NIST provides recommended criteria for cybersecurity labeling for consumer software and IoT products

If one of the goals of President Biden’s May 2021 “Executive Order on Improving the Nation’s Cybersecurity” is fulfilled, you’ll be able to look for a quality and security assurance label on any software product you consider buying. To which anyone who cares about such things—and everybody should—might say “it’s about time.”

Indeed, consumer labeling has long been mainstream when it comes to just about everything else. We take for granted that what we plan to eat or drink has a list of ingredients on the packaging or container. The U.S. Department of Agriculture has a label that food vendors can use if their product is certified organic. Most of us are familiar with the Good Housekeeping Seal and UL certification, which offer some assurance that a vast range of products meet a minimum quality standard. “Look for the union label” has been a slogan for almost 50 years.

But details or seals of approval on the quality of software ingredients? Not so much. Pretty much not at all.

Current state of consumer cybersecurity awareness

While Americans rely on software for just about everything in modern life—communication (email, text, phone), social media, online purchases, games, research, home security, transportation, and much, much more—most remain only dimly aware of what it is, how it works, and the level of its quality and security.

As the National Institute of Standards and Technology (NIST) recently put it, “most consumers take for granted and are unaware of the software upon which many products and services rely, [and] the very notion of what constitutes software may even be unclear.” That is, in large measure, because consumers aren’t told much of anything about it. They generally see only what it does, not what it is, who made it, how it works, or how it could put them at risk.

The Biden executive order (EO) is obviously aimed at closing that gap in consumer awareness. It calls for NIST, the Federal Trade Commission, and other agencies to “initiate pilot programs informed by existing consumer product labeling programs to educate the public on the security capabilities of Internet of Things (IoT) devices and software development practices, and [to] consider ways to incentivize manufacturers and developers to participate in these programs.”

The EO uses similar language to call for labeling of consumer software.

At one level, an order like that shouldn’t be a tough sell. If an organization can’t trust its software, the business is at risk. That’s true of consumers as well. If you can’t trust the software powering your app or your device, your personal and financial information are at risk.

But is a label an effective way to achieve better security awareness? Debrup Ghosh, former senior product manager with the Synopsys Software Integrity Group, isn’t so sure. “The jury is still out on whether labeling is an effective method of consumer awareness,” he said. “For example, data on whether federal food safety laws increased GMO awareness is inconclusive. Several studies reported conflicting results.”

For consumer IoT devices, the two biggest hypotheses that need to be tested are similar to the GMO question: Do consumers understand what these labels mean? Second, do they care?

That, as is usually the case, remains to be seen. But according to a 2021 study done in the U.K. and published in the PLOS Medicine journal, color-coded labels on foods did have some effect. They were “instrumental in ‘nudging’ consumers toward choosing more healthful products and could be the underlying psychological mechanism toward cementing this behavioral change,” according to the study.

Cybersecurity labeling criteria

When will we know if software labeling will be as influential? Realistically, it’s going to take a while—a long while. For starters, earlier this month, in response to the Biden EO, NIST issued two white papers recommending criteria for cybersecurity labeling of consumer software and consumer IoT products.

They open with a few caveats.

• NIST recommendations are “minimum requirements and desirable attributes.”
• Those recommendations are not intended to describe how a cybersecurity label should be explicitly represented, nor to detail how a labeling program should be owned or operated.
• NIST is not designing a specific label, nor is it establishing its own labeling scheme for consumer software or IoT products. Instead, it is seeking input from all interested parties on labeling programs—the deadline is March 15—and notes that “there may currently be labeling programs that meet the NIST recommended criteria in full or in part.”

The agency does offer some guidance. It said labeling will require context that takes the use or level of risk of a software product into account. We all know that the equipment needed to provide reasonable protection to a racecar driver is much more extensive than that for a standard passenger vehicle, although some of those components might be the same.

Similarly, “the risk associated with software is tightly bound to that software’s intended use (both in function and operating environment),” NIST said. “The cybersecurity considerations appropriate for a mobile game will differ from those applied to an online banking app or to run the media station on an automobile.”

The white papers propose a structure for labeling but leave a lot of the details for later. For example, launching the initiative will require “labeling schemes and scheme owners,” which can be public or private organizations.

NIST does require, though, that any proposed scheme answer the following questions:

• What are the requirements for getting a label?
• What does the label look like and what information should it contain?
• What is the process for obtaining and displaying a label on software?

But with neither scheme owners nor schemes in place yet, it will be some time before those questions get answered, especially since, as NIST put it, “there is no one-size-fits-all definition for cybersecurity that can be applied to all types of consumer software.”

Again, NIST does offer detailed guidance about what should be behind the labeling, including scope, the minimum duration of security update support, update method, and the identity of the entity making those claims.

Keep it simple

The label must also include secure software development claims that align with NIST’s Secure Software Development Framework, which it updated in response to Biden’s EO.

But is all of this going to fit on a label? No way. The overall goal is to keep it relatively simple—to give average consumers some confidence in the quality and security of the software running the products they are considering buying, without confusing them with technical jargon. NIST calls for it to be written at an eighth-grade reading level.

That kind of clarity is key according to Michael White, applications engineer, principal, with the Synopsys. He pointed to a U.K. survey showing that when a date was quoted as the lifetime to receive updates, 13% of those surveyed thought this implied an expiration date for the device itself. “So extensive consideration must be given to the clarity and style in which information is communicated,” he said.

NIST appears to agree, also saying the label should be “usable by a diverse range of consumers without requiring them to have specialized cybersecurity knowledge.” To accomplish that, it recommends a binary label—a single label indicating that a product has met a baseline cybersecurity standard.

Indeed, the agency devotes an entire section of the framework—"Additional Context for Labeling Criteria”—to recommending that the scheme owner conduct focus groups from all demographics to find the best ways for labels to encourage buyers to choose better software.

Ghosh agrees with a robust education campaign but foresees a potential budget problem. “NIST doesn’t specify how it will be funded,” he said. “It will be crucial to get buy-in from manufacturers and industry groups before this scheme is implemented to ensure appropriate funding.”

Cybersecurity labeling details we can expect

Finally, for those who want more detail and technical information, the label should provide a link to a website with additional information that should include, at a minimum

• Intent and scope: What the label means and doesn’t mean, including addressing potential misinterpretations like an assumption that a label makes a product more secure than one without a label, or that the label implies a product endorsement
• Product criteria: What cybersecurity properties are included in the baseline and why and how these were selected
• A glossary: Definitions of the applicable technical terms, written in plain language
• Declaration of conformity: General information about conformity assessment to the baseline criteria, including the date the label was last awarded
• User data guidelines: What sensitive data is handled by the software and how it’s protected
• Changing applicability: The current state of product labeling as new cybersecurity threats and vulnerabilities emerge
• Expectations for consumers: A clear explanation of the consumers’ share of responsibility in securing software
• Contact information for the labeling program: This should include how consumers can issue a complaint against a vendor regarding a label

All of which sounds comprehensive and useful, but Jamie Boote, senior consultant with Black Duck, notes that it will not just be average consumers using the label. It will be procurement employees in government agencies as well.

“These are labels for contracting officials to read in order to accept or reject software bids,” he said. “These are actionable as long as one is following the manual government procurement process. But until these are encoded in machine-readable format that automated decision makers can accept, reject, or apply mitigations to automatically, they will only provide nominal good and be just another sticker for people to stick on their boxes.”