A new bill introduced in Congress is trying to tackle smart device security, and it would give NIST a key role in the work.
Senator Mark Warner introduced the Internet of Things (IoT) Cybersecurity Improvement Act of 2019, and it says the Director of NIST (National Institute of Standards and Technology) should settle on IoT security standards in the following areas by the end of September 2019:
- Secure development standards for IoT devices
- Identity management standards for smart devices
- Patching standards for IoT devices
- Configuration management of connected devices
The cybersecurity act would also task NIST with setting protocols and evaluating cybersecurity risks from IoT use in the U.S. government, including the way these devices are interacting with other parts of the government network.
The Director of the Institute shall publish a report related to the increasing convergence of traditional Information Technology devices, networks, and systems with
This federal IoT security bill is worth watching for a couple of reasons.
First of all, it carves out an exception in the definition of IoT devices—an exception that was missing from a previous version of the bill.
It says an IoT device:
is not a general-purpose computing device, including personal computing systems, smart mobile communications devices, programmable logic controls, and mainframe computing systems.
This exception is expected to help the bill's chances in Congress.
And secondly, if IoT devices must meet certain security standards to be purchased by the U.S. government, that will push more of them to be built with security in mind, and help make organizations more secure as a result.
We've heard repeatedly from leaders at our SecureWorld conferences that the "bolt on security afterward" mentality of many smart device manufacturers is putting all of us at risk.
Read the Internet of Things (IoT) Cybersecurity Improvement Act of 2019 if you'd like, and check out InfoSec's top security and privacy concerns about the IoT and IIoT, which is a thoughtful article by The Privacy Professor Rebecca Herold on what she is hearing on this topic.