August 22, 2017

August 21, 2017

Subscribe to Latest Legal News and Analysis

A Summary of the Recently Introduced “Internet of Things (IoT) Cybersecurity Improvement Act of 2017”

On August 1, 2017, a bipartisan group of Senators introduced legislation (fact sheet) that would establish minimum cybersecurity standards for Internet of Things (“IoT”) devices sold to the U.S. Government.  As Internet-connected devices become increasingly ubiquitous and susceptible to evolving and complex cyber threats, the proposed bill attempts to safeguard the security of executive agencies’ IoT devices by directing executive agencies to include specified clauses in contracts for the acquisition of Internet-connected devices.

The bill’s provisions leverage federal purchasing power to improve the security of IoT devices by requiring, among other things, IoT device, software, and firmware providers to certify compliance with specified security controls and requirements relating to vulnerability patching and notification, unless such contractors otherwise satisfy one of three waiver requirements.

The bill also directs the Department of Homeland Security (“DHS”) to issue vulnerability disclosure guidance for government contractors; to amend federal statutes, specifically the Computer Fraud and Abuse Act (“CFAA”) and Digital Millennium Copyright Act (“DMCA”), to exempt certain “good faith” activities by cybersecurity researchers; and require all executive branch agencies to maintain an inventory of IoT devices active on their networks.

In addition, the statute would require the Director of the Office of Management and Budget (“OMB”) to issue guidelines to federal agencies consistent with the bill within 180 days of enactment.

The bill is summarized below.

Obligations for Contractors

If passed, the bill will require the OMB Director, in consultation with other executive departments and agencies, to issue guidelines requiring each agency to include the below key clauses in future “contract[s] . . . for the acquisition of Internet-connected devices.”

– Written certification from the contractor that its devices:

  • Do not contain components with any known security vulnerabilities or defects listed in the National Institute of Standards and Technology’s (“NIST”) National Vulnerability Database or a similar database identified by the OMB Director;

  • Include components that are capable of receiving “properly authenticated and trusted” patches from vendors;

  • Utilize industry-standard technology and components for communication, encryption, and interconnection with peripherals; and

  • Do not include “fixed or hard-coded passwords” to receive updates or enable remote access.

– A requirement to notify the purchasing agency of any “known security vulnerabilities or defects subsequently disclosed to the vendor by a security researcher” or when a vendor becomes aware of such a vulnerability during the life of a federal contract.

– Update, replace, or remove, in a timely manner, vulnerabilities in software and firmware components in a properly authenticated and secure manner.  This includes a requirement to provide information to the purchasing agency regarding the manner for such updates, as well as a timeline and formal notice when ending security support.

One potential issue contractors should consider is how broadly the proposed bill defines an “Internet-connected device,” specifically, as a “physical object that is capable of connecting to and is in regular connection with the Internet; and has computer processing capabilities that can collect, send, or receive data.”  As a result of this expansive definition, contractors ought to consider the bill’s (and its implementing regulations’) impact on, among other things, end items and components that are connected to an Internet-connected device.

Waiver of Contract Clause Requirements

The measure also includes several exceptions.  Contractors may submit an application for a waiver from certain prescribed contract clause requirements if they disclose known vulnerabilities in IoT devices marketed to the government.  Executive agencies may also seek a waiver if procurement of IoT devices in compliance with required contract certification clauses would be “unfeasible or economically impractical.”

The proposed statute also permits executive agencies to procure IoT devices compliant with other existing security standards.  Specifically, executive agencies would be permitted to purchase devices that comply with existing security standards set by a third-party or the purchasing agency if the standard provides an equivalent or greater level of security than those prescribed by the bill’s required contract clauses.  For these purposes, NIST would develop third-party accreditation standards and ensure that an agency’s existing standards provide appropriate security protections.

Disclosure of Security Vulnerabilities and Defects

The legislation would require DHS’s National Protection and Programs Directorate to issue guidelines regarding “cybersecurity coordinated disclosure requirements” that contractors will be required to comply with if they sell IoT devices to the government.  The guidelines will outline:

– Policies and procedures for research relating to the security of an IoT device based on Standard 29147 of the International Organization for Standardization or any comparable standard; and

– Requirements for researching and testing the security of an IoT device, including a provision that the same class, model, and type of device be used for research and testing purposes.

Amendments to Federal Statutes

The legislation would amend the CFAA and DMCA to exempt cybersecurity researchers and experts from liability who (1) “in good faith” engaged in researching the security of an IoT device of the same “class, model, or type” procured by a federal agency, and (2) complied with future DHS-issued guidelines for vulnerability disclosure that the contractor adopted.

IoT Device Inventory

The bill will require each executive agency to establish an inventory of Internet-connected devices within 180 days following the passage of the legislation.  In support of this effort, the OMB Director, in consultation with the DHS Secretary, will issue guidelines 30 days after enactment detailing the organization and management of agency IoT device databases.  The legislation would also require the OMB Director to create publicly accessible databases listing manufacturers and IoT devices that are afforded liability protections and manufacturers that have formally notified the government that support services for a particular device have been terminated.  In addition to maintaining the databases, the OMB Director must also ensure the databases are updated at least once every 30 days.

Finally, the bill directs NIST to ensure that it establishes and uses best practices in identifying and tracking vulnerabilities for purposes of maintaining the NIST National Vulnerability Database.

Conclusion

Contractors should keep an eye on this this proposed bill because, if it becomes law, it will impose new, potentially onerous obligations on contractors.

© 2017 Covington & Burling LLP

TRENDING LEGAL ANALYSIS


About this Author

Jennifer R. Martin, Covington, cyber incident response lawyer, forensics consulting attorney
Of Counsel

Jennifer Martin has worked at the intersection of law and cybersecurity for the past 15 years. Her expertise in this area has been uniquely honed through her experience managing cyber risks and responding to threats from a variety of perspectives: as the director of cyber incident response and operations, and as lead in-house internal investigations counsel at Symantec; as a managing director of a top cybersecurity and forensics consulting firm; and as a federal and local cybercrime prosecutor and policymaker.

As both in-house counsel and as a...

212 841 1018
Catlin M. Meade, Government Contracts Attorney, Covington & Burling Law Firm
Associate

Catlin Meade is an associate in the firm’s Washington, DC office.  

Ms. Meade is a member of the Maryland Bar. She is currently not admitted in the District of Columbia, but is supervised by principals of the firm.

Representative Matters

  • Advised Fortune 100 financial services corporation on all aspects of federal novation and various state procurement restrictions on the transfer of assets in connection with the company's global reorganization of various business units.

  • Represented top ten defense contractor in connection with an internal False Claims Act investigation.

  • Represented defense contractor in connection with an internal investigation regarding allegations of improper use of government funds for prohibited lobbying activities.

  • Key member of team that successfully represented commercial services contractor in a post-award agency protest convincing agency to reopen procurement and allow opportunity for new proposal submissions.

  • Key member of team that successfully represented protestor at GAO, obtaining new opportunity for client to participate in the procurement. 

202-662-5889
Weiss Nusraty, Covington, cybersecurity lawyer, national security matters attorney
Associate

Weiss Nusraty advises clients on cybersecurity and national security matters, including cyber and data security incident response, and government and internal investigations.

Mr. Nusraty joined Covington from the U.S. Department of the Treasury where he served as a Policy Advisor within the Office of Terrorism and Financial Intelligence. In that role, Mr. Nusraty developed and implemented strategies on a range of matters, including financial sanctions, anti-money laundering and counter-terrorist financing. He worked closely with the intelligence...

202-662-5703