134 STAT. 1001
PUBLIC LAW 116–207—DEC. 4, 2020
Public Law 116–207
116th Congress
An Act
To establish minimum security standards for Internet of Things devices owned
or controlled by the Federal Government, and for other purposes.
Be it enacted by the Senate and House of Representatives of
the United States of America in Congress assembled,
SECTION 1. SHORT TITLE.
This Act may be cited as the ‘‘Internet of Things Cybersecurity
Improvement Act of 2020’’ or the ‘‘IoT Cybersecurity Improvement
Act of 2020’’.
SEC. 2. SENSE OF CONGRESS.
It is the sense of Congress that—
(1) ensuring the highest level of cybersecurity at agencies
in the executive branch is the responsibility of the President,
followed by the Director of the Office of Management and
Budget, the Secretary of Homeland Security, and the head
of each such agency;
(2) this responsibility is to be carried out by working
collaboratively within and among agencies in the executive
branch, industry, and academia;
(3) the strength of the cybersecurity of the Federal Government and the positive benefits of digital technology transformation depend on proactively addressing cybersecurity throughout the acquisition and operation of Internet of Things devices by the Federal Government; and
(4) consistent with the second draft National Institute for Standards and Technology Interagency or Internal Report 8259 titled ‘‘Recommendations for IoT Device Manufacturers: Foundational Activities and Core Device Cybersecurity Capability Baseline’’, published in January 2020, Internet of Things devices are devices that—
(A) have at least one transducer (sensor or actuator)
for interacting directly with the physical world, have at
least one network interface, and are not conventional
Information Technology devices, such as smartphones and
laptops, for which the identification and implementation
of cybersecurity features is already well understood; and
(B) can function on their own and are not only able
to function when acting as a component of another device,
such as a processor.
SEC. 3. DEFINITIONS.
In this Act:
Dec. 4, 2020 [H.R. 1668]
(1) AGENCY.—The term ‘‘agency’’ has the meaning given
that term in section 3502 of title 44, United States Code.
(2) DIRECTOR OF OMB.—The term ‘‘Director of OMB’’ means
the Director of the Office of Management and Budget.
(3) DIRECTOR OF THE INSTITUTE.—The term ‘‘Director of
the Institute’’ means the Director of the National Institute
of Standards and Technology.
(4) INFORMATION SYSTEM.—The term ‘‘information system’’
has the meaning given that term in section 3502 of title 44,
United States Code.
(5) NATIONAL SECURITY SYSTEM.—The term ‘‘national security system’’ has the meaning given that term in section 3552(b)(6) of title 44, United States Code.
(6) OPERATIONAL TECHNOLOGY.—The term ‘‘operational technology’’ means hardware and software that detects or causes a change through the direct monitoring or control of physical devices, processes, and events in the enterprise.
(7) SECRETARY.—The term ‘‘Secretary’’ means the Secretary
of Homeland Security.
(8) SECURITY VULNERABILITY.—The term ‘‘security vulnerability’’ has the meaning given that term in section 102(17) of the Cybersecurity Information Sharing Act of 2015 (6 U.S.C. 1501(17)).
SEC. 4. SECURITY STANDARDS AND GUIDELINES FOR AGENCIES ON
USE AND MANAGEMENT OF INTERNET OF THINGS DEVICES.
(a) NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY DEVELOPMENT OF STANDARDS AND GUIDELINES FOR USE OF INTERNET OF THINGS DEVICES BY AGENCIES.—
(1) IN GENERAL.—Not later than 90 days after the date of the enactment of this Act, the Director of the Institute shall develop and publish under section 20 of the National Institute of Standards and Technology Act (15 U.S.C. 278g–3) standards and guidelines for the Federal Government on the appropriate use and management by agencies of Internet of Things devices owned or controlled by an agency and connected to information systems owned or controlled by an agency, including minimum information security requirements for managing cybersecurity risks associated with such devices.
(2) CONSISTENCY WITH ONGOING EFFORTS.—The Director of the Institute shall ensure that the standards and guidelines developed under paragraph (1) are consistent with the efforts of the National Institute of Standards and Technology in effect on the date of the enactment of this Act—
(A) regarding—
(i) examples of possible security vulnerabilities of
Internet of Things devices; and
(ii) considerations for managing the security
vulnerabilities of Internet of Things devices; and
(B) with respect to the following considerations for
Internet of Things devices:
(i) Secure Development.
(ii) Identity management.
(iii) Patching.
(iv) Configuration management.
(3) CONSIDERING RELEVANT STANDARDS.—In developing the
standards and guidelines under paragraph (1), the Director
of the Institute shall consider relevant standards, guidelines,
and best practices developed by the private sector, agencies,
and public-private partnerships.
(b) REVIEW OF AGENCY INFORMATION SECURITY POLICIES AND
PRINCIPLES.—
(1) REQUIREMENT.—Not later than 180 days after the date on which the Director of the Institute completes the development of the standards and guidelines required under subsection (a), the Director of OMB shall review agency information security policies and principles on the basis of the standards and guidelines published under subsection (a) pertaining to Internet of Things devices owned or controlled by agencies (excluding agency information security policies and principles pertaining to Internet of Things devices owned or controlled by agencies that are or comprise a national security system) for consistency with the standards and guidelines submitted under subsection (a) and issue such policies and principles as may be necessary to ensure those policies and principles are consistent with such standards and guidelines.
(2) REVIEW.—In reviewing agency information security policies and principles under paragraph (1) and issuing policies and principles under such paragraph, as may be necessary, the Director of OMB shall—
(A) consult with the Director of the Cybersecurity and Infrastructure Security Agency of the Department of Homeland Security; and
(B) ensure such policies and principles are consistent with the information security requirements under subchapter II of chapter 35 of title 44, United States Code.
(3) NATIONAL SECURITY SYSTEMS.—Any policy or principle
issued by the Director of OMB under paragraph (1) shall not
apply to national security systems.
(c) QUINQUENNIAL REVIEW AND REVISION.—
(1) REVIEW AND REVISION OF NIST STANDARDS AND GUIDELINES.—Not later than 5 years after the date on which the Director of the Institute publishes the standards and guidelines under subsection (a), and not less frequently than once every 5 years thereafter, the Director of the Institute shall—
(A) review such standards and guidelines; and
(B) revise such standards and guidelines as appropriate.
(2) UPDATED OMB POLICIES AND PRINCIPLES FOR AGENCIES.—Not later than 180 days after the Director of the Institute makes a revision pursuant to paragraph (1), the Director of OMB, in consultation with the Director of the Cybersecurity and Infrastructure Security Agency of the Department of Homeland Security, shall update any policy or principle issued under subsection (b)(1) as necessary to ensure those policies and principles are consistent with the review and any revision under paragraph (1) under this subsection and paragraphs (2) and (3) of subsection (b).
(d) REVISION OF FEDERAL ACQUISITION REGULATION.—The Federal Acquisition Regulation shall be revised as necessary to implement any standards and guidelines promulgated in this section.
SEC. 5. GUIDELINES ON THE DISCLOSURE PROCESS FOR SECURITY
VULNERABILITIES RELATING TO INFORMATION SYSTEMS,
INCLUDING INTERNET OF THINGS DEVICES.
(a) IN GENERAL.—Not later than 180 days after the date of the enactment of this Act, the Director of the Institute, in consultation with such cybersecurity researchers and private sector industry experts as the Director considers appropriate, and in consultation with the Secretary, shall develop and publish under section 20 of the National Institute of Standards and Technology Act (15 U.S.C. 278g–3) guidelines—
(1) for the reporting, coordinating, publishing, and receiving
of information about—
(A) a security vulnerability relating to information systems owned or controlled by an agency (including Internet of Things devices owned or controlled by an agency); and
(B) the resolution of such security vulnerability; and
(2) for a contractor providing to an agency an information system (including an Internet of Things device) and any subcontractor thereof at any tier providing such information system to such contractor, on—
(A) receiving information about a potential security
vulnerability relating to the information system; and
(B) disseminating information about the resolution of
a security vulnerability relating to the information system.
(b) ELEMENTS.—The guidelines published under subsection (a)
shall—
(1) to the maximum extent practicable, be aligned with
industry best practices and Standards 29147 and 30111 of
the International Standards Organization (or any successor
standard) or any other appropriate, relevant, and widely-used
standard;
(2) incorporate guidelines on—
(A) receiving information about a potential security
vulnerability relating to an information system owned or
controlled by an agency (including an Internet of Things
device); and
(B) disseminating information about the resolution of
a security vulnerability relating to an information system
owned or controlled by an agency (including an Internet
of Things device); and
(3) be consistent with the policies and procedures produced
under section 2009(m) of the Homeland Security Act of 2002
(6 U.S.C. 659(m)).
(c) INFORMATION ITEMS.—The guidelines published under subsection (a) shall include example content, on the information items that should be reported, coordinated, published, or received pursuant to this section by a contractor, or any subcontractor thereof at any tier, providing an information system (including Internet of Things device) to the Federal Government.
(d) OVERSIGHT.—The Director of OMB shall oversee the
implementation of the guidelines published under subsection (a).
(e) OPERATIONAL AND TECHNICAL ASSISTANCE.—The Secretary,
in consultation with the Director of OMB, shall administer the
implementation of the guidelines published under subsection (a)
and provide operational and technical assistance in implementing
such guidelines.
SEC. 6. IMPLEMENTATION OF COORDINATED DISCLOSURE OF SECURITY VULNERABILITIES RELATING TO AGENCY INFORMATION SYSTEMS, INCLUDING INTERNET OF THINGS DEVICES.
(a) AGENCY GUIDELINES REQUIRED.—Not later than 2 years
after the date of the enactment of this Act, the Director of OMB,
in consultation with the Secretary, shall develop and oversee the
implementation of policies, principles, standards, or guidelines as
may be necessary to address security vulnerabilities of information
systems (including Internet of Things devices).
(b) OPERATIONAL AND TECHNICAL ASSISTANCE.—Consistent with
section 3553(b) of title 44, United States Code, the Secretary, in
consultation with the Director of OMB, shall provide operational
and technical assistance to agencies on reporting, coordinating,
publishing, and receiving information about security vulnerabilities
of information systems (including Internet of Things devices).
(c) CONSISTENCY WITH GUIDELINES FROM NATIONAL INSTITUTE
OF STANDARDS AND TECHNOLOGY.—The Secretary shall ensure that
the assistance provided under subsection (b) is consistent with
applicable standards and publications developed by the Director
of the Institute.
(d) REVISION OF FEDERAL ACQUISITION REGULATION.—The Federal Acquisition Regulation shall be revised as necessary to implement the provisions under this section.
SEC. 7. CONTRACTOR COMPLIANCE WITH COORDINATED DISCLOSURE
OF SECURITY VULNERABILITIES RELATING TO AGENCY
INTERNET OF THINGS DEVICES.
(a) PROHIBITION ON PROCUREMENT AND USE.—
(1) IN GENERAL.—The head of an agency is prohibited from
procuring or obtaining, renewing a contract to procure or obtain,
or using an Internet of Things device, if the Chief Information
Officer of that agency determines during a review required
by section 11319(b)(1)(C) of title 40, United States Code, of
a contract for such device that the use of such device prevents
compliance with the standards and guidelines developed under
section 4 or the guidelines published under section 5 with
respect to such device.
(2) SIMPLIFIED ACQUISITION THRESHOLD.—Notwithstanding
section 1905 of title 41, United States Code, the requirements
under paragraph (1) shall apply to a contract or subcontract
in amounts not greater than the simplified acquisition
threshold.
(b) WAIVER.—
(1) AUTHORITY.—The head of an agency may waive the
prohibition under subsection (a)(1) with respect to an Internet
of Things device if the Chief Information Officer of that agency
determines that—
(A) the waiver is necessary in the interest of national
security;
(B) procuring, obtaining, or using such device is necessary for research purposes; or
(C) such device is secured using alternative and effective methods appropriate to the function of such device.
(2) AGENCY PROCESS.—The Director of OMB shall establish
a standardized process for the Chief Information Officer of
each agency to follow in determining whether the waiver un