"IoT 'Nutrition' Labels Aim to Put Security on Display"

The National Institute of Standards and Technology (NIST) recently held the "Workshop on Cybersecurity Labeling Programs for Consumers: Internet of Things (IoT) Devices and Software," which is the government agency's latest step in the creation of a consumer labeling program aimed at communicating the security capabilities of applications and connected devices. This effort was mandated by the Biden administration's Executive Order on Improving the Nation's Cybersecurity, issued in May 2021. According to Warren Merkel, leader of the standards services group in the Standards Coordination Office at NIST, the goal is to enhance product security by providing security information that consumers and small businesses need to consider when making purchasing decisions. The effort aims to create a label that effectively communicates a product's level of security regarding its design, development, and maintenance. The label will be voluntary, at least at first, with companies attesting to their security rankings. The Federal Trade Commission (FTC) will handle improper product rankings as violations of truth-in-advertising laws. Labels may start by attesting only to basic security precautions. For example, IoT security labels may only mean that a security analysis of a device's design was conducted, the device does not contain a hard-coded password, and it can easily be updated. This article continues to discuss the current effort to develop a consumer-focused security labeling program, the concept behind security labels, other existing private-industry and government labels that communicate security, and companies' pushback against software security mandates.

Dark Reading reports "IoT 'Nutrition' Labels Aim to Put Security on Display"

Submitted by Anonymous on