U.S. House Passes Gardner’s IoT Cybersecurity Improvement Act

Bipartisan, bicameral bill establishes minimum requirements for Internet-connected devices purchased by the federal government

Washington, D.C. – Today U.S. Senator Cory Gardner (R-CO), co-founder of the Senate Cybersecurity Caucus and Chairman of the Senate Foreign Relations Subcommittee on East Asia, the Pacific, and International Cybersecurity Policy, applauded the U.S. House of Representatives for passing the Internet of Things (IoT) Cybersecurity Improvement Act, which he introduced in 2017 with U.S. Senator Mark Warner (D-VA) and reintroduced in March 2019. The IoT Cybersecurity Improvement Act would improve the cybersecurity of Internet-connected devices by requiring that devices purchased by the U.S. government meet certain minimum-security requirements.

“Most experts expect tens of billions of devices operating on our networks within the next several years as the Internet of Things (IoT) landscape continues to expand. We need to make sure these devices are secure from malicious cyber-attacks as they continue to transform our society and add countless new entry points into our networks, particularly when they are integrated into the federal government’s networks,” said Senator Gardner. “I applaud the House of Representatives for passing this bipartisan, commonsense legislation to ensure the federal government leads by example and purchases devices that meet basic requirements to prevent hackers from accessing government systems.” 

Gardner is a member of the bipartisan Internet of Things Working Group within the Senate Committee on Commerce, Science, and Transportation. The Homeland Security and Governmental Affairs Committee passed the Senate version of the IoT Cybersecurity Improvement Act in June 2019

The legislation as passed would:

  • Require the National Institute of Standards and Technology (NIST) to issue standards and guidelines addressing, at a minimum, secure development, identity management, patching, and configuration management for IoT devices.
  • Direct the Office of Management and Budget (OMB) to issue guidelines for each agency that are consistent with the NIST recommendations, and charge OMB with reviewing these policies at least every five years.
  • Require any Internet-connected devices purchased by the federal government to comply with those recommendations.
  • Direct NIST to work with cybersecurity researchers, industry experts, and the Department of Homeland Security (DHS) to publish guidance on coordinated vulnerability disclosure to ensure that vulnerabilities related to agency devices are addressed.
  • Require contractors and vendors providing information systems to the U.S. government to adopt coordinated vulnerability disclosure policies, so that if a vulnerability is uncovered, that can be effectively shared with a vendor for remediation. 


Cory Gardner is a member of the U.S. Senate serving Colorado. He sits on the Energy & Natural Resources Committee, the Foreign Relations Committee, the Commerce, Science, & Transportation Committee, and is the Chairman of the Subcommittee on East Asia, the Pacific, and International Cybersecurity Policy.