The Government Accountability Office (GAO) has released a critical report highlighting gaps in federal agencies’ compliance with the IoT Cybersecurity Improvement Act of 2020, a law aimed at ensuring the secure procurement and use of Internet of Things (IoT) devices across the federal government. These devices, integral to infrastructure such as water systems and power grids, as well as everyday technologies like smart speakers, face increasing cyber threats.
The GAO report underscores the pressing need for federal agencies to meet legislative requirements for IoT cybersecurity, particularly as threats continue to grow. The report reveals that significant gaps remain in IoT device inventories, waiver processing, and adherence to cybersecurity guidelines.
Key Findings
- IoT Inventories Lagging: Of the 23 civilian federal agencies covered by the IoT Cybersecurity Improvement Act:
  - Nine agencies indicated they would miss the September 30, 2024, deadline to establish IoT device inventories.
  - Three agencies plan to complete inventories by fiscal year 2025, six did not provide timelines, and one claimed it had no IoT devices to inventory.
- Inaccurate Reporting on Waivers: Agencies can request waivers for IoT devices that do not meet cybersecurity standards. However:
  - Six agencies initially reported granting waivers, but five later stated they had reported these inaccurately.
  - The Office of Management and Budget (OMB) failed to verify waiver data, leading to erroneous information being reported to Congress.
- Cybersecurity Guidance Implementation: The National Institute of Standards and Technology (NIST) and the Cybersecurity and Infrastructure Security Agency (CISA) have provided detailed guidance for securely procuring IoT devices. However, many agencies have yet to fully adopt these guidelines.
Why This Matters
Cyber threats to IoT devices have become a national security challenge, with recent incidents, such as a cyberattack on a municipal water system, illustrating the potential for widespread harm. The IoT Cybersecurity Improvement Act mandates federal agencies to adopt NIST and OMB guidance, maintain IoT inventories, and follow a waiver process to ensure robust cybersecurity protections.
The GAO’s findings reveal that many agencies are falling short of these requirements, creating vulnerabilities in critical infrastructure and national security operations.
Recommendations
The GAO made 11 recommendations to address these challenges, including:
- OMB must improve its processes for verifying IoT waiver data.
- Nine civilian agencies must meet legislative requirements by establishing accurate IoT inventories and adhering to cybersecurity standards.
Eight agencies concurred with GAO’s recommendations, while the remaining agencies did not explicitly agree or disagree.
Encouraging Progress, But Work Remains
While progress has been made, the GAO report makes it clear that more needs to be done to protect federal IoT networks. The report calls on federal agencies to prioritize cybersecurity efforts and ensure compliance with legislative requirements to mitigate risks posed by IoT vulnerabilities.
Read the full GAO report here.