On February 4, 2022, the National Institute of Standards and
Technology (“NIST”) published its Recommended Criteria for Cybersecurity Labeling
for Consumer Internet of Things (IoT) Products (“IoT
Criteria”). The IoT Criteria make recommendations for
cybersecurity labeling for consumer IoT products, in other words,
for IoT products intended for personal, family, or household
The purpose of the publication, as described by NIST, is to
identify “key elements of a potential labeling
scheme.” The publication makes clear, however, that the
scheme would not be established or managed by NIST, but rather
“by another organization or program,” referred to in the
publication as the “scheme owner.” The identity of
the scheme owner is undetermined, but it “could be a public or
private sector” entity.
The publication of the IoT Criteria represents another step
toward a national cybersecurity labeling scheme for consumer IoT
products. We should expect that the framework established by
NIST in this publication will serve as a model for these
IoT Criteria Framework.
The IoT Criteria
establish recommended considerations for three key aspects of a
potential cybersecurity IoT labeling program:
- Baseline Product Criteria
- Conformity Assessments
- Labeling Considerations
With respect to “baseline product criteria,” the IoT
Criteria recommend an “outcome-based approach” that
“allows for the flexibility required by a diverse marketplace
of IoT products.” Rather than require specific technical
specifications, the IoT Criteria list desirable, baseline
“outcomes” that, if achieved, would enhance the
cybersecurity of the IoT product. The outcome-based approach
“allows cybersecurity solutions and mitigations to be upgraded
and changed over time without significant changes in the product
criteria for labeling.” The recommended criteria are to
serve as a baseline. The publication
discusses ten baseline product criteria:
- Asset Identification: The IoT product is (1)
uniquely identifiable and (2) inventories all its components.
- Product Configuration: The IoT product has (1)
a changeable configuration, (2) “the ability to restore a
secure default setting,” and (3) restricts the ability to
implement changes to “authorized individuals, services, and
other IoT product components.”
- Data Protection: The IoT product and its
components protect stored and transmitted data from unauthorized
access, disclosure, and modification.
- Interface Access Control: “The IoT
product and its components restrict logical access to local and
network interfaces – and to protocols and services used by those
interfaces – to only authorized individuals, services, and IoT
- Software Update: The IoT product and component
software can only be updated by authorized individuals, services,
and other IoT product components via “a secure and
configurable mechanism, as appropriate for each IoT product
- Cybersecurity State Awareness: “The IoT
product supports detection of cybersecurity incidents affecting or
affected by IoT product components and the data they store and
- Documentation: IoT product developers should
create, gather, and store information relevant to cybersecurity of
the IoT product and its components throughout product development,
prior to customer purchase, and through its subsequent
- Information and Query Reception: IoT product
developers should be able “to receive information relevant to
cybersecurity and respond to queries from customers and
others” about that information.
- Information Dissemination: IoT product
developers should broadcast and distribute information relevant to
- Product Education and Awareness: IoT product
developers should create awareness of and educate customers and
others “in the IoT product ecosystem about
cybersecurity-related information (e.g.,
considerations, features) related to the IoT product and its
Labeling Considerations.
Next, the publication makes recommendations about labeling
considerations. A few notes on NIST’s guidance regarding
- NIST recommends the use of a binary label -
“a single label indicating a product has met a baseline
- In addition to the binary label, NIST suggests a
“layered” approach, which would provide the
consumer with additional details online via a URL or a scannable
code (e.g., a QR code).
- NIST recommends specific label content that is aimed at
supporting “non-expert, home users of IoT products.”
Accordingly, NIST states that labels should be available to
consumers before purchase, at the time of purchase
(in-store or online), and after purchase.
- NIST also emphasizes flexibility “in supporting
both digital and physical formats as
appropriate” and encourages periodic testing with consumers to
assess label appropriateness and usability.
- And, in combination with a label, NIST recommends “a
robust consumer education campaign.”
Conformity Assessment Considerations.
The IoT Criteria also recommend considerations for a
“conformity assessment” that would demonstrate a
device’s compliance (or not) with the relevant standard.
NIST emphasizes that a “scheme owner is necessary to tailor
the recommended product criteria, define conformity assessment
requirements, develop the label and associated information, and
conduct related consumer outreach and education.” NIST
notes that “a single conformity assessment approach is not
likely to achieve desired objectives” and lists several
conformity assessment approaches that could be used
“exclusively or in combination,” including:
- Self-attestation: A “[s]upplier’s
declaration of conformity” made by the organization that
provides the IoT device, stating they have complied with the
- Third-party Testing and Inspection: A
prospective external “determination or examination” of
the consumer IoT device based on certain defined criteria.
- Third-party Certification: A statement
“issued based on a comprehensive review that an IoT product
has fulfilled defined criteria.”
Background & Executive Order 14028.
The IoT Criteria are yet another step in effectuating the guidance
issued by President Biden in May 2021, as part of Executive Order
14028 on Improving the Nation’s
Cybersecurity. In that Executive Order, President Biden
tasked NIST to work in coordination with the Federal Trade
Commission (“FTC”) to identify “IoT cybersecurity
criteria for a consumer labeling program.” NIST took
action, soliciting feedback on a cybersecurity IoT labeling program
during an initial workshop in September 2021 and a second event in December 2021.
Incorporating feedback from those workshops, NIST’s latest
publication fulfills its directive under Section 4(t) of Executive
Order 14028. For more on the Executive Order, see
Covington’s ongoing analysis series
Looking Forward.
Throughout 2021, Congress, the states, and federal agencies
continued to focus on IoT and IoT cybersecurity. Companies
should expect continued developments in this area, particularly on
the continued development of a potential IoT cybersecurity labeling
program. The consumer-focused criteria indicate that the
emphasis will remain on compliance regimes that prioritize consumer
awareness and safety within the IoT product market.