[Senate Report 116-112]
[From the U.S. Government Publishing Office]

Calendar No. 215
116th Congress, 1st Session                              Senate Report 116-112

INTERNET OF THINGS CYBERSECURITY IMPROVEMENT ACT

REPORT
of the
COMMITTEE ON HOMELAND SECURITY AND GOVERNMENTAL AFFAIRS
UNITED STATES SENATE
to accompany S. 734

TO LEVERAGE FEDERAL GOVERNMENT PROCUREMENT POWER TO ENCOURAGE INCREASED CYBERSECURITY FOR INTERNET OF THINGS DEVICES, AND FOR OTHER PURPOSES

September 23, 2019.--Ordered to be printed

U.S. GOVERNMENT PUBLISHING OFFICE
89-010                    WASHINGTON : 2019

COMMITTEE ON HOMELAND SECURITY AND GOVERNMENTAL AFFAIRS

RON JOHNSON, Wisconsin, Chairman
ROB PORTMAN, Ohio
GARY C. PETERS, Michigan
RAND PAUL, Kentucky
THOMAS R. CARPER, Delaware
JAMES LANKFORD, Oklahoma
MAGGIE HASSAN, New Hampshire
MITT ROMNEY, Utah
KAMALA D. HARRIS, California
RICK SCOTT, Florida
KYRSTEN SINEMA, Arizona
MICHAEL B. ENZI, Wyoming
JACKY ROSEN, Nevada
JOSH HAWLEY, Missouri

Gabrielle D'Adamo Singer, Staff Director
Joseph C. Folio III, Chief Counsel
Michael J.R. Flynn, Senior Counsel
David M. Weinberg, Minority Staff Director
Zachary I. Schram, Minority Chief Counsel
Michelle M. Benecke, Minority Senior Counsel
Jeffrey D. Rothblum, Minority Fellow
Laura W. Kilbride, Chief Clerk

Mr. Johnson, from the Committee on Homeland Security and Governmental Affairs, submitted the following

REPORT

[To accompany S. 734]
[Including cost estimate of the Congressional Budget Office]

The Committee on Homeland Security and Governmental Affairs, to which was referred the bill (S. 734) to leverage Federal Government procurement power to encourage increased cybersecurity for Internet of Things devices, and for other purposes, having considered the same, reports favorably thereon with an amendment (in the nature of a substitute) and recommends that the bill, as amended, do pass.

CONTENTS

I. Purpose and Summary
II. Background and Need for the Legislation
III. Legislative History
IV. Section-by-Section Analysis
V. Evaluation of Regulatory Impact
VI. Congressional Budget Office Cost Estimate
VII. Changes in Existing Law Made by the Bill, as Reported

I. PURPOSE AND SUMMARY

The purpose of S. 734, the Internet of Things Cybersecurity Improvement Act of 2019, is to proactively mitigate the risks posed by inadequately secured Internet of Things (IoT) devices through the establishment of minimum security standards for IoT devices purchased by the Federal Government. The bill codifies the ongoing work of the National Institute of Standards and Technology (NIST) to develop standards and guidelines, including minimum security requirements, for the use of IoT devices by Federal agencies. The bill also directs the Office of Management and Budget (OMB), in consultation with the Department of Homeland Security (DHS), to issue the necessary policies and principles to implement the NIST standards and guidelines on IoT security and management. Additionally, the bill requires NIST, in consultation with cybersecurity researchers and industry experts, to publish guidelines for the reporting, coordinating, publishing, and receiving of information about Federal agencies' security vulnerabilities and the coordinated resolution of the reported vulnerabilities.
OMB will provide the policies and principles and DHS will develop and issue the procedures necessary to implement NIST's guidelines on coordinated vulnerability disclosure for Federal agencies. The bill includes a provision allowing Federal agency heads to waive the IoT use and management requirements issued by OMB for national security, functionality, alternative means, or economic reasons.

II. BACKGROUND AND THE NEED FOR LEGISLATION

More than eight billion IoT devices--devices that wirelessly connect to the internet and transmit data--are connected to our information systems and networks.\1\ According to industry reports, the number of IoT devices will be as high as 50 billion by 2025.\2\ This exponential increase of IoT devices introduces an unparalleled attack surface for hackers to exploit. According to industry experts, by 2020 approximately 25 percent of cyberattacks will target these devices.\3\ This is because many IoT devices lack necessary safeguards, leaving the systems and networks they are connected to vulnerable to cyberattacks.\4\ Peter Winston, Chief Executive Officer and Founder of Integrated Computer Solutions, commented on the need to ensure the security of IoT devices:

    Ultimately, security needs to be baked into every device at the operating system level. It shouldn't be up to an individual vendor at the application level. And the level of device security should match the audience. If you're selling your connected device to the [Central Intelligence Agency (CIA)]--if it has to work in a highly secure building, a place where a breach could be catastrophic--there's a different expectation than if you're selling a toy. Yes, they both require you to lock the doors and windows. But for the CIA, you also need to seal every crack and add multiple deadlocks to reinforced doors.\5\

---------------------------------------------------------------------------
\1\Matt Toomey, IoT Device Security Seriously-Neglected, Aberdeen (Feb. 15, 2018), https://www.aberdeen.com/techpro-essentials/iot-device-security-seriously-neglected/.
\2\McKinsey Global Institute, https://www.mckinsey.com//media/McKinsey/Business%20Functions/McKinsey%20Digital/Our%20Insights/The%20Internet%20of%20Things%20The%20value%20o%20digitizing%20the%20physical%20world/The-Internet-of-things-Mapping-the-value-beyond-the-hype.ashx.
\3\Matt Toomey, supra note 1.
\4\Id.
\5\Id.
---------------------------------------------------------------------------

The Committee recognizes the challenges Federal agencies face in leveraging limited resources and navigating a cumbersome Federal procurement process to acquire and securely modernize information technologies.\6\ Building upon recent Federal reports, the work of the Government Accountability Office (GAO), and congressional hearings, this legislation will ensure Federal agencies are operating under policies and practices for IoT devices before they become prolific on Federal networks.

---------------------------------------------------------------------------
\6\Mitigating America's Cybersecurity Risks: Hearing Before the S. Comm. on Homeland Sec. & Governmental Affairs, 115th Cong. (2018) (testimony of Jeanette Manfra, Assistant Secretary, Department of Homeland Security), available at https://www.hsgac.senate.gov/imo/media/doc/.
---------------------------------------------------------------------------

The traditional challenges facing Federal information technology are exacerbated by the lack of widely adopted information security standards and best practices for IoT technologies.\7\ In April 2018, the Committee held a hearing entitled, Mitigating America's Cybersecurity Risks, to discuss a range of Federal cybersecurity challenges, including the exponential growth of IoT devices in use on Federal networks.\8\ Eric Rosenbach, Co-Director of the Harvard University Belfer Center for Science and International Affairs, testified on the importance of ``establish[ing] baseline security standards for the manufacturers and distributors of [IoT] devices.''\9\ While cautioning against a regulatory approach, Mr. Rosenbach supported the idea of using government procurement reform as a ``good place to start'' in advancing the secure procurement and use of IoT devices.\10\

---------------------------------------------------------------------------
\7\Id.; see also U.S. Gov't Accountability Office, GAO-17-75, Technology Assessment: Internet of Things, Status and Implications of An Increasingly Connected World (May 2017), available at https://www.gao.gov/assets/690/684590.pdf.
\8\Mitigating America's Cybersecurity Risks, supra note 6.
\9\Id. (Testimony of Eric Rosenbach).
\10\Id.
---------------------------------------------------------------------------

Security baselines for IoT devices are necessary because designers and manufacturers are not producing IoT devices with basic cybersecurity measures baked into their products. In May 2017, GAO published a technology assessment of IoT. The assessment found, among other things, ``[widespread] concerns have been raised about the lack of security controls in many IoT devices, which is in part because many vehicles, equipment, and other increasingly IoT-enabled devices were built without anticipating threats associated with Internet connectivity or the requisite security controls.''\11\ The implications of these findings were illustrated by the 2016 Mirai botnet attack, which exploited basic vulnerabilities in IoT technology to compromise an estimated 493,000 devices.\12\

---------------------------------------------------------------------------
\11\GAO-17-75 at 28, supra note 7.
\12\Joshua Abramson, DDoS Attacks: Bigger, Stronger, Scarier, SYMANTEC CORP. (Apr. 19, 2016), https://www.symantec.com/connect/blogs/ddos-attacks-bigger-stronger-scarier.
---------------------------------------------------------------------------

In May 2019, the Secretaries of Commerce and Homeland Security published a report entitled, Enhancing the Resilience of the Internet and Communications Ecosystem Against Botnets and Other Automated, Distributed Threats.\13\ Among the findings of this report are that IoT devices need to be secure during all stages of the technology lifecycle and that market incentives are not aligned with cybersecurity best practices.\14\ In 2018, DHS Assistant Secretary for Cybersecurity and Communications, Jeanette Manfra, echoed this idea during testimony before the Committee by stating that the Federal Government needs a ``higher level framework'' led by OMB to manage cybersecurity risk related to IoT devices that includes basic authentication measures.\15\

---------------------------------------------------------------------------
\13\Sec. of Commerce, Sec. of Homeland Security, Enhancing the Resilience of the Internet and Communications Ecosystem Against Botnets and Other Automated, Distributed Threats
(May 22, 2018), available at https://www.commerce.gov/sites/default/files/media/files/2018/eo_13800_botnet_report_-_finalv2.pdf.
\14\Id. at 8.
\15\Mitigating America's Cybersecurity Risks, supra note 6 (Testimony of Jeanette Manfra).
---------------------------------------------------------------------------

As a result, IoT device security does not end with the design, manufacture, and procurement of the device; rather, ongoing efforts are necessary to discover and remediate vulnerabilities that create the potential for exploitation by bad actors. The Federal Cybersecurity Risk Determination Report and Action Plan, published by OMB, found that ``[a]n agency's ability to mitigate security vulnerabilities is a direct function of its ability to identify those vulnerabilities across the enterprise.''\16\ To effectively secure IoT devices in use on Federal networks, a comprehensive vulnerability disclosure program is an important step in identifying vulnerable IoT devices on a network.

---------------------------------------------------------------------------
\16\Office of Management and Budget, Executive Office of the President, Federal Cybersecurity Risk Determination Report and Action Plan, 12 (2018), available at https://www.whitehouse.gov/wp-content/uploads/2018/05/Cybersecurity-Risk-Determination-Report-FINAL_May-2018-Release.pdf.
---------------------------------------------------------------------------

The success of the ``Hack the Pentagon'' program led to the establishment of a formal Vulnerability Disclosure Policy (VDP),\17\ as well as legislation codifying DHS authority to create a process to easily report and mitigate vulnerabilities.\18\ Standards, policies, and practices for VDP of information technology, including IoT, consistent with the authorities and responsibilities established in the Federal Information Security Modernization Act of 2014 (FISMA14),\19\ are a fundamental aspect of securing networked technologies over the course of their life-cycle.

---------------------------------------------------------------------------
\17\Id.
\18\Pub. L. No. 115-390, Title I Sec. 101, (H.R. 7327, the ``SECURE'' Technology Act).
\19\Federal Information Security Modernization Act of 2014, Pub. L. No. 113-283, 44 U.S.C. Sec. 3553(a)(1).
---------------------------------------------------------------------------

Federal agencies can better ensure the security of their networks with IoT devices that have basic cybersecurity requirements engineered into the devices, and with IT systems that are maintained throughout their life-cycle in a secure fashion. S. 734 codifies the ongoing work of NIST, OMB, and DHS to improve the resilience of IoT devices and Federal networks through enterprise-wide policies and procedures to manage this rapidly expanding emerging technology. The legislation ensures that the technical guidance developed by NIST on the security of IoT devices, from procurement to use, is implemented in policy and practice across the Federal enterprise. NIST has already begun to develop the standards and guidelines necessary to help ``federal agencies and other organizations better understand and manage the cybersecurity and privacy risk associated with their IoT devices throughout the devices lifecycle.''\20\ Because of NIST's ongoing efforts to develop information security standards and best practices for IoT management and use, this legislation did not further define the categories, computer functions, or types of devices covered under the term IoT, so that NIST's work is not delayed.

---------------------------------------------------------------------------
\20\National Institute of Standards and Technology, NIST IR 8228, Considerations for Managing IoT Cybersecurity and Privacy Risks (June 2019).
---------------------------------------------------------------------------

III. LEGISLATIVE HISTORY

Senator Mark R. Warner (D-VA) introduced S.
734 on June 19, 2019, with Senator Cory Gardner (R-CO), Senator Margaret Wood Hassan (D-NH), and Senator Steve Daines (R-MT). The Committee considered S. 734 at a business meeting on June 19, 2019. During the business meeting, Chairman Ron Johnson offered a substitute amendment, as modified, that removed the definition of IoT and clarified DHS's role in the development of OMB's guidelines for IoT devices and in leading the VDP. S. 734 was ordered reported favorably as amended by the Johnson Substitute Amendment, as modified, by voice vote en bloc. The Senators present for the voice vote were Johnson, Portman, Paul, Lankford, Romney, Scott, Enzi, Hawley, Peters, Carper, Hassan, Sinema and Rosen.

IV. SECTION-BY-SECTION ANALYSIS OF THE BILL, AS REPORTED

Section 1. Short title

This section establishes that the bill may be cited as the ``Internet of Things Cybersecurity Improvement Act of 2019'' or the ``IoT Cybersecurity Improvement Act of 2019.''

Section 2. Definitions

This section includes definitions of the terms ``Agency,'' ``Director,'' ``Information System,'' ``Secretary,'' and ``Security Vulnerability.''

Section 3. National Institute of Standards and Technology considerations and recommendations regarding managing Internet of Things cybersecurity risks

Subsection (a) requires the Director of NIST to develop, consistent with ongoing efforts, standards and guidelines for the Federal Government on the appropriate use and management of Internet of Things devices, including cybersecurity risks.

Subsection (b) requires the Director of NIST to brief the appropriate committees of Congress on the increasing convergence of traditional information technology devices, networks, and systems.

Section 4. Policies and principles for Federal agencies on use and management of Internet of Things devices

Subsection (a) requires the Director of OMB, in consultation with the Secretary of Homeland Security, to issue policies and principles on the use of IoT devices that are consistent with the standards and guidelines developed under section 3(a).

Subsection (b) requires that the policies and guidelines developed by OMB for IoT devices are consistent with the Federal Information Security Management Act, as found in subchapter II of chapter 35 of title 44, United States Code.

Subsection (c) requires the Director of OMB and the Secretary of Homeland Security to regularly review the policies and principles for the use and management of IoT devices.

Section 5. Guidelines on coordinated disclosure of security vulnerabilities relating to information systems, including Internet of Things devices

Subsection (a) requires the Director of NIST, in consultation with cybersecurity researchers and private-sector industry experts, to establish guidelines for the reporting, coordinating, publishing, and receiving of information about, and the resolution of, security vulnerabilities related to agency information systems.

Subsection (b) lays out the elements of the coordinated vulnerability disclosure guidelines. The guidelines shall be consistent with industry best practices and Standards 29147 and 30111 of the International Standards Organization, and shall incorporate vulnerability information on IoT devices and how to disseminate information on the resolution of security or personal information vulnerabilities on agency information systems.

Subsection (c) requires the Director of OMB and the Secretary of Homeland Security to regularly review the policies and principles for the use and management of IoT devices.

Subsection (d) requires the Director of OMB to provide oversight and implement the guidelines laid out in section 5 subsection (a) of this bill.

Subsection (e) requires that the Secretary of DHS provide technical and operational assistance to implement section 5 subsection (a) of this bill.

Section 6. Implementation of coordinated disclosure of security vulnerabilities relating to agency information systems, including Internet of Things devices

Subsection (a) requires that, within 180 days after the Director of NIST publishes the guidelines required under section 5(a), the Director of OMB publish policies on vulnerabilities regarding information systems and IoT devices.

Subsection (b) establishes procedures whereby the Secretary of DHS and the Director of OMB develop procedures for each Federal agency to publish and receive information on vulnerabilities regarding information systems and IoT devices.

Subsection (c) creates a limitation to subsection (b) that prohibits agencies from using or acquiring IoT devices from contractors if the contractors fail to comply with section 5(a).

Subsection (d) requires the Secretary of DHS to ensure that the procedures outlined by subsection (b) are consistent with NIST standards.

Section 7. Waiver

This section allows the head of an agency to use an IoT device without regard to any policy, subject to several requirements. The requirements include that the IoT device is necessary for research or national security, appropriate to the function of a device, secured, and of a greater quality or of a lesser cost than one that already meets the guidelines.

V. EVALUATION OF REGULATORY IMPACT

Pursuant to the requirements of paragraph 11(b) of rule XXVI of the Standing Rules of the Senate, the Committee has considered the regulatory impact of this bill and determined that the bill will have no regulatory impact within the meaning of the rules. The Committee agrees with the Congressional Budget Office's statement that the bill contains no intergovernmental or private-sector mandates as defined in the Unfunded Mandates Reform Act (UMRA) and would impose no costs on state, local, or tribal governments.
VI. CONGRESSIONAL BUDGET OFFICE COST ESTIMATE

U.S. Congress,
Congressional Budget Office,
Washington, DC, September 13, 2019.

Hon. Ron Johnson,
Chairman, Committee on Homeland Security and Governmental Affairs,
U.S. Senate, Washington, DC.

Dear Mr. Chairman: The Congressional Budget Office has prepared the enclosed cost estimate for S. 734, the Internet of Things Cybersecurity Improvement Act of 2019.

If you wish further details on this estimate, we will be pleased to provide them. The CBO staff contact is David Hughes.

Sincerely,
Phillip L. Swagel, Director.

Enclosure.

Under S. 734, the National Institute of Standards and Technology (NIST) would develop guidelines on the appropriate and secure use of Internet of Things (IoT) devices by federal agencies and develop minimum information security requirements for agencies to manage security vulnerabilities for those devices.\1\ In addition, the Office of Management and Budget (OMB) would promulgate standards for federal IoT devices that are consistent with NIST's standards and guidelines. OMB would review and revise those standards at least once every five years and develop waivers to exclude certain IoT devices. OMB would report to the Congress annually from 2020 through 2025 on the effectiveness of the standards and on the types and number of excluded devices.

---------------------------------------------------------------------------
\1\The IoT consists of devices connected to one another and to a network for exchanging data without human interaction. See Suzy E. Park, Internet of Things (IoT): An Introduction, In Focus Report 11239 (Congressional Research Service, June 4, 2019), https://go.usa.gov/xVcdR.
---------------------------------------------------------------------------

Under S. 734, NIST also would publish standards for federal agencies, contractors, and vendors to systematically report and resolve security vulnerabilities for IoT devices. Each agency's chief information officer would be required to ensure compliance. OMB would establish federal standards for that coordinated reporting process that are consistent with NIST's standards and guidelines.

Using information from NIST, CBO estimates that implementing the bill would cost $35 million over the 2019-2024 period, assuming appropriation of the necessary amounts. The costs of the legislation (detailed in Table 1) fall within budget function 370 (commerce and housing credit).

TABLE 1.--ESTIMATED INCREASES IN SPENDING SUBJECT TO APPROPRIATION UNDER S. 734

                                 By fiscal year, millions of dollars--
                            2019   2020   2021   2022   2023   2024   2019-2024
Estimated Authorization        0     11      6      6      6      6          35
Estimated Outlays              0     11      6      6      6      6          35

In 2020, CBO estimates that NIST and OMB would spend a total of $11 million to develop the IoT guidelines and standards. Of that amount, CBO estimates that NIST would spend a little more than $3 million to hire 11 employees and that OMB would spend about $350,000 to hire 2 employees. Those newly hired NIST staff would develop the new federal guidelines and provide technical assistance to federal agencies. In addition, CBO estimates that NIST would spend a little more than $3 million to hire contractors and convene workshops to assist with guideline development. Finally, CBO estimates that NIST would spend around $4 million to update its National Vulnerability Database (NVD) to account for the vulnerability of IoT data.

After 2020, CBO estimates that NIST and OMB would spend approximately $6 million annually to update the IoT guidelines and standards, report to Congress, and further update the NVD.

On September 13, 2019, CBO transmitted a cost estimate for H.R. 1668, the Internet of Things Cybersecurity Improvement Act of 2019, as ordered reported by the House Committee on Oversight and Reform on June 12, 2019. S. 734 and H.R. 1668 are similar, and CBO's cost estimates are the same for both pieces of legislation.

The CBO staff contact for this estimate is David Hughes. The estimate was reviewed by H. Samuel Papenfuss, Deputy Assistant Director for Budget Analysis.

VII. CHANGES IN EXISTING LAW MADE BY THE BILL, AS REPORTED

Because this legislation would not repeal or amend any provision of current law, it would not make changes in existing law within the meaning of clauses (a) and (b) of paragraph 12 of rule XXVI of the Standing Rules of the Senate.