As I noted
Tuesday night, the House passed a version of HR 1668, the Internet of
Things (IoT) Cybersecurity Improvement Act of 2020, that was different from
both the introduced
and reported
versions of the bill. Yesterday the GPO printed the version of the bill that
was passed
by the House. In this post I will look at the differences between the
version reported out of the House Oversight and Reform Committee and the
version passed in the House.
Sense of Congress
The passed bill inserted a new §2, Sense of Congress, in the
bill. That new section lays responsibility for cybersecurity of the executive
branch with the President working through the Director of the OMB and the
Secretary of Homeland Security. It further makes the claim that “the strength
of the cybersecurity of the Federal Government and the positive benefits of digital
technology transformation depend on proactively addressing cybersecurity
throughout the acquisition and operation of Internet of Things devices by the
Federal Government” {§2(3)}.
Finally, it provides a description of ‘Internet of Things devices’
taken from the January 7th, 2020 draft of the National Institute of Standards
and Technology (NIST) draft internal report 8259. The description in that
report states:
“The IoT devices in scope for
this publication [emphasis added] have at least one transducer (sensor
or actuator) for interacting directly with the physical world and at least one
network interface (e.g., Ethernet, Wi-Fi, Bluetooth, Long-Term Evolution [LTE],
Zigbee, Ultra-Wideband [UWB]) for interfacing with the digital world. The IoT
devices in scope for this publication [emphasis added] can
function on their own and are not only able to function when acting as a
component of another device, such as a processor.”
Note: the text emphasized above was not included in the
description provided in §2(4).
Definitions
Section 2 of the reported bill included definitions of the
following terms:
• Agency,
• Covered device,
• Director of OMB,
• Director of the Institute
[National Institute of Standards and Technology (NIST)], and
• Security vulnerability.
Section 3 of the passed bill does not include a definition of
‘covered device’. It adds definitions for the following terms:
• Information system [IT-limited
definition from 44
USC 3502],
• National security system,
• Operational technology, and
• Secretary [of Homeland Security].
Ongoing NIST Activities
The reported bill contained a §3, Completion of Ongoing
Efforts Relating to Considerations for Managing Internet of Things
Cybersecurity Risks. This section included a requirement for NIST to publish a
report on “the following considerations for covered devices”:
• Secure development,
• Identity management,
• Patching, and
• Configuration management.
This section was not included in the passed version of the
bill.
Security Standards
Section 4(a) of the reported bill required NIST (within 6
months) to publish guidelines under 15
USC 278g-3 on {§4(a)}:
• The appropriate use and
management by the agencies of covered devices owned or controlled by the agencies,
and
• Minimum information security requirements for managing security
vulnerabilities associated with such devices.
Section 4(b) then went on to require the Cybersecurity and
Infrastructure Security Agency (CISA) to establish standards based upon those
guidelines for “covered devices owned or controlled by agencies, except those
considered national security systems” {§4(b)(1)(A)}.
In the passed version of the bill, NIST is required (within
90 days) to develop and publish (again under §278g-3) “standards and
[emphasis added] guidelines for the Federal Government on the appropriate use
and management by agencies of Internet of Things devices owned or controlled by
an agency and connected to information systems owned or controlled by an
agency, including minimum information security requirements for managing
cybersecurity risks associated with such devices” {§4(a)(1)}.
The OMB is then (within 180 days of the establishment of the
‘standards and guidelines’) required to review “agency information security
policies and principles” for IoT based upon the NIST-developed standards and
guidelines, again with an exception for ‘national security systems’.
Petition to Exclude Devices
Section 5 of the reported bill would have required the OMB
to establish a process for agencies to petition to have devices not designated
as ‘covered devices’ subject to the guidelines established by NIST or standards
established by CISA.
There are no comparable requirements in the passed version
of the bill.
Coordinated Disclosure
Section 6 of the reported bill would have required NIST to
develop guidelines “for the reporting, coordinating, publishing, and receiving
of information about” {§6(a)(1)} security vulnerabilities for a covered device
owned, or controlled, by an agency (or a contractor providing a covered device
to an agency) and the resolution of such vulnerabilities. The developed guidelines
should align with ISO 29147
and ISO
30111 {§6(b)(2)}. The guidelines for contractors would include information
“on the type of information about security vulnerabilities that should be
reported to the Federal Government, including examples thereof” {§6(a)(3)}.
Section 5 of the passed bill includes similar language
except that instead of ‘covered device’ the section refers to “information
systems owned or controlled by an agency (including Internet of Things devices
owned or controlled by an agency)”. In
addition to the requirement that the guidelines align with the two ISO
documents mentioned in the reported bill, §5 requires that the guidelines are “consistent
with the policies and procedures produced” {§5(b)(3)} under the coordinated disclosure
requirements of 6
USC 659(m). The requirement for contractor reporting was not included.
Finally, §5 concludes with establishing that DHS will be responsible for “the
implementation of the guidelines published” under this section.
The passed version of the bill includes an additional
section (§6) addressing the implementation of the coordinated disclosure
guidelines. Section 6(a) requires the OMB (within 2 years) to “develop and
oversee the implementation of policies, principles, standards, or guidelines as
may be necessary to address security vulnerabilities of information systems
(including Internet of Things devices).” Section 6(b) requires DHS to “provide
operational and technical assistance to agencies on reporting, coordinating,
publishing, and receiving information about security vulnerabilities of information
systems (including Internet of Things devices).”
Operational Technology
Section 8 of the passed bill has no counterpart in the reported
bill. It requires GAO (within one year) to brief Congress “on broader Internet
of Things efforts, including projects designed to assist in managing potential
security vulnerabilities associated with the use of traditional information
technology devices, networks, and systems” {§8(a)} with IoT devices and operational
technology devices, networks, and systems.
Moving Forward
The passage of this bill by a voice vote indicates that
there is some level of bipartisan support for this bill. This is important because
a bill of this sort is not ‘important’ enough to be considered under the normal
debate and amendment process in the Senate. This late in the session the only
way that this bill would be considered in the Senate is under the unanimous
consent process. Unfortunately, the only way that a bill makes it through that
process is for not one single Senator to voice opposition to the bill. I suspect
that this bill could make it through such a process, but it could be blocked by
a Senator making a point about, or needing support for, something completely
unrelated to this bill.
Commentary
First, let me address the unusual way this was brought to
the floor in the House. Rep. Maloney (D, NY) was the one who actually brought the
bill to the floor for consideration. She began the consideration process by
saying: “Mr. Speaker, I move to suspend the rules and pass the bill (H.R. 1668)
to leverage Federal Government procurement power to encourage increased
cybersecurity for Internet of Things devices, and for other purposes, as amended.”
That phrase ‘as amended’ can be used to cover a wide variety of
situations. Typically, it is used to describe a bill that has been amended in
the Committee process. It is used from time to time for a bill that has
been amended outside of that process by committee leadership when new
information has become available, when changes are necessary to get some additional
floor support for the bill, or to better reflect the intent of the leadership. I
suspect that in this case the final reason was the primary driver of the
changes being made to the bill. Maloney is the Chair of the House Oversight and
Government Reform Committee.
Looking at the bill as passed, it is clear that Maloney is
not really interested in IoT cybersecurity. The lack of a definition of the
term ‘Internet of Things device’, the discussion in §2 notwithstanding,
indicates how little Maloney cares about IoT. The changes to the bill, while still
including multiple references to ‘IoT devices’, make this a bill about
information system cybersecurity. It provides a small incremental increase in
the authority of OMB and DHS to address information system cybersecurity and
expands the authority for DHS to continue its recent mandate for government
agencies to implement vulnerability disclosure programs.
The addition of §8 of the bill reflects Maloney’s commitment
to the authors and supporters of the bill that passed in Committee that the
Committee will continue to look at IoT cybersecurity in the future, and it actually
adds the expanded topic of control system security to that future consideration.