In an effort to improve consumers’ ability to make informed decisions about software they purchase, the National Institute of Standards and Technology (NIST) has drafted a set of cybersecurity criteria for consumer software. The criteria are intended to aid in the development and voluntary use of labels to indicate that the software incorporates a baseline level of security measures.
The document, formally titled Draft Baseline Criteria for Consumer Software Cybersecurity Labeling, forms part of NIST’s response to the May 12, 2021, Executive Order (EO) 140128 on Improving the Nation’s Cybersecurity. The EO specifies that NIST “shall identify secure software development practices or criteria for a consumer software labeling program” – criteria that reflect a baseline level of cybersecurity and that focus on ease of use for consumers. (The EO also instructs NIST to initiate a labeling effort on the cybersecurity aspects of consumer devices associated with the Internet of Things, which the present publication does not address.)
The criteria are based on suggestions from the public via position papers, a workshop, and multiple discussions with interested stakeholders. NIST is seeking public comments on the draft document by Dec. 16, 2021, to inform a final version that NIST will release on or before Feb. 6, 2021 – the deadline set in the EO. This draft is the only version that NIST plans to release before the final publication.
“We are establishing criteria for a label that will be helpful to consumers,” said Michael Ogata, a NIST computer scientist and co-author of the draft document. “The goal is to raise consumers’ awareness about the various security needs they might have and to help them make informed choices about the software they purchase and use.”
Part of the challenge is the sheer vastness and variety of the consumer software landscape. Software forms an integral part of most consumers’ lives, and it is subject to vulnerabilities that place the users’ safety, property and productivity at risk – but there is no one-size-fits-all approach to cybersecurity that can be applied to all types of consumer software. The cybersecurity considerations for a smartphone game could differ greatly from, for example, those applied to a banking app. Yet a security label aimed at consumers will need to communicate simply and directly.
While NIST’s assignment is straightforward – to establish the criteria that should be the basis for a software label – NIST is not designing the label itself, nor is NIST establishing its own labeling program for consumer software. The EO calls for a voluntary approach, and it will be up to the marketplace to determine which organizations might use cybersecurity labels.
Currently, the agency is seeking public input about the baseline of technical requirements for the software and the related label. As proposed by NIST, in order to qualify for a label, the software provider would first need to meet all of the technical requirements. The document refers to these requirements as “attestations,” or claims about the software’s security, which the document organizes into four categories:
- Descriptive attestations – information about the label itself, such as who is making the claims about information within the label, what the label applies to and how the consumer can get more information.
- Secure software development attestations – how the software developer adheres to security best practices. By fulfilling requirements in this category, the provider communicates to consumers that they can be more confident about the development process.
- Critical cybersecurity attributes and capability attestations – features expressed by the software’s functionality, and other attributes that consumers should know, such as whether the software is free from known vulnerabilities or whether encryption is used.
- Data inventory and protection attestations – information about data that consumers may identify as having high cybersecurity-related risk, and the software provider’s descriptions of mechanisms used to protect that data. This data might relate to personally identifiable information, device location information, or any other data the provider has spent time and effort safeguarding.
A software label would not necessarily spell out all of these details, Ogata said, but the overall labeling effort should aim to educate consumers about what the label means and indicate where they can readily get additional information about those cybersecurity attributes. NIST is not itself planning to launch an associated education program, though software providers and others might.
“As a complement to the labeling approach, a robust consumer education program should be developed to increase label recognition and to provide transparency,” Ogata said. “Consumers should have access to online information including what the label means and does not mean, so that they can avoid potential misinterpretations. They also should know what cybersecurity properties are included in the baseline, and why and how these were selected.”