"NIST Seeks Public Input on Consumer Software Labeling for Cybersecurity"
The National Institute of Standards and Technology (NIST) has drafted cybersecurity criteria for consumer software in an effort to help consumers make better decisions when purchasing software. The criteria aim to support the development and voluntary use of labels that would show whether a piece of software incorporates a baseline level of security measures. The document, titled "Draft Baseline Criteria for Consumer Software Cybersecurity Labeling," is part of NIST's response to the May 12, 2021, Executive Order (EO) 140128 on improving the nation's cybersecurity, which calls on NIST to identify secure software development practices or criteria for a consumer software labeling program. The criteria should reflect a baseline level of cybersecurity and be easy for consumers to use. The draft is based on suggestions gathered from the public through position papers, a workshop, and discussions with stakeholders.

The agency is seeking the public's feedback on the baseline of technical requirements for the software and on the related label. NIST proposes that a software provider would have to meet all of the technical requirements to qualify for a label. These requirements are referred to as attestations, or claims about the software's security, and are grouped into four categories: descriptive attestations, secure software development attestations, critical cybersecurity attributes and capability attestations, and data inventory and protection attestations. The labeling effort should also educate consumers about what the labels mean and show where they can find additional information about those cybersecurity attributes. This article continues to discuss the consumer software cybersecurity labeling effort.
HSToday reports "NIST Seeks Public Input on Consumer Software Labeling for Cybersecurity"