Internet of Things: Federal Actions Needed to Address Legislative Requirements
Fast Facts
The U.S. relies on internet-connected devices for essentials like power and water as well as everyday items like smart speakers.
Federal agencies covered by a 2020 law were told to inventory their internet-connected devices by the end of FY 2024 and document how their cybersecurity aligns with federal standards. As of July 2024, 9 agencies said they wouldn't make the inventory deadline.
Agencies can get waivers for devices that don't meet the standards. But the Office of Management and Budget gave Congress incorrect data on the waivers because it didn't verify that agencies had reported them correctly.
Our recommendations address this, and more.
Highlights
What GAO Found
The Internet of Things (IoT) generally refers to the technology and devices that allow for the connection and interaction of “things” throughout such places as buildings, vehicles, and the transportation infrastructure. The National Institute of Standards and Technology (NIST) and the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency have issued guidance for securely procuring IoT. For example, NIST has issued cybersecurity guidance for agencies to use in mitigating risk with the acquisition, procurement, and use of IoT at all stages of a system's life cycle. In 2022 and 2023, the Office of Management and Budget (OMB) also issued guidance for ensuring that 23 civilian agencies covered by the IoT Cybersecurity Improvement Act of 2020 address NIST's guidelines, establish IoT inventories, and process IoT cybersecurity waivers.
Many of the 23 civilian agencies have not yet fully addressed OMB's IoT requirements on inventories and waivers. Of these 23 agencies:
- Three stated that they would not complete their inventories by the OMB-established deadline of September 30, 2024, and stated that they plan to do so in fiscal year 2025; six did not provide time frames; and one stated that it does not intend to establish an inventory because it does not have any IoT.
- Six agencies reported granting IoT cybersecurity waivers of certain requirements. However, in following up with these six, officials from five of the agencies stated that they should not have reported waivers. Four of the five subsequently corrected their reported efforts. Additionally, one agency corrected its waiver by removing it, and one (the Department of Health and Human Services) has not yet corrected its waiver. In addition, OMB did not verify any of the reported waiver data and reported erroneous information.
Office of Management and Budget (OMB) and Agency Implementation of Selected Internet of Things (IoT) Requirements
Until OMB and agencies ensure that agencies are meeting OMB's requirements, the agencies will not be effectively positioned to assess risks so that they can impose appropriate security requirements and take other mitigating actions.
Why GAO Did This Study
Cyber threats to IoT—such as a recent cyberattack on a municipal water system—represent a significant national security challenge. The IoT Cybersecurity Improvement Act of 2020 includes provisions for (1) NIST and OMB to establish guidance for securely procuring IoT, and (2) 23 civilian federal agencies to implement IoT cybersecurity requirements. The act also requires OMB to establish a waiver process for those requirements.
The act includes provisions for GAO to report every 2 years on IoT guidance and the waiver process through 2026. This report, the second of three, (1) describes guidance for securely procuring IoT, and (2) evaluates agencies' progress in addressing IoT cybersecurity and waiver requirements.
GAO identified federal agencies with cybersecurity or acquisition responsibilities. GAO then described relevant guidance developed by those agencies covering IoT. It also compared agencies' implementation efforts to the act and OMB's requirements for IoT inventories and waiver processes. GAO also interviewed relevant agency officials.
Recommendations
GAO is making one recommendation to OMB and 10 to nine civilian agencies covered by the IoT Cybersecurity Improvement Act of 2020 to address legislative requirements related to IoT. Eight agencies concurred with our recommendations. The remaining agencies neither agreed nor disagreed with our recommendations.
Recommendations for Executive Action
| Agency Affected | Recommendation | Status |
|---|---|---|
| Office of Management and Budget | The Director of OMB should verify agency-reported IoT cybersecurity waivers. (Recommendation 1) |
When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
|
| Department of Education | The Secretary of Education should direct the CIO to complete the covered IoT inventory within the revised time frame it has proposed. (Recommendation 2) |
When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
|
| Department of Health and Human Services | The Secretary of HHS should direct the CIO to complete the covered IoT inventory within the revised time frame it has proposed. (Recommendation 3) |
When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
|
| Department of Labor | The Secretary of Labor should direct the CIO to establish a plan and time frame for completing the covered IoT inventory, as directed by OMB. (Recommendation 4) |
When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
|
| Department of Veterans Affairs | The Secretary of Veterans Affairs should direct the CIO to establish a plan and time frame for completing the covered IoT inventory, as directed by OMB. (Recommendation 5) |
When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
|
| Environmental Protection Agency | The Administrator of the Environmental Protection Agency should direct the CIO to complete the covered IoT inventory within the revised time frame it has proposed. (Recommendation 6) |
When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
|
| General Services Administration | The Administrator of the U.S. General Services Administration should direct the CIO to establish a plan and time frame for completing the covered IoT inventory, as directed by OMB. (Recommendation 7) |
When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
|
| National Aeronautics and Space Administration | The Administrator of the National Aeronautics and Space Administration should direct the CIO to establish a plan and time frame for completing the covered IoT inventory, as directed by OMB. (Recommendation 8) |
When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
|
| Office of Personnel Management | The Director of the Office of Personnel Management should direct the CIO to establish a plan and time frame for completing the covered IoT inventory, as directed by OMB. (Recommendation 9) |
When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
|
| Social Security Administration | The Commissioner of the Social Security Administration should direct the CIO to establish a plan and time frame for completing the covered IoT inventory, as directed by OMB. (Recommendation 10) |
When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
|
| Department of Health and Human Services | The Secretary of HHS should direct the CIO to ensure that granted IoT waivers address OMB's requirements. (Recommendation 11) |
When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
|