Q1. What past work has NIST done related to these labeling-related efforts?
- NIST runs a cybersecurity-oriented Internet of Things (IoT) program and has produced multiple resources. Some of those documents, including its cybersecurity capability baselines for IoT devices, will be drawn on as NIST identifies relevant criteria for these efforts. Among the recent documents is a draft, "Establishing Confidence in IoT Device Security: How Do We Get There?", which describes the landscape of confidence mechanisms currently available for establishing the security of IoT devices in the marketplace.
- The agency has a long-standing program focused on managing cybersecurity risks in the supply chain, software quality and security, and security development and engineering resources – across research, standards, and transition to practice. For details about the relevant resources produced by NIST to date, go to our resources page.
- NIST has been a key resource and clearinghouse for public and private organizations interested in different approaches to conformity assessment. That includes tracking resources related to conformity assessment, among them several federal programs aimed at educating consumers.
Q2. How has NIST involved the private sector and other government agencies in carrying out the labeling-related engagement called for by the Executive Order?
- NIST has been relying heavily on information provided by diverse stakeholders to carry out these directives. NIST published draft criteria on IoT devices and consumer software for public comment.
- In addition, manufacturers, distributors, government agencies (especially the Federal Trade Commission and Consumer Product Safety Commission), consumers and others in the private and public sectors have been asked to submit one- or two-page position papers providing suggestions and feedback on the challenges and practical approaches to consumer cybersecurity labeling.
- NIST has hosted multiple workshops and webinars and will continue to do so and to engage with interested stakeholders.
Q3. Will NIST stand up and manage programs in these two areas?
- No. NIST is identifying key elements of labeling programs in terms of minimum requirements and desirable attributes – rather than establishing its own programs.
- NIST has sought public comments on its review of standards and existing security labeling schemes to inform consumers about the security of products.
- NIST is specifying desired outcomes, allowing providers and customers to choose the best solutions for their devices and environments. One size may not fit all, and multiple solutions might be offered by label providers.
Q4. Will manufacturers and distributors be required to participate in those labeling programs? Will federal agencies be required to purchase devices that are labeled by those programs?
- The EO does not specify participation or purchase requirements.
Q5. What is the status of the report to be submitted to the President reviewing progress made under the labeling provisions of the EO?
- NIST submitted the report to the Assistant to the President for National Security Affairs (APNSA), as directed in the EO. It is available here.