Baseline Criteria for Consumer Software Cybersecurity Labeling

Date Published: November 1, 2021
Comments Due: December 16, 2021 (public comment period is CLOSED)
Email Questions to: labeling-eo@nist.gov

Author(s)

National Institute of Standards and Technology

Announcement

This draft document advances assignments to NIST in Sec. 4 (s) of Executive Order (EO) 14028, “Improving the Nation’s Cybersecurity” related to cybersecurity labeling for consumer software. It complements a similar document addressing cybersecurity-related consumer labeling for Internet of Things (IoT) products. The criteria in this document are based on extensive input offered to NIST in a September 2021 workshop and position papers submitted to NIST, along with the agency’s research and discussions with organizations and experts from the public and private sector. In accordance with the EO, NIST plans to produce a final version of these criteria by February 6, 2022.

NIST seeks comments on all aspects of the criteria contained in this draft document, including:

• Whether criteria will achieve the goals of the EO by increasing consumer awareness and information and will help to improve the cybersecurity of software which they purchase and use.
• Whether the criteria will enable and encourage software providers to improve the cybersecurity aspects of their products and the information they make available to consumers.
• Whether the labeling-specific criteria are appropriate and likely to be effective for consumers.
• Whether a single, overarching statement that the software product meets the NIST baseline technical criteria should be included on a label, or whether alternative statements would be appropriate.
• Whether additional considerations for the labeling approach, consumer education, or testing are needed – including:
  • Possible appropriate definitive text for describing the labeling program in consumer education materials
  • Best approaches for addressing the needs of non-English speaking consumers
• Whether the software label approach and design should be unique or extended to the IoT product label (also directed in the EO) to facilitate brand recognition, even though the technical criteria will be different.
• Whether the conformity assessment provisions are appropriate.
• Whether a template Declaration of Conformity would be useful for software providers.
• Whether more details on evidence required to support assertions would be useful for software providers.
• Whether the technical baseline criteria are appropriate, including but not limited to:
  • The feasibility, clarity, completeness, and appropriateness of attestations
  • Normative references to be considered for inclusion
  • Potentially requiring that the Software Identifiers attestation take the form of a Software ID Tags

Control Families

None selected