NIST seeks public input on proposed consumer software labeling scheme
The National Institute of Standards and Technology is calling for feedback from experts and industry in response to proposals for a draft consumer software labeling framework.
In a draft document published on Monday, the agency outlined baseline criteria for a possible new assessment regime, which could require software manufacturers to attest to the cybersecurity of their products.
Publication of the new draft guidelines comes amid increased scrutiny of the cybersecurity arrangements of federal technology contractors, including the launch of an enforcement push by the Department of Justice to pursue companies that fail to disclose accurate details of their cybersecurity posture.
The National Institute of Standards and Technology (NIST) has issued recommendations for the launch of a voluntary cybersecurity assurance framework, as required by the Biden Administration's cybersecurity executive order, which was published in May.
Under the software labeling proposals, manufacturers could have to attest to specific aspects of how their software is produced, including their adherence to accepted secure development practices and the data protection measures they follow.
The criteria so far draw on input already gathered from the public through a position paper, a workshop, and multiple discussions with interested stakeholders.
NIST is accepting public comments on the draft until Dec. 16; the feedback will inform a final version to be published on or before Feb. 6 next year.
Commenting on the draft proposals, NIST computer scientist and co-author of the document Michael Ogata said: "We are establishing criteria for a label that will be helpful to consumers. The goal is to raise consumers' awareness about the various security needs they might have and to help them make informed choices about the software they purchase and use."
In publishing the draft, NIST emphasized that it will not itself run any such labeling regime and that participation in the program will be voluntary for software providers.