Senate Intelligence Committee Chairman Mark Warner, D-Va., is calling on the White House’s Office of Management and Budget (OMB) to review all Federal agencies’ cybersecurity policies for internet of things (IoT) devices to ensure they meet National Institute of Standards and Technology (NIST) guidelines, as required by law.
OMB is required to review these policies under the Internet of Things Cybersecurity Improvement Act, which was signed into law in December 2020.
While NIST has met its own statutory obligation under the law – publishing the IoT Device Cybersecurity Guidance for the Federal Government in November 2021 – OMB has yet to meet its own.
In a Sept. 26 letter to OMB director Shalanda Young, Sen. Warner – a sponsor of the original IoT cybersecurity bill – said OMB was supposed to complete the agency reviews within 180 days of NIST’s publication.
“I acknowledge that the law has far-reaching impacts across the Federal government, which may require extensive interagency coordination, but I believe that IoT cybersecurity is of critical importance to our national security,” Sen. Warner wrote. “The security of the Federal government’s IoT devices is a priority the administration and I share,” as outlined in President Biden’s cybersecurity executive order (EO) issued in 2021.
“Despite the requirements under this law and the aforementioned EO, I am disappointed to see that OMB has not yet fulfilled its obligation to ensure that IoT devices procured by the Federal government meet the NIST guidance,” he said, adding, “I am concerned by the pace that OMB has taken to meet its statutory obligations under Federal law.”
The senator wants answers to a number of questions within 60 days, including where OMB is in its review of agency information security policies and principles.
Sen. Warner also wants to know what policies and principles OMB has issued so far to ensure agency policies and principles are consistent with the NIST standards and guidelines, and ensure they address security vulnerabilities of information systems.
Additionally, he’s asking which agencies have already aligned policies with NIST guidelines, and which have yet to do so. And finally, the senator asked whether OMB is tracking “the volume of waivers that agencies are granting” and if it can provide his office with a summary of these numbers.
“I applaud OMB’s continued efforts to improve Federal government cybersecurity, and look forward to continued engagement as you make progress with implementation of the IoT Cybersecurity Improvement Act of 2020,” he concluded.