NIST Publishes Recommended Criteria For Cybersecurity Labeling For Consumer Internet Of Things (IoT) Products – Technology


To print this article, all you need is to be registered or login on Mondaq.com.

On February 4, 2022, the National Institute of Standards and
Technology (“NIST”) published its Recommended Criteria for Cybersecurity Labeling
for Consumer Internet of Things (IoT) Products
(“IoT
Criteria”).  The IoT Criteria make recommendations for
cybersecurity labeling for consumer IoT products, in other words,
for IoT products intended for personal, family, or household
use.

The purpose of the publication, as described by NIST, is to
identify “key elements of a potential labeling
scheme.”  The publication makes clear, however, that the
scheme would not be established or managed by NIST, but rather
“by another organization or program,” referred to in the
publication as the “scheme owner.”  The identity of
the scheme owner is undetermined, but it “could be a public or
private sector” entity.

The publication of the IoT Criteria represents another step
toward a national cybersecurity labeling scheme for consumer IoT
products.  We should expect that the framework established by
NIST in this publication will serve as a model for these
requirements.

IoT Criteria Framework.  The IoT Criteria
establish recommended considerations for three key aspects of a
potential cybersecurity IoT labeling program:

  1. Baseline Product Criteria

  2. Labeling

  3. Conformity Assessments

  1. Baseline Product Criteria.

With respect to “baseline product criteria,” the IoT
Criteria recommend an “outcome-based approach” that
“allows for the flexibility required by a diverse marketplace
of IoT products.”  Rather than require specific technical
specifications, the IoT Criteria list desirable, baseline
“outcomes” that, if achieved, would enhance the
cybersecurity of the IoT product.  The outcome-based approach
“allows cybersecurity solutions and mitigations to be upgraded
and changed over time without significant changes in the product
criteria for labeling.”  The recommended criteria are to
serve as a baseline.  The publication
discusses ten baseline product criteria:

  1. Asset Identification: The IoT product is (1)
    uniquely identifiable and (2) inventories all its components.

  2. Product Configuration: The IoT product has (1)
    a changeable configuration, (2) “the ability to restore a
    secure default setting,” and (3) restricts the ability to
    implement changes to “authorized individuals, services, and
    other IoT product components.”

  3. Data Protection: The IoT product and its
    components protect stored and transmitted data from unauthorized
    access, disclosure, and modification.

  4. Interface Access Control: “The IoT
    product and its components restrict logical access to local and
    network interfaces – and to protocols and services used by those
    interfaces – to only authorized individuals, services, and IoT
    product components.”

  5. Software Update: The IoT product and component
    software can only be updated by authorized individuals, services,
    and other IoT product components via “a secure and
    configurable mechanism, as appropriate for each IoT product
    component.”

  6. Cybersecurity State Awareness: “The IoT
    product supports detection of cybersecurity incidents affecting or
    affected by IoT product components and the data they store and
    transmit.”

  7. Documentation: IoT product developers should
    create, gather, and store information relevant to cybersecurity of
    the IoT product and its components throughout product development,
    prior to customer purchase, and through its subsequent
    lifecycle.

  8. Information and Query Reception: IoT product
    developers should be able “to receive information relevant to
    cybersecurity and respond to queries from customers and
    others” about that information.

  9. Information Dissemination: IoT product
    developers should broadcast and distribute information relevant to
    cybersecurity.

  10. Product Education and Awareness: IoT product
    developers should create awareness of and educate customers and
    others “in the IoT product ecosystem about
    cybersecurity-related information (e.g.,
    considerations, features) related to the IoT product and its
    product components.”

  1. Labeling Considerations.

Next, the publication makes recommendations about labeling
considerations.  A few notes on NIST’s guidance regarding
labeling:

  • NIST recommends the use of a binary label -
    “a single label indicating a product has met a baseline
    standard.”

  • In addition to the binary label, NIST suggests a
    “layered” approach
    , which would provide the
    consumer with additional details online via a URL or a scannable
    code (e.g., a QR code).

  • NIST recommends specific label content that is aimed at
    supporting “non-expert, home users of IoT products.”
    Accordingly, NIST states that labels should be available to
    consumers before purchase, at the time of purchase
    (in-store or online), and after purchase.

  • NIST also emphasizes flexibility “in supporting
    both digital and physical formats as
    appropriate” and encourages periodic testing with consumers to
    assess label appropriateness and usability.

  • And, in combination with a label, NIST recommends “a
    robust consumer education campaign.”

  1. Conformity Assessment Considerations.

The IoT Criteria also recommend considerations for a
“conformity assessment” that would demonstrate a
device’s compliance (or not) with the relevant standard. 
NIST emphasizes that a “scheme owner is necessary to tailor
the recommended product criteria, define conformity assessment
requirements, develop the label and associated information, and
conduct related consumer outreach and education.”  NIST
notes that “a single conformity assessment approach is not
likely to achieve desired objectives” and lists several
conformity assessment approaches that could be used
“exclusively or in combination,” including:

  • Self-attestation: A “[s]upplier’s
    declaration of conformity” made by the organization that
    provides the IoT device, stating they have complied with the
    defined criteria.

  • Third-party Testing and Inspection: A
    prospective external “determination or examination” of
    the consumer IoT device based on certain defined criteria.

  • Third-party Certification: A statement
    “issued based on a comprehensive review that an IoT product
    has fulfilled defined criteria.”

Background & Executive Order 14028. 
The IoT Criteria are yet another step in effectuating the guidance
issued by President Biden in May 2021, as part of Executive Order
14028 on Improving the Nation’s
Cybersecurity
.  In that Executive Order, President Biden
tasked NIST to work in coordination with the Federal Trade
Commission (“FTC”) to identify “IoT cybersecurity
criteria for a consumer labeling program.”  NIST took
action, soliciting feedback on a cybersecurity IoT labeling program
during an initial workshop in September 2021 and a second event in December 2021. 
Incorporating feedback from those workshops, NIST’s latest
publication fulfills its directive under Section 4(t) of Executive
Order 14028.  For more on the Executive Order, see
Covington’s ongoing analysis series
here.

Looking Forward.  Throughout 2021, Congress, the states, and federal agencies
continued to focus on IoT and IoT cybersecurity.  Companies
should expect continued developments in this area, particularly on
the continued development of a potential IoT cybersecurity labeling
program.  The consumer-focused criteria indicate that the
emphasis will remain on compliance regimes that prioritize consumer
awareness and safety within the IoT product market.

The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.

POPULAR ARTICLES ON: Technology from United States

Taxation Of Crypto Mining

Freeman Law

Amid the crypto boom, mining has become an extremely lucrative venture for many and critical to maintaining decentralized cryptocurrency networks.

Taxation Of Crypto Margin Trading

Freeman Law

This year has been a banner year for cryptocurrencies, with the prices of Bitcoin and Ethereum reaching all-time highs in November

https://www.mondaq.com/unitedstates/security/1159872/nist-publishes-recommended-criteria-for-cybersecurity-labeling-for-consumer-internet-of-things-iot-products

Erlando F Rasatro

Next Post

Making Your second-hand gadget good as new

Thu Feb 10 , 2022
Above: Apple’s 2010 Macbook is long obsolete, but remains on the cusp of functional older Macs. Photo courtesy Apple. Conventional wisdom dictates that brand-new devices are always preferable to used gadgets. After all, a new device comes with the latest features and can last for years than a used device. […]