The National Institute of Standards and Technology has drafted a set of cybersecurity criteria to help consumers make more informed software purchasing decisions.
NIST says it doesn’t intend to create a formal standard, but hopes to create a voluntary labeling system that shows the software “incorporates a baseline level of security measures.”
The document, formally titled Draft Baseline Criteria for Consumer Software Cybersecurity Labeling, forms part of NIST’s response to the May 12, 2021, Executive Order (EO) 14028 on Improving the Nation’s Cybersecurity. The EO specifies that NIST “shall identify secure software development practices or criteria for a consumer software labeling program” — criteria that reflect a baseline level of cybersecurity and that focus on ease of use for consumers. (The EO also instructs NIST to initiate a labeling effort on the cybersecurity aspects of consumer devices associated with the Internet of Things, which the present publication does not address.)
In the announcement, NIST acknowledged the challenges of a security labeling system for a wide array of technology solutions:
Part of the challenge is the sheer vastness and variety of the consumer software landscape. Software forms an integral part of most consumers’ lives, and it is subject to vulnerabilities that place the users’ safety, property and productivity at risk — but there is no one-size-fits-all approach to cybersecurity that can be applied to all types of consumer software. The cybersecurity considerations for a smartphone game could differ greatly from, for example, those applied to a banking app. Yet a security label aimed at consumers will need to communicate simply and directly.
Comments on the draft document are due by December 16, 2021.
News we're paying attention to.