On August 1, 2017, a bipartisan group of Senators introduced legislation (fact sheet) that would establish minimum cybersecurity standards for Internet of Things (“IoT”) devices sold to the U.S. Government. As Internet-connected devices become increasingly ubiquitous and susceptible to evolving and complex cyber threats, the proposed bill attempts to safeguard the security of executive agencies’ IoT devices by directing executive agencies to include specified clauses in contracts for the acquisition of Internet-connected devices.
The bill’s provisions leverage federal purchasing power to improve the security of IoT devices by requiring, among other things, IoT device, software, and firmware providers to certify compliance with specified security controls and requirements relating to vulnerability patching and notification, unless such contractors otherwise satisfy one of three waiver requirements.
The bill also directs the Department of Homeland Security (“DHS”) to issue vulnerability disclosure guidance for government contractors; to amend federal statutes, specifically the Computer Fraud and Abuse Act (“CFAA”) and Digital Millennium Copyright Act (“DMCA”), to exempt certain “good faith” activities by cybersecurity researchers; and require all executive branch agencies to maintain an inventory of IoT devices active on their networks.
In addition, the statute would require the Director of the Office of Management and Budget (“OMB”) to issue guidelines to federal agencies consistent with the bill within 180 days of enactment.
The bill is summarized below.
Obligations for Contractors
If passed, the bill will require the OMB Director, in consultation with other executive departments and agencies, to issue guidelines requiring each agency to include the below key clauses in future “contract[s] . . . for the acquisition of Internet-connected devices.”
– Written certification from the contractor that its devices:
- Do not contain components with any known security vulnerabilities or defects listed in the National Institute of Standards and Technology’s (“NIST”) National Vulnerability Database or a similar database identified by the OMB Director;
- Include components that are capable of receiving “properly authenticated and trusted” patches from vendors;
- Utilize industry-standard technology and components for communication, encryption, and interconnection with peripherals; and
- Do not include “fixed or hard-coded passwords” to receive updates or enable remote access.
– A requirement to notify the purchasing agency of any “known security vulnerabilities or defects subsequently disclosed to the vendor by a security researcher” or when a vendor becomes aware of such a vulnerability during the life of a federal contract.
– Update, replace, or remove, in a timely manner, vulnerabilities in software and firmware components in a properly authenticated and secure manner. This includes a requirement to provide information to the purchasing agency regarding the manner for such updates, as well as a timeline and formal notice when ending security support.
One potential issue contractors should consider is how broadly the proposed bill defines an “Internet-connected device,” specifically, as a “physical object that is capable of connecting to and is in regular connection with the Internet; and has computer processing capabilities that can collect, send, or receive data.” As a result of this expansive definition, contractors ought to consider the bill’s (and its implementing regulations’) impact on, among other things, end items and components that are connected to an Internet-connected device.
Waiver of Contract Clause Requirements
The measure also includes several exceptions. Contractors may submit an application for a waiver from certain prescribed contract clause requirements if they disclose known vulnerabilities in IoT devices marketed to the government. Executive agencies may also seek a waiver if procurement of IoT devices in compliance with required contract certification clauses would be “unfeasible or economically impractical.”
The proposed statute also permits executive agencies to procure IoT devices compliant with other existing security standards. Specifically, executive agencies would be permitted to purchase devices that comply with existing security standards set by a third-party or the purchasing agency if the standard provides an equivalent or greater level of security than those prescribed by the bill’s required contract clauses. For these purposes, NIST would develop third-party accreditation standards and ensure that an agency’s existing standards provide appropriate security protections.
Disclosure of Security Vulnerabilities and Defects
The legislation would require DHS’s National Protection and Programs Directorate to issue guidelines regarding “cybersecurity coordinated disclosure requirements” that contractors will be required to comply with if they sell IoT devices to the government. The guidelines will outline:
– Policies and procedures for research relating to the security of an IoT device based on Standard 29147 of the International Organization for Standardization or any comparable standard; and
– Requirements for researching and testing the security of an IoT device, including a provision that the same class, model, and type of device be used for research and testing purposes.
Amendments to Federal Statutes
The legislation would amend the CFAA and DMCA to exempt cybersecurity researchers and experts from liability who (1) “in good faith” engaged in researching the security of an IoT device of the same “class, model, or type” procured by a federal agency, and (2) complied with future DHS-issued guidelines for vulnerability disclosure that the contractor adopted.
IoT Device Inventory
The bill will require each executive agency to establish an inventory of Internet-connected devices within 180 days following the passage of the legislation. In support of this effort, the OMB Director, in consultation with the DHS Secretary, will issue guidelines 30 days after enactment detailing the organization and management of agency IoT device databases. The legislation would also require the OMB Director to create publicly accessible databases listing manufacturers and IoT devices that are afforded liability protections and manufacturers that have formally notified the government that support services for a particular device have been terminated. In addition to maintaining the databases, the OMB Director must also ensure the databases are updated at least once every 30 days.
Finally, the bill directs NIST to ensure that it establishes and uses best practices in identifying and tracking vulnerabilities for purposes of maintaining the NIST National Vulnerability Database.
Contractors should keep an eye on this this proposed bill because, if it becomes law, it will impose new, potentially onerous obligations on contractors.