U.S. Federal IoT Policy: What You Need to Know

Over the past several months, increased attention has been paid to U.S. federal government policies surrounding internal use of IoT devices. In January 2018, researchers discovered they could track the movements of fitness tracker-wearing military personnel over the Internet. In July, a similar revelation occurred with fitness app Polar, which was exposing the locations of military and intelligence personnel around the world.

Shortly thereafter, on August 3, the U.S. Department of Defense announced a partial ban on geolocatable cell phones:

Effective immediately, Defense Department personnel are prohibited from using geolocation features and functionality on government and non-government-issued devices, applications, and services while in locations designated as operational areas.

At the time, I wrote that this was a good “first step” but pointed out that it still failed to address a number of gaps in U.S. federal government IoT policies. In addition to a lack of device standards and clear cybersecurity frameworks for the Internet of Things, federal employees are currently left without much guidance on which IoT devices they can and cannot use in the workplace and while on the job—and they’re also left without clear guidance on the cybersecurity and data privacy mechanisms that must be in place within said devices.

This is what a fellow researcher and I detailed in our recent paper on gaps in U.S. federal government policies surrounding the Internet of Things. We comprehensively reviewed all federal laws and regulations that either directly address or could possibly apply to the IoT with the aim of identifying gaps and pitfalls in the guidance of future policy creation.

Gaps in cybersecurity policies

While the Federal Information Security Modernization Act (FISMA) requires each federal agency to establish, document, implement and monitor information security programs for their assorted ICT systems, it leaves many (Read more...)