The Congressional Budget Office (CBO) said in a Sept. 13 report that implementing the Internet of Things (IoT) Cybersecurity Improvement Act of 2019 will cost $35 million over the 2019-2024 period, and an additional $11 million in 2020 to develop the IoT guidelines and standards mandated in the legislation.
The bill would require the National Institute of Standards and Technology (NIST) to develop recommended standards for IoT devices, and would task the Office of Management and Budget (OMB) with issuing guidance to agencies that aligns with NIST’s requirements. It also would require NIST to offer guidance on vulnerability disclosure, and report on IoT cybersecurity threats.
OMB would be required to issue an annual report to Congress from 2020 through 2025 on the “effectiveness of the standards and on the types and number of excluded devices.”
“Using information from NIST, CBO estimates that implementing the bill would cost $35 million over the 2019-2024 period, assuming appropriation of the necessary amounts,” the report said. “The costs of the legislation fall within budget function 370.”
Regarding the $11 million needed in 2020 for NIST and OMB to develop the IoT guidelines, CBO estimated that NIST would spend slightly more than $3 million to hire 11 new employees and OMB would spend roughly $350,000 to hire two more employees. Additionally, NIST would spend an estimated $3 million to hire contractors and convene workshops to assist with guideline development. CBO also reported NIST would spend $4 million to update its National Vulnerability Database (NVD) to account for the vulnerability of IoT data.
Post-2020, CBO said that NIST and OMB would spend an additional $6 million annually to update the IoT guidelines and standards, report to Congress, and further update the NVD.