
Workshop and Call for Papers on Cybersecurity Labeling Programs for Consumers: Internet of Things (IoT) Devices and Software

NOTE: This workshop has taken place. Nearly 550 participants joined the September 14-15 virtual event, with many actively involved by posing questions or joining the online chat. A video recording of the workshop can be found here.

The National Institute of Standards and Technology (NIST) is seeking suggestions and feedback on challenges and practical approaches to initiating cybersecurity labeling efforts for Internet of Things (IoT) devices and consumer software. The information will help NIST to carry out one of its multiple assignments in an Executive Order (EO) on Improving the Nation’s Cybersecurity. Stakeholders were invited to respond to a call for papers, comment on draft IoT device criteria, and participate in a workshop on September 14-15, 2021.

Background

The President on May 12, 2021, issued an Executive Order on Improving the Nation’s Cybersecurity (EO 14028). Among other things, Section 4 of the EO directs NIST to initiate two labeling efforts, informed by existing consumer product labeling programs, to educate the public on the cybersecurity capabilities of Internet-of-Things (IoT) devices and software development practices.

By February 6, 2022, in coordination with the Federal Trade Commission (FTC) and other agencies, NIST is required to:

  • identify IoT cybersecurity criteria for a consumer labeling program, and
  • identify secure software development practices or criteria for a consumer software labeling program

The IoT cybersecurity criteria are to:

  • take into consideration whether a consumer labeling program may be operated in conjunction with or modeled after any similar existing government programs consistent with applicable law
  • reflect increasingly comprehensive levels of testing and assessment that a product may have undergone
  • use or be compatible with existing labeling schemes that manufacturers use to inform consumers about the security of their products
  • be based on an examination of all relevant information, labeling, and incentive programs and employ best practices
  • focus on ease of use for consumers
  • determine measures to maximize manufacturer participation.

The secure software development criteria are to:

  • reflect a baseline level of secure practices
  • if practicable, reflect increasingly comprehensive levels of testing and assessment that a product may have undergone
  • be based on an examination of all relevant information, labeling, and incentive programs
  • employ best practices and identify, modify, or develop a recommended label or, if practicable, a tiered software security rating system
  • focus on ease of use for consumers and a determination of what measures can be taken to maximize participation.

Both labeling efforts are to be conducted in a manner consistent with OMB Circular A-119 and NIST Special Publication 2002-02 (Conformity Assessment Considerations for Federal Agencies).

In August, NIST posted for public comment a set of potential baseline security criteria for IoT devices. These draft criteria were discussed at the workshop on September 14-15, 2021. 

Call for Papers on Consumer Software Labeling

NIST requested one- to two-page submissions providing suggestions and feedback on the challenges and practical approaches to consumer software labeling, especially:

  • formal and informal processes and practices used to secure the software development process
  • technical criteria needed to support validation of consumer software security assertions that reflect a baseline level of secure practices
  • how different conformity assessment approaches (e.g., vendor attestation, third-party conformity assessment) can be employed in consumer software labeling efforts
  • consumer product labeling programs for educating the public on the security properties of consumer software
  • feasibility and possible means for implementing tiered labels that reflect increasingly comprehensive levels of testing and assessment
  • measures for incentivizing participation by consumer software developers.

Papers were reviewed for their diversity of information and suggestions in order to ensure that NIST considers a wide range of approaches for practically and effectively achieving the goal of the EO. NIST seeks to build on existing approaches and capabilities to avoid duplication and to speed implementation of needed security steps while also encouraging creative thinking and new approaches. 

NIST also encouraged participants to share additional views during the workshop.

Workshop

On September 14-15, 2021, NIST hosted a virtual public workshop on Cybersecurity Labeling for Internet of Things (IoT) Devices and Consumer Software. The agenda for the workshop, which attracted nearly 550 participants, included facilitated panel discussions and presentations based on the consumer software labeling position papers submitted to NIST and on draft baseline security criteria for consumer IoT devices, building on NIST’s current guidance on Cybersecurity for IoT. A video recording of the workshop and panelist presentations can be found here.

Frequently Asked Questions about this initiative are available here.

Questions about the position papers and this overall effort should be directed to: labeling-eo [at] nist.gov.

Created July 8, 2021, Updated September 24, 2021