15 U.S.C. § 278g–3e — Contractor compliance with coordinated disclosure of security vulnerabilities relating to agency Internet of Things devices
Verified against govinfo.gov as of June 20, 2026View official text on govinfo.gov ↗
- (a)Prohibition on procurement and use
- (1)In generalThe head of an agency is prohibited from procuring or obtaining, renewing a contract to procure or obtain, or using an Internet of Things device, if the Chief Information Officer of that agency determines during a review required by section 11319(b)(1)(C) of title 40 of a contract for such device that the use of such device prevents compliance with the standards and guidelines developed under section 278g–3b of this title or the guidelines published under section 278g–3c of this title with respect to such device.
- (2)Simplified acquisition thresholdNotwithstanding section 1905 of title 41, the requirements under paragraph (1) shall apply to a contract or subcontract in amounts not greater than the simplified acquisition threshold.
- (b)Waiver
- (1)AuthorityThe head of an agency may waive the prohibition under subsection (a)(1) with respect to an Internet of Things device if the Chief Information Officer of that agency determines that—
- (2)Agency processThe Director of OMB shall establish a standardized process for the Chief Information Officer of each agency to follow in determining whether the waiver under paragraph (1) may be granted.
- (c)Reports to Congress
- (1)ReportEvery 2 years during the 6-year period beginning on December 4, 2020, the Comptroller General of the United States shall submit to the Committee on Oversight and Reform of the House of Representatives, the Committee on Homeland Security of the House of Representatives, and the Committee on Homeland Security and Governmental Affairs of the Senate a report—
- (A)on the effectiveness of the process established under subsection (b)(2);
- (B)that contains recommended best practices for the procurement of Internet of Things devices; and
- (C)that lists—
- (i)the number and type of each Internet of Things device for which a waiver under subsection (b)(1) was granted during the 2-year period prior to the submission of the report; and
- (ii)the legal authority under which each such waiver was granted, such as whether the waiver was granted pursuant to subparagraph (A), (B), or (C) of such subsection.
- (2)Classification of reportEach report submitted under this subsection shall be submitted in unclassified form, but may include a classified annex that contains the information described under paragraph (1)(C).
- (1)ReportEvery 2 years during the 6-year period beginning on December 4, 2020, the Comptroller General of the United States shall submit to the Committee on Oversight and Reform of the House of Representatives, the Committee on Homeland Security of the House of Representatives, and the Committee on Homeland Security and Governmental Affairs of the Senate a report—
- (d)Effective dateThe prohibition under subsection (a)(1) shall take effect 2 years after December 4, 2020.