U.S. flag   An official website of the United States government
Dot gov

Official websites use .gov
A .gov website belongs to an official government organization in the United States.


Secure .gov websites use HTTPS
A lock (Dot gov) or https:// means you've safely connected to the .gov website. Share sensitive information only on official, secure websites.

Other (Initial Public Draft)

Baseline Criteria for Consumer Software Cybersecurity Labeling

Date Published: November 1, 2021
Comments Due: December 16, 2021 (public comment period is CLOSED)
Email Questions to: labeling-eo@nist.gov


National Institute of Standards and Technology


This draft document advances assignments to NIST in Sec. 4 (s) of Executive Order (EO) 14028, “Improving the Nation’s Cybersecurity” related to cybersecurity labeling for consumer software. It complements a similar document addressing cybersecurity-related consumer labeling for Internet of Things (IoT) products. The criteria in this document are based on extensive input offered to NIST in a September 2021 workshop and position papers submitted to NIST, along with the agency’s research and discussions with organizations and experts from the public and private sector. In accordance with the EO, NIST plans to produce a final version of these criteria by February 6, 2022.

NIST seeks comments on all aspects of the criteria contained in this draft document, including:

  • Whether criteria will achieve the goals of the EO by increasing consumer awareness and information and will help to improve the cybersecurity of software which they purchase and use.
  • Whether the criteria will enable and encourage software providers to improve the cybersecurity aspects of their products and the information they make available to consumers.
  • Whether the labeling-specific criteria are appropriate and likely to be effective for consumers.
  • Whether a single, overarching statement that the software product meets the NIST baseline technical criteria should be included on a label, or whether alternative statements would be appropriate.
  • Whether additional considerations for the labeling approach, consumer education, or testing are needed – including:
    • Possible appropriate definitive text for describing the labeling program in consumer education materials
    • Best approaches for addressing the needs of non-English speaking consumers
  • Whether the software label approach and design should be unique or extended to the IoT product label (also directed in the EO) to facilitate brand recognition, even though the technical criteria will be different.
  • Whether the conformity assessment provisions are appropriate.
  • Whether a template Declaration of Conformity would be useful for software providers.
  • Whether more details on evidence required to support assertions would be useful for software providers.
  • Whether the technical baseline criteria are appropriate, including but not limited to:
    • The feasibility, clarity, completeness, and appropriateness of attestations
    • Normative references to be considered for inclusion
    • Potentially requiring that the Software Identifiers attestation take the form of a Software ID Tags



consumers; cybersecurity labeling; Executive Order 14028; software
Control Families

None selected


Draft Baseline Criteria (pdf)

Supplemental Material:
Comments received
Consumer Software Criteria page
NIST news article

Document History:
11/01/21: Other (Draft)
02/04/22: CSWP 23 (Final)


Security and Privacy

general security & privacy


software & firmware

Laws and Regulations

Executive Order 14028