The legislation would require that devices support patches and password changes, and are free of known exploits. To that end, security researchers would have greater legal protection when they're hacking devices to find those exploits. The government would be allowed to ask for permission to buy devices that don't meet all the requirements, but only if they're fenced in through network isolation, operating system containers or other tricks that prevent attackers from doing much damage.

There's no guarantee that the measure will become law. There's a corresponding House bill already in the works, however, and Senator Mark Warner stresses that they're aiming for the "lightest touch" possible. This is more about raising the bar for IoT gear than imposing a narrow set of expectations. If it does take effect, though, its impact could reach well beyond government. Some companies are likely to sell their connected devices to both home and government users, and scoring a lucrative government contract could require that they improve the baseline security for everyone.