As part of its assignment under the Presidential Executive Order on Improving the Nation’s Cybersecurity (14028) issued on May 12, 2021, NIST is responsible for a multi-faceted initiative related to cybersecurity labeling for consumers. That includes labeling for Internet of Things (IoT) products. Under the Executive Order, NIST is to publish details about the IoT labeling effort by February 6, 2022.
NIST identified key elements of IoT labeling programs in terms of minimum requirements and desirable attributes. Rather than establishing its own program, NIST specified desired outcomes, allowing providers and customers to choose best solutions for their products and environments. One size may not fit all, and multiple solutions might be offered by label providers.
On August 31, 2021, NIST released a white paper with draft criteria for a labeling program on cybersecurity capabilities of Internet of Things (IoT) devices. NIST sought comments on the draft criteria, which suggested a set of potential baseline security criteria for IoT devices. Those comments are available here.
On December 3, 2021, taking public feedback into account, NIST released a further discussion paper, Consumer Cybersecurity Labeling for IoT Products: Discussion Draft on the Path Forward, which was discussed at a December 9, 2021 workshop.
On February 4, 2022, NIST recommended criteria for cybersecurity labeling of IoT products.
On May 10, 2022, NIST delivered to the Assistant to the President for National Security Affairs (APNSA) a summary report about cybersecurity labeling of consumer IoT products and consumer software products. Reflecting consultations with the private sector and relevant agencies, the report reviews the pilot programs as well as opportunities for improvements which can be made going forward.
Summary report about cybersecurity labeling of consumer IoT products and consumer software products (May 10, 2022)
For questions, contact: labeling-eo [at] nist.gov