On May 12, 2021 the White House released an Executive Order (EO) on Improving the Nation’s Cybersecurity which, among other things, tasked NIST to develop cybersecurity criteria and labeling approaches for consumer software and Internet of Things (IoT) products. Activity since then includes a call for papers, multiple workshops, draft criteria, and processing all of the feedback received. The goal of the latest workshop on December 9th was to provide the community an update, answer questions, and gather a final round of feedback which will be factored into final criteria to be released at the beginning of February 2022.
First, a quick review of the workshop agenda and summary of each section led by NIST staff:
Warren Merkel summarized NIST’s activities to-date in responding to the EO and the future milestones, noting that the timelines for the EO are tight. He strongly encouraged participants to provide feedback on the November 1st software labeling criteria paper by the December 16th deadline. He also reiterated that NIST will not initiate its own labeling programs.
Michael Ogata then provided an overview of the software labeling criteria and described the requirements for each of the four categories of criteria: descriptive attestations, software development attestation, critical cybersecurity attributes and capability attestations, and data inventory and protection attestations, which collectively identify 15 types of attestations.
Paul Watrobski and Michael Fagan of the Cybersecurity for IoT program summarized the feedback received on the August draft of consumer IoT cybersecurity criteria, and described adjustments to the criteria reflected in the update published December 3rd.
Amy Phelps reviewed the development of conformity assessment criteria, describing the range of approaches to conformance criteria and the role a scheme owner would play in establishing detailed criteria and assessing conformance.
Julie Haney discussed the labeling criteria aspect, explaining the goals of labeling, types of labels, and NIST’s preferred solution – for both consumer IoT products and consumer software – of a binary label with a layered approach that can supply information beyond the basic presence of the label.
Each session included a closing segment with answers to the many questions submitted by workshop participants. A panel comprising all presenters took a final round of questions to wrap up the event. You can view the event description and recording here.
What We Heard
Overall, NIST perceived general support for the approaches presented for cybersecurity criteria, conformity assessment, and labeling. This support was tempered somewhat with many detailed questions about various aspects of the program.
Multiple participants asked about the labeling scheme owner: their role and scope of responsibilities, their economics, and the potential for conflict among multiple scheme owners. During the final Q&A, Warren Merkel stated that NIST was trying to be as open as possible to various possibilities regarding the scheme owner(s), what sorts of organizations might be scheme owners, and what the associated economics might be. NIST’s goal is to provide clear criteria for scheme owners to work with, and some of the questions raised still remain to be answered.
Questions were raised concerning the potential for variations in accountability or the enforcement of criteria and the reliability of attestation. Concerns were expressed about the viability of self-attestation by suppliers, and the consistency of attestation. This is another area where NIST’s goal is to provide solid baseline criteria and not to presuppose the solutions for accountability.
Participants seemed to generally approve of NIST’s approach of including risk as an important element in guiding the implementation of labeling schemes. Questions in this area related to responsibility for determining risk, processes which might be used, and how risk would be measured – including whether existing standards would be applied.
Some participants inquired about the challenge of keeping labels valid over time as new vulnerabilities are identified in products or end-of-support is reached. They asked whether the information associated with the label would be updated over time to account for these sorts of changes.
Some participants suggested that there appears to be a disparity between defining a complex set of cybersecurity criteria and recommending a binary label. Others suggested that NIST consider whether binary labels are consistent with its stated no-one-size-fits-all approach.
The multiple dimensions of longer-term program costs generated questions about any follow-on program, including: What will be the cost of demonstrating conformity? Is there funding for consumer education? How will manufacturer participation affect the cost of their products?
Various aspects of consumer education were raised, including whether scheme owners were the appropriate party to have that responsibility, and whether consumers would utilize the information in a layered label.
The relationship of NIST’s recommendations to standards and guidelines being developed by other nations and international standards bodies was identified by multiple participants as a concern. Participants noted that software and IoT cybersecurity is a global issue, and that certification under multiple regimes is a burden for manufacturers.
The Path Ahead
NIST is finalizing the software and IoT cybersecurity criteria, with a deadline of February 6th for publishing final criteria. NIST also will summarize the work performed in responding to the EO and the background and reasoning behind decisions embodied in the criteria. Once the criteria are available, they will be used in a pilot phase to provide information on how the criteria can support labeling efforts and improve cybersecurity related to consumer IoT products and software. The EO requires that a final report be submitted by May 12, 2022.