US Government Mandates Vulnerability Disclosure for IoT

This year has seen a rapid acceleration in the American government’s efforts to secure federal and state cyber infrastructure. This momentum has continued with the unanimous passing of the Internet of Things Cybersecurity Improvement Act.

Like NIST SP 800-53, which was published earlier this year, the bill highlights the crucial role of vulnerability disclosure policies in building an effective cybersecurity strategy.

What are the implications for agencies and vendors working with the federal government? Here’s what you need to know.

NIST 800-53: Laying the Groundwork

Earlier this year, NIST published SP 800-53 Revision 5. Drawing on ISO 29147, the Revision underscores that hackers are uniquely equipped to identify security vulnerabilities that traditional tools and methods will miss -- and that organizations have every incentive to partner with external security researchers to secure their assets. As such, the Revision recommends that all organizations use a vulnerability disclosure policy (VDP) to “ensure that potential vulnerabilities in the system are identified and addressed as quickly as possible.”

This revision was accompanied by NIST SP 800-53B, the Control Baselines for Information Systems and Organizations, which helps organizations mitigate risk by mapping the best practices detailed in 800-53 to severity baselines. Crucially, SP 800-53B recommends that any entity that interfaces with the American government should have a VDP, regardless of that organization’s anticipated risk level.

The message is clear: for contractors looking to do business with the federal government, VDPs are no longer a nice-to-have. They’re an integral part of any security strategy.

Applying NIST Best Practices to IoT Devices

Federal, state, and local governments have demonstrated their willingness to apply NIST’s frameworks to secure their assets. To guide policymakers, NIST released Internal Report 8259, “Recommendations for IoT Device Manufacturers: Foundational Activities and Core Device Cybersecurity Capability Baseline”, in January 2020. The authors of the IoT Cybersecurity Improvement act leveraged this report to draft their bill.

The Internet of Things (IoT) Cybersecurity Improvement Act outlines minimum security requirements for all IoT devices purchased by the federal government. The bill mandates that contractors and subcontractors who develop and sell IoT devices to the government must screen their products for vulnerabilities. To continue to interface with the government, these actors must have a policy in place to report vulnerabilities and communicate their resolution.

To understand why the government is focusing on the IoT industry, it’s useful to look at the context in which this bill was introduced. The IoT industry has been a locus for widespread, high-speed innovation in recent years. Against this backdrop of continuous innovation and delivery, teams lack the time and resources to thoroughly screen for security vulnerability throughout the software development lifecycle. As a result, they end up shipping products that might contain critical vulnerabilities.

“Providing a channel for third parties to report vulnerabilities so they can be safely resolved is essential to internet and national security. This bill will help shift the responsibility for security back to the IoT manufacturer and away from the purchaser of the device who bears too much of that burden today. " - Alex Rice, CTO of HackerOne

Congress aims to mitigate these vulnerabilities -- which might pose national security threats -- through the introduction of this bill. In passing the IoT Cybersecurity Act, the federal government has highlighted the irreplaceability of crowdsourced security.

Beyond that, this bill has important implications for consumers, too. Many household products and appliances have software functionality and internet connectivity, yet few of them incorporate basic safeguards and protections against cyber attacks. With the passing of this bill, businesses face increased pressure to think about security when creating their products. Ultimately, it’s consumers who will benefit from this movement.

The Bottom Line

If your business sells IoT devices, and you want to do business with the federal government, then you must have a VDP. In more concrete terms, here’s how you’re impacted by the bill.

• NIST has 90 days to develop a standard for IoT vendors who intend to sell products or services to the American government.
• Once those standards are in place, federal agencies have 180 days to implement policies consistent with NIST’s guidelines.
• Vendors must create a process for receiving and resolving security vulnerabilities, as well as disseminating information about vulnerability reports.
• These processes must align with industry best practices and Standards ISO 29147 and ISO 30111 of the International Standards Organization.
• These processes must be consistent with the policies and procedures produced under section 2009(m) of the Homeland Security Act of 2002 (6 U.S.C. 659(m).
• The Director of OMB will oversee the implementation of these guidelines.

Quickly establishing a VDP that meets compliance requirements without disrupting your operations is a daunting prospect. But it doesn’t have to be. HackerOne has partnered with entities like the Department of Defense, the General Services Administration, and all branches of the Armed Forces to deliver safe, trusted, and efficient security.

The only FedRAMP-authorized organization in our space, HackerOne is prepared to answer your questions about vulnerability disclosure and help build your strategy. Learn more about how to craft a VDP, or chat with our federal experts today.