“Internet of Things” Guidance to be Added to Cybersecurity Requirements for Agencies and Federal Contractors
In 2019, cybersecurity has become top-of-mind for most federal government contractors and agencies that share sensitive information. In addition to updated Department of Defense guidance and procedures for evaluating contractors’ compliance with cybersecurity requirements, as well as an increase in Department of Defense cybersecurity audits, the Federal Acquisition Regulation (FAR) council also has promised a new FAR clause that will require compliance with NIST SP 800-171 security controls for civilian agency contractors that receive or create Controlled Unclassified Information (CUI).
To date, the cybersecurity regulations directed at federal government contractors and their subcontractors focus on implementing safeguards to protect sensitive government data. However, a gap in coverage has emerged where contractors provide the federal government with devices that are part of the “Internet of Things.” These devices connect to the Internet and are capable of collecting, sending, and receiving data – and thus are susceptible to hacking and listening in.
Proposed legislation recently introduced in both the Senate (S.734) and the House (H.R. 1668) calls for new information security standards to manage cybersecurity risks for Internet of Things devices sold to government agencies. This legislation would affect a wide range of devices – an “Internet of Things” device is generally defined as any device connected to the internet that is not a “general purpose computing device.”
As a part of this legislation, the National Institute of Standards and Technology (NIST) is being tasked with completing its review of considerations for managing the cybersecurity risks associated with Internet of Things devices by September 30, 2019. This review should cover, at a minimum: secure development, identity management, patching, and configuration management. NIST also is to propose recommendations for minimum information security requirements for managing cybersecurity risks associated with Internet of Things devices by March 31, 2020.
Additionally, within 180 days of enactment of the legislation, NIST is to publish guidance relating to “policies and procedures for the reporting, coordinating, publishing and receiving of information” on security vulnerabilities relating to devices used by the federal government, and resolution of those security vulnerabilities. This guidance will apply to federal government contractors and vendors. Any contractor or vendor for the federal government should take notice, as agencies will eventually be prohibited from acquiring or using devices from any contractor or vendor that fails to comply with this guidance.
What does this mean for you? While still in the early stages, this legislation likely will impact most, if not all, organizations in the Internet of Things space – either directly, where an organization provides these devices to the federal government, or indirectly, where an organization may use the NIST standards as a baseline for the security of its devices. We will be paying close attention to the developments with this proposed legislation. Stay tuned!