IoT Nutrition Labels Aim to Put Security on Display

NIST has laid the groundwork for an easy-to-understand way to communicate to consumers the security of software and connected devices.

An all-out effort to develop a consumer-focused security labeling program will likely initially focus on Internet of Things (IoT) devices and could include many technology products used by small businesses as well.
The Workshop on Cybersecurity Labeling Programs for Consumers: Internet of Things (IoT) Devices and Software, held this week by the National Institute of Standards and Technology (NIST), is the government agencys latest step in creating a consumer labeling program to communicate the security capabilities of applications and connected devices, an effort mandated by the Biden administrations Executive Order on Improving the Nations Cybersecurity, issued in May 2021. The initiative includes government agencies, private industry, and academic experts, with the groups rushing to create requirements and institute pilot programs because the first deadline — the identification of the criteria and components of such a label — must be completed by February 2022.
The goal is to improve the security of products by giving consumers and small businesses the information they need to make security a factor in their purchasing decisions, says Warren Merkel, leader of the standards services group in the Standards Coordination Office at NIST.
The overall opinion seems to be the magical, If it is done right, it is a good thing, he says. I do think there is appropriate concern about what the requirements are and ... that we are not adding a bunch of requirements that differ from what is being done globally. There is not a strong feeling that this is a bad idea, but I think everyone thinks this needs to be done in a way that is attainable.
The Biden administrations
May executive order
directs NIST to initiate pilot programs informed by existing consumer product labeling programs to educate the public on the security capabilities of Internet-of-Things (IoT) devices and software development practices, and shall consider ways to incentivize manufacturers and developers to participate in these programs.
While the focus is on consumers, small businesses have many of the same characteristics — a lack of security expertise and a lack of individual purchasing power to affect vendors — so that any security-labeling system will likely affect their purchasing decisions as well, says Chris Wysopal, co-founder and chief technology officer for application security firm Veracode, who
attended the workshop
.
Small businesses use a lot of the same software that is consumer grade and do not have the sophistication to evaluate the security of these product, he says. So small businesses will get a lot of value out of these labels too.
The effort aims to create a label that communicates the level of security in a products design, development, and maintenance. A
white paper published by NIST in May
concluded that the diversity of IoT devices will require more than one approach to establish security confidence, that more critical devices and software will require more rigorous testing, and that buyers will have to be trained and informed about the components of the labels and what security means in that context.
The label will be voluntary, at least initially, with companies attesting to their own security rankings. Improper ranking of a product will be handled by the Federal Trade Commission as violations of truth-in-advertising laws.
In addition, the labels may start attesting to only the most basic of security precautions. IoT security labels, for example, may just mean that a security analysis of a devices design was completed, the device does not have hard-coded password, and the device is easily updatable, Wysopal says.
Obviously, that is kindergarten-level security, but it is amazing that many IoT devices do not even have that level, he says. Those basics need to be in all software, so we should make those requirements be part of the labels.
Some Pushback
The idea of a logo program or nutrition label for security is not new. A variety of private-industry and government labels to communicate security already exist, such as
Veracode Verified
, Underwriters Laboratories (UL)
Cybersecurity certification
, the European Unions
Cybersecurity Certification Framework
, and the United Kingdoms
Code of Practice of Consumer IoT Security
.
While the current effort is mandated for both software products and IoT products, many companies have pushed back against the software security mandates.
Much of the software that consumers purchase and use for connected devices is consumed via application stores or marketplaces that are already well-tended, Cisco Systems
stated in its initial response to the program
, adding we believe that the emerging area of risk where NISTs efforts can be most effectively focused is on software embedded or otherwise incorporated with devices, such as IoT devices in the consumer environment that interact with the physical environment.
An initial proposal will be released in October, with a comment period until the end of the year, according to NIST. The biggest challenge at this point is the aggressive schedule, says NISTs Merkel.
It is distilling all that input into actual criteria by February, he adds. I think everyone recognizes that there is an issue, but how to get there and do it in a meaningful way — there have been different approaches to that. Especially because consumer outreach and education is a big challenge.
NIST plans to post videos from the workshop in the coming weeks.

Last News
▸ ArcSight prepares for future at user conference post HP acquisition. ◂ Discovered: 07/01/2025 Category: security	▸ Samsung Epic 4G: First To Use Media Hub ◂ Discovered: 07/01/2025 Category: security	▸ Many third-party software fails security tests ◂ Discovered: 07/01/2025 Category: security

**Cyber Security Categories**
Google Dorks Database	Exploits Vulnerability	Exploit Shellcodes

CVE List

Tools/Apps

News/Aarticles

Phishing Database

Deepfake Detection

Trends/Statistics & Live Infos

Tags:
IoT Nutrition Labels Aim to Put Security on Display