IoT Labeling Program: Improving Public Information and Informing IoT Purchasing Decisions

If you have an Internet-connected “smart” device – like a home security system, Apple Watch, exercise equipment with a video feed, or glucose monitoring system that sends data to your doctor – a new product label is in the works to give consumers information about the device’s data handling and security.

The goal is to give consumers more confidence and information they can use to protect their sensitive data and privacy when purchasing IoT devices.


NIST Program Initiated by Presidential Executive Order

Launched in mid-2021 by the National Institute of Standards and Technology (NIST), the two labeling programs, one on the cybersecurity capabilities of Internet-of-Things (IoT) consumer devices and one on software development practices, are in response to the Presidential Executive Order on Improving the Nation’s Cybersecurity (14028) signed in May 2021. These programs are in addition to the first directive in the order: to “identify or develop standards, tools, best practices, and other guidelines to enhance software supply chain security.”



NIST Labeling Program Timeline

The program is on a one-year schedule, including two upcoming milestones:

  1. February 6, 2022: Issue guidance that identifies practices that enhance software supply chain security, including standards, procedures, and criteria.
  2. May 8, 2022: Publish additional guidelines, including procedures for periodically reviewing and updating them.

See the full timeline.


Three Sets of IoT Labeling Criteria

There are three areas of criteria for cybersecurity labeling of IoT:

  1. Technical Security
  2. Labeling
  3. Conformance

Technical Security Criteria

The goal of these criteria is to describe desired security outcomes, influence purchase decisions, and encourage desirable qualities in IoT security. They include a set of claims that a software provider makes about its software.

Labeling Criteria

The goal of these criteria is to provide recommendations for label form and content and for labeling programs, and to encourage consideration of usability.

Conformance Criteria

The goal of these criteria is to have manufacturers self-declare their products’ cybersecurity capabilities.



Cybersecurity Attributes and Capability Attestations

Possibly most important are the critical cybersecurity attributes and capability attestations a manufacturer would make about a device:

  • Free from known vulnerabilities
  • Software integrity and provenance
  • Multifactor authentication
  • Free from hard-coded secrets
  • Strong cryptography

What Could the IoT Label Look Like?

While NIST won’t dictate what the label should look like, it is providing the standards and criteria as recommendations drawn from its collaboration with industry, academia, and the public. One example comes from researchers at Carnegie Mellon University. You can see their ideas for a user-friendly label here.

To stay abreast of progress and to get involved with the NIST labeling project, you can find more information on the NIST website.
