This week the House Oversight and Reform Committee adopted substitute language for HR 1668, the Internet of Things (IoT) Cybersecurity Improvement Act of 2019, by a voice vote. The new language was a complete re-write of the bill.
Changes in Definitions
In §2 of the bill there were significant changes in the definitions provided. First, the revised language added definitions for ‘Director of OMB’ and ‘Director of the Institute’ (NIST).
Next, the definition of ‘covered device’ was substantially changed. The ‘connected to the internet’ and ‘computer processing capability’ portion of the original definition was kept (but reformatted), but the ‘is not a general-purpose computer’ exception portion of the definition was expanded and revised. The new language included a substantial revision of the ‘programmable logic controls’ language of the original bill to now read {§2(2)(C)(iv)}:
“Programmable logic controller with an industrial control system specifically not designed for connection to the internet;”
A new exception was also added to the definition {§2(2)(C)(v)}: ‘subcomponent of a device’. The new ‘covered device’ definition also removed provisions in the original bill that would have required OMB to establish a process for petitioning for a device to be specifically considered a ‘covered device’.
Finally, the freestanding definition of ‘security vulnerability’ was changed to an incorporation of the definition from 6 USC 1501. The earlier definition was essentially an expansion of the §1501 definition (it had added ‘firmware’ and ‘combination of 2 or more of these factors’), but the §1501 definition relies on the expanded definition of ‘information system’ that specifically includes control system language.
Security Standards
Section 3 of the original bill was spread out into two separate sections. The first would require the National Institute of Standards and Technology (NIST) to complete its current activities ‘regarding considerations for managing the security vulnerabilities of Internet of Things’ {§3} by December 31st, 2019. This is essentially the same language from §3(a)(1) of the original bill with a revision of the date (extended three months) to complete the actions.
The provisions of §3(b) in the original bill were expanded and modified in §4 of the revised language. First, the requirement for NIST to establish ‘standards’ for use of internet of things devices by the federal government was changed to establishing ‘guidelines’ which the OMB would later convert to ‘standards’.
The closing paragraph of §4 of the revised language requires that “the Federal Acquisition Regulation shall be revised to implement” the standards required to be set by OMB in §4(b). The simplified language in this new paragraph was designed to accomplish the requirement of §4(a) and (b) of the original language.
New Petition Requirement
The petition requirement that was removed from the definition of ‘covered device’ was moved to and expanded in §5 of the revised language. The new section would allow an ‘interested party’ to petition for a covered device to be exempt from the standards set in §4(b). The petitioner would have to establish that the procurement of the covered device {§5(b)(3)(A)}:
• With limited data processing and software functionality would be unfeasible; or
• That does not meet the standards promulgated by the Director of OMB under this Act is necessary for national security or for research purposes.
Coordinated Disclosure
Section 6 of the revised language is a substantial rewrite of §5 and §6 of the original bill. It would still require NIST to establish guidelines with respect to “reporting, coordinating, publishing, and receiving of information” {§6(a)(1)} about security vulnerabilities of covered devices and the resolution of those vulnerabilities. The new language does add a requirement for ‘consultation’ with the DHS Cybersecurity and Infrastructure Security Agency (CISA) in the development of the guidelines.
Another important new addition to the guideline requirements is found in §6(b)(3):
“ensure such guidelines are consistent with the policies and procedures developed by CISA under 6 USC 659(m).”
OMB would be required to convert the guidelines developed by NIST into standards to be used by government agencies using covered devices. This requirement specifically applies to including those standards in the Federal Acquisition Regulation (FAR).
Section 7 of the bill requires all contractors to comply with the requirements of the standards developed by OMB. It would specifically require each agency Chief Information Officer to “determine if such offeror or contractor has complied with each standard promulgated under section 6(c) with respect to such covered device” {§7(a)(1)(A)}.
Moving Forward
Technically, the House Science, Space, and Technology Committee still needs to act on this bill. This could end up being something as simple as a letter from the Chair saying that he agrees with the changes being offered by the Oversight Committee. Or we could see a full committee markup of the bill.
In any case, this bill may actually see its way to the floor of the House. With the bipartisan support that the revised language received in Committee, it is likely that it would be considered under the suspension of the rules process and would probably pass with similar support.
Commentary
Well, Rep. Kelly (D,IL), or more probably her staff, tried to correct the problems with the definition of ‘covered device’ that I had previously identified in the Senate version of this bill (S 734). Unfortunately, the changes made just confuse the issue more.
First, we have a measure of grammatical confusion. As written, “programmable logic controller with an industrial control system specifically not designed for connection to the internet” would make it seem that an ‘industrial control system’ was part of a PLC instead of the other way around. Next, there is some subject confusion with the phrase ‘specifically not designed for connection to the internet’ (not to mention the awkward word order); does it refer to the PLC or the ICS? If we are to keep the intended (I think) concept here, I would suggest the following revision of this language {§2(2)(C)(iv)}:
“programmable logic controller that is a component of an industrial control system which is specifically designed not to connect to the internet;”
There are still problems with this definition, mainly because it uses terms that are not further defined in the bill, nor are they a part of general government usage. Does an ICS include building environmental systems or access control systems? Does the existence of a port designed to allow network connections to the device equate to ‘connect to the internet’, or must the device be physically (cable, WiFi, Bluetooth, or radio) attached to a network that connects to the internet?
If Congress does not specify in legislation, then agencies like NIST and OMB get to make the decision. In many ways this can make for more agile regulation development. Unfortunately, it may leave the efficacy and the impact of the regulations to the whims of the regulators. In this case, an aggressive NIST or OMB staffer could decide that a close interpretation of the current exemption language would only apply to the PLC of a building environmental control system, but not the HMI used by the system or the sensors or actuators attached to the PLCs. Since those devices were equipped with ports that could allow internet connections, they would be included in the ‘covered device’ definition and would be regulated by the OMB standards. Or they could go the other way and decide that no one would intend to connect these devices to the internet (even though they had components that could allow such a connection), so they were not ‘covered devices’ and thus not regulated.
While I understand that congresscritters are not technically equipped to make many of these decisions, I am still uncomfortable in allowing the kind of regulatory leeway that I describe above to be exercised by nameless bureaucrats who may have (NIST probably, OMB not so sure) a better technical background to make such decisions.