Sunday, May 26, 2024

OMB Reports Few Agencies Meet IoT Security Standards


Early last year, the White House office ran a sweeping assessment of agency IoT device security policies and found that most still needed to align with NIST guidance, according to a letter sent to Sen. Mark Warner, D-Va.

Most agencies did not have policies in place to address a swath of federally mandated cybersecurity requirements for procured Internet of Things devices at the beginning of last year, according to a previously unreported Office of Management and Budget letter sent to Congress last month and obtained by Nextgov/FCW.

The Dec. 15 missive from OMB Associate Legislative Affairs Director Wintta Woldemariam was addressed to Senate Intelligence Committee Chair Mark Warner, D-Va., in response to his September request that OMB provide an update on how the federal oversight agency was implementing requirements in his 2020 Internet of Things Cybersecurity Improvement Act. 

That legislation, which was designed to leverage the federal government’s purchasing power to influence security standards in the IoT ecosystem, directed OMB to review agency policies on obtaining IoT devices to ensure they were aligned with National Institute of Standards and Technology IoT cybersecurity guidelines.

“Beginning in early 2023, OMB assessed agency policies for consistency with NIST’s standards and guidelines by conducting a time- and labor-intensive series of meetings with a diverse set of agencies to better understand how they are deploying, managing, and securing IoT assets,” Woldemariam wrote. “Based on those engagements, OMB concluded that relatively few formal agency policies address the selection of cybersecurity requirements specifically for IoT devices,” the letter added.

The letter did not provide an exact number of assessed agencies. Nextgov/FCW has reached out to OMB for comment.

The letter later adds that four computer systems across the entire federal enterprise overseen by OMB had IoT devices that did not comply with NIST guidelines but were granted exceptions via a waiver provision that allows such devices to be obtained for national security or research purposes, or if the devices are secured by alternative means. The letter notes that those four systems accounted for under 2% of the total number of systems with IoT devices that agencies reported to OMB, and that no agency possessed more than one system with a waiver.

OMB anticipates that recently updated Federal Information Security and Privacy Management guidance — required under the Federal Information Security Modernization Act of 2014 — will help lay the groundwork for improved federal IoT security policy. The Chief Information Security Officers’ Council will also work with agencies on IoT best practices.

Regarding IoT devices, the guidance, released in early December, directs agencies to maintain an inventory of their IoT assets, meaning devices containing programmable controllers, sensors, integrated circuits, and other components that allow data collection and transmission.

“I’m encouraged by the progress that OMB has made in recent months, especially in completing the assessment of agency policies and defining a series of firm deadlines for crucial steps towards full implementation,” Warner said in remarks provided to Nextgov/FCW.

The Federal Communications Commission is taking the lead on a Cyber Trust Mark program that would provide consumers with information about internet-connected devices’ security. OMB, which serves as a key player in label development, argued in the letter that such a program would simplify government IoT procurement and reduce technology security risks within the government.

The release of the OMB letter follows news that the General Services Administration used “egregiously flawed” market research in its decision to purchase 150 Chinese-made video conferencing cameras that did not comply with U.S. trade standards, the agency’s oversight office said in an analysis released last week.
