Consumer software providers will soon have the option to label their software as compliant with National Institute of Standards and Technology (NIST) standards for software security. On November 1, 2021, NIST published its initial draft of this standard in a white paper titled “DRAFT Baseline Criteria for Consumer Software Cybersecurity Labeling” (the White Paper). The White Paper defines the security-related information that would have to be disclosed on the label and the specific security practices a software provider would have to follow. It was developed in coordination with the Federal Trade Commission (FTC) and will likely inform future FTC guidance and enforcement activity. NIST has requested public comments on the White Paper by December 16, 2021. The final version is expected to be published by February 6, 2022.
President Joe Biden’s May 12, 2021, Executive Order (EO) 14028 directs NIST to initiate pilot programs for cybersecurity labeling “to educate the public on the security capabilities of Internet of things (IoT) devices and software development practices.” Under the EO, NIST, in coordination with the FTC and other agencies, “shall identify secure software development practices or criteria for a consumer software labeling program.” The criteria shall “reflect a baseline level of secure practices” as well as “increasingly comprehensive levels of testing and assessment that a product may have undergone.”
The White Paper addresses the need to develop appropriate cybersecurity criteria for consumer software, which means software primarily used for personal, family or household purposes. It is intended to inform “the development and use of a label for consumer software,” which would “improve consumers’ awareness, information, and ability to make purchasing decisions while taking cybersecurity considerations into account.” It is not intended to “describe how a cybersecurity label should be explicitly represented” or “detail how a labeling program should be owned or operated.”
The White Paper has three primary elements: (i) it defines baseline technical criteria for the label; (ii) it details a proposed approach for conformity assessment; and (iii) it describes criteria for the labeling approach. It also enumerates specific issues on which NIST requests comment.
BASELINE TECHNICAL CRITERIA
The White Paper defines a series of outcome-based attestations (i.e., claims) that software providers would make about their product on the NIST label. It also provides criteria for satisfying each attestation.
To meet the baseline technical criteria, software providers will need to implement the following practices:
Follow the NIST Secure Software Development Framework (SSDF).
Provide a mechanism for reporting vulnerabilities.
Publish an end-of-support date and provide support at least until that date.
Remediate all known vulnerabilities before the label date.
Cryptographically sign the software and any updates.
If user authentication is required, implement multifactor authentication or participate in an identity federation ecosystem that supports multifactor authentication.
Remove passwords, encryption keys or other secrets from source code (i.e., no hard-coded secrets).
Follow NIST cryptographic standards for all encryption.
Inventory the types of data stored, processed or transmitted by the software, and the safeguards applicable to each data type.
CONFORMITY ASSESSMENT CRITERIA
The White Paper defines criteria for a Supplier’s Declaration of Conformity. The declaration of conformity is intended to “provide written assurance of conformity to the specified requirements.”
To meet the conformity assessment criteria, software providers will need to implement the following practices:
Maintain procedures for issuing, maintaining, extending, reducing, suspending or withdrawing the declaration and the label attestations.
Maintain procedures to ensure “continued conformity” with the label attestations.
Separate the responsibilities and roles of the person who reviews the attestations from those of the person who signs the consumer software declaration.
If the declaration was issued by an accredited laboratory or inspection body, maintain the results of the assessment and other supporting documentation that identifies the third-party and its qualifications, including accreditation status.
The White Paper recommends a single, consumer-tested label that indicates the software has met both the technical and the conformity assessment criteria. The label may also provide a means for consumers to access additional online information, including:
Consumer-focused information about the labeling program;
The declaration of conformity; and
Descriptions supporting the data inventory and protection attestations.
AREAS FOR COMMENT
NIST requests comments on “all aspects of the criteria,” including:
Whether the criteria will achieve the goals of the EO by increasing consumer awareness and improving the cybersecurity of consumer software.
Whether the criteria will enable and encourage software providers to improve the cybersecurity of their products and the information they make available to consumers.
Whether the label should include a definitive statement that “the software product meets the NIST baseline technical criteria.”
Whether the software label approach and design should be similar to the forthcoming IoT product label “to facilitate brand recognition.”
Whether to include “more details on evidence required to support assertions.”
Whether to provide a template Declaration of Conformity.
Whether the technical baseline criteria are appropriate, including the “feasibility, clarity, completeness, and appropriateness of attestations.”
Consumer software providers should consider whether they would benefit from labeling their software as NIST-compliant, and, if so, whether they could meet the requirements for secure development, information disclosure and conformity declaration. NIST is accepting comments on the draft through December 16, 2021.