The IoT Cybersecurity Improvement Act, a bill that aims to improve the security of Internet of Things (IoT) devices, passed the Senate on Tuesday and is heading to the White House for the president’s signature.
The bill was first introduced in 2017 and it was reintroduced in 2019, passing the U.S. House of Representatives in September 2020.
Backers of the legislation include Reps. Will Hurd (R-Tex.) and Robin Kelly (D-Ill.), and Sens. Mark Warner (D-Va.) and Cory Gardner (R-Colo). The bill is also backed by several major cybersecurity and tech companies, including BSA, Mozilla, Rapid7, Cloudflare, CTIA and Tenable.
“While more and more products and even household appliances today have software functionality and internet connectivity, too few incorporate even basic safeguards and protections, posing a real risk to individual and national security,” Sen. Warner said in a statement emailed to SecurityWeek. “I’m proud that Congress was able to come together today to pass this legislation, which will harness the purchasing power of the federal government and incentivize companies to finally secure the devices they create and sell. I urge the President to sign this bill into law without delay.”
Sen. Gardner commented, “I applaud the Senate for passing our bipartisan and bicameral legislation to ensure the federal government leads by example and purchases devices that meet basic requirements to prevent hackers from accessing government systems.”
He added, “Most experts expect tens of billions of devices operating on our networks within the next several years as the Internet of Things (IoT) landscape continues to expand. We need to make sure these devices are secure from malicious cyber-attacks as they continue to transform our society and add countless new entry points into our networks, particularly when they are integrated into the federal government’s networks.”
The IoT Cybersecurity Improvement Act requires NIST to issue guidelines and standards for the development, patching, and identity and configuration management of IoT devices. The law also states that government organizations can only acquire IoT devices that meet NIST’s recommendations.
The bill also focuses on making it easier to report and patch vulnerabilities found in IoT devices.
Related: Vulnerability in Thales Product Could Expose Millions of IoT Devices to Attacks
Related: Black Hat Wrap-Up: IoT and Hardware Vulnerabilities Take the Spotlight
Related: IoT Devices at Major Manufacturers Infected With Malware via Supply Chain Attack