Recommended Criteria for Cybersecurity Labeling for IoT Products Update from NIST

In recent months, the National Institute of Standards and Technology (NIST) has been busy updating its processes to provide more security to its clients and to the supply chain as a whole. The most recent update came on February 4th with the publication of the Recommended Criteria for Cybersecurity Labeling for Consumer Internet of Things (IoT) Products. These recommendations aim to help with cybersecurity labeling for IoT products intended for personal or family use.

The IoT Framework

The IoT framework establishes recommended considerations for three critical aspects of a cybersecurity program: baseline product criteria, labeling, and conformity assessments.

Baseline Product Criteria

The first section of the framework is “baseline product criteria.” This section aims to establish a baseline for a product’s cybersecurity practices. It uses an outcome-based approach that allows cybersecurity solutions to be upgraded and changed over time without requiring significant changes to the product criteria used for labeling.

The publication discusses 10 baseline product criteria:

1. Asset Identification – The product should be uniquely identifiable and should inventory all of its components

2. Product Configuration – The product has a changeable configuration, can be restored to default settings, and restricts who can make configuration changes

3. Data Protection – The product protects stored and transmitted data from unauthorized access

4. Interface Access Control – The product restricts logical access to local and network interfaces

5. Software Update – Only authorized individuals can update the product

6. Cybersecurity State Awareness – The product supports the detection of cybersecurity incidents affecting its IoT product components

7. Documentation – Product developers should create, gather, and store information relevant to cybersecurity

8. Information and Query Reception – Product developers should be able to receive cybersecurity-relevant information and respond to queries from customers

9. Information Dissemination – Product developers should broadcast and distribute information pertinent to cybersecurity

10. Product Education and Awareness – Product developers should educate customers on the IoT product ecosystem and its relation to cybersecurity

Labeling Considerations

The publication also provides recommendations on labeling considerations. First, NIST recommends the use of a binary label (the product either meets the criteria or it does not). NIST also recommends a layered approach that gives consumers additional details online via a URL or QR code printed on the label.

Additionally, NIST recommends label content that specifically targets “non-expert, home users of IoT products.” Labels should be available before, during, and after purchase. NIST also emphasizes flexibility in supporting both digital and physical formats where appropriate.

Conformity Assessments

Finally, NIST recommends considerations for a conformity assessment that demonstrates whether a device complies with the relevant criteria. NIST emphasizes that a single conformity assessment approach is unlikely to achieve the desired objectives, and as a result it lists several conformity assessment approaches.

The first approach is self-attestation, in which the organization that builds the IoT device states that it has complied with the criteria.

The second approach is third-party testing and inspection, an external examination of the device to determine whether it complies with the defined criteria.

The third approach is third-party certification, a statement issued after a comprehensive review confirming that the IoT product has fulfilled the defined criteria.

Get Help from GSec LLC

If you or your business partners have questions about any of the recent updates made by NIST, we are here to help. Contact us to develop a plan for whatever you need.

By: Alex O’Reilly

Sources:

https://www.lexology.com/library/detail.aspx?g=0171d921-259d-403d-b097-4170faee84b8

https://www.nist.gov/itl/executive-order-improving-nations-cybersecurity/iot-product-criteria