Hot Topics in Consumer Cybersecurity Labeling – Our December 2021 Workshop


On May 12, 2021 the White House released an Executive Order (EO) on Improving the Nation’s Cybersecurity which, among other things, tasked NIST to develop cybersecurity criteria and labeling approaches for consumer software and Internet of Things (IoT) products. Activity since then includes a call for papers, multiple workshops, draft criteria, and processing all of the feedback received. The goal of the latest workshop on December 9th was to provide the community an update, answer questions, and gather a final round of feedback which will be factored into final criteria to be released at the beginning of February 2022.

First, a quick review of the workshop agenda and summary of each section led by NIST staff:

  • Warren Merkel summarized NIST’s activities to-date in responding to the EO and the future milestones, noting that the timelines for the EO are tight. He strongly encouraged participants to provide feedback on the November 1st software labeling criteria paper by the December 16th deadline. He also reiterated that NIST will not initiate its own labeling programs.
  • Michael Ogata then provided an overview of the software labeling criteria and described the requirements for each of the four categories of criteria: descriptive attestations, software development attestation, critical cybersecurity attributes and capability attestations, and data inventory and protection attestations, which collectively identify 15 types of attestations.
  • Paul Watrobski and Michael Fagan of the Cybersecurity for IoT program summarized the feedback received on the August draft of consumer IoT cybersecurity criteria, and described adjustments to the criteria reflected in the update published December 3rd.
  • Amy Phelps reviewed the development of conformity assessment criteria, describing the range of approaches to conformance criteria and the role a scheme owner would play in establishing detailed criteria and assessing conformance.
  • Julie Haney discussed the labeling criteria aspect, explaining the goals of labeling, types of labels, and NIST’s preferred solution – for both consumer IoT products and consumer software – of a binary label with a layered approach that can supply information beyond the basic presence of the label.

Each session included a closing segment with answers to the many questions submitted by workshop participants. A panel comprising all presenters took a final round of questions to wrap up the event. You can view the event description and recording here.

What We Heard

Overall, NIST perceived general support for the approaches presented for cybersecurity criteria, conformity assessment, and labeling. This support was tempered somewhat with many detailed questions about various aspects of the program.

The Path Ahead

NIST is finalizing the software and IoT cybersecurity criteria, with a deadline of February 6th for publishing final criteria. NIST also will summarize the work performed in responding to the EO and the background and reasoning behind decisions embodied in the criteria. Once the criteria are available, they will be used in a pilot phase to provide information on how the criteria can support labeling efforts and improve cybersecurity related to consumer IoT products and software. The EO requires that a final report be submitted by May 12, 2022.
