IoT Labeling Program: Improving Public Information and Informing IoT Purchasing Decisions
If you have an Internet-connected “smart” device – like a home security system, Apple watch, exercise equipment with video feed, or glucose monitoring system that sends data to your doctor – a new product label is in the works to provide consumers with data and security information.
The goal is to give consumers more confidence, along with information they can use to protect their sensitive data and privacy when purchasing IoT devices.
NIST Program Initiated by Presidential Executive Order
Launched in mid-2021 by the National Institute of Standards and Technology (NIST), the two labeling programs on the cybersecurity capabilities of Internet-of-Things (IoT) consumer devices and on software development practices respond to the Presidential Executive Order on Improving the Nation’s Cybersecurity (14028), signed in May 2021. This program is in addition to the first directive in the order: to “identify or develop standards, tools, best practices, and other guidelines to enhance software supply chain security.”
NIST Labeling Program Timeline
The program is on a one-year schedule, including two upcoming milestones:
- February 6, 2022: Issue guidance that identifies practices that enhance software supply chain security, including standards, procedures, and criteria.
- May 8, 2022: Publish additional guidelines, including procedures for periodically reviewing and updating the guidelines.
See the full timeline.
Three Sets of IoT Labeling Criteria
There are three areas of criteria for cybersecurity labeling of IoT:
- Technical security
- Label form and content
- Manufacturer self-declaration
Technical Security Criteria
The goal of these criteria is to describe desired outcomes, influence purchase decisions, and enforce desirable qualities in IoT security. They include a set of claims that a software provider makes about their software.
The goal of the second set of criteria is to provide recommendations for label form and content and for labeling programs, and to encourage consideration of usability.
The goal of the third set of criteria is to have manufacturers self-declare their cybersecurity.
Cybersecurity Attributes and Capability Attestations
Possibly the most important are the critical cybersecurity attributes and capability attestations:
- Free from known vulnerabilities
- Software integrity and provenance
- Multifactor authentication
- Free from hard-coded secrets
- Strong cryptography
What Could the IoT Label Look Like?
While NIST won’t dictate what the label should look like, they are providing the standards and criteria as recommendations from their collaboration with industry, academia, and the public. One example comes from researchers at Carnegie Mellon University. You can see their ideas for a user-friendly label here.
To stay abreast of progress and to get involved with the NIST labeling project, you can find more information on their website.