Over the last several weeks, the National Institute of Standards and Technology (NIST) has taken key steps towards the creation of a consumer labeling program for the cybersecurity of Internet of things (IoT) devices.

President Biden's May 2021 Executive Order (EO) 14028, "Improving the Nation's Cybersecurity," which DWT covered in a prior blog post, directed NIST and the Federal Trade Commission (FTC) to explore and pilot such a labeling program as part of the EO's push to improve the security of software supply chains. The labeling program, which has been likened to the Energy Star program for energy efficiency, would allow consumers to identify which IoT devices incorporate certain cybersecurity capabilities and have undergone comprehensive testing and assessment.

Draft Baseline Security Criteria for Consumer IoT Devices

On August 31, 2021, NIST released a draft white paper, "Baseline Security Criteria for Consumer IoT Devices." The white paper proposes various cybersecurity capabilities and criteria for inclusion in the program.

Included in the white paper's proposals are technical measures, such as encryption, authentication, remote software updates, and secure event logging, as well as non-technical measures, such as documentation of security features, vulnerability reporting procedures, and consumer education. NIST is seeking comments on the white paper by October 17, 2021. Comments may be submitted to labeling-eo@nist.gov.

Workshop of Cybersecurity Labeling Programs for Consumers

Last week, NIST held a workshop discussing its white paper and efforts to develop the IoT cybersecurity labeling program more generally. Panelists and audience members discussed various ways to implement the proposed security standards and challenges for consumers and IoT device manufacturers.

A recurring theme was the challenge of creating a consumer-facing label that is easy to understand but that also meaningfully informs consumers about a device's security. Both the white paper and workshop attendees discussed a possible tiered approach that would help consumers quickly evaluate an approved IoT device's level of security assurance without needing to pour through technical details.

The lowest tier label would attest to a minimally accepted level of cybersecurity assurance, with each successive level requiring additional cybersecurity protections and more rigorous testing. Another proposal would have the consumer labels accompanied by a QR code or other mechanism that could lead consumers to more in-depth descriptions of security measures.

Next Steps

DWT will continue to follow the development of the IoT cybersecurity labeling program throughout this fall and into next year. Under the EO, NIST and the FTC have 270 days from the date of the EO, or until February 6, 2022, to publish details about the labeling program's criteria.