NIST issues software, IoT security, and labelling guidance

The US National Institute of Standards and Technology (NIST) announces the release of five new documents concerning software security practices (2 documents) and software security labelling (3 documents). These documents are aligned with the President’s Executive Order (EO) on “Improving the Nation’s Cybersecurity (14028)” issued on May 12, 2021:

1. Software Supply Chain Security Guidance Under Executive Order (EO) 14028 Section 4e – this document defines guidelines for federal agency staff who have software procurement-related responsibilities (e.g., acquisition and procurement officials, technology professionals). These guidelines aim to help federal agencies know what information to request from software producers regarding their secure software development practices. 

2. NIST Special Publication 800-218, Secure Software Development Framework (SSDF) Version 1.1: Recommendations for Mitigating the Risk of Software Vulnerabilities – this document recommends a set of high-level secure software development practices that can be integrated into any software development life cycle (SDLC) implementation. These practices are defined as the Secure Software Development Framework (SSDF). The framework should help software producers reduce the number of vulnerabilities in released software, mitigate the potential impact of the exploitation of undetected or unaddressed vulnerabilities, and address the root causes of vulnerabilities to prevent future recurrences. The framework also provides a shared vocabulary for secure software development that software purchasers and consumers can use to foster communication with suppliers in acquisition processes.

3. Recommended Criteria for Cybersecurity Labelling of Consumer Internet of Things (IoT) Products – as previously announced, NIST is not establishing its own scheme or program, nor is NIST designing or proposing a design for a consumer IoT product label. Instead, this white paper includes consumer IoT product label criteria, label design, consumer education considerations, and conformity assessment considerations for use by a scheme owner to inform a consumer IoT product labelling program. The scheme owner could be a public or private sector organization. The scheme owner will be the entity that manages the labelling scheme, determines its structure and management, and performs oversight to ensure that it is functioning consistently with its overall objectives. The scheme owner is responsible for tailoring the product criteria, defining conformity assessment requirements, developing the label and associated information, and conducting related consumer outreach and education. A scheme could be defined at a sector level, or an overall scheme owner could be responsible for multiple categories.

4. Recommended Criteria for Cybersecurity Labelling of Consumer Software – the white paper makes recommendations in the following areas: (1) the role of a scheme owner in a labelling program, (2) baseline technical criteria that can inform a label, (3) labelling presentation criteria, and (4) conformity assessment criteria. This document also explores consumer education and usability for software labels. The paper addresses the following recommendations: (a) establish a baseline set of technical criteria to help organizations wishing to make claims about security via a software label; (b) provide criteria for the label, including how cybersecurity-related risks and attributes could be represented, how labels can be tested for effectiveness, and how the public can be educated about the label and its meaning; and (c) describe conformity criteria for use by organizations.

5. Consumer Cybersecurity Labelling Pilots: The Approach and Feedback – following the President's Executive Order, NIST was instructed to conduct pilots based on the published criteria (the recommended criteria for cybersecurity labelling of consumer IoT products and the recommended criteria for cybersecurity labelling of consumer software) and, within one year, to conduct a review of the pilot programs, consult with the private sector and relevant agencies to assess the effectiveness of the programs, determine what improvements can be made in the future, and submit a summary report. The pilot will consist of NIST seeking contributions from stakeholders on the following issues: (1) whether there are existing labelling schemes that partially or entirely align with the NIST recommendations, including information regarding that alignment; (2) whether organizations that do not currently operate labelling schemes would be interested in establishing new programs based on the NIST recommendations; (3) the type of organization(s) that could serve as owner(s) for consumer labelling schemes; (4) recommendations on how a scheme owner would utilize the NIST recommendations to manage a labelling program; and (5) potential incentives for implementing a consumer labelling scheme based on the NIST recommendations. The deadline for contributions to this pilot is March 15, 2022, and the summary report will be published by May 12, 2022.