Q1. What past work has NIST done related to these labeling-related efforts?
- NIST carries out a cybersecurity-oriented Internet of Things (IoT) program and has produced multiple resources. Some of those documents, including cybersecurity baselines, will be used as NIST identifies relevant criteria for these efforts. Among the recent documents is a draft, “Establishing Confidence in IoT Device Security: How Do We Get There?”, which describes the landscape of confidence mechanisms currently available for establishing the security of IoT devices in the marketplace.
- The agency has a longstanding program focused on managing risks to the cyber supply chain, software quality and security, and security development and engineering resources – across research, standards, and transition to practice. For details about the relevant resources produced by NIST to date, go to our resources page.
- NIST has been a key resource and clearinghouse for public and private organizations interested in different approaches to conformity assessment. This includes tracking conformity assessment resources, among them several federal programs aimed at educating consumers.
Q2. How will NIST involve the private sector and other government agencies in carrying out the engagement called for by the Executive Order?
- NIST will rely heavily on information provided by diverse stakeholders as it carries out these directives. In August, the agency published for comment draft baseline security criteria for consumer IoT devices.
- In addition, manufacturers, distributors, government agencies (especially the Federal Trade Commission and Consumer Product Safety Commission), consumers and others in the private and public sectors were asked to submit one- or two-page position papers providing suggestions and feedback on the challenges and practical approaches to consumer software labeling pilots.
- On September 14-15, 2021, NIST hosted a virtual public workshop on these consumer education-oriented efforts.
Q3. Will NIST stand up and manage programs in these two areas?
- No. NIST will identify key elements of labeling programs in terms of minimum requirements and desirable attributes – rather than establishing its own programs.
- NIST is seeking public comments on its recent review of standards and existing security labeling schemes to inform consumers about the security of products. These existing efforts might be compatible with the criteria and schemes which NIST develops.
- The agency will specify desired outcomes, allowing providers and customers to choose best solutions for their devices and environments. One size may not fit all, and multiple solutions might be offered by label providers.
Q4. Will manufacturers and distributors be required to participate in those labeling programs? Will federal agencies be required to purchase devices which are labeled by those programs?
- The EO does not specify participation or purchase requirements.