On November 17th the US Senate passed the bipartisan Internet of Things (IoT) Cybersecurity Improvement Act by unanimous consent. The US House passed the bill on September 14th by voice vote. The bill now heads to the President’s desk where it is expected he will sign it.
The legislation as passed would:
• Require the National Institute of Standards and Technology (NIST) to issue standards and guidelines addressing, at a minimum, secure development, identity management, patching, and configuration management for IoT devices.
• Direct the Office of Management and Budget (OMB) to issue guidelines for each agency that are consistent with the NIST recommendations, and charge OMB with reviewing these policies at least every five years.
• Require any Internet-connected devices purchased by the federal government to comply with those recommendations.
• Direct NIST to work with cybersecurity researchers, industry experts, and the Department of Homeland Security (DHS) to publish guidance on coordinated vulnerability disclosure to ensure that vulnerabilities related to agency devices are addressed.
• Require contractors and vendors providing information systems to the U.S. government to adopt coordinated vulnerability disclosure policies, so that if a vulnerability is uncovered, that can be effectively shared with a vendor for remediation.
In summary, government agencies at the federal level are required to make sure all IoT device purchases and those deployed on government networks follow the NIST recommendations. These recommendations include developing security in the design phase. This “security by design” considers the design to retirement of the device. The bill goes beyond configuration, identity management, and regular updates and considers how the device is developed for better security in IoT products.
Currently, NIST has an interim document that describes a range of proposed minimum security attributes for IoT – including updates, identity and access management (IAM), vulnerability management, and secure defaults. It is expected that the interim recommendations will be a baseline for the requirements laid out in the bill.
These first steps are good for government agencies, manufacturers, and taxpayers. While the law only applies to purchases made by the federal government, by virtue of the government’s purchasing power, the security requirements will spill-over into commercial markets. However, the underlying concern of IoT buyers remain unchanged: How do manufacturers, purchasers, and end-users manage the expected exponential growth of IoT devices over the coming years?
Device Authority provided comments on NIST’s Trusted Internet of Things (IoT) Device Network-Layer Onboarding and Lifecycle Management – a part of the overall NIST IoT interim documents. Our recommendations to NIST included:
• Deploy purpose built IoT IAM (Identity and Access Management) platforms capable to deliver:
• Organizations should have policy-driven Automated Lifecycle Management for X.509 certificate provisioning, rotation and revocation.
• Standard protocols like EAP-TLS and m-TLS accelerate the interoperability between device manufacturers and IoT platforms/ applications in accordance with the new law.
Device Authority through its KeyScaler platform, provides the capability to meet and exceed the new law’s requirements on Identity and Access Management (IAM). Additionally, KeyScaler’s features allows our customers to manage these devices at scale in accordance with the expected NIST standards. KeyScaler provides device trust in the connected devices, trust in the data that are generated, and the data are accessible by authorized entities either people, machines or applications.
As we commented to NIST, Enterprise IoT security solutions need to implement the following functional generalized blocks: 1) Device Trust, 2) Data Trust, and 3) Operationalizing the Trust by automating and interfacing to the standards based, proven technologies.
The explosive growth of IoT with the requirement to provision and secure thousands – perhaps millions- of devices the process becomes unmanageable without automation. IoT demands an approach to identification that starts with individual devices – authenticated automatically and dynamically, with no manual intervention required. KeyScaler provides those capabilities, and we do it within the NIST framework.