NIST Publishes Criteria for Consumer Software
November 23, 2021
Consumer software providers will soon have the option to label their software as compliant with National Institute of Standards and Technology (NIST) standards for software security. On November 1, 2021, NIST published its initial draft of this standard in a white paper titled “DRAFT Baseline Criteria for Consumer Software Cybersecurity Labeling” (the White Paper). The White Paper defines the security-related information that would have to be disclosed on the label and the specific security practices a software provider would have to follow. It was developed in coordination with the Federal Trade Commission (FTC) and will likely inform future FTC guidance and enforcement activity. NIST has requested public comments on the White Paper by December 16, 2021. The final version is expected to be published by February 6, 2022.
President Joe Biden’s May 12, 2021, Executive Order (EO) 14028 directs NIST to initiate pilot programs for cybersecurity labeling “to educate the public on the security capabilities of Internet of things (IoT) devices and software development practices.” Under the EO, NIST, in coordination with the FTC and other agencies, “shall identify secure software development practices or criteria for a consumer software labeling program.” The criteria shall “reflect a baseline level of secure practices” as well as “increasingly comprehensive levels of testing and assessment that a product may have undergone.”
The White Paper addresses the need to develop appropriate cybersecurity criteria for consumer software, which means software primarily used for personal, family or household purposes. It is intended to inform “the development and use of a label for consumer software,” which would “improve consumers’ awareness, information, and ability to make purchasing decisions while taking cybersecurity considerations into account.” It is not intended to “describe how a cybersecurity label should be explicitly represented” or “detail how a labeling program should be owned or operated.”
The White Paper has three primary elements: (i) it defines baseline technical criteria for the label; (ii) it details a proposed approach for conformity assessment; and (iii) it describes criteria for the labeling approach. It also enumerates specific issues on which NIST requests comment.
BASELINE TECHNICAL CRITERIA
The White Paper defines a series of outcome-based attestations (i.e., claims) that software providers would make about their product on the NIST label. It also provides criteria for satisfying each attestation.
To meet the baseline technical criteria, software providers will need to implement the following practices:
Follow the NIST Secure Software Development Framework (SSDF).
Provide a mechanism for reporting vulnerabilities.
Provide support at least until the published…