On February 4, 2022, the National Institute of Standards and Technology (“NIST”) published its Recommended Criteria for Cybersecurity Labeling for Consumer Internet of Things (IoT) Products (“IoT Criteria”). The IoT Criteria make recommendations for cybersecurity labeling for consumer IoT products, in other words, for IoT products intended for personal, family, or household use.
The purpose of the publication, as described by NIST, is to identify “key elements of a potential labeling scheme.” The publication makes clear, however, that the scheme would not be established or managed by NIST, but rather “by another organization or program,” referred to in the publication as the “scheme owner.” The identity of the scheme owner is undetermined, but it “could be a public or private sector” entity.
The publication of the IoT Criteria represents another step toward a national cybersecurity labeling scheme for consumer IoT products. We should expect that the framework established by NIST in this publication will serve as a model for these requirements.
IoT Criteria Framework. The IoT Criteria establish recommended considerations for three key aspects of a potential cybersecurity IoT labeling program:
- Baseline Product Criteria
- Conformity Assessments
- Baseline Product Criteria.
With respect to “baseline product criteria,” the IoT Criteria recommend an “outcome-based approach” that “allows for the flexibility required by a diverse marketplace of IoT products.” Rather than require specific technical specifications, the IoT Criteria list desirable, baseline “outcomes” that, if achieved, would enhance the cybersecurity of the IoT product. The outcome-based approach “allows cybersecurity solutions and mitigations to be upgraded and changed over time without significant changes in the product criteria for labeling.” The recommended criteria are to serve as a baseline. The publication discusses ten baseline product criteria:
- Asset Identification: The IoT product is (1) uniquely identifiable and (2) inventories all its components.
- Product Configuration: The IoT product has (1) a changeable configuration, (2) “the ability to restore a secure default setting,” and (3) restricts the ability to implement changes to “authorized individuals, services, and other IoT product components.”
- Data Protection: The IoT product and its components protect stored and transmitted data from unauthorized access, disclosure, and modification.
- Interface Access Control: “The IoT product and its components restrict logical access to local and network interfaces – and to protocols and services used by those interfaces – to only authorized individuals, services, and IoT product components.”
- Software Update: The IoT product and component software can only be updated by authorized individuals, services, and other IoT product components via “a secure and configurable mechanism, as appropriate for each IoT product component.”
- Cybersecurity State Awareness: “The IoT product supports detection of cybersecurity incidents affecting or affected by IoT product components and the data they store and transmit.”
- Documentation: IoT product developers should create, gather, and store information relevant to cybersecurity of the IoT product and its components throughout product development, prior to customer purchase, and through its subsequent lifecycle.
- Information and Query Reception: IoT product developers should be able “to receive information relevant to cybersecurity and respond to queries from customers and others” about that information.
- Information Dissemination: IoT product developers should broadcast and distribute information relevant to cybersecurity.
- Product Education and Awareness: IoT product developers should create awareness of and educate customers and others “in the IoT product ecosystem about cybersecurity-related information (e.g., considerations, features) related to the IoT product and its product components.”
- Labeling Considerations.
Next, the publication makes recommendations about labeling considerations. A few notes on NIST’s guidance regarding labeling:
- NIST recommends the use of a binary label – “a single label indicating a product has met a baseline standard.”
- In addition to the binary label, NIST suggests a “layered” approach, which would provide the consumer with additional details online via a URL or a scannable code (e.g., a QR code).
- NIST recommends specific label content that is aimed at supporting “non-expert, home users of IoT products.” Accordingly, NIST states that labels should be available to consumers before purchase, at the time of purchase (in-store or online), and after purchase.
- NIST also emphasizes flexibility “in supporting both digital and physical formats as appropriate” and encourages periodic testing with consumers to assess label appropriateness and usability.
- And, in combination with a label, NIST recommends “a robust consumer education campaign.”
- Conformity Assessment Considerations.
The IoT Criteria also recommend considerations for a “conformity assessment” that would demonstrate a device’s compliance (or not) with the relevant standard. NIST emphasizes that a “scheme owner is necessary to tailor the recommended product criteria, define conformity assessment requirements, develop the label and associated information, and conduct related consumer outreach and education.” NIST notes that “a single conformity assessment approach is not likely to achieve desired objectives” and lists several conformity assessment approaches that could be used “exclusively or in combination,” including:
- Self-attestation: A “[s]upplier’s declaration of conformity” made by the organization that provides the IoT device, stating they have complied with the defined criteria.
- Third-party Testing and Inspection: A prospective external “determination or examination” of the consumer IoT device based on certain defined criteria.
- Third-party Certification: A statement “issued based on a comprehensive review that an IoT product has fulfilled defined criteria.”
Background & Executive Order 14028. The IoT Criteria are yet another step in effectuating the guidance issued by President Biden in May 2021, as part of Executive Order 14028 on Improving the Nation’s Cybersecurity. In that Executive Order, President Biden tasked NIST to work in coordination with the Federal Trade Commission (“FTC”) to identify “IoT cybersecurity criteria for a consumer labeling program.” NIST took action, soliciting feedback on a cybersecurity IoT labeling program during an initial workshop in September 2021 and a second event in December 2021. Incorporating feedback from those workshops, NIST’s latest publication fulfills its directive under Section 4(t) of Executive Order 14028. For more on the Executive Order, see Covington’s ongoing analysis series here.
Looking Forward. Throughout 2021, Congress, the states, and federal agencies continued to focus on IoT and IoT cybersecurity. Companies should expect continued developments in this area, particularly on the continued development of a potential IoT cybersecurity labeling program. The consumer-focused criteria indicate that the emphasis will remain on compliance regimes that prioritize consumer awareness and safety within the IoT product market.