Wednesday, September 1, 2021

Why the IoT Cybersecurity Improvement Act will probably fade away


My last two posts have discussed the two mandatory cybersecurity “regulations” – the IoT Cybersecurity Improvement Act of 2020 and the IoT device “labeling” requirement in the May 12 Executive Order - that were promulgated within about six months of each other (under two very different presidents) recently. At first, it might seem that these couldn’t be more different. Here are some of the differences:

1.      The Act is a law, approved by both houses of Congress and by the president. The EO is simply an order that can’t in itself override a law and could be overridden by another law, if Congress were inclined to pass one.

2.      The Act focuses entirely on IoT devices, while the EO is a sprawling attempt to improve cybersecurity in the federal government, on many different fronts.

3.      The Act focuses entirely on federal agencies, requiring them to incorporate cybersecurity concerns into their procurement terms and conditions for IoT devices. Of course, there’s no doubt that the intention of the Act was to have the Feds set a standard for private industry, but there’s not a word in the Act itself about that. On the other hand, the device labeling provision in the EO, while also aiming directly at procurement by federal agencies, repeatedly speaks of “education” and “consumers”. For example, paragraph (s) of section 4 includes the phrase “educate the public on the security capabilities of Internet-of-Things (IoT) devices and software development practices”. And paragraph (t) says that the labeling program should be “compatible with existing labeling schemes that manufacturers use to inform consumers about the security of their products” (you can read both paragraphs in full in my previous post).

4.      The Act seems to be a variation on a fairly familiar theme: require federal contractors to be assessed against a new standard that would be developed by NIST (and has been. More on that in a moment). On the other hand, just the name “device labeling” was a signal that this is a very different type of cybersecurity regulation than has been seen previously in the US – although it has been used to a limited degree in Europe and Southeast Asia.

I had also considered these to be two very different regulations. However, when I recently sat down to look at them carefully, I began to see more similarities than differences. In fact, I’ve decided the two are so similar that I really doubt they’ll both be enforced. Since I see all of the momentum as being behind the EO, and since I haven’t seen any signs at all that anybody’s even preparing to enforce the Act (OMB is in charge of enforcing both regulations, since they’re the regulator/whip-wielder for federal agencies), I don’t think it will be long before the Act either officially or unofficially sleeps with the fishes.

So why do I think the Act and the device labeling requirement are so similar? Two things:

1.      The “meat” behind both the Act and the EO is requiring federal agencies to require contractors to be assessed based on a standard (or framework) to be developed by NIST. Even though the mechanism for this assessment is called a “device label” in the EO, if you dig into it and look into how the “requirements” for the “label” will be developed, they’ll be specified by NIST, just as the framework for the assessments under the Act will be specified by NIST. Since the subject of both the label and the framework is overall cybersecurity of IoT devices and they’re both developed by the same agency, does anyone doubt that they’ll be substantially the same?

2.      But if you do doubt this, you should put that aside now. Another thing I realized as I was studying the two “requirements” was that the framework behind both of them will be the same: NISTIR 8259D. Folks, when you’re talking about two different regulations, they can’t be any more similar than if they’re both based on exactly the same set of “requirements”.[i]

Maybe you now see why I came to believe that both the EO and the Act can’t stand. They require the same organizations (federal agencies) to take the same actions (require suppliers of IoT devices to be assessed for cybersecurity), with respect to the exact same subject matter (NISTIR 8259D). One often hears about redundancy in federal programs (I’ve sometimes mentioned the Department of Redundancy Department), but believe it or not, there are people who do watch for these things and flag them.

So why do I think the Act will fade away? Mainly because I haven’t heard anything about it being enforced, even though it gave OMB a six-month deadline to start the process (which would have probably passed in July, if not June). On the other hand, there’s been a lot of activity on the IoT device labeling requirement. NIST has scheduled a two-day conference (virtual, natch) for September on this and the other device labeling requirement, found in Section 4 paragraph (u) of the EO, on secure development practices for consumer software.

And just as in the case of SBOMs, NIST – this time in conjunction with the Chair of the FTC as well as representatives of other agencies – must make final decisions on the program by early February, 270 days after the date of the EO. Since a lot more decisions are due then, that will be a busy time around NIST. They might not be able to celebrate Groundhog Day next year.

Any opinions expressed in this blog post are strictly mine and are not necessarily shared by any of the clients of Tom Alrich LLC. Nor are they shared by the National Technology and Information Administration’s Software Component Transparency Initiative, for which I volunteer as co-leader of the Energy SBOM Proof of Concept. If you would like to comment on what you have read here, I would love to hear from you. Please email me at tom@tomalrich.com.


[i] BTW, I think that NISTIR 8259D is quite good. I hope to discuss it in more depth one of these months.

No comments:

Post a Comment