The May 12, 2021, Presidential Executive Order on Improving the Nation’s Cybersecurity (14028) directs NIST to initiate two labeling programs on cybersecurity capabilities of Internet-of-Things (IoT) consumer devices and software development practices. The agency also received several other directives to enhance the security of the software supply chain.
Section 4 of the order directs NIST to take into account existing consumer product labeling programs as it considers efforts to educate the public on the cybersecurity capabilities of Internet-of-Things (IoT) devices and software development practices. NIST is also to consider ways to incentivize manufacturers and developers to participate in these programs.
By February 6, 2022, in coordination with the Federal Trade Commission (FTC) and other agencies, NIST is required to identify:
NIST will rely heavily on information provided by diverse stakeholders as it carries out these directives. In August, the agency released for public comment a white paper suggesting a draft set of potential baseline security criteria for IoT devices. In addition, manufacturers, distributors, government agencies, consumers and others in the private and public sectors were asked in July to submit one- or two-page position papers providing suggestions and feedback on the challenges of, and practical approaches to, consumer software labeling. NIST will identify key elements of labeling programs in terms of minimum requirements and desirable attributes – rather than establishing its own programs; it will specify desired outcomes, allowing providers and customers to choose the best solutions for their devices and environments. One size may not fit all, and multiple solutions might be offered by label providers.
On September 14-15, 2021, NIST hosted a virtual public workshop on these consumer education-oriented efforts. The workshop included facilitated panel discussions and presentations based on the preliminary feedback on the draft IoT baseline security criteria and on the consumer software labeling position papers submitted to NIST.
Questions about NIST’s activities related to these efforts should be directed to labeling-eo [at] nist.gov.