NIST provides recommended criteria for cybersecurity labeling for consumer software and IoT products

Will NIST’s cybersecurity labeling for consumer software and IoT products help us achieve better security? Our experts weigh in.

NIST cybersecurity labeling recommendations | Synopsys

If one of the goals of President Biden’s May 2021 “Executive Order on Improving the Nation’s Cybersecurity” is fulfilled, you’ll be able to look for a quality and security assurance label on any software product you consider buying. To which anyone who cares about such things—and everybody should—might say “it’s about time.”

Indeed, consumer labeling has long been mainstream when it comes to just about everything else. We take for granted that what we plan to eat or drink has a list of ingredients on the packaging or container. The U.S. Department of Agriculture has a label that food vendors can use if their product is certified organic. Most of us are familiar with the Good Housekeeping Seal and UL certification, which offer some assurance that a vast range of products meet a minimum quality standard. “Look for the union label” has been a slogan for almost 50 years.

But details or seals of approval on the quality of software ingredients? Not so much. Pretty much not at all.

Current state of consumer cybersecurity awareness

While Americans rely on software for just about everything in modern life—communication (email, text, phone), social media, online purchases, games, research, home security, transportation, and much, much more—most remain only dimly aware of what it is, how it works, and the level of its quality and security.

As the National Institute of Standards and Technology (NIST) recently put it, “most consumers take for granted and are unaware of the software upon which many products and services rely, [and] the very notion of what constitutes software may even be unclear.” That is, in large measure, because consumers aren’t told much of anything about it. They generally see only what it does, not what it is, who made it, how it works, or how it could put them at risk.

The Biden executive order (EO) is obviously aimed at closing that gap in consumer awareness. It calls for NIST, the Federal Trade Commission, and other agencies to “initiate pilot programs informed by existing consumer product labeling…