U.S. flag   An unofficial archive of your favorite United States government website
Dot gov

Official websites do not use .rip
We are an unofficial archive, replace .rip by .gov in the URL to access the official website. Access our document index here.


Secure websites use HTTPS
A lock (Dot gov) or https:// means you've safely connected to our website. Please do not share sensitive information with us.

This is an archive
(replace .gov by .rip)

White Paper (Draft)

Baseline Criteria for Consumer Software Cybersecurity Labeling

Date Published: November 1, 2021
Comments Due: December 16, 2021
Email Comments to: labeling-eo@nist.gov


National Institute of Standards and Technology


This draft document advances assignments to NIST in Sec. 4 (s) of Executive Order (EO) 14028, “Improving the Nation’s Cybersecurity” related to cybersecurity labeling for consumer software. It complements a similar document addressing cybersecurity-related consumer labeling for Internet of Things (IoT) products. The criteria in this document are based on extensive input offered to NIST in a September 2021 workshop and position papers submitted to NIST, along with the agency’s research and discussions with organizations and experts from the public and private sector. In accordance with the EO, NIST plans to produce a final version of these criteria by February 6, 2022.

NIST seeks comments on all aspects of the criteria contained in this draft document, including:

  • Whether criteria will achieve the goals of the EO by increasing consumer awareness and information and will help to improve the cybersecurity of software which they purchase and use.
  • Whether the criteria will enable and encourage software providers to improve the cybersecurity aspects of their products and the information they make available to consumers.
  • Whether the labeling-specific criteria are appropriate and likely to be effective for consumers.
  • Whether a single, overarching statement that the software product meets the NIST baseline technical criteria should be included on a label, or whether alternative statements would be appropriate.
  • Whether additional considerations for the labeling approach, consumer education, or testing are needed – including:
    • Possible appropriate definitive text for describing the labeling program in consumer education materials
    • Best approaches for addressing the needs of non-English speaking consumers
  • Whether the software label approach and design should be unique or extended to the IoT product label (also directed in the EO) to facilitate brand recognition, even though the technical criteria will be different.
  • Whether the conformity assessment provisions are appropriate.
  • Whether a template Declaration of Conformity would be useful for software providers.
  • Whether more details on evidence required to support assertions would be useful for software providers.
  • Whether the technical baseline criteria are appropriate, including but not limited to:
    • The feasibility, clarity, completeness, and appropriateness of attestations
    • Normative references to be considered for inclusion
    • Potentially requiring that the Software Identifiers attestation take the form of a Software ID Tags



consumers; cybersecurity labeling; Executive Order 14028; software
Control Families

None selected


Draft Baseline Criteria

Supplemental Material:
Consumer Software Criteria page (web)
NIST news article (web)

Document History:
11/01/21: White Paper (Draft)


Security and Privacy
general security & privacy

software & firmware

Laws and Regulations
Executive Order 14028