Calendar No. 215
116th CONGRESS 1st Session |
[Report No. 116–112]
To leverage Federal Government procurement power to encourage increased cybersecurity for Internet of Things devices, and for other purposes.
March 11, 2019
Mr. Warner (for himself, Mr. Gardner, Ms. Hassan, Mr. Daines, Ms. Cortez Masto, and Mr. Rounds) introduced the following bill; which was read twice and referred to the Committee on Homeland Security and Governmental Affairs
September 23, 2019
Reported by Mr. Johnson, with an amendment
[Strike out all after the enacting clause and insert the part printed in italic]
To leverage Federal Government procurement power to encourage increased cybersecurity for Internet of Things devices, and for other purposes.
Be it enacted by the Senate and House of Representatives of the United States of America in Congress assembled,
This Act may be cited as the “Internet of Things Cybersecurity Improvement Act of 2019” or the “IoT Cybersecurity Improvement Act of 2019”.
In this Act:
(1) AGENCY.—The term “agency” has the meaning given such term in section 3502 of title 44, United States Code.
(A) IN GENERAL.—The term “covered device” means a physical object that—
(i) is capable of connecting to and is in regular connection with the Internet;
(ii) has computer processing capabilities that can collect, send, or receive data; and
(iii) is not a general-purpose computing device, including personal computing systems, smart mobile communications devices, programmable logic controls, and mainframe computing systems.
(B) MODIFICATION OF DEFINITION.—The Director of the Office of Management and Budget shall establish a process by which—
(i) interested parties may petition for a device that is not described in subparagraph (A) to be considered a device that is not a covered device; and
(ii) the Director acts upon any petition submitted under clause (i) in a timely manner.
(3) SECURITY VULNERABILITY.—The term “security vulnerability” means any attribute of hardware, firmware, software, or combination of 2 or more of these factors that could enable the compromise of the confidentiality, integrity, or availability of an information system or its information or physical devices to which it is connected.
SEC. 3. National Institute of Standards and Technology considerations and recommendations regarding managing Internet of Things cybersecurity risks.
(a) Completion of ongoing efforts relating to considerations for managing internet of things cybersecurity risks.—
(1) IN GENERAL.—The Director of the National Institute of Standards and Technology shall ensure that the efforts of the Institute in effect on the date of the enactment of this Act regarding considerations for managing Internet of Things cybersecurity risks, especially regarding examples of possible cybersecurity capabilities of Internet of Things devices, are completed no later than September 30, 2019.
(2) MATTERS ADDRESSED.—In ensuring efforts are completed under paragraph (1), the Director shall also ensure that such efforts address, at a minimum, the following considerations for covered devices:
(A) Secure Development.
(B) Identity management.
(C) Patching.
(D) Configuration management.
(b) Development of recommended standards for use of internet of things devices by Federal Government.—
(1) IN GENERAL.—Not later than March 31, 2020, the Director of the Institute shall develop recommendations for the Federal Government on the appropriate use and management by the Federal Government of Internet of Things devices owned or controlled by the Federal Government, including minimum information security requirements for managing cybersecurity risks associated with such devices.
(2) CONSISTENCY WITH ONGOING EFFORTS.—The Director of the Institute shall ensure that the recommendations and standards developed under paragraph (1) are consistent with the efforts referred to in subsection (a), especially with respect to the examples of possible cybersecurity capabilities referred to in such subsection.
(c) Institute Report on cybersecurity considerations stemming from the convergence of Information Technology, Internet of Things, and Operational Technology devices, networks and systems.—Not later than 180 days following the enactment of this Act, the Director of the Institute shall publish a draft report related to the increasing convergence of traditional Information Technology devices, networks, and systems with Internet of Things devices, networks and systems and Operational Technology devices, networks and systems, including considerations for managing cybersecurity risks associated with such trends.
SEC. 4. Policies for Federal agencies on use and management of Internet of Things devices.
(a) Revisions to the federal acquisition regulation.—Not later than 180 days after the date on which the Director of the National Institute of Standards and Technology completes the development of the recommendations required under section 3(b), the Director of the Office of Management and Budget shall issue guidelines for each agency that are consistent with such recommendations.
(b) Requirement.—In issuing the guidelines required under subsection (a), the Director of the Office of Management and Budget shall ensure that the guidelines are consistent with the information security requirements in subchapter II of chapter 35 of title 44, United States Code.
(c) Quinquennial reviews and revisions.—Not less frequently than once every 5 years—
(1) the Director of the Office of Management and Budget and the Director of the National Institute of Standards and Technology shall review the policies issued under subsection (a); and
(2) the Director of the Office of Management and Budget shall, in consultation with the Director of the National Institute of Standards and Technology, revise such policies.
SEC. 5. National Institute of Standards and Technology guidance on coordinated disclosure of security vulnerabilities relating to Internet of Things devices.
(a) In general.—Not later than 180 days after the date of the enactment of this Act, the Director of the National Institute of Standards and Technology shall, in consultation with such cybersecurity researchers and private-sector industry experts as the Director considers appropriate, publish guidance on policies and procedures for the reporting, coordinating, publishing, and receiving of information about—
(1) a security vulnerability relating to a covered device used by the Federal Government; and
(2) the resolution of such security vulnerability.
(b) Elements.—The guidance published under subsection (a) shall include the following:
(1) Policies and procedures described in subsection (a) that, to the maximum extent practicable, are aligned with Standards 29147 and 30111 of the International Standards Organization, or any successor standards. Such policies and procedures shall include policies and procedures for a contractor or vendor providing a covered device to the Federal Government on—
(A) receiving information about a potential security vulnerability relating to the covered device; and
(B) disseminating information about the resolution of a security vulnerability relating to the covered device.
(2) Guidance, including example content, on the information items that should be produced through the implementation of the security vulnerability disclosure process of the contractor.
SEC. 6. Guidelines for Federal agencies on coordinated disclosure of security vulnerabilities relating to Internet of Things devices.
(a) Agency guidelines required.—Not later than 180 days after the date on which the guidance required under section 4 is published, the Director of the Office of Management and Budget shall, in consultation with the Administrator of the General Services Administration, issue guidelines for each agency on reporting, coordinating, publishing, and receiving information about—
(1) a security vulnerability relating to a covered device used by the agency; and
(2) the resolution of such security vulnerability.
(b) Contractor and vendor compliance with National Institute of Standards and Technology guidance.—The guidelines required by subsection (a) shall include a limitation that prohibits an agency from acquiring or using any covered device from a contractor or vendor if the contractor or vendor fails to comply with the guidance published under section 5(a).
This Act may be cited as the “Internet of Things Cybersecurity Improvement Act of 2019” or the “IoT Cybersecurity Improvement Act of 2019”.
In this Act:
(1) AGENCY.—The term “agency” has the meaning given such term in section 3502 of title 44, United States Code.
(2) DIRECTOR.—The term “Director” means the Director of the National Institute of Standards and Technology.
(3) INFORMATION SYSTEM.—The term “information system” has the meaning given the term in section 3502 of title 44, United States Code.
(5) SECURITY VULNERABILITY.—The term “security vulnerability” has the meaning given the term in section 102 of the Cybersecurity Information Sharing Act of 2015 (6 U.S.C. 1501).
SEC. 3. National Institute of Standards and Technology considerations and recommendations regarding managing Internet of Things cybersecurity risks.
(a) Development of recommended guidelines for use of internet of things devices by Federal Government.—
(1) IN GENERAL.—Not later than March 31, 2020, the Director shall develop standards and guidelines for the Federal Government on the appropriate use and management by the Federal Government of Internet of Things devices owned or controlled by the Federal Government, including minimum information security requirements for managing cybersecurity risks associated with such devices.
(2) CONSISTENCY WITH ONGOING EFFORTS.—The Director shall ensure that the standards and guidelines developed under paragraph (1) are consistent with the efforts of the National Institute of Standards and Technology in effect on the date of enactment of this Act regarding considerations for managing Internet of Things cybersecurity risks, especially regarding examples of possible cybersecurity capabilities of Internet of Things devices, and in particular with respect to the following considerations for Internet of Things devices:
(b) Institute Report on cybersecurity considerations stemming from the convergence of Information Technology, Internet of Things, and Operational Technology devices, networks, and systems.—Not later than 180 days after the date of enactment of this Act, the Director shall brief the appropriate committees of Congress on the increasing convergence of traditional information technology devices, networks, and systems with Internet of Things devices, networks, and systems and operational technology devices, networks, and systems, including considerations for managing cybersecurity risks and security vulnerabilities associated with such trends.
SEC. 4. Policies and principles for Federal agencies on use and management of Internet of Things devices.
(a) In general.—Not later than 180 days after the date on which the Director completes the development of the standards and guidelines required under section 3(a), the Director of the Office of Management and Budget, in consultation with the Secretary, shall issue policies and principles for each agency that are consistent with such standards and guidelines.
(b) Requirement.—In issuing the policies, principles, standards, or guidelines required under subsection (a), the Director of the Office of Management and Budget, in consultation with the Secretary, shall ensure that the policies and principles are consistent with the information security requirements in subchapter II of chapter 35 of title 44, United States Code.
SEC. 5. Guidelines on coordinated disclosure of security vulnerabilities relating to information systems, including Internet of Things devices.
(a) In general.—Not later than 1 year after the date of enactment of this Act, the Director, in consultation with such cybersecurity researchers and private-sector industry experts as the Director considers appropriate, and in consultation with the Secretary, shall publish guidelines for the reporting, coordinating, publishing, and receiving of information about—
(b) Elements.—The guidelines published under subsection (a) shall—
(1) to the maximum extent practicable, be aligned with industry best practices and Standards 29147 and 30111 of the International Standards Organization, or any successor standards; and
(c) Information items.—The guidelines published under subsection (a) shall include guidelines, including example content, on the information items that should be produced through the implementation of the security vulnerability disclosure process of a contractor or vendor providing Internet of Things devices to the Federal Government.
SEC. 6. Implementation of coordinated disclosure of security vulnerabilities relating to agency information systems, including Internet of Things devices.
(a) Agency guidelines required.—Not later than 180 days after the date on which the Director publishes guidelines under section 5(a), the Director of the Office of Management and Budget shall issue policies and principles on security vulnerabilities of information systems, including Internet of Things devices.
(b) Procedures.—The Secretary, in consultation with the Director of the Office of Management and Budget, shall develop and issue procedures for each agency on reporting, coordinating, publishing, and receiving information about security vulnerabilities of information systems, including Internet of Things devices.
(c) Contractor and vendor compliance with policies and procedures.—The procedures required under subsection (b) shall include a limitation that prohibits an agency from acquiring or using any Internet of Things device from a contractor or vendor if the contractor or vendor fails to comply with the guidelines published under section 5(a).
The head of an agency may use an Internet of Things device without regard to any policies, principles, standards, or guidelines issued under this Act if the use of the Internet of Things device is—
Calendar No. 215 | |||||
| |||||
[Report No. 116–112] | |||||
A BILL | |||||
To leverage Federal Government procurement power to encourage increased cybersecurity for Internet
of Things devices, and for other purposes. | |||||
September 23, 2019 | |||||
Reported with an amendment |