As part of its assignment under the Presidential Executive Order on Improving the Nation’s Cybersecurity (14028) issued on May 12, 2021, NIST has released a white paper with draft criteria for consumer software cybersecurity labeling. This is one part of a multi-faceted initiative under the executive order related to cybersecurity labeling for consumers. NIST is seeking comments on the draft criteria, which suggest a set of potential baseline security criteria for consumer software.
Comments on the draft white paper are due no later than December 16, 2021. Under the Executive Order, NIST is to publish details about the consumer software labeling effort by February 6, 2022.
Comments should be submitted to: labeling-eo [at] nist.gov. Receipt of submissions will be acknowledged via email. All comments will be published on this website. Please submit comments only and include your name and organization’s name (if any) and cite “Draft Consumer Software Labeling Criteria.” Personally identifiable information (PII), such as street addresses, phone numbers, account numbers, or Social Security numbers, or names of other individuals, should not be included. Do not submit confidential business information or otherwise sensitive or protected information.
Rather than establishing its own programs, NIST will identify key elements of labeling programs in terms of minimum requirements and desirable attributes. It will specify desired outcomes, allowing providers and customers to choose the best solutions for their devices and environments. One size may not fit all, and multiple solutions might be offered by label providers.