum information security requirements for managing cybersecurity risks associated with such devices. (2)

Consistency with ongoing efforts

The Director shall ensure that the standards and guidelines developed under paragraph (1) are consistent with the efforts of the National Institute of Standards and Technology in effect on the date of enactment of this Act regarding considerations for managing Internet of Things cybersecurity risks, especially regarding examples of possible cybersecurity capabilities of Internet of Things devices, and in particular with respect to the following considerations for Internet of Things devices: (A)Secure development. (B)Identity management. (C)Patching. (D)Configuration management. (b)

Institute Report on cybersecurity considerations stemming from the convergence of Information Technology, Internet of Things, and Operational Technology devices, networks, and systems

Not later than 180 days after the date of enactment of this Act, the Director shall brief the appropriate committees of Congress on the increasing convergence of traditional information technology devices, networks, and systems with Internet of Things devices, networks, and systems and operational technology devices, networks, and systems, including considerations for managing cybersecurity risks and security vulnerabilities associated with such trends.

4.

Policies and principles for Federal agencies on use and management of Internet of Things devices

(a)

In general

Not later than 180 days after the date on which the Director completes the development of the standards and guidelines required under section 3(a), the Director of the Office of Management and Budget, in consultation with the Secretary, shall issue policies and principles for each agency that are consistent with such standards and guidelines. (b)

Requirement

In issuing the policies, principles, standards, or guidelines required under subsection (a), the Director of the Office of Management and Budget, in consultation with the Secretary, shall ensure that the policies and principles are consistent with the information security requirements in subchapter II of chapter 35 of title 44, United States Code. (c)

Reviews and revisions

The Director of the Office of Management and Budget, in consultation with the Secretary, shall— (1)review any policies, principles, standards, or guidelines issued under subsection (a); and (2)revise such policies, principles, standards, and guidelines.

5.

Guidelines on coordinated disclosure of security vulnerabilities relating to information systems, including Internet of Things devices

(a)

In general

Not later than 1 year after the date of enactment of this Act, the Director, in consultation with such cybersecurity researchers and private-sector industry experts as the Director considers appropriate, and in consultation with the Secretary, shall publish guidelines for the reporting, coordinating, publishing, and receiving of information about— (1)a security vulnerability relating to agency information systems, including Internet of Things devices; and (2)the resolution of such security vulnerability. (b)

Elements

The guidelines published under subsection (a) shall— (1)to the maximum extent practicable, be aligned with industry best practices and Standards 29147 and 30111 of the International Standards Organization, or any successor standards; and (2)incorporate guidelines on— (A)receiving information about a potential security or personal information vulnerability relating to agency information systems, and when relevant, Internet of Things devices; and (B)disseminating information about the resolution of a security or personal information vulnerability relating to agency information systems, and when relevant, Internet of Things devices. (c)

Information items

The guidelines published under subsection (a) shall include guidelines, including example content, on the information items that should be produced through the implementation of the security vulnerability disclosure process of a contractor or vendor providing Internet of Things devices to the Federal Government. (d)

Oversight

The Director of the Office of Management and Budget shall oversee the implementation of the guidelines published under subsection (a). (e)

Operational and technical assistance

The Secretary shall provide operational and technical assistance in implementing the guidelines published under subsection (a).

6.

Implementation of coordinated disclosure of security vulnerabilities relating to agency information systems, including Internet of Things devices

(a)

Agency guidelines required

Not later than 180 days after the date on which the Director publishes guidelines under section 5(a), the Director of the Office of Management and Budget shall issue policies and principles on security vulnerabilities of information systems, including Internet of Things devices. (b)

Procedures

The Secretary, in consultation with the Director of the Office of Management and Budget, shall develop and issue procedures for each agency on reporting, coordinating, publishing, and receiving information about security vulnerabilities of information systems, including Internet of Things devices. (c)

Contractor and vendor compliance with policies and procedures

The procedures required under subsection (b) shall include a limitation that prohibits an agency from acquiring or using any Internet of Things device from a contractor or vendor if the contractor or vendor fails to comply with the guidelines published under section 5(a). (d)

Consistency with guidelines from National Institute of Standards and Technology

The Secretary shall ensure that the procedures required under subsection (b) are consistent with applicable standards and publications established by the National Institute of Standards and Technology.

7.

Waiver

The head of an agency may use an Internet of Things device without regard to any policies, principles, standards, or guidelines issued under this Act if the use of the Internet of Things device is— (1)necessary for national security or for research purposes; (2)appropriate to the function of the covered device; (3)secured using alternative and effective methods; or (4)of substantially higher quality or affordability than a product that meets such policies, principles, standards, or guidelines.

September 23, 2019Reported with an amendment