NIST closes in on recommendations for cybersecurity labeling for IOT devices

If a plan proposed in the Biden administration's executive order is successful, consumer internet-of-things devices will come with a cybersecurity seal of approval.

Internet-of-things devices could be sold with cybersecurity labels in the coming years to assure consumers that connected gear can safeguard user data, receive software updates and protect against hijacking by botnets. 

The Biden administration's cybersecurity executive order from May 2021 includes a provision tasking the National Institute of Standards and Technology with coming up with benchmarks for cybersecurity labels and developing incentives to get manufacturers and marketers to adopt a labeling scheme. A consumer product labeling scheme was also included among the recommendations of the Cyberspace Solarium Commission.

Katerina Megas, program manager for NIST's IOT cybersecurity program, said the agency is currently conducting cybersecurity labeling pilots and will submit a report on their efforts to the White House by May 12.

"We are on the hook to deliver the report to the White House," Megas said on Tuesday at a New America Foundation event on IOT labeling. She said the agency is "looking to draw on the collective brainstorming of the community" to include potential recommendations and incentives for a NIST cybersecurity labeling program for IOT devices used by industry, government agencies and individual consumers.

Any label will likely take the form of a "seal of approval" that indicates that a product meets a range of baseline criteria that will likely include data protection, access control, the ability to receive software and firmware patches and more. NIST will issue recommendations on these criteria but ultimately buy-in will be up to industry. Congress did pass IOT cybersecurity legislation in 2020, but it only covers devices owned by the U.S. government, and full implementation is about a year away.

Megas plans to include "potential incentives" in the agency's report to the White House that would encourage businesses to follow along with new cybersecurity labeling programs similar to those outlined in a NIST white paper published in December. The white paper recommended establishing a single "seal of approval" type of label to indicate a product has met a baseline standard, along with additional directives for consumers to find more information about the labeling online.

NIST would not implement such a program, but would hand it off to industry or a stakeholder organization. Megas said that it's not really known yet if a cybersecurity seal of approval on a device will change consumer behavior. She said that NIST's research suggests that consumers will say that cybersecurity is important but that "the intent to actually care sometimes gets overshadowed by decisions about all the cool features" of products. Megas recommends that the entity that takes on the implementation of the labeling scheme conduct "significant market testing."