[House Report 116-501]
[From the U.S. Government Publishing Office]
116th Congress, 2d Session
HOUSE OF REPRESENTATIVES
Rept. 116-501, Part 1
======================================================================
INTERNET OF THINGS CYBERSECURITY IMPROVEMENT ACT OF 2019
_______
September 14, 2020.--Committed to the Committee of the Whole House on
the State of the Union and Ordered to be printed
_______
Mrs. Carolyn B. Maloney, of New York, from the Committee on Oversight
and Reform, submitted the following
R E P O R T
together with
ADDITIONAL VIEWS
[To accompany H.R. 1668]
[Including cost estimate of the Congressional Budget Office]
The Committee on Oversight and Reform, to whom was referred
the bill (H.R. 1668) to leverage Federal Government procurement
power to encourage increased cybersecurity for Internet of
Things devices, and for other purposes, having considered the
same, reports favorably thereon with an amendment and
recommends that the bill as amended do pass.
CONTENTS
Summary and Purpose of Legislation
Background and Need for Legislation
Section-by-Section Analysis
Legislative History
Committee Consideration
Explanation of Amendments
List of Related Committee Hearings
Statement of Oversight Findings and Recommendations of the Committee
Statement of General Performance Goals and Objectives
Application of Law to the Legislative Branch
Duplication of Federal Programs
Disclosure of Directed Rule Makings
Federal Advisory Committee Act Statement
Unfunded Mandate Reform Act Statement
Earmark Identification
Committee Cost Estimate
New Budget Authority and Congressional Budget Office Cost Estimate
Additional Views
The amendment is as follows:
Strike all after the enacting clause and insert the
following:
SECTION 1. SHORT TITLE.
This Act may be cited as the ``Internet of Things Cybersecurity
Improvement Act of 2019'' or the ``IoT Cybersecurity Improvement Act of
2019''.
SEC. 2. DEFINITIONS.
In this Act:
(1) Agency.--The term ``agency'' has the meaning given such
term in section 3502 of title 44, United States Code.
(2) Covered device.--The term ``covered device'' means a
physical object that--
(A) is capable of being in regular connection with--
(i) the Internet; or
(ii) a network that is connected to the
Internet on a recurring basis;
(B) has computer processing capabilities of
collecting, sending, or receiving data; and
(C) is not a--
(i) general-purpose computing device;
(ii) personal computing system;
(iii) smart mobile communications device;
(iv) programmable logic controller with an
industrial control system specifically not
designed for connection to the internet;
(v) mainframe computing system; or
(vi) subcomponent of a device.
(3) Director of OMB.--The term ``Director of OMB'' means the
Director of the Office of Management and Budget.
(4) Director of the Institute.--The term ``Director of the
Institute'' means the Director of the National Institute of
Standards and Technology.
(5) Security vulnerability.--The term ``security
vulnerability'' has the meaning given that term under section
102(17) of the Cybersecurity Information Sharing Act of 2015 (6
U.S.C. 1501(17)).
SEC. 3. COMPLETION OF ONGOING EFFORTS RELATING TO CONSIDERATIONS FOR
MANAGING INTERNET OF THINGS CYBERSECURITY RISKS.
Not later than December 31, 2019, the Director of the National
Institute of Standards and Technology shall complete the efforts of the
Institute in effect on the date of the enactment of this Act regarding
considerations for managing the security vulnerabilities of Internet of
Things devices and examples of possible cybersecurity capabilities of
such devices by publishing a report that includes, at a minimum, the
following considerations for covered devices:
(1) Secure development.
(2) Identity management.
(3) Patching.
(4) Configuration management.
SEC. 4. SECURITY STANDARDS FOR USE OF COVERED DEVICES BY THE FEDERAL
GOVERNMENT.
(a) Guidelines Required.--
(1) Guidelines.--Not later than 6 months after the date on
which the report under section 3 is completed, the Director of
the Institute shall develop under section 20 of the National
Institute of Standards and Technology Act (15 U.S.C. 278g-3),
and submit to the Director of OMB, guidelines on--
(A) the appropriate use and management by the
agencies of covered devices owned or controlled by the
agencies; and
(B) minimum information security requirements for
managing security vulnerabilities associated with such
devices.
(2) Development of guidelines.--In developing the guidelines
submitted under paragraph (1), the Director of the Institute
shall--
(A) consider relevant standards and best practices
developed by the private sector, agencies, and public-
private partnerships; and
(B) ensure that such guidelines are consistent with
the considerations published in the report described
under section 3.
(b) Promulgation of Standards.--
(1) Standards.--Not later than 180 days after the date on
which the Director of the Institute completes the development
of the guidelines required under subsection (a), the Director
of OMB, in consultation with the Director of the Cybersecurity
and Infrastructure Security Agency of the Department of
Homeland Security, shall--
(A) promulgate standards on the basis of the
guidelines submitted under subsection (a) pertaining to
covered devices owned or controlled by agencies, except
those considered national security systems as defined
by section 3552(b)(6) of title 44, United States Code;
and
(B) ensure such standards are consistent with the
information security requirements under subchapter II
of chapter 35 of title 44, United States Code.
(2) Quinquennial review and revision.--Not later than 5 years
after the date on which the Director of OMB promulgates the
standards under paragraph (1), and not less frequently than
once every 5 years thereafter, the Director of OMB, in
consultation with the Director of the Institute and the
Director of the Cybersecurity and Infrastructure Security
Agency of the Department of Homeland Security, shall--
(A) review such standards; and
(B) revise such standards as appropriate.
(c) Revision of Federal Acquisition Regulation.--The Federal
Acquisition Regulation shall be revised to implement any standard
promulgated under subsection (b).
SEC. 5. PETITION TO EXCLUDE CERTAIN DEVICES.
(a) Petition.--The Director of OMB shall establish a process by which
an interested party may petition the Director of OMB for a device
described in section 2(2) to not be considered a covered device for the
purpose of standards promulgated under section 4(b).
(b) Grants of Petition.--The Director of OMB shall grant a petition
under subsection (a)--
(1) on a limited basis;
(2) in a timely manner; and
(3) only if the interested party demonstrates that--
(A) the procurement of such a covered device with
limited data processing and software functionality
would be unfeasible; or
(B) the procurement of a covered device that does not
meet the standards promulgated by the Director of OMB
under this Act is necessary for national security or
for research purposes.
(c) Report.--
(1) In general.--Not later than one year after the date of
the enactment of this Act, and annually thereafter for each of
the following four years, the Director of OMB shall submit to
the appropriate congressional committees a report on the
process established by the Director of OMB for granting or
denying waivers under this section.
(2) Assessment of implementation.--The reports required under
paragraph (1) shall include, at a minimum, the following:
(A) An assessment of the waiver evaluation process.
(B) A description of the methods established to carry
out such assessment.
(C) A classified appendix listing the types and
number of devices for each agency granted a waiver and
the reasons for such waiver.
(3) Appropriate congressional committees defined.--In this
subsection, the term ``appropriate congressional committees''
means the Committees on Oversight and Reform and Homeland
Security of the House of Representatives and the Committee on
Homeland Security and Governmental Affairs of the Senate.
SEC. 6. COORDINATED DISCLOSURE OF SECURITY VULNERABILITIES RELATING TO
COVERED DEVICES.
(a) In General.--Not later than 180 days after the date of the
enactment of this Act, the Director of the Institute, in consultation
with the Director of the Cybersecurity and Infrastructure Security Agency
of the Department of Homeland Security, shall develop under section 20
of the National Institute of Standards and Technology Act (15 U.S.C.
278g-3) and submit to the Director of OMB, guidelines--
(1) for the reporting, coordinating, publishing, and
receiving of information about--
(A) a security vulnerability relating to a covered
device owned or controlled by an agency; and
(B) the resolution of such security vulnerability;
(2) for contractors providing a covered device to the Federal
Government, and any subcontractor thereof at any tier providing
such device to such contractors on--
(A) receiving information about a potential security
vulnerability relating to the covered device; and
(B) disseminating information about the resolution of
a security vulnerability relating to the covered
device; and
(3) on the type of information about security vulnerabilities
that should be reported to the Federal Government, including
examples thereof.
(b) Development of Guidelines.--In developing the guidelines under
subsection (a), the Director of the Institute shall--
(1) consult with such cybersecurity researchers and private
sector industry experts as the Director considers appropriate;
(2) to the maximum extent practicable, align such guidelines
with Standards 29147 and 30111 of the International Standards
Organization, or any successor standards thereof; and
(3) ensure such guidelines are consistent with the policies
and procedures developed under section 2209(m) of the Homeland
Security Act of 2002 (6 U.S.C. 659(m)).
(c) Promulgation of Standards.--
(1) In general.--Not later than 180 days after the date on
which the guidelines under subsection (a) are submitted, the
Director of OMB, in consultation with the Administrator of
General Services and the Secretary of Homeland Security, shall
promulgate standards on the basis of such guidelines.
(2) Contract requirement for subcontracts.--The standards
promulgated under paragraph (1) shall include a requirement for
any contract related to a covered device to include a clause
that requires each contractor that provides a covered device
under the contract to an agency to ensure that any covered
device obtained through a subcontract, at any tier, complies
with the standards and regulations promulgated under this
section with respect to such covered device.
(3) Consistency with the Strengthening and Enhancing Cyber-capabilities by Utilizing Risk Exposure Technology Act.--The
Director of OMB shall ensure that the standards promulgated
under paragraph (1) are consistent with section 101 of the
Strengthening and Enhancing Cyber-capabilities by Utilizing
Risk Exposure Technology Act (6 U.S.C. 663 note; Public Law
115-390).
(d) Revision of Federal Acquisition Regulation.--The Federal
Acquisition Regulation shall be revised to implement the standards
promulgated under subsection (c).
SEC. 7. CONTRACTOR COMPLIANCE WITH STANDARDS AND REGULATIONS.
(a) In General.--
(1) Determination.--
(A) Compliance required.--Before awarding a contract
to an offeror for the procurement of a covered device,
or renewing a contract to procure or obtain a covered
device from a contractor, the agency Chief Information
Officer shall determine if such offeror or contractor
has complied with each standard promulgated under
section 6(c) with respect to such covered device.
(B) Simplified acquisition threshold.--
Notwithstanding section 1905 of title 41, United States
Code, the requirements under subparagraph (A) shall
apply to a contract or subcontract in amounts not
greater than the simplified acquisition threshold.
(2) Prohibition on use or procurement.--The head of an agency
may not procure or obtain, or renew a contract to procure or
obtain, a covered device if the agency Chief Information
Officer determines under paragraph (1)(A) that such offeror or
contractor has not complied with a standard promulgated under
section 6(c) with respect to such covered device.
(b) Waiver.--The head of an agency may waive the prohibition under
subsection (a)(2) if the procurement of such covered device is
necessary for national security or for research purposes.
(c) Effective Date.--The prohibition under subsection (a) shall take
effect one year after the date of the enactment of this Act.
SEC. 8. INSTITUTE REPORT ON CYBERSECURITY CONSIDERATIONS STEMMING FROM
THE CONVERGENCE OF INFORMATION TECHNOLOGY, INTERNET
OF THINGS, AND OPERATIONAL TECHNOLOGY DEVICES,
NETWORKS AND SYSTEMS.
Not later than 1 year after the date of the enactment of this Act,
the Director of the Institute shall publish a report on the increasing
convergence, including considerations for managing potential security
vulnerabilities associated with such convergence, of traditional
information technology devices, networks, and systems with--
(1) covered devices, networks and systems; and
(2) operational technology devices, networks and systems.
SUMMARY AND PURPOSE OF LEGISLATION
The Internet of Things Cybersecurity Improvement Act of
2019 would require enhanced levels of cybersecurity for
federally procured Internet of Things devices.
BACKGROUND AND NEED FOR LEGISLATION
H.R. 1668 would establish cybersecurity standards for
federal devices that are connected to the internet.\1\ At the
moment, there are no national standards to ensure the security
of Internet of Things (IoT) devices.\2\ As such, hackers
frequently target IoT devices, ``leading to problems like
default passwords and vulnerabilities that can't be fixed.''\3\
---------------------------------------------------------------------------
\1\House Committee on Oversight and Reform, Statement of Chairman
Elijah E. Cummings, Business Meeting (June 12, 2019).
\2\Congress Introduces Bill to Improve `Internet of Things'
Security, C/Net (Mar. 11, 2019) (online at www.cnet.com/news/congress-
introduces-bill-to-improve-internet-of-things-security/).
\3\Id.
---------------------------------------------------------------------------
In 2016, internet access was denied for millions on the
East Coast due to a distributed denial of service attack
facilitated by ``hundreds of thousands of compromised unsecured
IoT devices.''\4\ Device vulnerability can pose a threat to the
Federal Government because ``these devices can serve as
gateways to accessing a network and launching
cyberattacks.''\5\
---------------------------------------------------------------------------
\4\House Committee on Oversight and Reform, Statement of Rep. Robin
Kelly, Business Meeting (June 12, 2019).
\5\Id.
---------------------------------------------------------------------------
In a 2018 Senate hearing, the Director of the Defense Intelligence
Agency, Lt. General Robert Ashley, testified that ``insecure IoT
devices are one of the `most important emerging cyberthreats'
to US national security.''\6\
---------------------------------------------------------------------------
\6\Senate Committee on Armed Services, Written Testimony of
Lieutenant General Robert Ashley, Director, Defense Intelligence
Agency, Worldwide Threat Assessment, 115th Cong. (Mar. 6, 2018) (online
at www.armed-services.senate.gov/imo/media/doc/Ashley_03-06-18.pdf).
---------------------------------------------------------------------------
The bill would require any contractor or vendor at any tier
that provides IoT devices to the Federal Government to meet
minimum cybersecurity standards based on guidelines by the
National Institute of Standards and Technology (NIST).\7\
Exceptions from this requirement could be approved by the
Director of the Office of Management and Budget (OMB) if an
interested party demonstrated that the covered device is
required for national security or research purposes.\8\
---------------------------------------------------------------------------
\7\Congress Introduces Bill to Improve `Internet of Things'
Security, C/Net (Mar. 11, 2019) (online at www.cnet.com/news/congress-
introduces-bill-to-improve-internet-of-things-security/).
\8\House Committee on Oversight and Reform, Statement of Rep. Robin
Kelly, Business Meeting (June 12, 2019).
---------------------------------------------------------------------------
The NIST security guidelines for managing risk would be
established by September 20, 2019 and reviewed every five
years. OMB would promulgate standards for agency implementation
based on the NIST guidelines by March 30, 2020. The bill would
also require vendors of IoT devices to disclose when devices
are vulnerable to cyberattacks.
The number of connected devices is expected to surpass 20
billion by 2020.\9\ These standards may encourage IoT
manufacturers to increase the level of security of their
devices.\10\
---------------------------------------------------------------------------
\9\Gartner, Inc., Gartner Says 8.4 Billion Connected ``Things''
Will Be in Use in 2017, Up 31 Percent from 2016 (Feb. 7, 2017) (online
at www.gartner.com/en/newsroom/press-releases/2017-02-07-gartner-says-
8-billion-connected-things-will-be-in-use-in-2017-up-31-percent-from-
2016).
\10\Congress Introduces Bill to Improve `Internet of Things'
Security, C/Net (Mar. 11, 2019) (online at www.cnet.com/news/congress-
introduces-bill-to-improve-internet-of-things-security/).
---------------------------------------------------------------------------
SECTION-BY-SECTION ANALYSIS
Section 1. Short titles
Short titles for the bill include: ``Internet of Things
Cybersecurity Improvement Act of 2019'' and ``IoT Cybersecurity
Improvement Act of 2019.''
Section 2. Definitions
Section 2 provides certain definitions, including for a
``covered device.'' A covered device refers to a physical
object that can maintain regular connection with the Internet
or a network connected to the internet on a recurring basis;
has computer processing capabilities to collect, send, or
receive data; and is not a general-purpose computing device,
personal computing system, smart mobile communications device,
programmable logic controller with an industrial control system
not designed for connection to the internet, mainframe
computing system, or subcomponent of a device.
Section 3. Completion of ongoing efforts relating to considerations for
managing Internet of Things cybersecurity risks
Section 3 requires the Director of NIST to publish a report
by December 31, 2019, regarding management and security
vulnerabilities of IoT devices, including consideration of
secure development, identity management, patching, and
configuration management for covered devices.
Section 4. Security standards for use of covered devices by the Federal
Government
Subsection (a)--Guidelines required
Subsection (a) requires the Director of NIST to submit to
the Director of OMB guidelines on appropriate use and
management of covered devices and minimum information security
requirements for managing security vulnerabilities associated
with connected devices not later than six months after the
report required by section 3 is completed. When developing
these guidelines, the Director shall consider best practices
from the private sector, agencies, and public-private
partnerships and ensure that guidelines are consistent with the
report.
Subsection (b)--Promulgation of Standards
Subsection (b) requires the Director of OMB, in
consultation with the Director of the Cybersecurity and
Infrastructure Security Agency at the Department of Homeland
Security, to promulgate standards based on the guidelines
submitted under subsection (a), except for devices considered
national security systems as defined by section 3552(b)(6) of
title 44, United States Code. These standards must be
consistent with information security requirements under
subchapter II of chapter 35 of title 44, United States Code.
The standards shall be reviewed at least once every five
years and revised as appropriate. The Federal Acquisition
Regulation shall be revised to implement any standard
promulgated under subsection (b).
Section 5. Petition to exclude certain devices
Subsection (a)--Petition the director
Subsection (a) would require the Director of OMB to
establish a process for interested parties to petition that a
covered device not be considered a covered device for the
purpose of standards promulgated under section 4(b).
Subsection (b)--Grants of petition
Subsection (b) requires the Director of OMB to grant
petitions under subsection (a) on a limited basis, in a timely
manner, and only if the interested party demonstrates that the
procurement of such a covered device with limited data
processing and software functionality would be unfeasible, or
the procurement of a covered device that does not meet the
standards promulgated by the Director of OMB is necessary for
national security or for research purposes.
Subsection (c)--Report
Subsection (c) requires the Director of OMB to submit a
report to the appropriate congressional committees detailing the
process established by the Director for granting or denying
waivers under this section annually for five years. The reports
shall include, at a minimum, an assessment of the waiver
evaluation process, a description of the methods used in the
waiver evaluation process, and a classified listing in the
appendix with the types and number of devices for each agency
granted a waiver and the reasons for such waiver.
Section 6. Coordinated Disclosure of Security Vulnerabilities Relating
to Covered Devices
Subsection (a)--In general
Subsection (a) requires the Director of NIST, in
consultation with the Director of the Cybersecurity and
Infrastructure Security Agency of the Department of Homeland
Security, to develop and submit to the Director of OMB
guidelines for reporting, coordinating, publishing, and
receiving information about a security vulnerability in a
covered device owned or controlled by an agency and the
resolution of the vulnerability within 180 days of enactment.
The subsection also requires such guidelines for contractors
and subcontractors providing a covered device to the Federal
Government on receiving information about a potential security
vulnerability relating to the covered device and disseminating
information about the resolution of a security vulnerability
and on the type of information about security vulnerabilities
that should be reported to the Federal Government, including
examples.
Subsection (b)--Development of guidelines
Subsection (b) requires the Director of NIST to consult
with cybersecurity researchers and private sector industry
experts as appropriate, align the guidelines as closely as
possible with Standards 29147 and 30111 of the International
Standards Organization, and ensure consistency of guidelines
with policies and procedures under section 2209(m) of the
Homeland Security Act of 2002 (6 U.S.C. 659(m)).
Subsection (c)--Promulgation of standards
Subsection (c) requires the Director of OMB, in
consultation with the Administrator of General Services and the
Secretary of Homeland Security, to promulgate standards based
on the guidelines required by subsection (a). The standards
shall extend to contracts for covered devices from contractors
or subcontractors at any tier and be consistent with section
101 of the Strengthening and Enhancing Cyber-Capabilities by
Utilizing Risk Exposure Technology Act.
Section 7. Contractor compliance with standards and regulations
Subsection (a)--In general
Subsection (a) requires agency Chief Information Officers
(CIOs) to determine that offerors of covered devices are in
compliance with each standard promulgated under section 6(c)
with respect to covered devices before awarding a contract.
This requirement would apply to contracts below the simplified
acquisition threshold. Agency heads would be prohibited from
purchasing covered devices if the CIO has not issued a positive
determination.
Subsection (b)--Waiver
Subsection (b) would allow the head of an agency to waive
the prohibition under subsection (a) if the procurement of the
covered device is necessary for national security or research
purposes.
Subsection (c)--Effective date
The prohibition against non-compliant devices shall take
effect one year after the Act is enacted.
Section 8. Institute report on cybersecurity considerations stemming
from the convergence of information technology, Internet of
Things, and operational technology devices, networks, and
systems
Section 8 requires the Director of NIST to publish a report
on the increasing convergence, including considerations for
managing potential security vulnerabilities associated with
such convergence, of traditional information technology
devices, networks, and systems with covered devices, networks,
and systems, and operational technology devices, networks, and
systems within one year of enactment of the Act.
LEGISLATIVE HISTORY
On March 11, 2019, Representative Robin Kelly (D-IL)
introduced H.R. 1668, the Internet of Things Cybersecurity
Improvement Act of 2019. The bill was referred to the Committee
as well as the Committee on Science, Space, and Technology.
On June 12, 2019, the Committee considered H.R. 1668 at a
business meeting with a quorum present. The Committee ordered
the bill reported favorably, as amended, by voice vote.
COMMITTEE CONSIDERATION
On June 12, 2019, the Committee considered H.R. 1668 at a
business meeting with a quorum present. Representative Robin
Kelly (D-IL) offered an Amendment in the Nature of a Substitute
(ANS), which passed by voice vote.\11\
---------------------------------------------------------------------------
\11\House Committee on Oversight and Reform, Business Meeting,
Voice Vote on Adoption of a Substitute Amendment (June 12, 2019).
---------------------------------------------------------------------------
EXPLANATION OF AMENDMENTS
During Committee consideration of the bill, Representative
Robin Kelly (D-IL) offered an ANS. The Committee adopted the
ANS by voice vote. The substance of the amendment is reflected
in the Section-by-Section analysis above.
LIST OF RELATED COMMITTEE HEARINGS
In accordance with section 103(i) of H. Res. 6, the
Committee held a markup on June 12, 2019, to consider the
proposals set forth in the Internet of Things Cybersecurity Act
of 2019 and to examine the proposals in H.R. 1668 that were in
the Committee's jurisdiction. Committee consideration extended
from a hearing on the Cybersecurity of the Internet of Things
before the Subcommittee on Information and Technology on
October 3, 2017.
STATEMENT OF OVERSIGHT FINDINGS AND RECOMMENDATIONS OF THE COMMITTEE
In compliance with clause 3(c)(1) of rule XIII and clause
(2)(b)(1) of rule X of the Rules of the House of
Representatives, the Committee finds that the security
vulnerabilities of Internet of Things devices pose a
significant threat to federal information security, such that
the Committee recommends the adoption of this bill (H.R. 1668)
to require vendor compliance with security standards prior to
Federal Government procurement of an Internet of Things device.
STATEMENT OF GENERAL PERFORMANCE GOALS AND OBJECTIVES
In accordance with clause 3(c)(4) of rule XIII of the Rules
of the House of Representatives, the Committee's performance
goal or objective of this bill is to leverage Federal
Government procurement power to encourage increased
cybersecurity for Internet of Things devices, and for other
purposes.
APPLICATION OF LAW TO THE LEGISLATIVE BRANCH
Section 102(b)(3) of Public Law 104-1 requires a
description of the application of this bill to the legislative
branch when the bill relates to the terms and conditions of
employment or access to public services and accommodations.
This bill is to leverage Federal Government procurement power
to encourage increased cybersecurity for Internet of Things
devices, and for other purposes. As such, this bill does not
relate to employment or access to public services and
accommodations in the legislative branch.
DUPLICATION OF FEDERAL PROGRAMS
In accordance with clause 3(c)(5) of rule XIII, no
provision of this bill establishes or reauthorizes a program of
the Federal Government known to be duplicative of another
Federal program, a program that was included in any report from
the Government Accountability Office to Congress pursuant to
section 21 of Public Law 111-139, or a program related to a
program identified in the most recent Catalog of Federal
Domestic Assistance.
DISCLOSURE OF DIRECTED RULE MAKINGS
Within the meaning of section 551 of Title 5, United States
Code, this bill requires the Federal Acquisition Regulation to
be amended to implement the security standards and coordinated
disclosure of vulnerabilities standards required by the bill.
FEDERAL ADVISORY COMMITTEE ACT STATEMENT
The legislation does not establish or authorize the
establishment of an advisory committee within the definition of
section 5(b) of the appendix to Title 5, United States Code.
UNFUNDED MANDATE REFORM ACT STATEMENT
Pursuant to section 423 of the Congressional Budget Act of
1974, the Committee has included a letter received from the
Congressional Budget Office below.
EARMARK IDENTIFICATION
This bill does not include any congressional earmarks,
limited tax benefits, or limited tariff benefits as defined in
clause 9 of rule XXI of the House of Representatives.
COMMITTEE COST ESTIMATE
Pursuant to clause 3(d)(2)(B) of rule XIII of the Rules of
the House of Representatives, the Committee includes below a
cost estimate of the bill prepared by the Director of the
Congressional Budget Office under section 402 of the
Congressional Budget Act of 1974.
NEW BUDGET AUTHORITY AND CONGRESSIONAL BUDGET OFFICE COST ESTIMATE
Pursuant to clause 3(c)(3) of rule XIII of the House of
Representatives, the cost estimate prepared by the
Congressional Budget Office and submitted pursuant to section
402 of the Congressional Budget Act of 1974 is as follows:
U.S. Congress,
Congressional Budget Office,
Washington, DC, September 13, 2019.
Hon. Elijah E. Cummings,
Chairman, Committee on Oversight and Reform,
House of Representatives, Washington, DC.
Dear Mr. Chairman: The Congressional Budget Office has
prepared the enclosed cost estimate for H.R. 1668, the Internet
of Things Cybersecurity Improvement Act of 2019.
If you wish further details on this estimate, we will be
pleased to provide them. The CBO staff contact is David Hughes.
Sincerely,
Phillip L. Swagel,
Director.
Enclosure.
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
Under H.R. 1668, the National Institute of Standards and
Technology (NIST) would develop guidelines on the appropriate
and secure use of Internet of Things (IoT) devices by federal
agencies and develop minimum information security requirements
for agencies to manage security vulnerabilities for those
devices.\1\ In addition, the Office of Management and Budget
(OMB) would promulgate standards for federal IoT devices that
are consistent with NIST's standards and guidelines. OMB would
review and revise those standards at least once every five
years and develop waivers to exclude certain IoT devices from
the new standards. OMB would report to the Congress annually
from 2020 through 2025 on the effectiveness of the standards
and on the types and number of excluded devices.
---------------------------------------------------------------------------
\1\The IoT consists of devices connected to one another and to a
network for exchanging data without human interaction. See Suzy E.
Park, Internet of Things (IoT): An Introduction, In Focus Report 11239
(Congressional Research Service, June 4, 2019), https://go.usa.gov/
xVcdR.
---------------------------------------------------------------------------
Under H.R. 1668, NIST also would publish standards for
federal agencies, contractors, and vendors to systematically
report and resolve security vulnerabilities for IoT devices.
Each agency's chief information officer would be required to
ensure compliance. OMB would establish federal standards for
that coordinated reporting process that are consistent with
NIST's standards and guidelines.
Using information from NIST, CBO estimates that
implementing the bill would cost $35 million over the 2019-2024
period, assuming appropriation of the necessary amounts.
The costs of the legislation (detailed in Table 1) fall
within budget function 370 (commerce and housing credit).
TABLE 1.--ESTIMATED INCREASES IN SPENDING SUBJECT TO APPROPRIATION UNDER H.R. 1668
----------------------------------------------------------------------------------------------------------------
By fiscal year, millions of dollars--
----------------------------------------------------
2019 2020 2021 2022 2023 2024 2019-2024
----------------------------------------------------------------------------------------------------------------
Estimated Authorization.................................... 0 11 6 6 6 6 35
Estimated Outlays.......................................... 0 11 6 6 6 6 35
----------------------------------------------------------------------------------------------------------------
In 2020, CBO estimates that NIST and OMB would spend a
total of $11 million to develop the IoT guidelines and
standards. Of that amount CBO estimates that NIST would spend a
little more than $3 million to hire 11 employees and that OMB
would spend about $350,000 to hire 2 employees. Those newly
hired NIST staff would develop the new federal guidelines and
provide technical assistance to federal agencies. In addition,
CBO estimates that NIST would spend a little more than $3
million to hire contractors and convene workshops to assist
with guideline development. Finally, CBO estimates that NIST
would spend around $4 million to update its National
Vulnerability Database (NVD) to account for the vulnerability
of IoT data.
After 2020, CBO estimates that NIST and OMB would spend
approximately $6 million annually to update the IoT guidelines
and standards, report to Congress, and further update the NVD.
On September 13, 2019, CBO transmitted a cost estimate for
S. 734, the Internet of Things Cybersecurity Improvement Act of
2019, as ordered reported by the Senate Committee on Homeland
Security and Governmental Affairs on June 19, 2019. H.R. 1668
and S. 734 are similar and CBO's cost estimates are the same
for both pieces of legislation.
The CBO staff contact for this estimate is David Hughes.
The estimate was reviewed by H. Samuel Papenfuss, Deputy
Assistant Director for Budget Analysis.
ADDITIONAL VIEWS
Internet of Things (IoT) refers to the concept of
connecting commercial products, appliances, or sensors to
either the open internet or an organization's closed network
information system. Generally, IoT devices have lower computing
power and lack mature security architecture found in widely
used general purpose computing devices and network
infrastructure, such as personal laptops, tablets, and routers.
IoT adoption rapidly expands the size and complexity of
networks. Network complexity leads to new cybersecurity
complexities and associated vulnerabilities, which bad actors
can exploit. Security limitations should be fully understood
and accounted for before any IoT device is connected to an
agency's network. IoT devices could pose real risks to federal
systems if information security procedures are not effectively
implemented and monitored.
However, H.R. 1668 does not adequately account for the
federal government's existing security framework. As such, it
is potentially redundant and may add unnecessary complexity or
burdens to our federal security workforce. Principally, the
Federal Information Security Modernization Act (FISMA) (44
U.S.C. Sec. 3551) established a government-wide cybersecurity
management framework.\1\ Under the law, the Office of
Management and Budget oversees agency information security
policies and the Department of Homeland Security administers
associated requirements,\2\ which incorporate baseline
information security standards maintained by the National
Institute of Standards and Technology.\3\ Agencies are required
to implement these security protocols, and other additional
protections as necessary, in the context of their own
organizational risk management and operational needs.
---------------------------------------------------------------------------
\1\Federal Information Security Modernization Act of 2014, Pub. L.
No. 113-283, 128 Stat. 3073-3088 (2014).
\2\44 U.S.C. Sec. 3553.
\3\Id. See also, 40 U.S.C. Sec. 11331.
---------------------------------------------------------------------------
Additionally, this bill seeks to ``leverage Federal
Government procurement power to encourage increased
cybersecurity for Internet of Things devices'' beyond federal
government specific applications.\4\ This is not an appropriate
use of the government's established contracting procedures,
which are designed to ensure the integrity of the federal
acquisition process.
---------------------------------------------------------------------------
\4\See H.R. 1668, 116th Cong. (2019) (preamble).
---------------------------------------------------------------------------
Finally, the private sector is incentivized to meet the
needs of consumers and will respond as consumer demands arise.
Private industry groups are actively working to address IoT
security concerns through consensus-based standards.\5\
Responding to existing market incentives, companies offering
IoT products are coordinating to develop best practices and
ensure the networked interoperability of consumer products. At
a minimum, H.R. 1668 could duplicate these private sector
efforts.
---------------------------------------------------------------------------
\5\Gary Shapiro and Jonathan Spalter, The C2 Consensus on IoT
Device Security Baseline Capabilities, Council to Secure the Digital
Economy: The Convene the Conveners Project (Sept. 17, 2019), https://
www.tiaonline.org/wp-content/uploads/2019/09/CSDE_IoT-C2-Consensus-
Report_FINAL.pdf. See also, Chris Doman, et al., Securing Edge Devices,
Cyber Threat Alliance (April 2019), https://
www.cyberthreatalliance.org/wp-content/uploads/2019/04/CTA-Network-
Edge-Joint-Analysis_Final.pdf.
---------------------------------------------------------------------------
Jim Jordan.