Title 15: Commerce and Trade | Release 119-73

§278g–3e Contractor compliance with coordinated disclosure of security vulnerabilities relating to agency Internet of Things devices

Title 15 › Chapter 7 — National Institute of Standards and Technology › § 278g–3e

Last updated Apr 6, 2026 | Official source

Summary

Agency heads must not buy, renew, or use Internet of Things (IoT) devices if the agency’s Chief Information Officer (CIO), during a required contract review, finds that the device would prevent the agency from complying with the federal IoT security standards and guidelines. That rule applies even to small contracts or subcontracts at or below the simplified acquisition threshold. The ban takes effect 2 years after December 4, 2020.

An agency can grant an exception only if the CIO determines that the waiver is needed for national security, that the device is needed for research, or that the device is secured by other effective methods appropriate to its function. The Office of Management and Budget must create a standard process for CIOs to follow when deciding on these exceptions.

The Comptroller General must report every 2 years during the 6-year period beginning on December 4, 2020 to the House Oversight and Reform Committee, the House Homeland Security Committee, and the Senate Homeland Security and Governmental Affairs Committee on how well the waiver process works, on recommended buying practices, and on a list of waivers granted (the number and type of devices and the legal ground for each). Reports must be unclassified but may include a classified annex.

Full Legal Text

Title 15, §278g–3e

Commerce and Trade — Source: USLM XML via OLRC

(a)(1) The head of an agency is prohibited from procuring or obtaining, renewing a contract to procure or obtain, or using an Internet of Things device, if the Chief Information Officer of that agency determines during a review required by section 11319(b)(1)(C) of title 40 of a contract for such device that the use of such device prevents compliance with the standards and guidelines developed under section 278g–3b of this title or the guidelines published under section 278g–3c of this title with respect to such device.
(2) Notwithstanding section 1905 of title 41, the requirements under paragraph (1) shall apply to a contract or subcontract in amounts not greater than the simplified acquisition threshold.
(b)(1) The head of an agency may waive the prohibition under subsection (a)(1) with respect to an Internet of Things device if the Chief Information Officer of that agency determines that—
(A) the waiver is necessary in the interest of national security;
(B) procuring, obtaining, or using such device is necessary for research purposes; or
(C) such device is secured using alternative and effective methods appropriate to the function of such device.
(2) The Director of OMB shall establish a standardized process for the Chief Information Officer of each agency to follow in determining whether the waiver under paragraph (1) may be granted.
(c)(1) Every 2 years during the 6-year period beginning on December 4, 2020, the Comptroller General of the United States shall submit to the Committee on Oversight and Reform of the House of Representatives, the Committee on Homeland Security of the House of Representatives, and the Committee on Homeland Security and Governmental Affairs of the Senate a report—
(A) on the effectiveness of the process established under subsection (b)(2);
(B) that contains recommended best practices for the procurement of Internet of Things devices; and
(C) that lists—
(i) the number and type of each Internet of Things device for which a waiver under subsection (b)(1) was granted during the 2-year period prior to the submission of the report; and
(ii) the legal authority under which each such waiver was granted, such as whether the waiver was granted pursuant to subparagraph (A), (B), or (C) of such subsection.
(2) Each report submitted under this subsection shall be submitted in unclassified form, but may include a classified annex that contains the information described under paragraph (1)(C).
(d) The prohibition under subsection (a)(1) shall take effect 2 years after December 4, 2020.


Editorial Notes

Codification

Section was enacted as part of the Internet of Things Cybersecurity Improvement Act of 2020, also known as the IoT Cybersecurity Improvement Act of 2020, and not as part of the National Institute of Standards and Technology Act which comprises this chapter.

Statutory Notes and Related Subsidiaries

Change of Name

Committee on Oversight and Reform of House of Representatives changed to Committee on Oversight and Accountability of House of Representatives by House Resolution No. 5, One Hundred Eighteenth Congress, Jan. 9, 2023.

Definitions

For definitions of terms used in this section, see section 278g–3a of this title.


Citations & Metadata

Citation

15 U.S.C. § 278g–3e
