Draft Cybersecurity Legislation Would Impose Substantial New Obligations on Vendors Selling Interconnected Devices to the U.S. Government

On Tuesday, August 1, 2017, a bipartisan group of four Senators from the Senate Cybersecurity Caucus introduced legislation designed to improve the cybersecurity of devices purchased by the U.S. government and – albeit indirectly – sold anywhere in the U.S. or the world.

The legislation – the “Internet of Things (IoT) Cybersecurity Improvement Act of 2017” – would require government contracts for the purchase of Internet-connected devices to include clauses that impose significant new cybersecurity obligations on suppliers.

Among other provisions, suppliers would be required to certify that their devices:

• (a) do not contain any known security vulnerabilities or defects;
• (b) can be patched;
• (c) use industry-standard protocols for communications and encryption; and
• (d) do not include any hard-coded credentials for receiving updates.

Suppliers would be obliged to notify the government of any later-discovered security vulnerabilities, and to either update/patch or replace devices that are found to have such vulnerabilities. Waivers on a case-by-case basis would be permitted for “devices with severely limited functionality” if it is uneconomical to require compliance with the requirements of the bill.

Read the full analysis here.