Bill Sponsor
Senate Bill 734
116th Congress(2019-2020)
IoT Cybersecurity Improvement Act of 2019
Introduced
Introduced
Introduced in Senate on Mar 11, 2019
Overview
Text
About Linkage
Multiple bills can contain the same text. This could be an identical bill in the opposite chamber or a smaller bill with a section embedded in a larger bill.
Bill Sponsor regularly scans bill texts to find sections that are contained in other bill texts. When a matching section is found, the bills containing that section can be viewed by clicking "View Bills" within the bill text section.
Bill Sponsor is currently only finding exact word-for-word section matches. In a future release, partial matches will be included.
About Linkage
Multiple bills can contain the same text. This could be an identical bill in the opposite chamber or a smaller bill with a section embedded in a larger bill.
Bill Sponsor regularly scans bill texts to find sections that are contained in other bill texts. When a matching section is found, the bills containing that section can be viewed by clicking "View Bills" within the bill text section.
Bill Sponsor is currently only finding exact word-for-word section matches. In a future release, partial matches will be included.
S. 734 (Reported-in-Senate)

Calendar No. 215

116th CONGRESS
1st Session
S. 734

[Report No. 116–112]


To leverage Federal Government procurement power to encourage increased cybersecurity for Internet of Things devices, and for other purposes.


IN THE SENATE OF THE UNITED STATES

March 11, 2019

Mr. Warner (for himself, Mr. Gardner, Ms. Hassan, Mr. Daines, Ms. Cortez Masto, and Mr. Rounds) introduced the following bill; which was read twice and referred to the Committee on Homeland Security and Governmental Affairs

September 23, 2019

Reported by Mr. Johnson, with an amendment

[Strike out all after the enacting clause and insert the part printed in italic]


A BILL

To leverage Federal Government procurement power to encourage increased cybersecurity for Internet of Things devices, and for other purposes.

Be it enacted by the Senate and House of Representatives of the United States of America in Congress assembled,

SECTION 1. Short title.

This Act may be cited as the “Internet of Things Cybersecurity Improvement Act of 2019” or the “IoT Cybersecurity Improvement Act of 2019”.

SEC. 2. Definitions.

In this Act:

(1) AGENCY.—The term “agency” has the meaning given such term in section 3502 of title 44, United States Code.

(2) COVERED DEVICE.—

(A) IN GENERAL.—The term “covered device” means a physical object that—

(i) is capable of connecting to and is in regular connection with the Internet;

(ii) has computer processing capabilities that can collect, send, or receive data; and

(iii) is not a general-purpose computing device, including personal computing systems, smart mobile communications devices, programmable logic controls, and mainframe computing systems.

(B) MODIFICATION OF DEFINITION.—The Director of the Office of Management and Budget shall establish a process by which—

(i) interested parties may petition for a device that is not described in subparagraph (A) to be considered a device that is not a covered device; and

(ii) the Director acts upon any petition submitted under clause (i) in a timely manner.

(3) SECURITY VULNERABILITY.—The term “security vulnerability” means any attribute of hardware, firmware, software, or combination of 2 or more of these factors that could enable the compromise of the confidentiality, integrity, or availability of an information system or its information or physical devices to which it is connected.

SEC. 3. National Institute of Standards and Technology considerations and recommendations regarding managing Internet of Things cybersecurity risks.

(a) Completion of ongoing efforts relating to considerations for managing internet of things cybersecurity risks.—

(1) IN GENERAL.—The Director of the National Institute of Standards and Technology shall ensure that the efforts of the Institute in effect on the date of the enactment of this Act regarding considerations for managing Internet of Things cybersecurity risks, especially regarding examples of possible cybersecurity capabilities of Internet of Things devices, are completed no later than September 30, 2019.

(2) MATTERS ADDRESSED.—In ensuring efforts are completed under paragraph (1), the Director shall also ensure that such efforts address, at a minimum, the following considerations for covered devices:

(A) Secure Development.

(B) Identity management.

(C) Patching.

(D) Configuration management.

(b) Development of recommended standards for use of internet of things devices by Federal Government.—

(1) IN GENERAL.—Not later than March 31, 2020, the Director of the Institute shall develop recommendations for the Federal Government on the appropriate use and management by the Federal Government of Internet of Things devices owned or controlled by the Federal Government, including minimum information security requirements for managing cybersecurity risks associated with such devices.

(2) CONSISTENCY WITH ONGOING EFFORTS.—The Director of the Institute shall ensure that the recommendations and standards developed under paragraph (1) are consistent with the efforts referred to in subsection (a), especially with respect to the examples of possible cybersecurity capabilities referred to in such subsection.

(c) Institute Report on cybersecurity considerations stemming from the convergence of Information Technology, Internet of Things, and Operational Technology devices, networks and systems.—Not later than 180 days following the enactment of this Act, the Director of the Institute shall publish a draft report related to the increasing convergence of traditional Information Technology devices, networks, and systems with Internet of Things devices, networks and systems and Operational Technology devices, networks and systems, including considerations for managing cybersecurity risks associated with such trends.

SEC. 4. Policies for Federal agencies on use and management of Internet of Things devices.

(a) Revisions to the federal acquisition regulation.—Not later than 180 days after the date on which the Director of the National Institute of Standards and Technology completes the development of the recommendations required under section 3(b), the Director of the Office of Management and Budget shall issue guidelines for each agency that are consistent with such recommendations.

(b) Requirement.—In issuing the guidelines required under subsection (a), the Director of the Office of Management and Budget shall ensure that the guidelines are consistent with the information security requirements in subchapter II of chapter 35 of title 44, United States Code.

(c) Quinquennial reviews and revisions.—Not less frequently than once every 5 years—

(1) the Director of the Office of Management and Budget and the Director of the National Institute of Standards and Technology shall review the policies issued under subsection (a); and

(2) the Director of the Office of Management and Budget shall, in consultation with the Director of the National Institute of Standards and Technology, revise such policies.

SEC. 5. National Institute of Standards and Technology guidance on coordinated disclosure of security vulnerabilities relating to Internet of Things devices.

(a) In general.—Not later than 180 days after the date of the enactment of this Act, the Director of the National Institute of Standards and Technology shall, in consultation with such cybersecurity researchers and private-sector industry experts as the Director considers appropriate, publish guidance on policies and procedures for the reporting, coordinating, publishing, and receiving of information about—

(1) a security vulnerability relating to a covered device used by the Federal Government; and

(2) the resolution of such security vulnerability.

(b) Elements.—The guidance published under subsection (a) shall include the following:

(1) Policies and procedures described in subsection (a) that, to the maximum extent practicable, are aligned with Standards 29147 and 30111 of the International Standards Organization, or any successor standards. Such policies and procedures shall include policies and procedures for a contractor or vendor providing a covered device to the Federal Government on—

(A) receiving information about a potential security vulnerability relating to the covered device; and

(B) disseminating information about the resolution of a security vulnerability relating to the covered device.

(2) Guidance, including example content, on the information items that should be produced through the implementation of the security vulnerability disclosure process of the contractor.

SEC. 6. Guidelines for Federal agencies on coordinated disclosure of security vulnerabilities relating to Internet of Things devices.

(a) Agency guidelines required.—Not later than 180 days after the date on which the guidance required under section 4 is published, the Director of the Office of Management and Budget shall, in consultation with the Administrator of the General Services Administration, issue guidelines for each agency on reporting, coordinating, publishing, and receiving information about—

(1) a security vulnerability relating to a covered device used by the agency; and

(2) the resolution of such security vulnerability.

(b) Contractor and vendor compliance with National Institute of Standards and Technology guidance.—The guidelines required by subsection (a) shall include a limitation that prohibits an agency from acquiring or using any covered device from a contractor or vendor if the contractor or vendor fails to comply with the guidance published under section 5(a).

(c) Consistency with guidance from National Institute of Standards and Technology.—The Director shall ensure that the guidelines issued under subsection (a) are consistent with the guidance published under section 5(a).

SECTION 1. Short title.

This Act may be cited as the “Internet of Things Cybersecurity Improvement Act of 2019” or the “IoT Cybersecurity Improvement Act of 2019”.

SEC. 2. Definitions.

In this Act:

(1) AGENCY.—The term “agency” has the meaning given such term in section 3502 of title 44, United States Code.

(2) DIRECTOR.—The term “Director” means the Director of the National Institute of Standards and Technology.

(3) INFORMATION SYSTEM.—The term “information system” has the meaning given the term in section 3502 of title 44, United States Code.

(4) SECRETARY.—The term “Secretary” means the Secretary of Homeland Security.

(5) SECURITY VULNERABILITY.—The term “security vulnerability” has the meaning given the term in section 102 of the Cybersecurity Information Sharing Act of 2015 (6 U.S.C. 1501).

SEC. 3. National Institute of Standards and Technology considerations and recommendations regarding managing Internet of Things cybersecurity risks.

(a) Development of recommended guidelines for use of internet of things devices by Federal Government.—

(1) IN GENERAL.—Not later than March 31, 2020, the Director shall develop standards and guidelines for the Federal Government on the appropriate use and management by the Federal Government of Internet of Things devices owned or controlled by the Federal Government, including minimum information security requirements for managing cybersecurity risks associated with such devices.

(2) CONSISTENCY WITH ONGOING EFFORTS.—The Director shall ensure that the standards and guidelines developed under paragraph (1) are consistent with the efforts of the National Institute of Standards and Technology in effect on the date of enactment of this Act regarding considerations for managing Internet of Things cybersecurity risks, especially regarding examples of possible cybersecurity capabilities of Internet of Things devices, and in particular with respect to the following considerations for Internet of Things devices:

(A) Secure development.

(B) Identity management.

(C) Patching.

(D) Configuration management.

(b) Institute Report on cybersecurity considerations stemming from the convergence of Information Technology, Internet of Things, and Operational Technology devices, networks, and systems.—Not later than 180 days after the date of enactment of this Act, the Director shall brief the appropriate committees of Congress on the increasing convergence of traditional information technology devices, networks, and systems with Internet of Things devices, networks, and systems and operational technology devices, networks, and systems, including considerations for managing cybersecurity risks and security vulnerabilities associated with such trends.

SEC. 4. Policies and principles for Federal agencies on use and management of Internet of Things devices.

(a) In general.—Not later than 180 days after the date on which the Director completes the development of the standards and guidelines required under section 3(a), the Director of the Office of Management and Budget, in consultation with the Secretary, shall issue policies and principles for each agency that are consistent with such standards and guidelines.

(b) Requirement.—In issuing the policies, principles, standards, or guidelines required under subsection (a), the Director of the Office of Management and Budget, in consultation with the Secretary, shall ensure that the policies and principles are consistent with the information security requirements in subchapter II of chapter 35 of title 44, United States Code.

(c) Reviews and revisions.—The Director of the Office of Management and Budget, in consultation with the Secretary, shall—

(1) review any policies, principles, standards, or guidelines issued under subsection (a); and

(2) revise such policies, principles, standards, and guidelines.

SEC. 5. Guidelines on coordinated disclosure of security vulnerabilities relating to information systems, including Internet of Things devices.

(a) In general.—Not later than 1 year after the date of enactment of this Act, the Director, in consultation with such cybersecurity researchers and private-sector industry experts as the Director considers appropriate, and in consultation with the Secretary, shall publish guidelines for the reporting, coordinating, publishing, and receiving of information about—

(1) a security vulnerability relating to agency information systems, including Internet of Things devices; and

(2) the resolution of such security vulnerability.

(b) Elements.—The guidelines published under subsection (a) shall—

(1) to the maximum extent practicable, be aligned with industry best practices and Standards 29147 and 30111 of the International Standards Organization, or any successor standards; and

(2) incorporate guidelines on—

(A) receiving information about a potential security or personal information vulnerability relating to agency information systems, and when relevant, Internet of Things devices; and

(B) disseminating information about the resolution of a security or personal information vulnerability relating to agency information systems, and when relevant, Internet of Things devices.

(c) Information items.—The guidelines published under subsection (a) shall include guidelines, including example content, on the information items that should be produced through the implementation of the security vulnerability disclosure process of a contractor or vendor providing Internet of Things devices to the Federal Government.

(d) Oversight.—The Director of the Office of Management and Budget shall oversee the implementation of the guidelines published under subsection (a).

(e) Operational and technical assistance.—The Secretary shall provide operational and technical assistance in implementing the guidelines published under subsection (a).

SEC. 6. Implementation of coordinated disclosure of security vulnerabilities relating to agency information systems, including Internet of Things devices.

(a) Agency guidelines required.—Not later than 180 days after the date on which the Director publishes guidelines under section 5(a), the Director of the Office of Management and Budget shall issue policies and principles on security vulnerabilities of information systems, including Internet of Things devices.

(b) Procedures.—The Secretary, in consultation with the Director of the Office of Management and Budget, shall develop and issue procedures for each agency on reporting, coordinating, publishing, and receiving information about security vulnerabilities of information systems, including Internet of Things devices.

(c) Contractor and vendor compliance with policies and procedures.—The procedures required under subsection (b) shall include a limitation that prohibits an agency from acquiring or using any Internet of Things device from a contractor or vendor if the contractor or vendor fails to comply with the guidelines published under section 5(a).

(d) Consistency with guidelines from National Institute of Standards and Technology.—The Secretary shall ensure that the procedures required under subsection (b) are consistent with applicable standards and publications established by the National Institute of Standards and Technology.

SEC. 7. Waiver.

The head of an agency may use an Internet of Things device without regard to any policies, principles, standards, or guidelines issued under this Act if the use of the Internet of Things device is—

(1) necessary for national security or for research purposes;

(2) appropriate to the function of the covered device;

(3) secured using alternative and effective methods; or

(4) of substantially higher quality or affordability than a product that meets such policies, principles, standards, or guidelines.


Calendar No. 215

116th CONGRESS
     1st Session
S. 734
[Report No. 116–112]

A BILL
To leverage Federal Government procurement power to encourage increased cybersecurity for Internet of Things devices, and for other purposes.

September 23, 2019
Reported with an amendment