Official websites use .gov
A .gov website belongs to an official government organization in the United States.
Secure .gov websites use HTTPS
A lock (
) or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.
Cybersecurity Labeling for Consumers: Internet of Things (IoT) Devices and Software
The May 12, 2021, Presidential Executive Order on Improving the Nation’s Cybersecurity (14028) directs NIST to initiate two labeling programs on cybersecurity capabilities of Internet-of-Things (IoT) consumer devices and software development practices. The agency also received several other directives to enhance the security of the software supply chain.
Section 4 of the order directs NIST to take into account existing consumer product labeling programs as it considers efforts to educate the public on the cybersecurity capabilities of Internet-of-Things (IoT) devices and software development practices. NIST also is to consider ways to incentivize manufacturers and developers to participate in these programs.
By February 6, 2022, in coordination with the Federal Trade Commission (FTC) and other agencies, NIST is required to identify:
- IoT cybersecurity criteria for a consumer labeling program and
- Secure software development practices or criteria for a consumer software labeling program.
NIST relied heavily on information provided by diverse stakeholders as it carried out these directives.
NIST identified key elements of labeling programs in terms of minimum requirements and desirable attributes – rather than establishing its own programs. NIST specified desired outcomes, allowing providers and customers to choose best solutions for their devices and environments. One size may not fit all, and multiple solutions might be offered by label providers.
Labeling should:
- Encourage innovation in manufacturers’ consumer-oriented IoT and software security efforts, leaving room for changes in technologies and the security landscape.
- Be practical and not be burdensome to manufacturers and distributors.
- Factor in usability as a key consideration.
- Build on national and international experience.
- Allow for diversity of approaches and solutions across industries, verticals, and use cases – so long as they are deemed useful and effective for consumers.
In August, the agency released for public comment a white paper suggesting a draft set of potential baseline security criteria for IoT devices. On September 14-15, 2021, NIST hosted a virtual public workshop on these consumer education-oriented efforts. The workshop included facilitated panel discussions and presentations based on the preliminary feedback on the draft IoT criteria and the consumer software labeling position papers submitted to NIST and on preliminary feedback on potential IoT baseline security criteria. In October, NIST solicited public comments on draft criteria for consumer software cybersecurity and labeling. In November, NIST sought comments on draft criteria for consumer software cybersecurity and labeling. In December, taking public feedback into account, NIST released a further discussion paper, Consumer Cybersecurity Labeling for IoT Products: Discussion Draft on the Path Forward, which was discussed at a December 9, 2021, workshop.
On February 4, 2022, NIST issued IoT cybersecurity criteria for a consumer labeling program and secure software development practices or criteria for a consumer software labeling program. Those are explained in a blog.
On May 10, 2022, NIST delivered to the Assistant to the President for National Security Affairs (APNSA) a summary report about cybersecurity labeling of consumer IoT products and consumer software products. Reflecting consultations with the private sector and relevant agencies, the report reviews the pilot programs as well as opportunities for improvements which can be made going forward.
Questions about NIST’s activities related to these efforts should be directed to labeling-eo [at] nist.gov (labeling-eo[at]nist[dot]gov).