On August 1, 2017, the U.S. Government took a significant "lead by example" step forward in the battle for Internet of Things (IoT) security. Chief among the commitments that vendors must make to the U.S. Government: that their IoT devices are patchable, that the devices don't contain known vulnerabilities, and that the devices don't contain hard-coded passwords.
While ‘Internet of Things’ (IoT) devices and the data they transmit present enormous benefits to consumers, the relative insecurity of many devices presents enormous challenges.
Thus far, there has been a significant market failure in the security of these devices.
Sometimes shipped with factory-set, hard-coded passwords and oftentimes unable to be updated or patched, IoT devices can represent a weak point in a network's security, leaving the rest of the network vulnerable to attack. Additionally, the sheer number of IoT devices – expected to exceed 20 billion devices by 2020 – has enabled bad actors to launch devastating Distributed Denial of Service (DDoS) attacks. This legislation is aimed at addressing the market failure by establishing minimum security requirements for federal procurements of connected devices. The legislation requires vendor commitments:
- That their IoT devices are patchable.
- That the devices don't contain known vulnerabilities.
  - If a vendor identifies vulnerabilities, it must disclose them to an agency, with an explanation of why the device can be considered secure notwithstanding the vulnerability and a description of any compensating controls employed to limit the exploitability and impact of the vulnerability.
  - Based on this information, an agency CIO could issue a waiver to purchase the device.
- That the devices rely on standard protocols.
  - Outside experts emphasize the importance of having the vendor disclose which network protocols are in use, for instance to assist the Department of Homeland Security's (DHS) Einstein program.
- That the devices don't contain hard-coded passwords.
Recognizing that it may be infeasible for certain devices to meet those requirements, and in consideration of network-based technologies that can help manage risks from insecure devices:
- Agencies may ask the Office of Management and Budget (OMB) for permission to purchase non-compliant devices if they can demonstrate that certain compensating controls have been employed.
- The legislation empowers OMB, working with the National Institute of Standards and Technology (NIST) and industry, to specify particular measures (such as network segmentation, use of gateways, utilization of operating system containers and microservices) for agencies to employ.
While the legislation establishes modest new device security requirements, it offers flexibility to agencies to waive these requirements in the event that:
- Agencies employ their own equivalent, or more rigorous, device security requirements; or
- Industry develops third-party device certification standards that provide equivalent, or more rigorous, device security requirements (as determined by NIST).
The legislation directs the DHS National Protection and Programs Directorate (NPPD) to:
- Work with industry to develop coordinated disclosure guidelines for vendors selling IoT to the US government, which vendors would then adopt, allowing researchers to uncover vulnerabilities in those products and responsibly share them with the vendor, without fear of liability under the Digital Millennium Copyright Act (DMCA) or Computer Fraud and Abuse Act (CFAA).
  - Vulnerabilities found and reported to vendors must be patched (or devices must be replaced) in a timely manner.
The legislation requires that agencies maintain an inventory of IoT devices in use.
- Requires OMB to submit a report to Congress after 5 years on the effectiveness of the guidelines and any recommendations for updates.
The legislation allows OMB to waive, in whole or in part, any of the requirements after 5 years.