The Office of Management and Budget is stepping up its oversight of Internet of Things usage throughout the federal government, calling on agencies to deliver an inventory of their “covered IoT assets” by the end of fiscal year 2024.
In its FY2024 Federal Information Security and Privacy Management Requirements guidance, released Monday, OMB noted that the ubiquity and breadth of agency-used IoT devices underscore the federal government’s vulnerabilities to “new and more complex” cyber threats, a fact that necessitates the “strengthening of cybersecurity posture” of such devices.
“Agencies must have a clear understanding of the devices connected within their information systems to gauge cybersecurity risk to their missions and operations,” the guidance states. “This includes the interconnected devices that interact with the physical world — from building maintenance systems, to environmental sensors, to specialized equipment in hospitals and laboratories.”
The guidance — which defines “covered IoT assets” as devices embedded with “programmable controllers, integrated circuits, sensors, and other technologies for the purpose of collecting and exchanging data with other devices and/or systems over a network in order to facilitate enhanced connectivity, automation, and data-driven insights across devices and systems” — comes on the heels of the Internet of Things Cybersecurity Improvement Act of 2020.
The IoT Act required the National Institute of Standards and Technology to issue IoT-related guidelines and standards, while also calling on the OMB director to review agency security policies and principles regarding the technology to ensure compliance.
OMB said it has “actively engaged with agencies over the past two years to learn about the diversity of IoT devices prevalent throughout the federal government,” setting the stage for the fresh instructions.
In addition to the IoT inventory deadline facing agencies, the guidance mandates that the Chief Information Security Officer Council stand up, within four months, a working group charged with creating IoT and operational technology playbooks that include sector-specific best practices. Those playbooks would then be distributed to agencies.
“These efforts should leverage existing cybersecurity regimes and industry practices wherever feasible,” the guidance states, “so that IoT technology is appropriately integrated into the security frameworks and programs governing other forms of information technology.”