As part of its assignment under the Presidential Executive Order on Improving the Nation’s Cybersecurity (14028) issued on May 12, 2021, NIST is responsible for a multi-faceted initiative related to cybersecurity labeling for consumers. That includes labeling for consumer software products.
Under the Executive Order, NIST is to publish details about the IoT labeling effort by February 6, 2022. NIST identified key elements of consumer software labeling programs in terms of minimum requirements and desirable attributes. Rather than establishing its own program, NIST specified desired outcomes, allowing providers and customers to choose the best solutions for their products and environments. One size may not fit all, and multiple solutions might be offered by label providers.
On November 1, 2021, NIST released a white paper with draft criteria for consumer software cybersecurity labeling. Comments received are available here.
On February 4, 2022, NIST recommended criteria for cybersecurity labeling of consumer software.
On May 10, 2022, NIST delivered to the Assistant to the President for National Security Affairs (APNSA) a summary report about cybersecurity labeling of consumer IoT products and consumer software products. Reflecting consultations with the private sector and relevant agencies, the report reviews the pilot programs as well as opportunities for improvements which can be made going forward.
Summary report about cybersecurity labeling of consumer IoT products and consumer software products (May 10, 2022)
Recommended Criteria for Cybersecurity Labeling of Consumer Software (February 4, 2022)