The Internet of Things Cybersecurity Improvement Act would require that IoT devices purchased by the American government must not have any known security vulnerabilities, must have the ability to be patched, and may not have hardcoded passwords built in. It mandates that every government department inventory all IoT devices on their networks.
[…]
The bill also directs Homeland Security to come up with a vulnerability disclosure program so that departments can get patched and updated. Another requirement says the Office of Management and Budget must come up with reasonable standards as to what IoT security should actually entail.
[…]
A key element of the proposed legislation is that it would make it legal for security researchers to tear these devices apart and search for security bugs. Currently a broad interpretation of the Digital Millennium Copyright Act means that a company could prosecute a researcher who looks into the firmware for breaking the terms and conditions of its use.

Source: No vulns. No hardwired passwords. Patchable. Congress dreams of IoT: Impossible Online Tech