Internet-connected devices contributing to the Internet of Things (IoT) are projected to exceed 50 billion devices by 2025, according to the Federal Trade Commission’s Bureau of Consumer Protection in its June 2018 comments on the Consumer Product Safety Commission’s notice of public hearing and request for written comments on “The Internet of Things and Consumer Product Hazards.” Such widespread use of and access to these internet-connected devices—which can collect personal data from their users—has spurred legislative movement toward introducing security standards for IoT devices. These initial steps start with the US government’s use of IoT devices through the Senate’s third proposed bill on the subject, S.734. The bill, known as the Internet of Things Cybersecurity Improvement Act of 2019, aims to manage cybersecurity risks regarding secure development, identity management, patching, and configuration management of “covered devices.” Under the proposed bill, a “covered device” is one that can connect to the internet, has data processing capabilities, and “is not a general-purpose computing device.” The covered devices at the focus of this bill refer to devices “owned or controlled by” the federal government.
The proposed bill would also require federal agencies to comply with processes to disclose a “security vulnerability relating to a covered device used by the Federal Government; and the resolution of such security vulnerability.” A “security vulnerability” is defined in the proposed bill as “any attribute of hardware, firmware, software, or combination of 2 or more of these factors that could enable the compromise of the confidentiality, integrity, or availability of an information system or its information or physical devices to which it is connected.” Those who seek to contract with the government must also comply with these disclosure requirements.
Additionally, the bill tasks the National Institute of Standards and Technology with prescribing “minimum information security requirements for managing cybersecurity risks associated with such devices.” Reviews and revisions to the policies issued under this bill would take place at least every five years.
Last year, the Bureau of Consumer Protection acknowledged in its comments that the widespread use of IoT devices brings with it personal data security and privacy concerns as well as consumer product hazards. The proposed bill, while the third of its kind, would be among the first steps toward making IoT-related laws in the United States. While it applies only to government devices, it could lay the foundation for similar public standards in the future.