IoT Security Facing Government Regulation

New legislation could be on the way to secure the devices we use in our everyday lives. From our smartphones to our garage door openers, the IoT space has revolutionized the way we organize and live out our daily routines. In recent months, the security of these devices has been scrutinized as vulnerabilities have been uncovered and, even worse, exploited.

Republicans Cory Gardner and Steve Daines, along with Democrats Mark Warner and Ron Wyden, are working to introduce a new bill intended to prevent such attacks: the Internet of Things Cybersecurity Improvement Act of 2017. The bill outlines “minimal cybersecurity operational standards for Internet-connected devices purchased by Federal agencies, and for other purposes.” The legislation is intended to hold providers of internet-connected devices accountable for threats to the security of those products. These companies would need to provide patches, fixes, and other means to safeguard against attacks as they are uncovered.

The bill lays out several security focuses, including:

  • IoT companies that offer products purchased by the federal government must ensure their devices are patchable, rely on industry-standard protocols, do not use hard-coded passwords, and do not contain any known security vulnerabilities
  • Alternative network-level security requirements for devices with limited data processing and software functionality, to be developed under the lead of the Office of Management and Budget (OMB)
  • New guidelines on coordinated vulnerability disclosure policies, to be required of contractors providing connected devices to the U.S. Government, led by the Department of Homeland Security’s National Protection and Programs Directorate
  • A mandate for each executive agency to inventory all Internet-connected devices in use by the agency

This concept may be new to those within the growing IoT space, but it is already the status quo in many Federal agencies and heavily regulated industries around the globe. Security standards and procedures exist today to hold companies accountable for the technology they produce, and through an accredited security certification testing process, products are validated against potential threats to systems and infrastructure. This new movement to secure the IoT space has already taken lessons learned from other industries in order to quickly and effectively introduce protocols that protect user data and security. This new bill specifically “requires the contractor providing the Internet-connected device to provide written certification that the devices, does not contain, at the time of submitting the proposal, any hardware, software, or firmware component with any known security vulnerabilities or defects listed in the National Vulnerability Database of NIST.”

NIST also oversees other security certifications, such as FIPS 140-2: products sold into the U.S. federal government are required to complete FIPS 140-2 validation if they use cryptography in security systems that process sensitive but unclassified information.

If you would like more information regarding IoT security, or how existing security certifications such as FIPS 140-2, Common Criteria, or the DoD’s APL can be applied, then contact Corsec today to get started!
