Internet of Things: Federal Actions Needed to Address Legislative Requirements

GAO-25-107179 Published: Dec 04, 2024. Publicly Released: Dec 04, 2024.
Fast Facts

The U.S. relies on internet-connected devices for essentials like power and water as well as everyday items like smart speakers.

Federal agencies covered by a 2020 law were told to inventory their internet-connected devices by the end of FY 2024 and document how their cybersecurity aligns with federal standards. As of July 2024, 9 agencies said they wouldn't make the inventory deadline.

Agencies can get waivers for devices that don't meet the standards. But the Office of Management and Budget gave Congress incorrect data on the waivers because it didn't verify that agencies had reported them correctly.

Our recommendations address this, and more.

Highlights

What GAO Found

The Internet of Things (IoT) generally refers to the technology and devices that allow for the connection and interaction of “things” throughout such places as buildings, vehicles, and the transportation infrastructure. The National Institute of Standards and Technology (NIST) and the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency have issued guidance for securely procuring IoT. For example, NIST has issued cybersecurity guidance for agencies to use in mitigating risk with the acquisition, procurement, and use of IoT at all stages of a system's life cycle. In 2022 and 2023, the Office of Management and Budget (OMB) also issued guidance for ensuring that 23 civilian agencies covered by the IoT Cybersecurity Improvement Act of 2020 address NIST's guidelines, establish IoT inventories, and process IoT cybersecurity waivers.

Many of the 23 civilian agencies have not yet fully addressed OMB's IoT requirements on inventories and waivers. Of these 23 agencies:

  • Three stated that they would not complete their inventories by the OMB-established deadline of September 30, 2024, and stated that they plan to do so in fiscal year 2025; six did not provide time frames; and one stated that it does not intend to establish an inventory because it does not have any IoT.
  • Six agencies reported granting IoT cybersecurity waivers of certain requirements. However, in following up with these six, officials from five of the agencies stated that they should not have reported waivers. Four of the five subsequently corrected their reported efforts. Additionally, one agency corrected its waiver by removing it, and one (the Department of Health and Human Services) has not yet corrected its waiver. In addition, OMB did not verify any of the reported waiver data and reported erroneous information.

Office of Management and Budget (OMB) and Agency Implementation of Selected Internet of Things (IoT) Requirements

Until OMB and agencies ensure that agencies are meeting OMB's requirements, the agencies will not be effectively positioned to assess risks so that they can impose appropriate security requirements and take other mitigating actions.

Why GAO Did This Study

Cyber threats to IoT—such as a recent cyberattack on a municipal water system—represent a significant national security challenge. The IoT Cybersecurity Improvement Act of 2020 includes provisions for (1) NIST and OMB to establish guidance for securely procuring IoT, and (2) 23 civilian federal agencies to implement IoT cybersecurity requirements. The act also requires OMB to establish a waiver process for those requirements.

The act includes provisions for GAO to report every 2 years on IoT guidance and the waiver process through 2026. This report, the second of three, (1) describes guidance for securely procuring IoT, and (2) evaluates agencies' progress in addressing IoT cybersecurity and waiver requirements.

GAO identified federal agencies with cybersecurity or acquisition responsibilities. GAO then described relevant guidance developed by those agencies covering IoT. It also compared agencies' implementation efforts to the act and OMB's requirements for IoT inventories and waiver processes. GAO also interviewed relevant agency officials.

Recommendations

GAO is making one recommendation to OMB and 10 to nine civilian agencies covered by the IoT Cybersecurity Improvement Act of 2020 to address legislative requirements related to IoT. Eight agencies concurred with our recommendations. The remaining agencies neither agreed nor disagreed with our recommendations.

Recommendations for Executive Action

Agency Affected: Office of Management and Budget
Recommendation: The Director of OMB should verify agency-reported IoT cybersecurity waivers. (Recommendation 1)
Status: Open
Comments: At the time of our report, OMB did not comment on the draft report. Subsequently, in January 2025, OMB issued new guidance on identifying and securing IoT and operational technology (OT) devices. The guidance reiterated requirements for agencies to develop IoT and OT inventories and for IoT waivers to be signed by the agency head and provided to the agency Chief Information Officer (CIO). The guidance states that CIOs must make these waivers available to OMB upon request and ensure that such waivers are documented in relevant system security plans. However, OMB has yet to demonstrate that it is verifying agency-reported IoT waivers. We will continue to review OMB's activities in this area.

Agency Affected: Department of Education
Recommendation: The Secretary of Education should direct the CIO to complete the covered IoT inventory within the revised time frame it has proposed. (Recommendation 2)
Status: Open
Comments: In December 2024, agency officials stated that the agency was in the process of inventorying its IoT assets and that the inventory would be completed around the end of calendar year 2024. As of May 2025, we have not received an update on the status of the inventory effort. We will continue to review the department's progress in this area.

Agency Affected: Department of Health and Human Services
Recommendation: The Secretary of HHS should direct the CIO to complete the covered IoT inventory within the revised time frame it has proposed. (Recommendation 3)
Status: Open
Comments: In June 2025, agency officials stated that HHS is reevaluating potential solutions and alternatives for completing its IoT inventory and that the completion date for the effort is to be determined. We will continue to review the department's progress in this area.

Agency Affected: Department of Labor
Recommendation: The Secretary of Labor should direct the CIO to establish a plan and time frame for completing the covered IoT inventory, as directed by OMB. (Recommendation 4)
Status: Open
Comments: In April 2025, agency officials noted that, due to limited resources and competing priorities (such as zero trust initiatives and implementing OMB Memorandum M-24-15, Modernizing the Federal Risk and Authorization Management Program), progress on establishing a plan and time frame for completing the covered IoT inventory was delayed. They estimated the tasks would be completed by the end of fiscal year 2025. We will continue to follow the department's progress in this area.

Agency Affected: Department of Veterans Affairs
Recommendation: The Secretary of Veterans Affairs should direct the CIO to establish a plan and time frame for completing the covered IoT inventory, as directed by OMB. (Recommendation 5)
Status: Open
Comments: In May 2025, agency officials stated that VA was in the process of updating the policies and contract security processes that support the procurement of IoT and medical devices. They also described activities to address OMB's covered IoT inventory requirements, including verifying IoT asset data. The planned efforts are scheduled to be completed by September 30, 2025. We will continue to review the department's progress in this area.

Agency Affected: Environmental Protection Agency
Recommendation: The Administrator of the Environmental Protection Agency should direct the CIO to complete the covered IoT inventory within the revised time frame it has proposed. (Recommendation 6)
Status: Open
Comments: In December 2024, EPA officials described the steps the agency planned to take to address the Office of Management and Budget's covered IoT inventory requirements and stated that the inventory would be completed by February 28, 2025. Subsequently, in May 2025, agency officials stated that EPA had finalized its Enterprise IoT inventory but had not yet provided us with evidence of completion. We will continue to review the agency's progress in this area.

Agency Affected: General Services Administration
Recommendation: The Administrator of the U.S. General Services Administration should direct the CIO to establish a plan and time frame for completing the covered IoT inventory, as directed by OMB. (Recommendation 7)
Status: Closed – Implemented
Comments: In November 2024, GSA officials told us that they had developed an inventory of their covered IoT; however, we were not able to verify the information in time to include it in the report. In May 2025, GSA officials provided us with evidence of their completed IoT inventory. By completing this inventory, GSA improved its visibility into the IoT devices in its enterprise environments, as well as its ability to mitigate IoT cybersecurity risks.

Agency Affected: National Aeronautics and Space Administration
Recommendation: The Administrator of the National Aeronautics and Space Administration should direct the CIO to establish a plan and time frame for completing the covered IoT inventory, as directed by OMB. (Recommendation 8)
Status: Open
Comments: In May 2025, agency officials stated that NASA would submit a plan and budget request to fund the completion of a covered IoT inventory beginning in fiscal year 2027. They stated that NASA has developed a plan and timeline to address GAO's recommendation and is in the process of gathering additional information. The planned efforts are scheduled to be completed by June 27, 2025. We will continue to review the agency's progress in this area.

Agency Affected: Office of Personnel Management
Recommendation: The Director of the Office of Personnel Management should direct the CIO to establish a plan and time frame for completing the covered IoT inventory, as directed by OMB. (Recommendation 9)
Status: Open
Comments: In May 2025, agency officials stated that OPM is evaluating options for IoT inventory management and has developed an initial project plan confirming the time frames and resources needed to complete the covered IoT inventory. They stated that OPM does not have a target date for completion of these efforts. We will continue to review the agency's progress in this area.

Agency Affected: Social Security Administration
Recommendation: The Commissioner of the Social Security Administration should direct the CIO to establish a plan and time frame for completing the covered IoT inventory, as directed by OMB. (Recommendation 10)
Status: Open
Comments: In May 2025, agency officials stated that SSA is in the process of identifying system devices or operational technology. The planned efforts are scheduled to be completed by the end of fiscal year 2025. We will continue to review the agency's progress in this area.

Agency Affected: Department of Health and Human Services
Recommendation: The Secretary of HHS should direct the CIO to ensure that granted IoT waivers address OMB's requirements. (Recommendation 11)
Status: Open
Comments: In June 2025, agency officials stated that HHS will work to address OMB's requirements and that the completion date for the effort is to be determined. We will continue to review the department's progress in this area.

GAO Contacts

David (Dave) Hinchman
Director
Information Technology and Cybersecurity

Media Inquiries

Sarah Kaczmarek
Managing Director
Office of Public Affairs

Topics

Chief financial officers, Chief information officers, Critical infrastructure, Cybersecurity, Environmental protection, Federal acquisition regulations, Federal agencies, Homeland security, Information security, Information systems