In Internet of Things Cybersecurity Improvement Act of 2020, the Office of Management and Budget (OMB) was directed to complete a review of agency policies pertaining to IoT devices.
The review would ensure consistency with the National Institute of Standards and Technology (NIST) cybersecurity guidelines, and OMB has yet to complete the review.
U.S. Sen. Mark R. Warner of Virginia, Chairman of the Senate Select Committee on Intelligence, wrote to Office of Management and Budget (OMB) Director Shalanda Young today. He calls on OMB to fulfill requirements and complete the review.
“I acknowledge that the law has far-reaching impacts across the federal government, which may require extensive interagency coordination, but I believe that IoT cybersecurity is of critical importance to our national security,” Warner wrote. “I am disappointed to see that OMB has not yet fulfilled its obligation to ensure that IoT devices procured by the Federal government meet the NIST guidance.”
Warner recognized the progress made by the agency to issue guidance, but voiced frustration over the lack of urgency to review agency policies.
“We were happy to see some forward progress — namely, the inclusion of information on the IoT Cybersecurity waiver process in OMB’s December, 2022 FISMA guidance — and we know that you intend to include additional guidelines in the upcoming Fall 2023 FISMA guidance. However, I am concerned by the pace that OMB has taken to meet its statutory obligations under federal law,” Warner wrote.
Warner’s letter posed a series of questions:
- Where is OMB in the review of agency information security policies and principles to ensure that they align with NIST guidelines?
- What policies and principles has OMB issued to date to:
- ensure agency policies and principles are consistent with the NIST standards and guidelines?
- address security vulnerabilities of information systems?
- Which agencies have aligned policies with NIST guidelines, and which have yet to do so?
- Is OMB tracking the volume of waivers that agencies are granting? Can you provide my office with a summary of these numbers?
Warner, a former technology entrepreneur, is co-Chair of Senate Cybersecurity Caucus and is a leader in the Senate on security issues related to the Internet of Things.