Friday, January 17, 2025

GAO: Federal Action Needed to Strengthen IoT Cybersecurity Compliance

The Government Accountability Office (GAO) has released a critical report highlighting gaps in federal agencies’ compliance with the IoT Cybersecurity Improvement Act of 2020, a law aimed at ensuring the secure procurement and use of Internet of Things (IoT) devices across the federal government. These devices, integral to infrastructure such as water systems and power grids, as well as everyday technologies like smart speakers, face increasing cyber threats.

The GAO report underscores the pressing need for federal agencies to meet legislative requirements for IoT cybersecurity, particularly as threats continue to grow. The report reveals that significant gaps remain in IoT device inventories, waiver processing, and adherence to cybersecurity guidelines.

Key Findings

  1. IoT Inventories Lagging: Of the 23 civilian federal agencies covered by the IoT Cybersecurity Improvement Act:
    • Nine agencies indicated they would miss the September 30, 2024, deadline to establish IoT device inventories.
    • Three agencies plan to complete inventories by fiscal year 2025, six did not provide timelines, and one claimed it had no IoT devices to inventory.
  2. Inaccurate Reporting on Waivers: Agencies can request waivers for IoT devices that do not meet cybersecurity standards. However:
    • Six agencies initially reported granting waivers, but five later stated they had reported these inaccurately.
    • The Office of Management and Budget (OMB) failed to verify waiver data, leading to erroneous information being reported to Congress.
  3. Cybersecurity Guidance Implementation: The National Institute of Standards and Technology (NIST) and the Cybersecurity and Infrastructure Security Agency (CISA) have provided detailed guidance for securely procuring IoT devices. However, many agencies have yet to fully adopt these guidelines.

Why This Matters

Cyber threats to IoT devices have become a national security challenge, with recent incidents, such as a cyberattack on a municipal water system, illustrating the potential for widespread harm. The IoT Cybersecurity Improvement Act requires federal agencies to adopt NIST and OMB guidance, maintain IoT inventories, and follow a waiver process to ensure robust cybersecurity protections.

The GAO’s findings reveal that many agencies are falling short of these requirements, creating vulnerabilities in critical infrastructure and national security operations.

Recommendations

The GAO made 11 recommendations to address these challenges, including:

  • OMB must improve its processes for verifying IoT waiver data.
  • Nine civilian agencies must meet legislative requirements by establishing accurate IoT inventories and adhering to cybersecurity standards.

Eight agencies concurred with GAO’s recommendations, while the remaining agencies did not explicitly agree or disagree.

Encouraging Progress, But Work Remains

While progress has been made, the GAO report makes it clear that more needs to be done to protect federal IoT networks. The report calls on federal agencies to prioritize cybersecurity efforts and ensure compliance with legislative requirements to mitigate risks posed by IoT vulnerabilities.

Read the full GAO report here.

Matt Seldon
Matt Seldon, BSc., is an Editorial Associate with HSToday. He has over 20 years of experience in writing, social media, and analytics. Matt has a degree in Computer Studies from the University of South Wales in the UK. His diverse work experience includes positions at the Department for Work and Pensions and various responsibilities for a wide variety of companies in the private sector. He has been writing and editing various blogs and online content for promotional and educational purposes in his job roles since first entering the workplace. Matt has run various social media campaigns over his career on platforms including Google, Microsoft, Facebook and LinkedIn on topics surrounding promotion and education. His educational campaigns have been on topics including charity volunteering in the public sector and personal finance goals.
