Thursday, September 17, 2020

HR 1668 – Review of Text Passed in House

 As I noted Tuesday night, the House passed a version of HR 1668, the Internet of Things (IoT) Cybersecurity Improvement Act of 2020, that was different from both the introduced and reported versions of the bill. Yesterday the GPO printed the version of the bill that was passed by the House. In this post I will look at the differences between the version reported out of the House Oversight and Reform Committee and the version passed in the House.

Sense of Congress

The passed bill inserts a new §2, Sense of Congress, into the bill. That new section lays responsibility for the cybersecurity of the executive branch with the President, working through the Director of the OMB and the Secretary of Homeland Security. It further makes the claim that “the strength of the cybersecurity of the Federal Government and the positive benefits of digital technology transformation depend on proactively addressing cybersecurity throughout the acquisition and operation of Internet of Things devices by the Federal Government” {§2(3)}.

Finally, it provides a description of ‘Internet of Things devices’ taken from the January 7th, 2020 draft of the National Institute of Standards and Technology (NIST) draft internal report 8259 (NISTIR 8259). The description in that report states:

“The IoT devices in scope for this publication [emphasis added] have at least one transducer (sensor or actuator) for interacting directly with the physical world and at least one network interface (e.g., Ethernet, Wi-Fi, Bluetooth, Long-Term Evolution [LTE], Zigbee, Ultra-Wideband [UWB]) for interfacing with the digital world. The IoT devices in scope for this publication [emphasis added] can function on their own and are not only able to function when acting as a component of another device, such as a processor.”

Note: the text emphasized above was not included in the description provided in §2(4).

Definitions

Section 2 of the reported bill included definitions of the following terms:

• Agency,

• Covered device,

• Director of OMB,

• Director of the Institute [National Institute of Standards and Technology (NIST)], and

• Security vulnerability.

Section 3 of the passed bill drops the definition of ‘covered device’. It adds definitions for the following terms:

• Information system [IT-limited definition from 44 USC 3502],

• National security system,

• Operational technology, and

• Secretary [of Homeland Security].

Ongoing NIST Activities

The reported bill contained a §3, Completion of Ongoing Efforts Relating to Considerations for Managing Internet of Things Cybersecurity Risks. This section included a requirement for NIST to publish a report on “the following considerations for covered devices”:

• Secure development,

• Identity management,

• Patching, and

• Configuration management.

This section was not included in the passed version of the bill.

Security Standards

Section 4(a) of the reported bill required NIST (within 6 months) to publish guidelines under 15 USC 278g-3 on {§4(a)}:

• The appropriate use and management by the agencies of covered devices owned or controlled by the agencies, and

• Minimum information security requirements for managing security vulnerabilities associated with such devices.

Section 4(b) then went on to require the Cybersecurity and Infrastructure Security Agency (CISA) to establish standards based upon those guidelines for “covered devices owned or controlled by agencies, except those considered national security systems” {§4(b)(1)(A)}.

In the passed version of the bill, NIST is required (within 90 days) to develop and publish (again under §278g-3) “standards and [emphasis added] guidelines for the Federal Government on the appropriate use and management by agencies of Internet of Things devices owned or controlled by an agency and connected to information systems owned or controlled by an agency, including minimum information security requirements for managing cybersecurity risks associated with such devices” {§4(a)(1)}.

The OMB is then required (within 180 days of the establishment of the ‘standards and guidelines’) to review “agency information security policies and principles” for IoT based upon the NIST-developed standards and guidelines; again with an exception for ‘national security systems’.

Petition to Exclude Devices

Section 5 of the reported bill would have required the OMB to establish a process by which agencies could petition to have particular devices excluded from the ‘covered device’ designation, and thus from the guidelines established by NIST and the standards established by CISA.

There are no comparable requirements in the passed version of the bill.

Coordinated Disclosure

Section 6 of the reported bill would have required NIST to develop guidelines “for the reporting, coordinating, publishing, and receiving of information about” {§6(a)(1)} security vulnerabilities in a covered device owned, or controlled, by an agency (or a contractor providing a covered device to an agency) and the resolution of such vulnerabilities. The developed guidelines were to align with ISO 29147 and ISO 30111 {§6(b)(2)}. The guidelines for contractors would have included information “on the type of information about security vulnerabilities that should be reported to the Federal Government, including examples thereof” {§6(a)(3)}.

Section 5 of the passed bill includes similar language except that, instead of ‘covered device’, the section refers to “information systems owned or controlled by an agency (including Internet of Things devices owned or controlled by an agency)”. In addition to the requirement that the guidelines align with the two ISO documents mentioned in the reported bill, §5 requires that the guidelines be “consistent with the policies and procedures produced” {§5(b)(3)} under the coordinated disclosure requirements of 6 USC 659(m). The requirement for contractor reporting was not included. Finally, §5 concludes by establishing that DHS will be responsible for “the implementation of the guidelines published” under this section.

The passed version of the bill includes an additional section (§6) addressing the implementation of the coordinated disclosure guidelines. Section 6(a) requires the OMB (within 2 years) to “develop and oversee the implementation of policies, principles, standards, or guidelines as may be necessary to address security vulnerabilities of information systems (including Internet of Things devices).” Section 6(b) requires DHS to “provide operational and technical assistance to agencies on reporting, coordinating, publishing, and receiving information about security vulnerabilities of information systems (including Internet of Things devices).”

Operational Technology

Section 8 of the passed bill has no counterpart in the reported bill. It requires GAO (within one year) to brief Congress “on broader Internet of Things efforts, including projects designed to assist in managing potential security vulnerabilities associated with the use of traditional information technology devices, networks, and systems” {§8(a)} together with IoT devices and operational technology devices, networks, and systems.

Moving Forward

The passage of this bill by a voice vote indicates that there is some level of bipartisan support for it. This is important because a bill of this sort is not ‘important’ enough to be considered under the normal debate and amendment process in the Senate. This late in the session the only way that this bill would be considered in the Senate is under the unanimous consent process. Unfortunately, the only way that a bill makes it through that process is for not a single Senator to voice opposition to it. I suspect that this bill could make it through such a process, but it could be blocked by a Senator making a point about, or needing support for, something completely unrelated to this bill.

Commentary

First, let me address the unusual way this was brought to the floor in the House. Rep Maloney (D,NY) was the one who actually brought the bill to the floor for consideration. She began the consideration process by saying: “Mr. Speaker, I move to suspend the rules and pass the bill (H.R. 1668) to leverage Federal Government procurement power to encourage increased cybersecurity for Internet of Things devices, and for other purposes, as amended.”

That phrase ‘as amended’ can be used to cover a wide variety of situations. Typically, it is used to describe a bill that has been amended in the Committee process. It is used from time to time to describe a bill that has been amended outside of that process by committee leadership, when new information has become available, when changes are necessary to get some additional floor support for the bill, or to better reflect the intent of the leadership. I suspect that in this case the final reason was the primary driver of the changes being made to the bill. Maloney is the Chair of the House Oversight and Reform Committee.

Looking at the bill as passed, it is clear that Maloney is not really interested in IoT cybersecurity. The lack of a definition of the term ‘Internet of Things device’, the discussion in §2 notwithstanding, indicates how little Maloney cares about IoT. The changes to the bill, while still including multiple references to ‘IoT devices’, make this a bill about information system cybersecurity. It provides a small incremental increase in the authority of OMB and DHS to address information system cybersecurity and expands the authority for DHS to continue its recent mandate for government agencies to implement vulnerability disclosure programs.

The addition of §8 of the bill reflects Maloney’s future commitment to the authors and supporters of the bill that passed in Committee that the Committee will continue to look at IoT cybersecurity and actually adds the expanded topic of control system security to that future consideration.
