The White House is calling on Federal agencies to prioritize creating internet of things (IoT) asset inventories by the end of fiscal year (FY) 2024 as a way to better gauge cybersecurity risks.
According to a memo released by Office of Management and Budget (OMB) Director Shalanda Young on Dec. 4, agency chief information officers (CIO) will establish an enterprise-wide inventory of their agency’s covered IoT assets “to enhance the U.S. Government’s overall cybersecurity posture and to help ensure integrity of systems.”
OMB issued the new requirements in its memorandum that provides agencies with FY 2024 reporting guidance and deadlines in accordance with the Federal Information Security Modernization Act of 2014 (FISMA).
“Agencies must have a clear understanding of the devices connected within their information systems to gauge cybersecurity risk to their missions and operations,” the memo reads. “This includes the interconnected devices that interact with the physical world — from building maintenance systems, to environmental sensors, to specialized equipment in hospitals and laboratories.”
“To that end, maturing Federal cybersecurity practices for internet of things (IoT) devices is critical in today’s increasingly automated world. The prevalence and wide range of IoT devices used by Federal agencies provide new and more complex vectors for cyber threats,” the memo continues. “Strengthening the cybersecurity posture of IoT devices within the Federal enterprise requires that we ensure foundational cyber protection measures are in place for all such devices connected to Federal systems.”
The 2020 IoT Cybersecurity Improvement Act required the National Institute of Standards and Technology (NIST) to set up guidelines and standards for IoT devices and for OMB to review agency policies to ensure they’re aligned with NIST standards.
“An inventory enables agency CIOs and CISOs to gain visibility over their connected devices and systems, apply appropriate controls (such as those set out in NIST SP 800-82 and NIST SP 800-213), and make risk-based decisions about mitigating against cybersecurity threats,” the memo reads. “Additionally, an inventory enables agencies to more efficiently identify and mitigate vulnerabilities to ensure a more secure and resilient infrastructure. Inventorying is also a necessary prerequisite to establishing a baseline to enable monitoring and detecting unauthorized, abnormal, or potentially malicious activities.”
In the memo, OMB defines what types of IoT assets agencies need to inventory — many of which might be considered operational technology — and what information that inventory needs to include, such as vendor manufacturers and how the device is aligned with NIST requirements.
Within four months of the issuance of this memo, OMB said the CISO Council will establish a working group to provide agencies with specialized IoT and OT security best practice playbooks for various sectors used within the Federal Government – including building management systems, industrial control systems, health and medical devices and systems, scientific laboratories, aerospace systems, and more.
The working group will consist of representatives from agencies with significant IoT and OT inventories and include owners and operators as active participants, OMB said.
