Several agencies haven’t met IoT cybersecurity requirements, GAO says

The watchdog says the agencies that haven’t inventoried their usage of Internet of Things devices are not “effectively positioned to assess risks.”
A handful of federal agencies missed deadlines to complete Internet of Things cybersecurity requirements called out in a 2020 law, a new congressional watchdog report found.

The IoT Cybersecurity Improvement Act of 2020 required the National Institute of Standards and Technology and the Office of Management and Budget to develop guidance for securely procuring IoT — networked technology and devices typically connected to physical objects like buildings, vehicles and other infrastructure. The law also required 23 civilian federal agencies to implement IoT cybersecurity requirements, though a waiver process was to be established by OMB.

According to the Government Accountability Office, three agencies said they wouldn’t be able to finish their IoT inventories by Sept. 30, six did not share their time frames for doing so, and one — the Small Business Administration — said it does not use any IoT and therefore would not be compiling an inventory.

“Until OMB and agencies ensure that agencies are meeting OMB’s requirements, the agencies will not be effectively positioned to assess risks so that they can impose appropriate security requirements and take other mitigating actions,” the GAO wrote.

IoT technologies are used by federal agencies for myriad purposes, the GAO noted, including to control access to devices or facilities and to monitor systems and equipment. The frequency with which the technologies are used makes proper cybersecurity protocols all the more important — especially given the target on IoT’s metaphorical back.

The Department of Justice reported in 2022 that a Russian botnet had targeted a broad swath of IoT and operational technology devices, including routers, streaming devices, clocks and industrial control systems. Earlier this year, the Cybersecurity and Infrastructure Security Agency, the National Security Agency and the Federal Bureau of Investigation assessed that a China-sponsored cyber group had breached IT networks at various communications, energy, transportation and water organizations. 

“These technologies are subject to serious cyber threats that can have adverse impacts on organizational operations and assets, individuals, critical infrastructure, and the nation,” the GAO wrote. “As cyber threats grow increasingly sophisticated, the need to manage and bolster the cybersecurity of IoT and OT products and services is also magnified. These cyber threats can include purposeful attacks, environmental disruptions, and machine errors, and may result in harm to the national and economic security interests of the United States.”

So far, just three of the 23 civilian agencies have completed their IoT inventories: the State and Treasury departments and the Nuclear Regulatory Commission. Ten agencies said they were on track to finish their inventory work by the end of fiscal year 2024, while another three plan to meet their inventory requirements by FY25.

The GAO recommended that OMB should verify agency-reported IoT cybersecurity waivers. Six agencies were granted IoT waivers on some requirements, though subsequent outreach revealed that five of those agencies said they should not have reported waivers. Of those five, four corrected their waiver efforts and one removed its waiver. 

The watchdog also recommended that the following agencies should direct their respective chief information officers to meet their time frames for completing IoT inventories: the departments of Education, Health and Human Services, Veterans Affairs and Labor, the Office of Personnel Management, the Environmental Protection Agency, the General Services Administration, the Social Security Administration and NASA. The GAO also wants the HHS secretary to “direct the CIO to ensure that granted IoT waivers address OMB’s requirements.”
