A newly introduced Senate bill would impose minimum standards on Internet-of-Things device makers if they want to sell them for government business.

The new bill, the Internet of Things (IoT) Cybersecurity Improvement Act of 2017, is being supported across party lines and would introduce certain minimum security requirements for IoT devices. Those include not using hard-coded passwords that can’t be changed and ensuring they are free of known security vulnerabilities and can be patched and upgraded if necessary.

All vendors looking to sell for U.S. government contracts would be required to comply with the security standards. But federal agencies will be able to request exemptions to the requirements, which would have to be justified and then approved by the Office of Management and Budget.

According to Reuters, Republicans Cory Gardner and Steve Daines and Democrats Mark Warner and Ron Wyden are sponsoring the legislation, which is said to have been drafted with input from technology experts at the Atlantic Council and Harvard University.

“We’re trying to take the lightest touch possible,” Warner told Reuters. He added, however, that the legislation was intended to remedy an “obvious market failure” that has left device manufacturers with little incentive to build with security in mind.

While citing attacks on IoT device in general in the last 12 months, the “obvious market failure” of IoT devices came to public and government attention in October last year. A series of Distributed Denial of Service attacks targeted Dynamic Network Services Inc., a low-key domain name service hosting provider that does business under the name Dyn. The attack, which used IoT devices arranged into a botnet to attack the company, resulted in large swaths of popular sites being taken offline, including Twitter, Amazon.com, Reddit, Spotify and Etsy.

With some 50 billion IoT devices expected to be connected to the Internet by 2020, this bill goes some way in addressing security concerns. On one hand, the bill will not enforce basic security standards with all IoT devices, meaning that little may change.

But since the U.S. government is the single largest purchaser of goods and services in the world, IoT products included, the legislation may result in companies making sure all of their devices are compliant with government rules. That means those same devices will be more secure for enterprise and consumer customers as well.

Image: 111692634@N04/Flickr