Thursday, November 18, 2021

Draft Baseline Criteria for Consumer Software Cybersecurity Labeling

 Please Submit Comments - Draft Baseline Criteria for Consumer Software Cybersecurity Labeling

Section 4s of the President’s Executive Order (EO) on “Improving the Nation’s Cybersecurity (14028),” issued on May 12, 2021, charges NIST, in coordination with the Federal Trade Commission (FTC) and other agencies, to initiate pilot programs for cybersecurity labeling. These labeling programs are intended to educate the public on the security capabilities of software development practices.

To inform this effort, Sec. 4 (u) of the EO directs NIST to “…identify secure software development practices or criteria for a consumer software labeling program.” Furthermore, the identified criteria “…shall reflect a baseline level of security practices, and if practicable, shall reflect increasingly comprehensive levels of testing and assessment that a product may have undergone.” Sec. 4 (u) also states that “...NIST shall examine all relevant information, labeling, and incentive programs, employ best practices, and identify, modify, or develop a recommended label or, if practicable, a tiered software security rating system. This review shall focus on ease of use for consumers and a determination of what measures can be taken to maximize participation.”

Today, NIST has released for public comment a document that advances these tasks: Draft Baseline Criteria for Consumer Software Cybersecurity Labeling. This draft document addresses the need to develop appropriate cybersecurity criteria for consumer software—and it informs the development and use of a label for consumer software which will improve consumers’ awareness, information, and ability to make purchasing decisions (while taking cybersecurity considerations into account). This document was developed after much input from a recent NIST workshop, position papers submitted to NIST, additional extensive research, and many discussions with experts and organizations from the public and private sectors.

We are seeking comments on all aspects of the criteria contained in the draft document (more details can be found in the ‘note to reviewers’ section of the draft document). In accordance with the EO, NIST plans to produce a final version of these criteria by February 6, 2022.

Please view the draft document HERE.

To submit comments, please email them to labeling-eo@nist.gov using the subject, "Draft Consumer Software Labeling Criteria," by December 16, 2021.