US Code
CHAPTER 7— NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY
§ 278g–3e. Contractor compliance with coordinated disclosure of security vulnerabilities relating to agency Internet of Things devices

(a) Prohibition on procurement and use(1) In generalThe head of an agency is prohibited from procuring or obtaining, renewing a contract to procure or obtain, or using an Internet of Things device, if the Chief Information Officer of that agency determines during a review required by section 11319(b)(1)(C) of title 40 of a contract for such device that the use of such device prevents compliance with the standards and guidelines developed under section 278g–3b of this title or the guidelines published under section 278g–3c of this title with respect to such device.
(2) Simplified acquisition thresholdNotwithstanding section 1905 of title 41, the requirements under paragraph (1) shall apply to a contract or subcontract in amounts not greater than the simplified acquisition threshold.
(b) Waiver(1) AuthorityThe head of an agency may waive the prohibition under subsection (a)(1) with respect to an Internet of Things device if the Chief Information Officer of that agency determines that—(A) the waiver is necessary in the interest of national security;
(B) procuring, obtaining, or using such device is necessary for research purposes; or
(C) such device is secured using alternative and effective methods appropriate to the function of such device.
(2) Agency processThe Director of OMB shall establish a standardized process for the Chief Information Officer of each agency to follow in determining whether the waiver under paragraph (1) may be granted.
(c) Reports to Congress(1) ReportEvery 2 years during the 6-year period beginning on December 4, 2020, the Comptroller General of the United States shall submit to the Committee on Oversight and Reform of the House of Representatives, the Committee on Homeland Security of the House of Representatives, and the Committee on Homeland Security and Governmental Affairs of the Senate a report—(A) on the effectiveness of the process established under subsection (b)(2);
(B) that contains recommended best practices for the procurement of Internet of Things devices; and
(C) that lists—(i) the number and type of each Internet of Things device for which a waiver under subsection (b)(1) was granted during the 2-year period prior to the submission of the report; and
(ii) the legal authority under which each such waiver was granted, such as whether the waiver was granted pursuant to subparagraph (A), (B), or (C) of such subsection.
(2) Classification of reportEach report submitted under this subsection shall be submitted in unclassified form, but may include a classified annex that contains the information described under paragraph (1)(C).
(d) Effective dateThe prohibition under subsection (a)(1) shall take effect 2 years after December 4, 2020.

<< Previous
Next >>

Structure US Code

US Code

Title 15— COMMERCE AND TRADE

CHAPTER 7— NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY

§ 271. Findings and purposes

§ 272. Establishment, functions, and activities

§ 272a. Technology services

§ 272b. Annual budget submission

§ 273. Functions; for whom exercised

§ 273a. Under Secretary of Commerce for Standards and Technology

§ 274. Director; powers and duties; report; compensation

§ 275. Hiring critical technical experts

§ 275a. Service charges

§ 275b. Charges for activities performed for other agencies

§ 275c. Cost recovery authority

§ 276. Ownership of facilities

§ 277. Regulations

§ 278. Visiting Committee on Advanced Technology

§ 278a. Repealed. , ,

§ 278b. Working Capital Fund

§ 278c. Acquisition of land for field sites

§ 278d. Construction and improvement of buildings and facilities

§ 278e. Functions and activities

§ 278f. Fire Research Center

§ 278g. International activities

§ 278g–1. Education and outreach

§ 278g–2. Post-doctoral fellowship program

§ 278g–2a. Teacher science and technology enhancement Institute program

§ 278g–3. Computer standards program

§ 278g–3a. Definitions

§ 278g–3b. Security standards and guidelines for agencies on use and management of Internet of Things devices

§ 278g–3c. Guidelines on the disclosure process for security vulnerabilities relating to information systems, including Internet of Things devices

§ 278g–3d. Implementation of coordinated disclosure of security vulnerabilities relating to agency information systems, including Internet of Things devices

§ 278g–3e. Contractor compliance with coordinated disclosure of security vulnerabilities relating to agency Internet of Things devices

§ 278g–4. Information Security and Privacy Advisory Board

§ 278g–5. Enterprise integration initiative

§ 278h. Research program on security of computer systems

§ 278h–1. Standards for artificial intelligence

§ 278i. Reports to Congress

§ 278j. Studies by National Research Council

§ 278k. Hollings Manufacturing Extension Partnership

§ 278k–1. Competitive awards program

§ 278k–2. Expansion awards pilot program

§ 278l. Assistance to State technology programs

§ 278m. Repealed. , ,

§ 278n. Repealed. , ,

§ 278n–1. Emergency communication and tracking technologies research initiative

§ 278n–2. Green manufacturing and construction

§ 278o. User fees

§ 278p. Notice to Congress

§ 278q. Appropriations; availability

§ 278r. Collaborative manufacturing research pilot grants

§ 278s. Manufacturing USA

§ 278t. Advanced communications research activities

§ 279. Absence of Director

§§ 280, 281. Repealed. , ,

§ 281a. Structural failures

§ 282. Repealed. , ,

§ 282a. Assessment of emerging technologies requiring research in metrology

§ 283. Repealed. , , , 656

§ 284. Omitted

§§ 285, 286. Repealed. , ,