The Senate Committee on Homeland Security and Governmental Affairs recently reported S. 734, the Internet of Things Cybersecurity Improvement Act of 2019, to the Senate. There is a similar bill (HR 1668) pending consideration in the House of Representatives. There is no floor schedule for either bill as yet.
The purpose of S. 734 is to proactively mitigate the risks posed by inadequately secured Internet of Things (IoT) devices through the establishment of minimum-security standards for IoT devices purchased by the Federal Government. The bill codifies the ongoing work of the National Institute of Standards and Technology (NIST) to develop standards and guidelines, including minimum-security requirements, for the use of IoT devices by Federal agencies. The bill also directs the Office of Management and Budget (OMB), in consultation with the Department of Homeland Security (DHS), to issue the necessary policies and principles to implement the NIST standards and guidelines on IoT security and management.
Additionally, the bill requires NIST, in consultation with cybersecurity researchers and industry experts, to publish guidelines for the reporting, coordinating, publishing, and receiving of information about Federal agencies’ security vulnerabilities and the coordinated resolution of the reported vulnerabilities. OMB will provide the policies and principles and DHS will develop and issue the procedures necessary to implement NIST’s guidelines on coordinated vulnerability disclosure for Federal agencies. The bill includes a provision allowing Federal agency heads to waive the IoT use and management requirements issued by OMB for national security, functionality, alternative means, or economic reasons.
CBO Cost Estimate: Using information from NIST, CBO estimates that implementing the bill would cost $35 million over the 2019-2024 period, assuming appropriation of the necessary amounts.
In 2020, CBO estimates that NIST and OMB would spend a total of $11 million to develop the IoT guidelines and standards. Of that amount, CBO estimates that NIST would spend a little more than $3 million to hire 11 employees and that OMB would spend about $350,000 to hire 2 employees. Those newly hired NIST staff would develop the new federal guidelines and provide technical assistance to federal agencies. In addition, CBO estimates that NIST would spend a little more than $3 million to hire contractors and convene workshops to assist with guideline development. Finally, CBO estimates that NIST would spend around $4 million to update its National Vulnerability Database (NVD) to account for the vulnerability of IoT data.
After 2020, CBO estimates that NIST and OMB would spend approximately $6 million annually to update the IoT guidelines and standards, report to Congress, and further update the NVD.
For more information, contact:
Deep Water Point Legislative Affairs Lead