Biden Administration Targets Internet of Things Security Protocols

Published: December 8, 2023

Federal agencies must have an inventory of IoT devices by September 2024

The Office of Management and Budget (OMB) recently told all federal agencies that they must create an inventory of their Internet of Things (IoT) assets by the end of fiscal 2024.

OMB Director Shalanda Young on Dec. 5 sent a memo to all federal agencies laying out their fiscal 2024 requirements under the Federal Information Security Modernization Act of 2014, including that the IoT inventory be completed by Sept. 30, 2024.

The 2020 IoT Cybersecurity Improvement Act required the National Institute of Standards and Technology (NIST) to establish guidelines and standards for IoT devices, and required OMB to review agency policies to make sure they are aligned with NIST's guidance.

IoT Devices

“The prevalence and wide range of IoT devices used by federal agencies provide new and more complex vectors for cyber threats,” according to the memo. “Strengthening the cybersecurity posture of IoT devices within the federal enterprise requires that we ensure foundational cyber protection measures are in place for all such devices connected to federal systems.”

In the memo, OMB defines which types of IoT assets agencies need to inventory and what information that inventory must include, such as how each asset maps to applicable requirements and controls like those published by NIST.

NIST defines an IoT device as one that has at least one transducer (a sensor or actuator) for interacting directly with the physical world and at least one network interface (such as Ethernet, Wi-Fi or Bluetooth) for interacting with the digital world.

The memo stressed that “agencies must have a clear understanding of the devices connected within their information systems to gauge cybersecurity risk to their missions and operations.” Among the interconnected devices it cites are building maintenance systems, environmental sensors and specialized equipment in hospitals and laboratories.

Security Concerns

Additionally, the memo reminds officials that the Cybersecurity and Infrastructure Security Agency (CISA) scans “internet-accessible addresses and segments of federal civilian agency systems for vulnerabilities on an ongoing basis,” and that these non-invasive scans do not require prior agency authorization.

OMB also tasks agencies with designating points of contact on their security teams for CISA, regularly providing CISA with lists of their internet-accessible systems, and carrying out related coordination steps.

“Federal agencies should expect that any system accessible over the public internet is being scanned for vulnerabilities by various parties at all times, and factor this into their security operations accordingly,” the memo states.