Draft Baseline Criteria for Consumer Software Cybersecurity Labeling

Please Submit Comments – Draft Baseline Criteria for Consumer Software Cybersecurity Labeling

Section 4 of the President’s Executive Order (EO) on “Improving the Nation’s Cybersecurity” (14028), issued on May 12, 2021, charges NIST, in coordination with the Federal Trade Commission (FTC) and other agencies, to initiate pilot programs for cybersecurity labeling. These labeling programs are intended to educate the public on the security capabilities of software development practices.

To inform this effort, Sec. 4 (u) of the EO directs NIST to “…identify secure software development practices or criteria for a consumer software labeling program.” Furthermore, the identified criteria “…shall reflect a baseline level of security practices, and if practicable, shall reflect increasingly comprehensive levels of testing and assessment that a product may have undergone.” Sec. 4 (u) also states that “…NIST shall examine all relevant information, labeling, and incentive programs, employ best practices, and identify, modify, or develop a recommended label or, if practicable, a tiered software security rating system. This review shall focus on ease of use for consumers and a determination of what measures can be taken to maximize participation.”

Today, NIST has released for public comment a document that advances these tasks: Draft Baseline Criteria for Consumer Software Cybersecurity Labeling. This draft document addresses the need to develop appropriate cybersecurity criteria for consumer software, and it informs the development and use of a label for consumer software that will improve consumers’ awareness, information, and ability to make purchasing decisions while taking cybersecurity considerations into account. This document was developed after much input from a recent NIST workshop, position papers submitted to NIST, additional extensive research, and many discussions with experts and organizations from the public and private sectors.

We are seeking comments on all aspects of the criteria contained in the draft document (more details can be found in the ‘note to reviewers’ section of the draft document). In accordance with the EO, NIST plans to produce a final version of these criteria by February 6, 2022.

Please view the draft document HERE.

To submit comments, please email them to labeling-eo@nist.gov using the subject “Draft Consumer Software Labeling Criteria” by December 16, 2021.