Bill Sponsor
House Bill 1668
116th Congress(2019-2020)
IoT Cybersecurity Improvement Act of 2020
Became Law
Became Public Law 116-207 on Dec 4, 2020
H. R. 1668 (Introduced-in-House)


116th CONGRESS
1st Session
H. R. 1668


To leverage Federal Government procurement power to encourage increased cybersecurity for Internet of Things devices, and for other purposes.


IN THE HOUSE OF REPRESENTATIVES

March 11, 2019

Ms. Kelly of Illinois (for herself, Mr. Hurd of Texas, Mr. Khanna, Mr. Budd, Mr. Ruppersberger, Mr. Marshall, Mr. Ted Lieu of California, Mr. Ratcliffe, Mr. Meadows, Mr. Soto, Mr. Walker, Mr. Connolly, Mr. Foster, and Mr. Baird) introduced the following bill; which was referred to the Committee on Oversight and Reform, and in addition to the Committee on Science, Space, and Technology, for a period to be subsequently determined by the Speaker, in each case for consideration of such provisions as fall within the jurisdiction of the committee concerned


A BILL

To leverage Federal Government procurement power to encourage increased cybersecurity for Internet of Things devices, and for other purposes.

Be it enacted by the Senate and House of Representatives of the United States of America in Congress assembled,

SECTION 1. Short title.

This Act may be cited as the “Internet of Things Cybersecurity Improvement Act of 2019” or the “IoT Cybersecurity Improvement Act of 2019”.

SEC. 2. Definitions.

In this Act:

(1) AGENCY.—The term “agency” has the meaning given such term in section 3502 of title 44, United States Code.

(2) COVERED DEVICE.—

(A) IN GENERAL.—The term “covered device” means a physical object that—

(i) is capable of connecting to and is in regular connection with the internet;

(ii) has computer processing capabilities that can collect, send, or receive data; and

(iii) is not a general-purpose computing device, including personal computing systems, smart mobile communications devices, programmable logic controls, and mainframe computing systems.

(B) MODIFICATION OF DEFINITION.—The Director of the Office of Management and Budget shall establish a process by which—

(i) interested parties may petition for a device that is not described in subparagraph (A) to be considered a device that is not a covered device; and

(ii) the Director acts upon any petition submitted under clause (i) in a timely manner.

(3) SECURITY VULNERABILITY.—The term “security vulnerability” means any attribute of hardware, firmware, software, or combination of 2 or more of these factors that could enable the compromise of the confidentiality, integrity, or availability of an information system or its information or physical devices to which it is connected.

SEC. 3. National Institute of Standards and Technology considerations and recommendations regarding managing Internet of Things cybersecurity risks.

(a) Completion of ongoing efforts relating to considerations for managing Internet of Things cybersecurity risks.—

(1) IN GENERAL.—The Director of the National Institute of Standards and Technology shall ensure that the efforts of the Institute in effect on the date of the enactment of this Act regarding considerations for managing Internet of Things cybersecurity risks, especially regarding examples of possible cybersecurity capabilities of Internet of Things devices, are completed no later than September 30, 2019.

(2) MATTERS ADDRESSED.—In ensuring efforts are completed under paragraph (1), the Director shall also ensure that such efforts address, at a minimum, the following considerations for covered devices:

(A) Secure Development.

(B) Identity management.

(C) Patching.

(D) Configuration management.

(b) Development of recommended standards for use of Internet of Things devices by Federal Government.—

(1) IN GENERAL.—Not later than March 31, 2020, the Director of the Institute shall develop recommendations for the Federal Government on the appropriate use and management by the Federal Government of Internet of Things devices owned or controlled by the Federal Government, including minimum information security requirements for managing cybersecurity risks associated with such devices.

(2) CONSISTENCY WITH ONGOING EFFORTS.—The Director of the Institute shall ensure that the recommendations and standards developed under paragraph (1) are consistent with the efforts referred to in subsection (a), especially with respect to the examples of possible cybersecurity capabilities referred to in such subsection.

(c) Institute Report on cybersecurity considerations stemming from the convergence of Information Technology, Internet of Things, and Operational Technology devices, networks and systems.—Not later than 180 days following the enactment of this Act, the Director of the Institute shall publish a draft report related to the increasing convergence of traditional Information Technology devices, networks, and systems with Internet of Things devices, networks and systems and Operational Technology devices, networks and systems, including considerations for managing cybersecurity risks associated with such trends.

SEC. 4. Policies for Federal agencies on use and management of Internet of Things devices.

(a) Revisions to the Federal acquisition regulation.—Not later than 180 days after the date on which the Director of the National Institute of Standards and Technology completes the development of the recommendations required under section 3(b), the Director of the Office of Management and Budget shall issue guidelines for each agency that are consistent with such recommendations.

(b) Requirement.—In issuing the guidelines required under subsection (a), the Director of the Office of Management and Budget shall ensure that the guidelines are consistent with the information security requirements in subchapter II of chapter 35 of title 44, United States Code.

(c) Quinquennial reviews and revisions.—Not less frequently than once every 5 years—

(1) the Director of the Office of Management and Budget and the Director of the National Institute of Standards and Technology shall review the policies issued under subsection (a); and

(2) the Director of the Office of Management and Budget shall, in consultation with the Director of the National Institute of Standards and Technology, revise such policies.

SEC. 5. National Institute of Standards and Technology guidance on coordinated disclosure of security vulnerabilities relating to Internet of Things devices.

(a) In general.—Not later than 180 days after the date of the enactment of this Act, the Director of the National Institute of Standards and Technology shall, in consultation with such cybersecurity researchers and private-sector industry experts as the Director considers appropriate, publish guidance on policies and procedures for the reporting, coordinating, publishing, and receiving of information about—

(1) a security vulnerability relating to a covered device used by the Federal Government; and

(2) the resolution of such security vulnerability.

(b) Elements.—The guidance published under subsection (a) shall include the following:

(1) Policies and procedures described in subsection (a) that, to the maximum extent practicable, are aligned with Standards 29147 and 30111 of the International Standards Organization, or any successor standards. Such policies and procedures shall include policies and procedures for a contractor or vendor providing a covered device to the Federal Government on—

(A) receiving information about a potential security vulnerability relating to the covered device; and

(B) disseminating information about the resolution of a security vulnerability relating to the covered device.

(2) Guidance, including example content, on the information items that should be produced through the implementation of the security vulnerability disclosure process of the contractor.

SEC. 6. Guidelines for Federal agencies on coordinated disclosure of security vulnerabilities relating to Internet of Things devices.

(a) Agency guidelines required.—Not later than 180 days after the date on which the guidance required under section 4 is published, the Director of the Office of Management and Budget shall, in consultation with the Administrator of the General Services Administration, issue guidelines for each agency on reporting, coordinating, publishing, and receiving information about—

(1) a security vulnerability relating to a covered device used by the agency; and

(2) the resolution of such security vulnerability.

(b) Contractor and vendor compliance with National Institute of Standards and Technology guidance.—The guidelines required by subsection (a) shall include a limitation that prohibits an agency from acquiring or using any covered device from a contractor or vendor if the contractor or vendor fails to comply with the guidance published under section 5(a).

(c) Consistency with guidance from National Institute of Standards and Technology.—The Director shall ensure that the guidelines issued under subsection (a) are consistent with the guidance published under section 5(a).