"NIST Gears up for Software Security and IoT Labeling Pilot Programs"
In September 2021, the National Institute of Standards and Technology (NIST) held the "Workshop on Cybersecurity Labeling Programs for Consumers: Internet of Things (IoT) Devices and Software" and solicited comments from stakeholders and experts. NIST was mandated by the Biden administration's Executive Order on Improving the Nation's Cybersecurity to create pilot labeling programs that educate the public about the security of the Internet of Things (IoT) devices and software products they purchase. The goal is to enhance product security by providing security information that consumers and small businesses need to consider when making purchasing decisions. The effort aims to create a label that effectively communicates a product's level of security regarding its design, development, and maintenance. The label will be voluntary, with companies attesting to their security rankings. NIST issued the draft "Baseline Criteria for Consumer Software Cybersecurity Labeling" on November 1 and a discussion draft on "Consumer Cybersecurity Labeling for IoT Products" on December 3. The tentative general guidelines NIST has developed for IoT label criteria include product identification, product configuration, data protection, interface access controls, software updates, documentation, cybersecurity state awareness, information reception, and more. This article continues to discuss the effort to develop a consumer-focused security labeling program and the challenges associated with such a program.
CSO Online reports "NIST Gears up for Software Security and IoT Labeling Pilot Programs"