A bipartisan bill to encourage IoT security in equipment for federal use is back for legislative approval. In its revised form, it now gives NIST a role in establishing security benchmarks for future procurement and in drawing up a vulnerability disclosure regime for all technology in federal use.

The bill specifies that, at a minimum, the Director of NIST should consider “Secure development, Identity management, Patching and Configuration management” for benchmarking purposes.

There are two promising aspects of the bill: firstly, NIST is already heavily involved in creating guidelines for IoT security; and secondly, the US government is a huge user of technology sourced from diverse manufacturers, many of them global market leaders — who would scramble to clear any new hurdles, perhaps generating industry-wide momentum that would ultimately benefit everyday consumers.

Though NIST currently has nothing on disclosure regimes, it would be perfectly placed to crowdsource input for a solution that appeals to federal agencies and their vendors and contractors. In a time of spiraling security vulnerabilities, it would be highly useful to have a coordinated reporting system that feeds efficient processes for minimizing threats to security, privacy or safety.

The original 2017 bill was intended to provide “minimal cybersecurity operational standards” and this version takes a significant step forward.