The U.S. National Institute of Standards and Technology (NIST) has drafted a set of cybersecurity criteria for consumer software in an effort to improve consumers’ ability to make informed decisions about the software they purchase. The criteria in this document are based on extensive input offered to the NIST workshop and position papers submitted to NIST, along with the agency’s research and discussions with organisations and experts from the public and private sectors.
The document, “Draft Baseline Criteria for Consumer Software Cybersecurity Labeling”, forms part of NIST’s response to the Executive Order (EO) on Improving the Nation’s Cybersecurity. The EO specifies that NIST “shall identify secure software development practices or criteria for a consumer software labelling program” — criteria that reflect a baseline level of cybersecurity and that focus on ease of use for consumers.
We are establishing criteria for a label that will be helpful to consumers. The goal is to raise consumers’ awareness about the various security needs they might have and to help them make informed choices about the software they purchase and use.
– Michael Ogata, NIST computer scientist
Part of the challenge is the sheer vastness and variety of the consumer software landscape. Software is an integral part of life for the modern consumer. Nevertheless, most consumers take for granted, and are largely unaware of, the software upon which many products and services rely. While software enables many benefits for consumers, it is also subject to cybersecurity flaws or vulnerabilities that can directly affect safety, property, and productivity.
There is no one-size-fits-all definition for cybersecurity that can be applied to all types of consumer software. The risk associated with software is tightly bound to that software’s intended use (both in function and operating environment), as well as its post-deployment configuration.
While NIST’s assignment is straightforward — to establish the criteria that should be the basis for a software label — NIST is not designing the label itself, nor is NIST establishing its own labelling program for consumer software. The EO calls for a voluntary approach, and it will be up to the marketplace to determine which organisations might use cybersecurity labels.
Currently, the agency is seeking public input about the baseline of technical requirements for the software and the related label. As proposed by NIST, in order to qualify for a label, the software provider would first need to meet all of the technical requirements. The document refers to these requirements as “attestations,” or claims about the software’s security, which the document organises into four categories:
- Descriptive attestations — information about the label itself, such as who is making the claims the label contains, what the label applies to, and how the consumer can get more information.
- Secure software development attestations — how the software developer adheres to security best practices. By fulfilling requirements in this category, the provider communicates to consumers that they can be more confident about the development process.
- Critical cybersecurity attributes and capability attestations — features expressed by the software’s functionality, and other attributes that consumers should know, such as whether the software is free from known vulnerabilities or whether encryption is used.
- Data inventory and protection attestations — information about data that consumers may identify as having high cybersecurity-related risk, and the software provider’s descriptions of mechanisms used to protect that data. This data might relate to personally identifiable information, device location information, or any other data the provider has spent time and effort safeguarding.
A software label would not necessarily spell out all of these details, but the overall labelling effort should aim to educate consumers about what the label means and indicate where they can readily get additional information about those cybersecurity attributes.