Data Protection Report - Norton Rose Fulbright

On August 1, 2017, Senators unveiled a bipartisan bill to mandate baseline cybersecurity requirements for internet connected devices purchased by the federal government. Recent attacks demonstrate that connected devices, which make up the Internet of Things (“IoT”), can paralyze websites, networks, and even components of critical infrastructure.

The draft bill, introduced by a bipartisan coalition of Senators, proposes implementation of basic security requirements for interconnected devices purchased by the federal government. Under the proposed law, federal suppliers would be required to monitor and patch cybersecurity vulnerabilities.

The bill would require that suppliers of internet connected devices to the federal government:

  • Provide written certification that the product does not contain any known security vulnerabilities.
  • Use software and components that can be updated and patched.
  • Refrain from using hard-coded credentials or passwords.
  • Notify the purchasing agency if any defects are discovered.
  • Update software or replace components that create vulnerabilities.
  • Repair new security vulnerabilities in a timely manner.
  • Continue to support the device or provide the purchasing agency notice when cybersecurity support ends.

Instead of complying with these contract requirements, suppliers will have the option to certify compliance with third party security standards. The National Institute of Standards and Technology (NIST), in coordination with other federal agencies, will have the authority to determine which certifications will be sufficient.

The bill also includes a limitation on liability for cybersecurity researchers engaged in research and acting in good faith.  The limitation applies to the the Computer Fraud and Abuse Act (CFAA) and Digital Millennium Copyright Act (DMCA).

Our Take

Recent events show that the IoT is an attractive vector for a cyberattack.  By mandating that suppliers meet basic security requirements, the federal government is pushing the market to take cybersecurity considerations into account as early as the product and system design phases. Further, by requiring post-sale monitoring of vulnerabilities, the government is requiring entities to monitor and enhance a device’s cybersecurity throughout its life-cycle. Given the federal government’s purchasing power, this bill could move the entire IoT market toward better cybersecurity practices.