Congress Passes IoT Bill, Last Hurdle to Becoming Law

by Chris Brook on Wednesday November 18, 2020

The bill, which would establish cybersecurity guidelines for IoT devices purchased by the U.S. government, is on track to become law.

In a move that would have been nearly unthinkable even five years ago, Congress has passed a bipartisan bill on the security of Internet of Things (IoT) devices.

While it's difficult to predict the machinations behind anything that happens in Washington these days, the bill - the Internet of Things Cybersecurity Improvement Act - certainly seems poised to be signed into law imminently.

In its infancy, IoT technology revolved around advances in wireless networking technology like sensors, RFID and smartphone standards like NFC. These days, with the advent of Nest cameras, Ring doorbells, Sonos speakers, Alexa, Siri, and even Cortana, IoT has become an afterthought for many.

The problem, as politicians and experts alike have pointed out over the years, is that the devices that run this technology haven't faced any sort of accountability.

Despite being bipartisan and uncontroversial - it will require federal government procurement of IoT devices to conform to basic security requirements - the bill has faced an uphill road.

A 2017 bill, the Internet of Things (IoT) Cybersecurity Improvement Act of 2017, introduced by Sen. Cory Gardner (R-Colo.), co-chair of the Senate Cybersecurity Caucus, and Sen. Mark Warner (D-Va.), failed to gain traction. Another bill, this one called the Internet of Things (IoT) Cybersecurity Improvement Act of 2019, was reintroduced last March by Gardner with Warner and in the House by Reps. Robin Kelly (D-Ill.) and Will Hurd (R-Texas). It was advanced by the House Committee on Oversight and Reform last summer, showing it had promise.

The latest iteration, now known as the IoT Cybersecurity Improvement Act of 2020, was passed by the Senate unanimously, without any amendments, on Tuesday; it passed the House in September. From here, it heads to the President's desk to be signed into law.

Warner, who introduced the bill last year, was enthusiastic about its passing Congress.

“While more and more products and even household appliances today have software functionality and internet connectivity, too few incorporate even basic safeguards and protections, posing a real risk to individual and national security,” said Sen. Warner. “I’m proud that Congress was able to come together today to pass this legislation, which will harness the purchasing power of the federal government and incentivize companies to finally secure the devices they create and sell. I urge the President to sign this bill into law without delay,” Warner said Tuesday.

If signed into law, the bill would:

  • Require the National Institute of Standards and Technology (NIST) to issue recommendations addressing, at a minimum, secure development, identity management, patching, and configuration management for IoT devices.
  • Direct the Office of Management and Budget (OMB) to issue guidelines for each agency that are consistent with the NIST recommendations, including making any necessary revisions to the Federal Acquisition Regulation to implement new security standards and guidelines.
  • Require any IoT devices purchased by the federal government to comply with those recommendations.
  • Direct NIST to work with cybersecurity researchers, industry experts, and the Department of Homeland Security (DHS) to publish guidelines on vulnerability disclosure and remediation for federal information systems.
  • Require contractors and vendors providing information systems to the U.S. government to adopt coordinated vulnerability disclosure policies, so that if a vulnerability is uncovered, it can be effectively shared with a vendor for remediation.
