The National Institute of Standards and Technology (NIST) has released draft criteria for consumer software cybersecurity labeling, as mandated by the Biden administration’s Cybersecurity Executive Order.
The draft document is a result of input from a September workshop, position papers submitted to NIST, and collaboration with experts from the private and public sectors. NIST plans to release a final version by February 6, 2022.
“We are establishing criteria for a label that will be helpful to consumers,” Michael Ogata, a NIST computer scientist and co-author of the draft document, said. “The goal is to raise consumers’ awareness about the various security needs they might have and to help them make informed choices about the software they purchase and use.”
In order to qualify for a label, NIST is proposing four main criteria, or “attestations,” for software providers.
The four attestations include:
- “Descriptive attestations – information about the label itself, such as who is making the claims about information within the label, what the label applies to, and how the consumer can get more information.
- Secure software development attestations – how the software developer adheres to security best practices. By fulfilling requirements in this category, the provider communicates to consumers that they can be more confident about the development process.
- Critical cybersecurity attributes and capability attestations – features expressed by the software’s functionality, and other attributes that consumers should know, such as whether the software is free from known vulnerabilities or whether encryption is used.
- Data inventory and protection attestations – information about data that consumers may identify as having high cybersecurity-related risk, and the software provider’s descriptions of mechanisms used to protect that data. This data might relate to personally identifiable information, device location information, or any other data the provider has spent time and effort safeguarding.”
Comments on the draft criteria are due by December 16, 2021.