[Senate Report 116-112]
[From the U.S. Government Publishing Office]
Calendar No. 215
116th Congress, 1st Session
SENATE
Report 116-112
_______________________________________________________________________
INTERNET OF THINGS CYBERSECURITY IMPROVEMENT ACT
__________
R E P O R T
of the
COMMITTEE ON HOMELAND SECURITY AND
GOVERNMENTAL AFFAIRS
UNITED STATES SENATE
to accompany
S. 734
TO LEVERAGE FEDERAL GOVERNMENT PROCUREMENT
POWER TO ENCOURAGE INCREASED CYBERSECURITY FOR
INTERNET OF THINGS DEVICES, AND FOR OTHER PURPOSES
September 23, 2019.--Ordered to be printed
__________
U.S. GOVERNMENT PUBLISHING OFFICE
89-010 WASHINGTON : 2019
COMMITTEE ON HOMELAND SECURITY AND GOVERNMENTAL AFFAIRS
RON JOHNSON, Wisconsin, Chairman
ROB PORTMAN, Ohio
RAND PAUL, Kentucky
JAMES LANKFORD, Oklahoma
MITT ROMNEY, Utah
RICK SCOTT, Florida
MICHAEL B. ENZI, Wyoming
JOSH HAWLEY, Missouri
GARY C. PETERS, Michigan
THOMAS R. CARPER, Delaware
MAGGIE HASSAN, New Hampshire
KAMALA D. HARRIS, California
KYRSTEN SINEMA, Arizona
JACKY ROSEN, Nevada
Gabrielle D'Adamo Singer, Staff Director
Joseph C. Folio III, Chief Counsel
Michael J.R. Flynn, Senior Counsel
David M. Weinberg, Minority Staff Director
Zachary I. Schram, Minority Chief Counsel
Michelle M. Benecke, Minority Senior Counsel
Jeffrey D. Rothblum, Minority Fellow
Laura W. Kilbride, Chief Clerk
Mr. Johnson, from the Committee on Homeland Security and Governmental
Affairs, submitted the following
R E P O R T
[To accompany S. 734]
[Including cost estimate of the Congressional Budget Office]
The Committee on Homeland Security and Governmental
Affairs, to which was referred the bill (S. 734) to leverage
Federal Government procurement power to encourage increased
cybersecurity for Internet of Things devices, and for other
purposes, having considered the same, reports favorably thereon
with an amendment (in the nature of a substitute) and
recommends that the bill, as amended, do pass.
CONTENTS
I. Purpose and Summary
II. Background and Need for the Legislation
III. Legislative History
IV. Section-by-Section Analysis
V. Evaluation of Regulatory Impact
VI. Congressional Budget Office Cost Estimate
VII. Changes in Existing Law Made by the Bill, as Reported
I. PURPOSE AND SUMMARY
The purpose of S. 734, the Internet of Things Cybersecurity
Improvement Act of 2019, is to proactively mitigate the risks
posed by inadequately-secured Internet of Things (IoT) devices
through the establishment of minimum security standards for IoT
devices purchased by the Federal Government. The bill codifies
the ongoing work of the National Institute of Standards and
Technology (NIST) to develop standards and guidelines,
including minimum-security requirements, for the use of IoT
devices by Federal agencies. The bill also directs the Office
of Management and Budget (OMB), in consultation with the
Department of Homeland Security (DHS), to issue the necessary
policies and principles to implement the NIST standards and
guidelines on IoT security and management.
Additionally, the bill requires NIST, in consultation with
cybersecurity researchers and industry experts, to publish
guidelines for the reporting, coordinating, publishing, and
receiving of information about Federal agencies' security
vulnerabilities and the coordinated resolution of the reported
vulnerabilities. OMB will provide the policies and principles
and DHS will develop and issue the procedures necessary to
implement NIST's guidelines on coordinated vulnerability
disclosure for Federal agencies. The bill includes a provision
allowing Federal agency heads to waive the IoT use and
management requirements issued by OMB for national security,
functionality, alternative means, or economic reasons.
II. BACKGROUND AND THE NEED FOR LEGISLATION
More than eight billion IoT devices--devices that
wirelessly connect to the internet and transmit data--are
connected to our information systems and networks.\1\ According
to industry reports, the number of IoT devices will be as high
as 50 billion by 2025.\2\ This exponential increase of IoT
devices introduces an unparalleled attack surface for hackers
to exploit. According to industry experts, by 2020
approximately 25 percent of cyberattacks will target these
devices.\3\ This is because many IoT devices lack necessary
safeguards, leaving the systems and networks they are connected
to vulnerable to cyberattacks.\4\ Peter Winston, Chief
Executive Officer and Founder of Integrated Computer Solutions,
commented on the need to ensure the security of IoT devices:
---------------------------------------------------------------------------
\1\Matt Toomey, IoT Device Security Seriously-Neglected, Aberdeen
(Feb. 15, 2018), https://www.aberdeen.com/techpro-essentials/iot-
device-security-seriously-neglected/.
\2\McKinsey Global Institute, https://www.mckinsey.com//media/McKinsey/Business%20Functions/McKinsey%20Digital/Our%20Insights/The%20Internet%20of%20Things%20The%20value%20o%20digitizing%20the%20physical%20world/The-Internet-of-things-Mapping-the-value-beyond-the-hype.ashx.
\3\Matt Toomey, supra note 1.
\4\Id.
Ultimately, security needs to be baked into every device at
the operating system level. It shouldn't be up to an individual
vendor at the application level. And the level of device
security should match the audience. If you're selling your
connected device to the [Central Intelligence Agency (CIA)]--if
it has to work in a highly secure building, a place where a
breach could be catastrophic--there's a different expectation
than if you're selling a toy. Yes, they both require you to
lock the doors and windows. But for the CIA, you also need to
seal every crack and add multiple deadlocks to reinforced
doors.\5\
---------------------------------------------------------------------------
\5\Id.
The Committee recognizes the challenges Federal agencies
face in leveraging limited resources and navigating a
cumbersome Federal procurement process to acquire and securely
modernize information technologies.\6\ Building upon recent
Federal reports, the work of the Government Accountability
Office (GAO), and congressional hearings, this legislation will
ensure federal agencies are operating under policies and
practices for IoT devices before they become prolific on
federal networks.
---------------------------------------------------------------------------
\6\Mitigating America's Cybersecurity Risks: Hearing Before the S.
Comm. on Homeland Sec. & Governmental Affairs, 115th Cong. (2018)
(testimony of Jeanette Manfra, Assistant Secretary, Department of
Homeland Security), available at https://www.hsgac.senate.gov/imo/
media/doc/.
---------------------------------------------------------------------------
The traditional challenges facing Federal information
technology are exacerbated by the lack of widely adopted
information security standards and best practices for IoT
technologies.\7\ In April 2018, the Committee held a hearing
entitled, Mitigating America's Cybersecurity Risks, to discuss
a range of Federal cybersecurity challenges, including the
exponential growth of IoT devices in use on Federal
networks.\8\ Co-Director of the Harvard University Belfer
Center for Science and International Affairs, Eric Rosenbach
testified on the importance of ``establish[ing] baseline
security standards for the manufacturers and distributors of
[IoT] devices.''\9\ While cautioning against a regulatory
approach, Mr. Rosenbach supported the idea of using government
procurement reform as a ``good place to start'' in advancing
the secure procurement and use of IoT devices.\10\
---------------------------------------------------------------------------
\7\Id.; see also U.S. Gov't Accountability Office, GAO-17-75,
Technology Assessment: Internet of Things, Status and Implications of
An Increasingly Connected World (May 2017), available at https://
www.gao.gov/assets/690/684590.pdf.
\8\Mitigating America's Cybersecurity Risks, supra note 6.
\9\Id. (Testimony of Eric Rosenbach).
\10\Id.
---------------------------------------------------------------------------
Security baselines for IoT devices are necessary because
designers and manufacturers are not producing IoT devices with
basic cybersecurity measures baked into their products. In May
2017, GAO published a technology assessment of IoT. The
assessment found, among other things, ``[widespread] concerns
have been raised about the lack of security controls in many
IoT devices, which is in part because many vehicles, equipment,
and other increasingly IoT-enabled devices were built without
anticipating threats associated with Internet connectivity or
the requisite security controls.''\11\ The implications of
these findings were illustrated by the 2016 Mirai botnet
attack, which exploited basic vulnerabilities in IoT technology
to compromise an estimated 493,000 devices.\12\
---------------------------------------------------------------------------
\11\GAO-17-75 at 28, supra note 7.
\12\Joshua Abramson, DDoS Attacks: Bigger, Stronger, Scarier,
SYMANTEC CORP. (Apr. 19, 2016), https://www.symantec.com/connect/blogs/
ddos-attacks-bigger-stronger-scarier.
---------------------------------------------------------------------------
In May 2019, the Secretaries of Commerce and Homeland
Security published a report entitled, Enhancing the Resilience
of the Internet and Communications Ecosystem Against Botnets
and Other Automated, Distributed Threats.\13\ Among the
findings of this report are that IoT devices need to be secure
during all stages of the technology lifecycle and that market
incentives are not aligned with the cybersecurity best
practices.\14\ In 2018, DHS Assistant Secretary for
Cybersecurity and Communications, Jeanette Manfra, echoed this
idea during testimony before the Committee by stating that the
Federal Government needs a ``higher level framework'' led by
OMB to manage cybersecurity risk related to IoT devices that
includes basic authentication measures.\15\
---------------------------------------------------------------------------
\13\Sec. of Commerce, Sec. of Homeland Security, Enhancing the
Resilience of the Internet and Communications Ecosystem Against Botnets
and Other Automated, Distributed Threats. (May 22, 2018) available at
https://www.commerce.gov/sites/default/files/media/files/2018/eo_13800_
botnet_report_-_finalv2.pdf.
\14\Id. at 8.
\15\Mitigating America's Cybersecurity Risks, supra note 6
(Testimony of Jeanette Manfra).
---------------------------------------------------------------------------
As a result, IoT device security does not end with the
design, manufacture, and procurement of the device; rather
ongoing efforts are necessary to discover and remediate
vulnerabilities that create the potential for exploitation by
bad actors. The Federal Cybersecurity Risk Determination Report
and Action Plan, published by OMB, found that ``[a]n agency's
ability to mitigate security vulnerabilities is a direct
function of its ability to identify those vulnerabilities
across the enterprise.''\16\ To effectively secure IoT devices
in use on Federal networks, a comprehensive vulnerability
disclosure program is an important step in identifying
vulnerable IoT devices on a network.
---------------------------------------------------------------------------
\16\Office of Management and Budget, Executive Office of the
President, Federal Cybersecurity Risk Determination Report and Action
Plan, 12 (2018), available at https://www.whitehouse.gov/wp-content/
uploads/2018/05/Cybersecurity-Risk-Determination-Report-FINAL_May-2018-
Release.pdf.
---------------------------------------------------------------------------
The success of the ``Hack the Pentagon'' program led to the
establishment of a formal Vulnerability Disclosure Policy
(VDP),\17\ as well as legislation codifying DHS authority to
create a process to easily report and mitigate
vulnerabilities.\18\ Standards, policies, and practices for VDP
of information technology, including IoT, consistent with the
authorities and responsibilities established in the Federal
Information Security Modernization Act of 2014 (FISMA14),\19\
are a fundamental aspect of securing networked technologies over
the course of their life-cycle.
---------------------------------------------------------------------------
\17\Id.
\18\Pub. L. No. 115-390, Title I Sec. 101, (H.R. 7327, the
``SECURE'' Technology Act).
\19\Federal Information Security Modernization Act of 2014, Pub. L.
No. 113-283, 44 U.S.C. Sec. 3553(a)(1).
---------------------------------------------------------------------------
Federal agencies can better ensure the security of their
networks with IoT devices that have basic cybersecurity
requirements engineered into the devices, and with IT systems
that are maintained throughout their life-cycle in a secure
fashion. S. 734 codifies the ongoing work of NIST, OMB, and DHS
to improve the resilience of IoT devices and Federal networks
through enterprise-wide policies and procedures to manage this
rapidly expanding emerging technology. The legislation ensures
that the technical guidance developed by NIST on the security
of IoT devices, from procurement to use, is implemented in
policy and practice across the Federal enterprise. NIST has
already begun to develop standards and guidelines necessary to
help ``federal agencies and other organizations better
understand and manage the cybersecurity and privacy risk
associated with their IoT devices throughout the devices
lifecycle.''\20\ Due to NIST's ongoing efforts to develop the
information security standards and best practices for IoT
management and use, this legislation did not further define the
categories, computer functions, or types of devices covered
under the term IoT to ensure NIST's work is not delayed.
---------------------------------------------------------------------------
\20\National Institute of Standards and Technology, NIST IR 8228,
Considerations for Managing IoT Cybersecurity and Privacy Risks (June
2019).
---------------------------------------------------------------------------
III. LEGISLATIVE HISTORY
Senator Mark R. Warner (D-VA) introduced S. 734 on June 19,
2019, with Senator Cory Gardner (R-CO), Senator Margaret Wood
Hassan (D-NH), and Senator Steve Daines (R-MT).
The Committee considered S. 734 at a business meeting on
June 19, 2019. During the business meeting, Chairman Ron
Johnson offered a substitute amendment as modified that removed
the definition of IoT and clarified DHS's role in the
development of OMB's guidelines for IoT devices, and in leading
the VDP. S. 734 was ordered reported favorably as amended by
the Johnson Substitute Amendment as modified by voice vote en
bloc. The Senators present for the voice vote were Johnson,
Portman, Paul, Lankford, Romney, Scott, Enzi, Hawley, Peters,
Carper, Hassan, Sinema and Rosen.
IV. SECTION-BY-SECTION ANALYSIS OF THE BILL, AS REPORTED
Section 1. Short title
This section establishes that the bill may be cited as the
``Internet of Things Cybersecurity Improvement Act of 2019'' or
the ``IoT Cybersecurity Improvement Act of 2019.''
Section 2. Definitions
This section includes definitions of the terms ``Agency,''
``Director,'' ``Information System,'' ``Secretary,'' and
``Security Vulnerability.''
Section 3. National Institute of Standards and Technology
considerations and recommendations regarding managing Internet
of Things cybersecurity risks
Subsection (a) requires the Director of NIST to
develop, consistent with ongoing efforts, standards and
guidelines for the Federal Government on the appropriate use
and management of Internet of Things devices, including
cybersecurity risks.
Subsection (b) requires the Director of NIST to brief
appropriate committees of Congress on the increasing
convergence of traditional information technology devices,
networks, and systems.
Section 4. Policies and principles for Federal agencies on use and
management of Internet of Things devices
Subsection (a) requires the Director of OMB, in
consultation with the Secretary of Homeland Security, to issue
policies and principles on the use of IoT devices that are
consistent with the standards and guidelines developed under
section 3(a).
Subsection (b) requires that the policies and guidelines
developed by OMB for IoT devices are consistent with the Federal
Information Security Management Act, as found in subchapter II
of chapter 35 of title 44 of the United States Code.
Subsection (c) requires the Director of OMB and Secretary
of Homeland Security to regularly review the policies and
principles for the use and management of IoT devices.
Section 5. Guidelines on coordinated disclosure of security
vulnerabilities relating to information systems, including
Internet of Things devices
Subsection (a) requires the Director of NIST, in
consultation with cybersecurity researchers and private-sector
industry experts, to establish guidelines for reporting,
coordinating, publishing, and receiving of information about
and the resolution of security vulnerabilities related to
agency information systems.
Subsection (b) lays out the elements of the coordinated
vulnerability disclosure guidelines. The guidelines shall be
consistent with industry best practices and Standards 29147 and
30111 of the International Standards Organization; and shall
incorporate vulnerability information on IoT devices and how to
disseminate information on the resolution of security or
personal information vulnerabilities on agency information
systems.
Subsection (c) requires the Director of OMB and Secretary
of Homeland Security to regularly review the policies and
principles for the use and management of IoT devices.
Subsection (d) requires the Director of OMB to provide
oversight and implement the guidelines laid out in section 5
subsection (a) of this bill.
Subsection (e) requires that the Secretary of DHS provide
technical and operational assistance to implement section 5
subsection (a) of this bill.
Section 6. Implementation of coordinated disclosure of security
vulnerabilities relating to agency information systems,
including Internet of Things devices
Subsection (a) requires that, once the Director of NIST
publishes guidelines required under section 5(a), within 180
days, the Director of OMB should publish policies on
vulnerabilities regarding information systems and IoT devices.
Subsection (b) establishes procedures whereby the Secretary
of DHS and Director of OMB develop procedures for each Federal
agency to publish and receive information on vulnerabilities
regarding information systems and IoT devices.
Subsection (c) creates a limitation to subsection (b) that
prohibits agencies from using or acquiring IoT devices from
contractors if the contractors fail to comply with section
5(a).
Subsection (d) requires the Secretary of DHS to ensure that
procedures outlined by subsection (b) are consistent with NIST
standards.
Section 7. Waiver
This section allows the head of an agency to use an IoT
device without regard to any policy under several requirements.
The requirements include that the IoT device is necessary for
research or national security, appropriate to the function of a
device, secured, and of a greater quality or of a lesser cost
than one that already meets guidelines.
V. EVALUATION OF REGULATORY IMPACT
Pursuant to the requirements of paragraph 11(b) of rule
XXVI of the Standing Rules of the Senate, the Committee has
considered the regulatory impact of this bill and determined
that the bill will have no regulatory impact within the meaning
of the rules. The Committee agrees with the Congressional
Budget Office's statement that the bill contains no
intergovernmental or private-sector mandates as defined in the
Unfunded Mandates Reform Act (UMRA) and would impose no costs
on state, local, or tribal governments.
VI. CONGRESSIONAL BUDGET OFFICE COST ESTIMATE
U.S. Congress,
Congressional Budget Office,
Washington, DC, September 13, 2019.
Hon. Ron Johnson,
Chairman, Committee on Homeland Security and Governmental Affairs, U.S.
Senate, Washington, DC.
Dear Mr. Chairman: The Congressional Budget Office has
prepared the enclosed cost estimate for S. 734, the Internet of
Things Cybersecurity Improvement Act of 2019.
If you wish further details on this estimate, we will be
pleased to provide them. The CBO staff contact is David Hughes.
Sincerely,
Phillip L. Swagel,
Director.
Enclosure.
Under S. 734, the National Institute of Standards and
Technology (NIST) would develop guidelines on the appropriate
and secure use of Internet of things (IoT) devices by federal
agencies and develop minimum information security requirements
for agencies to manage security vulnerabilities for those
devices.\1\ In addition, the Office of Management and Budget
(OMB) would promulgate standards for federal IoT devices that
are consistent with NIST's standards and guidelines. OMB would
review and revise those standards at least once every five
years and develop waivers to exclude certain IoT devices. OMB
would report to the Congress annually from 2020 through 2025 on
the effectiveness of the standards and on the types and number
of excluded devices.
---------------------------------------------------------------------------
\1\The IoT consists of devices connected to one another and to a
network for exchanging data without human interaction. See Suzy E.
Park, Internet of Things (IoT): An Introduction, In Focus Report 11239
(Congressional Research Service, June 4, 2019), https://go.usa.gov/
xVcdR.
---------------------------------------------------------------------------
Under S. 734, NIST also would publish standards for federal
agencies, contractors, and vendors to systematically report and
resolve security vulnerabilities for IoT devices. Each agency's
chief information officer would be required to ensure
compliance. OMB would establish federal standards for that
coordinated reporting process that are consistent with NIST's
standards and guidelines.
Using information from NIST, CBO estimates that
implementing the bill would cost $35 million over the 2019-2024
period, assuming appropriation of the necessary amounts.
The costs of the legislation (detailed in Table 1) fall
within budget function 370 (commerce and housing credit).
TABLE 1.--ESTIMATED INCREASES IN SPENDING SUBJECT TO APPROPRIATION UNDER S. 734
(By fiscal year, millions of dollars)

                          2019  2020  2021  2022  2023  2024  2019-2024
Estimated Authorization      0    11     6     6     6     6         35
Estimated Outlays            0    11     6     6     6     6         35
In 2020, CBO estimates that NIST and OMB would spend a
total of $11 million to develop the IoT guidelines and
standards. Of that amount CBO estimates that NIST would spend a
little more than $3 million to hire 11 employees and that OMB
would spend about $350,000 to hire 2 employees. Those newly
hired NIST staff would develop the new federal guidelines and
provide technical assistance to federal agencies. In addition,
CBO estimates that NIST would spend a little more than $3
million to hire contractors and convene workshops to assist
with guideline development. Finally, CBO estimates that NIST
would spend around $4 million to update its National
Vulnerability Database (NVD) to account for the vulnerability
of IoT data.
After 2020, CBO estimates that NIST and OMB would spend
approximately $6 million annually to update the IoT guidelines
and standards, report to Congress, and further update the NVD.
On September 13, 2019, CBO transmitted a cost estimate for
H.R. 1668, the Internet of Things Cybersecurity Improvement Act
of 2019, as ordered reported by the House Committee on
Oversight and Reform on June 12, 2019. S. 734 and H.R. 1668 are
similar and CBO's cost estimates are the same for both pieces
of legislation.
The CBO staff contact for this estimate is David Hughes.
The estimate was reviewed by H. Samuel Papenfuss, Deputy
Assistant Director for Budget Analysis.
VII. CHANGES IN EXISTING LAW MADE BY THE BILL, AS REPORTED
Because this legislation would not repeal or amend any
provision of current law, it would not make changes in existing
law within the meaning of clauses (a) and (b) of paragraph 12
of rule XXVI of the Standing Rules of the Senate.