Under H.R. 1668, the National Institute of Standards and Technology (NIST) would develop guidelines on the appropriate and secure use of Internet of things (IoT) devices by federal agencies and develop minimum information security requirements for agencies to manage security vulnerabilities for those devices. In addition, the Office of Management and Budget (OMB) would promulgate standards for federal IoT devices that are consistent with NIST’s standards and guidelines. OMB would review and revise those standards at least once every five years and develop waivers to exclude certain IoT devices from the new standards. OMB would report to the Congress annually from 2020 through 2025 on the effectiveness of the standards and on the types and number of excluded devices.
Under H.R. 1668, NIST also would publish standards for federal agencies, contractors, and vendors to systematically report and resolve security vulnerabilities for IoT devices. Each agency’s chief information officer would be required to ensure compliance. OMB would establish federal standards for that coordinated reporting process that are consistent with NIST’s standards and guidelines.
Using information from NIST, CBO estimates that implementing the bill would cost $35 million over the 2019-2024 period, assuming appropriation of the necessary amounts. The costs of the legislation (detailed in Table 1) fall within budget function 370 (commerce and housing credit).
In 2020, CBO estimates that NIST and OMB would spend a total of $11 million to develop the IoT guidelines and standards. Of that amount, CBO estimates that NIST would spend a little more than $3 million to hire 11 employees and that OMB would spend about $350,000 to hire 2 employees. Those newly hired NIST staff would develop the new federal guidelines and provide technical assistance to federal agencies. In addition, CBO estimates that NIST would spend a little more than $3 million to hire contractors and convene workshops to assist with guideline development. Finally, CBO estimates that NIST would spend around $4 million to update its National Vulnerability Database (NVD) to account for the vulnerability of IoT data.
After 2020, CBO estimates that NIST and OMB would spend approximately $6 million annually to update the IoT guidelines and standards, report to Congress, and further update the NVD.
On September 13, 2019, CBO transmitted a cost estimate for S. 734, the Internet of Things Cybersecurity Improvement Act of 2019, as ordered reported by the Senate Committee on Homeland Security and Governmental Affairs on June 19, 2019. H.R. 1668 and S. 734 are similar, and CBO’s cost estimates are the same for both pieces of legislation.