NIST publishes a draft about criteria for consumer software cybersecurity labeling

The US National Institute of Standards and Technology (NIST) has issued draft baseline criteria for consumer software cybersecurity labeling. The proposed criteria are meant to support the development and voluntary use of labels indicating that a piece of software incorporates a baseline level of security measures. According to the announcement, NIST does not plan to design the label itself or to run a labeling program for consumer software; it will be up to industry to decide which organizations adopt cybersecurity labels. The criteria draw on input from the public and other stakeholders. To qualify for a label, a software provider would need to meet a set of technical requirements (“attestations”, i.e. claims about the software’s security), which the document organizes into four categories:

(1) Descriptive attestations — information about the label itself, such as who is making the claims on the label, what the label applies to, and how the consumer can obtain more information.

(2) Secure software development attestations — how the software developer follows secure development best practices.

(3) Critical cybersecurity attributes and capability attestations — security features expressed through the software’s functionality and other attributes that consumers should know about, such as whether the software is free from known vulnerabilities or whether encryption is used.

(4) Data inventory and protection attestations — information about data that consumers may consider to carry high cybersecurity-related risk, together with the software provider’s description of the mechanisms used to protect that data.

The deadline for public comments is Dec. 16, 2021. NIST will release the final version by Feb. 6, 2021; this draft is the only version NIST plans to release before the final publication.