
The Importance of Transparency – Fueling Trust and Security Through Communication


Who needs to know ‘What,’ ‘When,’ and ‘How’ to tell them

The Challenge

There are many challenges to providing and maintaining cybersecurity in today’s connected world. While product developers increasingly consider security as they design and build products, they do not always communicate critical cybersecurity information about their connected products. These information gaps present a challenge to stakeholders—especially customers—who have limited insight into the security processes, functions, and features that protect connected products, components, and services. Effective communication is the next step towards a more secure connected ecosystem.

Many of our conversations about connected products focus on connectivity in the technical sense (protocols, algorithms, etc.). Promoting trust among participants in the ecosystem and reducing the cybersecurity risks associated with using these products relies on a different type of communication: open dialogue and sharing information. This helps increase knowledge and improve people’s understanding of the cybersecurity of a connected product, and it is a shared responsibility: from hardware and software component suppliers to product developers, system integrators, security researchers, and end users, each member of the ecosystem has a role to play. Ideally, ecosystem members should work in alignment to truly mitigate risk—but they all need information to play their part.

Communicating effectively about security also helps mitigate risk and is important to establishing and maintaining trust. For example, a lack of information about a product’s security capabilities may constrain a customer’s ability to take advantage of them. In some cases, a question is simply never asked, so a missing capability goes unnoticed until it is potentially too late. The phrase “knowledge is power” applies: knowing what is available is the first step to maximizing its value, and communication is about what each audience needs to know. As a next step, a framework that aligns lexicon and expectations among parties could provide a shared vision of common best practices.

All audiences could benefit from a consistent framework to identify what needs to be communicated, how to organize the information, and the processes that underlie it. Interactions could involve developers, manufacturers, service providers, system integrators, security researchers, conformance assessors, regulators, end users, and … (the list can get very long) – each audience may merit a different approach. Additionally, in our interconnected world, this communication often has a global dimension, which brings in cultural and legal variations that must be considered.

For all of these reasons, we are exploring the idea of an approach to creating a Cybersecurity Transparency Framework for Connected Products. Our goal would be to describe a structured approach to achieving necessary and appropriate communication of relevant cybersecurity information among participants involved in the creation, consumption, and use of connected products.

Such a framework would be a tool for sharing information and expectations across the supply chain. For example, it could be used to organize information and identify key topics that need to be covered for various communications use cases, such as:

  • Product creators to customers;
  • Creators communicating with regulators, conformance assessment bodies, and other third parties who need to understand a product; and
  • Supply chain participants communicating with creators that use their components.

The scope would encompass structure, format, terminology, process, and content, as well as the means of communication. Creating a framework can help establish a shared lexicon and terminology for communicating about security features and about the means used to drive outcomes such as reducing risk. Related to process, the framework could help each ecosystem participant define the interested parties, the purpose of the interaction, the mode of communication, how communications can be supported by technical means, and the options for implementing the interaction, with consideration for factors such as risk, relevancy, and applicability.

The framework approach could also provide a structure for establishing best practices in sharing content, such as the types of information appropriate for communication at different levels of supply chain participation, support, and use in the connected product ecosystem. This would be both broad and high level, to facilitate improving the exchange of cybersecurity-related information throughout the product ecosystem while allowing for customization, since not every connected product and every customer will need to receive the same information in the same way.

NIST SP 800-213A and NIST IR 8259B, which describe non-technical supporting capabilities for IoT devices, provide a potential starting point for these kinds of discussions, as do both domestic and international efforts, ranging from the global work on consumer IoT cybersecurity labeling schemes to voluntary standards such as ETSI EN 303 645 and ISO/IEC 27402 (DIS). We look forward to future discussions with stakeholders on this very important topic, which we feel is foundational to enabling a more secure connected product ecosystem.

Questions or Ideas?

If you’d like to weigh in on this concept, please email us at iotsecurity [at] nist.gov. We’d love to hear from you!

About the author

Katerina Megas

Kat leads the NIST Cybersecurity for the Internet of Things (IoT) Program at the U.S. National Institute of Standards and Technology (NIST), focused on advancing and accelerating the development and...

Angela Smith

Angela Smith serves as the technical lead for NIST’s Cybersecurity Supply Chain Risk Management program in the Computer Security Division of the National Institute of Standards and Technology. She...

Dr. Elaine Newton

Elaine Newton is a Senior Director at Oracle for Global Standards Policy and Compliance, focused on cybersecurity and AI/ML developments. The views expressed in this blog are my own and do not...

Dr. Amit Elazari

Dr. Amit Elazari is Head of Cybersecurity Policy at Intel, Lecturer at the UC Berkeley Master in Cybersecurity and Reichman University, Israel, and an External Advisor for the Center for Long Term...

Barbara Cuthill

Barbara Cuthill received her PhD in Computer Science from the University of Connecticut. Her career at the National Institute of Standards and Technology has spanned the Advanced Technology Program...
