Executive Order 14028 on Improving the Nation’s Cybersecurity assigned NIST tasks on multiple topics. The Cybersecurity for IoT program is contributing to NIST’s multi-faceted response to E.O. 14028, and developed and published a draft baseline security criteria for consumer IoT devices. This baseline was released as a draft white paper for public comment. The comment period closed on October 18, 2021; with NIST receiving more than 400 comments. An updated discussion draft was released on December 3, 2021, followed by a workshop on December 9.
On February 4, 2022, NIST recommended criteria for cybersecurity labeling of IoT products. The E.O. 14028 website includes a page with details of the response to the IoT-oriented tasking from the E.O.
On September 19, 2022 NIST published, NIST IR 8425: Profile of the IoT Core Baseline for Consumer Products. This IR takes into account the responses to the pilot work and is the final version of NIST’s recommendations for Cybersecurity features in Consumer IoT Products. A fact sheet is also available on this baseline.
On July 18th, 2023, the White House announced the next steps for the Cybersecurity Labeling Program for Smart Devices to Protect American Consumers, referred to as the “U.S. Cyber Trust Mark.” In addition to announcing participation by the Federal Communications Commission and Departments of Energy and State, the White House also directed NIST to “immediately undertake an effort to define cybersecurity requirements for consumer-grade routers—a higher-risk type of product that, if compromised, can be used to eavesdrop, steal passwords, and attack other devices and high value networks.”
To support the development of this profile for consumer routers: