NIST Starts Consumer Labeling Program for IoT Cybersecurity

Davis Wright Tremaine LLP

Davis Wright Tremaine LLP

Over the last several weeks, the National Institute of Standards and Technology (NIST) has taken key steps towards the creation of a consumer labeling program for the cybersecurity of Internet of things (IoT) devices.

President Biden's May 2021 Executive Order (EO) 14028, "Improving the Nation's Cybersecurity," which DWT covered in a prior blog post, directed NIST and the Federal Trade Commission (FTC) to explore and pilot such a labeling program as part of the EO's push to improve the security of software supply chains. The labeling program, which has been likened to the Energy Star program for energy efficiency, would allow consumers to identify which IoT devices incorporate certain cybersecurity capabilities and have undergone comprehensive testing and assessment.

Draft Baseline Security Criteria for Consumer IoT Devices

On August 31, 2021, NIST released a draft white paper, "Baseline Security Criteria for Consumer IoT Devices." The white paper proposes various cybersecurity capabilities and criteria for inclusion in the program.

Included in the white paper's proposals are technical measures, such as encryption, authentication, remote software updates, and secure event logging, as well as non-technical measures, such as documentation of security features, vulnerability reporting procedures, and consumer education. NIST is seeking comments on the white paper by October 17, 2021. Comments may be submitted to

Workshop of Cybersecurity Labeling Programs for Consumers

Last week, NIST held a workshop discussing its white paper and efforts to develop the IoT cybersecurity labeling program more generally. Panelists and audience members discussed various ways to implement the proposed security standards and challenges for consumers and IoT device manufacturers.

A recurring theme was the challenge of creating a consumer-facing label that is easy to understand but that also meaningfully informs consumers about a device's security. Both the white paper and workshop attendees discussed a possible tiered approach that would help consumers quickly evaluate an approved IoT device's level of security assurance without needing to pour through technical details.

The lowest tier label would attest to a minimally accepted level of cybersecurity assurance, with each successive level requiring additional cybersecurity protections and more rigorous testing. Another proposal would have the consumer labels accompanied by a QR code or other mechanism that could lead consumers to more in-depth descriptions of security measures.

Next Steps

DWT will continue to follow the development of the IoT cybersecurity labeling program throughout this fall and into next year. Under the EO, NIST and the FTC have 270 days from the date of the EO, or until February 6, 2022, to publish details about the labeling program's criteria.

[View source.]

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Davis Wright Tremaine LLP | Attorney Advertising

Written by:

Davis Wright Tremaine LLP

Davis Wright Tremaine LLP on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide

This website uses cookies to improve user experience, track anonymous site usage, store authorization tokens and permit sharing on social media networks. By continuing to browse this website you accept the use of cookies. Click here to read more about how we use cookies.