The May 12, 2021, Presidential Executive Order on Improving the Nation’s Cybersecurity (14028) directs NIST to initiate two labeling efforts on cybersecurity capabilities of Internet-of-Things (IoT) consumer devices and software development practices. Section 4 of the order directs NIST to take into account existing consumer product labeling programs as it considers what efforts are needed to educate the public on the cybersecurity capabilities of Internet-of-Things (IoT) devices and software development practices. NIST also is to consider ways to incentivize manufacturers and developers to participate in these programs.
On February 4, 2022, NIST published Recommended Criteria for Cybersecurity Labeling of Consumer IoT Products and Recommended Criteria for Cybersecurity Labeling of Consumer Software. These documents reflect input received through public comments and two public workshops.
The Executive Order also directs NIST to conduct pilots based on the published criteria, and within one year of the date of the order conduct a review of the pilot programs, consult with the private sector and relevant agencies to assess the effectiveness of the programs, determine what improvements can be made going forward, and submit a summary report.
During the process, NIST stated:
"The pilot will consist of NIST seeking contributions from stakeholders regarding current or potential future labeling efforts for consumer IoT products and consumer software, and how those efforts align with the NIST recommendations. NIST is not designing a particular label – nor is NIST establishing its own labeling program for consumer software or consumer IoT products. Rather, NIST’s recommendations set out desired outcomes, allowing and enabling the marketplace of providers and consumers to make informed choices. One size may not fit all, and multiple solutions might be offered by label providers.
NIST welcomes contributions on any of the following issues:
Contributions to this pilot for cybersecurity labeling of consumer IoT products or consumer software products were to be submitted to labeling-eo [at] nist.gov by March 15, 2022, to be incorporated into a summary report which NIST delivered to the Assistant to the President for National Security Affairs (APNSA), as directed in the Executive Order. That report was delivered on May 10, 2022, and is available here.
Recognizing that there may currently be labeling programs that meet the NIST Recommended Criteria for Cybersecurity Labeling of Consumer IoT Products in full or in part, those criteria have been included in the Online Informative Reference (OLIR) Catalog managed by NIST. Organizations that have a specification, guidance document, or standard related to the IoT cybersecurity outcomes in the recommended criteria are encouraged to map their own guidance, standards, or other documents to these criteria. Those OLIR mappings were requested to be submitted to olir [at] nist.gov by March 15, 2022, with a copy to labeling-eo [at] nist.gov. Mappings are helpful but not necessary; a general description of the relationship is sufficient for the purpose of this pilot. NIST continues to welcome suggested OLIR mappings.