|A long awaited bill to revamp how the U.S. government secures its IOT is on its way to the White House.|
Last night, the Senate agreed to a House passed bill that would remake how the United States (U.S.) government buys Internet of Things (IOT) items, with the idea that requiring security standards in government IOT will drive greater security across the U.S. IOT market. Of course, such legislation, if implemented as intended, would also have the salutary effect of strengthening government networks. Incidentally, there is language in the bill that would seem to give the White House additional muscle to drive better information security across the civilian government.
The effort to pass this bill started in the last Congress and continued into this Congress. The bill will require the Office of Management and Budget (OMB) to set standards and practices that private sector contractors will need to meet in selling IOT to federal agencies. The OMB’s work is to be based on a series of IOT guidance documents the National Institute of Standards and Technology (NIST) has issued.
In September, the United States House of Representatives took up and passed a revised version of “Internet of Things Cybersecurity Improvement Act of 2020” (H.R. 1668) by voice vote. As noted, the United States Senate passed the same bill by unanimous consent yesterday, sending the legislation to the White House. While OMB did not issue a Statement of Administration Policy on H.R. 1668 or any of its previous iterations, Senate Republicans, particularly Majority Leader Mitch McConnell (R-KY), have not shown a willingness to even consider any bill the White House has not greenlit. Therefore, it may be reasonable to assume the President will sign this bill into law.
H.R. 1668 requires NIST to publish “standards and guidelines for the Federal Government on the appropriate use and management by agencies of Internet of Things devices owned or controlled by an agency and connected to information systems owned or controlled by an agency, including minimum information security requirements for managing cybersecurity risks associated with such devices.” These standards and guidelines are to be consistent with existing NIST standards and guidance on IOT, and the agency has issued a series of such documents described in some detail later in this article.
Six months after NIST issues such standards and guidelines, OMB must judge current agency standards and practices with IOT against NIST’s (excepting “national security systems, meaning almost all the Department of Defense and Intelligence Community). OMB is required to then issue policies and principles necessary to rectify shortcomings in agency IOT security after consulting with the United States’ (U.S.) Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA). At least once every five years after the initial policies and procedures are issued, OMB must revisit, assess, and adjust them as needed. Moreover, U.S. acquisition regulations must be amended to implement these standards and guidelines, meaning these would be binding in the purchase and use of IOT by civilian agencies.
NIST must also create and operate a system under which vulnerabilities and fixes in agency owned or operated IOT can be reported. OMB would oversee the establishment of this process, and DHS would administer the guidelines, possibly through its powers to issue Binding Operational Directives to federal civilian agencies.
Now, we come to a curious section of H.R.1668 that may well have implications for government bought or used technology beyond just IOT. Within two years of becoming law, OMB, in consultation with DHS, must “develop and oversee the implementation of policies, principles, standards, or guidelines as may be necessary to address security vulnerabilities of information systems (including Internet of Things devices) (emphasis added.) This is a seemingly open-ended grant of authority for OMB to put in place binding policies and procedures for all information systems, a very broad term that encompasses information technology and other resources, across federal agencies. OMB already possesses power and means to do much of this, begging the question why such authority was needed. The bill is not clear on this point, and OMB may well use this additional authority in areas not strictly pertaining to IOT.
And now the hammer to drive better IOT security. Civilian agencies will not be able to buy or use IOT until its Chief Information Officer (CIO) has certified such IOT meets the aforementioned standards developed along the dual tracks the bill requires. There are, of course, loopholes to this requirement since industry and agency stakeholders likely insisted on them. First, any purchase below the simplified acquisition threshold (which is currently $250,000) would be exempt from this requirement, and the agency could waive the need for the CIO to agree if
- the waiver is necessary in the interest of national security;
- procuring, obtaining, or using such device is necessary for research purposes; or
- such device is secured using alternative and effective methods appropriate to the function of such device.
And so, these three grounds for waivers may be the exceptions that eat the rule. Time will tell.
In June, the Senate and House committees of jurisdictions marked up their versions of the “Internet of Things (IOT) Cybersecurity Improvement Act of 2020” (H.R. 1668/S. 734). The bill text as released in March 2019 for both bills was identical signaling agreement between the two chambers’ sponsors, but the process of marking up the bills resulted in different versions, requiring negotiation on a final bill. The House Oversight and Reform Committee marked up and reported out H.R. 1668 after adopting an amendment in the nature of a substitute that narrowed the scope of the bill and is more directive than the bill initially introduced in March. The Senate Homeland Security Committee marked up S. 734 a week later, making their own changes from the March bill. The March version of the legislation unified two similar bills from the 115th Congress of the same title: the “Internet of Things (IOT) Cybersecurity Improvement Act of 2017” (S. 1691) and the “Internet of Things (IOT) Federal Cybersecurity Improvement Act of 2018” (H.R. 7283).
Per the Committee Report for S. 734, the purpose of bill
is to proactively mitigate the risks posed by inadequately-secured Internet of Things (IOT) devices through the establishment of minimum security standards for IOT devices purchased by the Federal Government. The bill codifies the ongoing work of the NIST to develop standards and guidelines, including minimum-security requirements, for the use of IOT devices by Federal agencies. The bill also directs OMB, in consultation with DHS, to issue the necessary policies and principles to implement the NIST standards and guidelines on IOT security and management. Additionally, the bill requires NIST, in consultation with cybersecurity researchers and industry experts, to publish guidelines for the reporting, coordinating, publishing, and receiving of information about Federal agencies’ security vulnerabilities and the coordinate resolutions of the reported vulnerabilities. OMB will provide the policies and principles and DHS will develop and issue the procedures necessary to implement NIST’s guidelines on coordinated vulnerability disclosure for Federal agencies. The bill includes a provision allowing Federal agency heads to waive the IOT use and management requirements issued by OMB for national security, functionality, alternative means, or economic reasons.
According to a staff memorandum, H.R. 1668
would require the NIST to develop guidelines for managing cybersecurity risks of IOT devices by June 30, 2020. The bill would require OMB to issue standards for implementing those guidelines by December 31, 2020. The bill also would require similar guidelines from NIST and standards from OMB on reporting, coordinating, and publishing security vulnerabilities of IOT devices.
As noted earlier, NIST has worked on and published a suite of guidance documents on IOT. In June, NIST published final guidance as part of its follow up to A Report to the President on Enhancing the Resilience of the Internet and Communications Ecosystem Against Botnets and Other Automated, Distributed Threats and NIST’s Botnet Roadmap. Neither document is binding on federal agencies or private sector entities, but given the respect the agency enjoys, these will likely become referenced extensively by other standards.
NIST explained in a blog post:
- NISTIR 8259A – IOT Device Cybersecurity Capability Core Baseline, the NIST Cybersecurity for IOT Program identifies a core baseline of IOT device cybersecurity capabilities for manufacturers — i.e. device capabilities generally needed to support common cybersecurity controls.
- NISTIR 8259 – Foundational Cybersecurity Activities for IOT Device Manufacturers, provides specific recommended activities to help manufacturers address customer needs for IOT cybersecurity in their product development processes.
In NISTIR 8259A, NIST explained the purpose of the publication as defining an “IOT device cybersecurity capability core baseline, which is a set of device capabilities generally needed to support common cybersecurity controls that protect an organization’s devices as well as device data, systems, and ecosystems.” NIST stated “[t]he purpose of this publication is to provide organizations a starting point to use in identifying the device cybersecurity capabilities for new IOT devices they will manufacture, integrate, or acquire…[and] can be used in conjunction with NISTIR 8259, Foundational Cybersecurity Activities for IOT Device Manufacturers.”
NIST further explained how the core baseline was developed:
- The IOT device cybersecurity capability core baseline (core baseline) defined in this publication is a set of device capabilities generally needed to support commonly used cybersecurity controls that protect devices as well as device data, systems, and ecosystems.
- The core baseline has been derived from researching common cybersecurity risk management approaches and commonly used capabilities for addressing cybersecurity risks to IOT devices, which were refined and validated using a collaborative public-private process to incorporate all viewpoints.
- Regardless of an organization’s role, this baseline is intended to give all organizations a starting point for IOT device cybersecurity risk management, but the implementation of all capabilities is not considered mandatory. The individual capabilities in the baseline may be implemented in full, in part, or not at all. It is left to the implementing organization to understand the unique risk context in which it operates and what is appropriate for its given circumstance.
NIST 8259 is designed “give manufacturers recommendations for improving how securable the IOT devices they make are…[and] [t]his means the IOT devices offer device cybersecurity capabilities—cybersecurity features or functions the devices provide through their own technical means (i.e., device hardware and software)—that customers, both organizations and individuals, need to secure the devices when used within their systems and environments.”
NIST stated “[t]his publication describes six recommended foundational cybersecurity activities that manufacturers should consider performing to improve the securability of the new IOT devices they make…[and] [f]our of the six activities primarily impact decisions and actions performed by the manufacturer before a device is sent out for sale (pre-market), and the remaining two activities primarily impact decisions and actions performed by the manufacturer after device sale (post-market).” NIST claimed “[p]erforming all six activities can help manufacturers provide IOT devices that better support the cybersecurity-related efforts needed by IOT device customers, which in turn can reduce the prevalence and severity of IOT device compromises and the attacks performed using compromised IOT devices.” NIST asserted “[t]hese activities are intended to fit within a manufacturer’s existing development process and may already be achieved in whole or part by that existing process.”
In June 2019, NIST issued “Considerations for Managing Internet of Things (IOT) Cybersecurity and Privacy Risks” (NISTIR 8228) which is designed “to help organizations better understand and manage the cybersecurity and privacy risks associated with individual IOT devices throughout the devices’ lifecycles.” The agency claims the publication “provides insights to inform organizations’ risk management processes and “[a]fter reading this publication, an organization should be able to improve the quality of its risk assessments for IOT devices and its response to the identified risk through the lens of cybersecurity and privacy.” It bears note that from the onset of tackling IOT standards that NIST paired cybersecurity and privacy unlike its Cybersecurity Framework which addresses privacy as an important but ancillary concern to cybersecurity.
NIST explained that NIST Interagency or Internal Report 8228: Considerations for Managing Internet of Things (IOT) Cybersecurity and Privacy Risks is aimed at “personnel at federal agencies with responsibilities related to managing cybersecurity and privacy risks for IOT devices, although personnel at other organizations may also find value in the content.” NIST stated that “[t]his publication emphasizes what makes managing these risks different for IOT devices in general, including consumer, enterprise, and industrial IOT devices, than conventional information technology (IT) devices…[and] omits all aspects of risk management that are largely the same for IOT and conventional IT, including all aspects of risk management beyond the IOT devices themselves, because these are already addressed by many other risk management publications.”
NIST explained that “[t]his publication identifies three high-level considerations that may affect the management of cybersecurity and privacy risks for IOT devices as compared to conventional IT devices:
1. Many IOT devices interact with the physical world in ways conventional IT devices usually do not. The potential impact of some IOT devices making changes to physical systems and thus affecting the physical world needs to be explicitly recognized and addressed from cybersecurity and privacy perspectives. Also, operational requirements for performance, reliability, resilience, and safety may be at odds with common cybersecurity and privacy practices for conventional IT devices.
2. Many IOT devices cannot be accessed, managed, or monitored in the same ways conventional IT devices can. This can necessitate doing tasks manually for large numbers of IOT devices, expanding staff knowledge and tools to include a much wider variety of IOT device software, and addressing risks with manufacturers and other third parties having remote access or control over IOT devices.
3. The availability, efficiency, and effectiveness of cybersecurity and privacy capabilities are often different for IOT devices than conventional IT devices. This means organizations may have to select, implement, and manage additional controls, as well as determine how to respond to risk when sufficient controls for mitigating risk are not available.
NIST laid out “[c]ybersecurity and privacy risks for IOT devices can be thought of in terms of three high-level risk mitigation goals:
1. Protect device security. In other words, prevent a device from being used to conduct attacks, including participating in distributed denial of service (DDoS) attacks against other organizations, and eavesdropping on network traffic or compromising other devices on the same network segment. This goal applies to all IOT devices.
2. Protect data security. Protect the confidentiality, integrity, and/or availability of data (including personally identifiable information [PII]) collected by, stored on, processed by, or transmitted to or from the IOT device. This goal applies to each IOT device except those without any data that needs protection.
3. Protect individuals’ privacy. Protect individuals’ privacy impacted by PII processing beyond risks managed through device and data security protection. This goal applies to all IOT devices that process PII or that directly or indirectly impact individuals.
© Michael Kans, Michael Kans Blog and michaelkans.blog, 2019-2020. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and michaelkans.blog with appropriate and specific direction to the original content.