Executive Order (EO) 14028, “Improving the Nation’s Cybersecurity,” tasks the National Institute of Standards and Technology (NIST), in coordination with the Federal Trade Commission (FTC) and other agencies, to initiate pilot programs informed by existing consumer product labeling programs to educate the public on the security capabilities of Internet-of Things (IoT) devices and software development practices. NIST also is to consider ways to incentivize manufacturers and developers to participate in these programs. This white paper proposes baseline security criteria for consumer IoT devices. This is one of three dimensions of a consumer Internet of Things (IoT) cybersecurity labeling program that would be responsive to Sections 4 (s) and (t) of the EO. The other dimensions are criteria for conformity assessment and the label. In addition to the feedback sought on this white paper, NIST will also consult with stakeholders on those additional considerations.
NIST will identify key elements of labeling programs in terms of minimum requirements and desirable attributes. Rather than establishing its own programs, NIST will specify desired outcomes, allowing providers and customers to choose the best solutions for their devices and environments. One size may not fit all, and multiple solutions might be offered by label providers.
Executive Order (EO) 14028, “Improving the Nation’s Cybersecurity,” tasks the National Institute of Standards and Technology (NIST), in coordination with the Federal Trade Commission (FTC) and other agencies, to initiate pilot programs informed by existing consumer product labeling programs to...
See full abstract
Executive Order (EO) 14028, “Improving the Nation’s Cybersecurity,” tasks the National Institute of Standards and Technology (NIST), in coordination with the Federal Trade Commission (FTC) and other agencies, to initiate pilot programs informed by existing consumer product labeling programs to educate the public on the security capabilities of Internet-of Things (IoT) devices and software development practices. NIST also is to consider ways to incentivize manufacturers and developers to participate in these programs. This white paper proposes baseline security criteria for consumer IoT devices. This is one of three dimensions of a consumer Internet of Things (IoT) cybersecurity labeling program that would be responsive to Sections 4 (s) and (t) of the EO. The other dimensions are criteria for conformity assessment and the label. In addition to the feedback sought on this white paper, NIST will also consult with stakeholders on those additional considerations.
NIST will identify key elements of labeling programs in terms of minimum requirements and desirable attributes. Rather than establishing its own programs, NIST will specify desired outcomes, allowing providers and customers to choose the best solutions for their devices and environments. One size may not fit all, and multiple solutions might be offered by label providers.
Hide full abstract