On May 12, 2021 the White House released an Executive Order (EO) on Improving the Nation’s Cybersecurity which, among other things, tasked NIST with developing cybersecurity criteria and labeling approaches for consumer software and Internet of Things (IoT) products. Activity since then includes a call for papers, multiple workshops, draft criteria, and processing all of the feedback received. The goal of the latest workshop on December 9th was to provide the community an update, answer questions, and gather a final round of feedback, which will be factored into the final criteria to be released at the beginning of February 2022.
First, a quick review of the workshop agenda and summary of each section led by NIST staff:
Warren Merkel summarized NIST’s activities to date in responding to the EO and the future milestones, noting that the timelines for the EO are tight. He strongly encouraged participants to provide feedback on the November 1st software labeling criteria paper by the December 16th deadline. He also reiterated that NIST will not initiate its own labeling programs.
Michael Ogata then provided an overview of the software labeling criteria and described the requirements for each of the four categories of criteria: descriptive attestations, software development attestation, critical cybersecurity attributes and capability attestations, and data inventory and protection attestations, which collectively identify 15 types of attestations.
Paul Watrobski and Michael Fagan of the Cybersecurity for IoT program summarized the feedback received on the August draft of consumer IoT cybersecurity criteria, and described adjustments to the criteria reflected in the update published December 3rd.
Amy Phelps reviewed the development of conformity assessment criteria, describing the range of approaches to conformance criteria and the role a scheme owner would play in establishing detailed criteria and assessing conformance.
Julie Haney discussed the labeling criteria aspect, explaining the goals of labeling, types of labels, and NIST’s preferred solution – for both consumer IoT products and consumer software – of a binary label with a layered approach that can supply information beyond the basic presence of the label.
Each session included a closing segment with answers to the many questions submitted by workshop participants. A panel comprising all presenters took a final round of questions to wrap up the event. You can view the event description and recording here.
What We Heard
Overall, NIST perceived general support for the approaches presented for cybersecurity criteria, conformity assessment, and labeling. This support was tempered somewhat with many detailed questions about various aspects of the program.
Multiple participants asked about the labeling scheme owner: their role and scope of responsibilities, their economics, and the potential for conflict among multiple scheme owners. During the final Q&A, Warren Merkel stated that NIST was trying to be as open as possible to various possibilities regarding the scheme owner(s), what sorts of organizations might be scheme owners, and what the associated economics might be. NIST’s goal is to provide clear criteria for scheme owners to work with, and some of the questions raised still remain to be answered.
Questions were raised concerning the potential for variations in accountability or the enforcement of criteria and the reliability of attestation. Concerns were expressed about the viability of self-attestation by suppliers, and the consistency of attestation. This is another area where NIST’s goal is to provide solid baseline criteria and not to presuppose the solutions for accountability.
Participants seemed to generally approve of NIST’s approach of including risk as an important element in guiding the implementation of labeling schemes. Questions in this area related to responsibility for determining risk, processes which might be used, and how risk would be measured – including whether existing standards would be applied.
Some participants inquired about the challenge of keeping labels valid over time as new vulnerabilities are identified in products or end-of-support is reached. They asked whether the information associated with the label would be updated over time to account for these sorts of changes.
Some participants suggested that there appears to be a disparity between defining a complex set of cybersecurity criteria and recommending a binary label. Others suggested that NIST consider whether binary labels are consistent with its stated no-one-size-fits-all approach.
The multiple dimensions of longer-term program costs generated questions about any follow-on program. These included: What will be the cost of demonstrating conformity? Is there funding for consumer education? How will manufacturer participation affect the cost of their products?
Various aspects of consumer education were raised, including whether scheme owners were the appropriate party to have that responsibility, and whether consumers would utilize the information in a layered label.
The relationship of NIST’s recommendations to standards and guidelines being developed by other nations and international standards bodies was identified by multiple participants as a concern. Participants noted that software and IoT cybersecurity is a global issue, and that certification under multiple regimes is a burden for manufacturers.
The Path Ahead
NIST is finalizing the software and IoT cybersecurity criteria, with a deadline of February 6th for publishing final criteria. NIST also will summarize the work performed in responding to the EO and the background and reasoning behind decisions embodied in the criteria. Once the criteria are available, they will be used in a pilot phase to provide information on how the criteria can support labeling efforts and improve cybersecurity related to consumer IoT products and software. The EO requires that a final report be submitted by May 12, 2022.