15 U.S. Code § 278g–3e - Contractor compliance with coordinated disclosure of security vulnerabilities relating to agency Internet of Things devices

(a) Prohibition on procurement and use
(1) In general

The head of an agency is prohibited from procuring or obtaining, renewing a contract to procure or obtain, or using an Internet of Things device, if the Chief Information Officer of that agency determines during a review required by section 11319(b)(1)(C) of title 40 of a contract for such device that the use of such device prevents compliance with the standards and guidelines developed under section 278g–3b of this title or the guidelines published under section 278g–3c of this title with respect to such device.

(2) Simplified acquisition threshold

Notwithstanding section 1905 of title 41, the requirements under paragraph (1) shall apply to a contract or subcontract in amounts not greater than the simplified acquisition threshold.

(b) Waiver
(1) AuthorityThe head of an agency may waive the prohibition under subsection (a)(1) with respect to an Internet of Things device if the Chief Information Officer of that agency determines that—
the waiver is necessary in the interest of national security;
procuring, obtaining, or using such device is necessary for research purposes; or
such device is secured using alternative and effective methods appropriate to the function of such device.
(2) Agency process

The Director of OMB shall establish a standardized process for the Chief Information Officer of each agency to follow in determining whether the waiver under paragraph (1) may be granted.

(c) Reports to Congress
(1) ReportEvery 2 years during the 6-year period beginning on December 4, 2020, the Comptroller General of the United States shall submit to the Committee on Oversight and Reform of the House of Representatives, the Committee on Homeland Security of the House of Representatives, and the Committee on Homeland Security and Governmental Affairs of the Senate a report—
on the effectiveness of the process established under subsection (b)(2);
that contains recommended best practices for the procurement of Internet of Things devices; and
(C) that lists—
the number and type of each Internet of Things device for which a waiver under subsection (b)(1) was granted during the 2-year period prior to the submission of the report; and
the legal authority under which each such waiver was granted, such as whether the waiver was granted pursuant to subparagraph (A), (B), or (C) of such subsection.
(2) Classification of report

Each report submitted under this subsection shall be submitted in unclassified form, but may include a classified annex that contains the information described under paragraph (1)(C).

(d) Effective date

The prohibition under subsection (a)(1) shall take effect 2 years after December 4, 2020.


Section was enacted as part of the Internet of Things Cybersecurity Improvement Act of 2020, also known as the IoT Cybersecurity Improvement Act of 2020, and not as part of the National Institute of Standards and Technology Act which comprises this chapter.


For definitions of terms used in this section, see section 278g–3a of this title.