The Internet of Things (IoT) Cybersecurity Improvement Act of 2017, sponsored by U.S. Senators Cory Gardner (R-CO) and Mark R. Warner (D-VA), co-chairs of the Senate Cybersecurity Caucus, and Sens. Ron Wyden (D-WA) and Steve Daines (R-MT), would require government agencies deploying an IoT solution to ensure that devices are patchable, make use of industry-standard protocols, do not use hard-coded passwords, and do not contain any known security vulnerabilities. Government agencies would also be required to create an inventory of all IoT devices employed by an agency.
The proposed legislation also directs the Department of Homeland Security’s National Protection and Programs Directorate to issue guidelines regarding cyber-security coordinated vulnerability disclosure policies that would be applied to government contractors, while at the same time tasking the Office of Management and Budget (OMB) to develop alternative network-level security requirements for devices with limited data processing and software functionality. Finally, the act also proposes to exempt cyber-security researchers engaging in good-faith research from liability under the Computer Fraud and Abuse Act and the Digital Millennium Copyright Act when engaged in research that complies with vulnerability disclosure guidelines stipulated in the legislation.
Because so many organizations do business with the Federal Government, the hope is that this legislation will create a new minimum threshold for IoT security that will wind up being adopted within private industry as well. It could also create a baseline that courts would employ to determine liability in cases where they would need to determine whether a minimum level of IoT security was put in place.