NOTE: This workshop has taken place. Nearly 550 participants joined the September 14-15 virtual event, with many actively involved by posing questions or joining the online chat. A video recording of the workshop can be found here.
The National Institute of Standards and Technology (NIST) is seeking suggestions and feedback on challenges and practical approaches to initiating cybersecurity labeling efforts for Internet of Things (IoT) devices and consumer software. The information will help NIST to carry out one of its multiple assignments in an Executive Order (EO) on Improving the Nation’s Cybersecurity. Stakeholders were invited to respond to a call for papers, comment on draft IoT device criteria, and participate in a workshop on September 14-15, 2021.
The President on May 12, 2021, issued an Executive Order on Improving the Nation’s Cybersecurity (EO 14028). Among other things, Section 4 of the EO directs NIST to initiate two labeling efforts – informed by existing consumer product labeling programs – to educate the public on the cybersecurity capabilities of Internet-of-Things (IoT) devices and software development practices.
By February 6, 2022, in coordination with the Federal Trade Commission (FTC) and other agencies, NIST is required to:
The IoT cybersecurity criteria are to:
The secure software development criteria are to:
Both labeling efforts are to be conducted in a manner consistent with OMB Circular A-119 and NIST Special Publication 2002-02 (Conformity Assessment Considerations for Federal Agencies).
In August, NIST posted for public comment a set of potential baseline security criteria for IoT devices. These draft criteria were discussed at the workshop on September 14-15, 2021.
Papers were reviewed for their diversity of information and suggestions in order to ensure that NIST considers a wide range of approaches for practically and effectively achieving the goal of the EO. NIST seeks to build on existing approaches and capabilities to avoid duplication and to speed implementation of needed security steps while also encouraging creative thinking and new approaches.
NIST encouraged hearing additional views during the upcoming workshop.
On September 14-15, 2021, NIST hosted a virtual public workshop on Cybersecurity Labeling for Internet of Things (IoT) Devices and Consumer Software. The agenda for the workshop, which attracted nearly 550 participants, included facilitated panel discussions and presentations based on the consumer software labeling position papers submitted to NIST and on draft baseline security criteria for consumer IoT devices building on NIST’s current guidance on Cybersecurity for IoT. A video recording of the workshop and panelist presentations can be found here.
Frequently Asked Questions about this initiative are available here.
Questions about the position papers and this overall effort should be directed to: labeling-eo [at] nist.gov.