Adam Bannister 02 November 2021 at 16:47 UTC

Updated: 02 November 2021 at 16:58 UTC

Proposed basic standards for safe development, addressing vulnerabilities and protecting sensitive data

The US National Institute of Standards and Technology (NIST) has published draft criteria for a cyber security labeling scheme focused on consumer software.

Released for public comment yesterday (November 1st), the proposals (PDF) set out the baseline security standards vendors would need to meet to gain certification under any future scheme.

This will include demonstrating the integrity and origin of the software, the absence of known vulnerabilities and encrypted secrets, and, where applicable, multi-factor authentication (MFA) and strong cryptography.


Vendors would also need to adhere to best practices regarding secure development, vulnerability reporting and correction, expiration dates, and data protection.

“The goal is to raise consumer awareness of the different security needs they may have and help them make informed choices about the software they buy and use,” said Michael Ogata, NIST computer scientist and co-author of the document.

IoT counterpart

The proposals mirror the equivalent criteria issued in late August for Internet of Things (IoT) devices (PDF), with both projects mandated by the cyber security-focused executive order issued by President Biden in May.

NIST, in coordination with the Federal Trade Commission (FTC) and other agencies, was tasked by the executive order to initiate “pilot programs informed by existing consumer product labeling programs to educate the public on the security capabilities of Internet-of-Things (IoT) devices and software development practices”, and will explore ways to encourage manufacturers and developers to participate in these programs.

A news release from NIST reflects on the challenge of reconciling the goal of conveying security assurances to consumers “simply and directly” with the fact that “there is no single approach to cyber security that can be applied to all types of consumer software”.


While the executive order suggested that “a software level security rating system” should be considered, NIST proposes a simpler, binary label – or ‘approval stamp’ – that simply indicates whether a product has met a basic standard.

This would make it more like Finland’s IoT cyber security label than the Singapore equivalent regime, which classifies IoT devices using a rating scale.

However, NIST suggests that customers may also have the option to click on a URL to discover additional details about the labeling scheme and the software conformity statement.

Expert response

Tim Mackey, chief security strategist at Synopsys CyRC (Cyber Security Research Center), told The Daily Swig: “Essentially all labeling schemes are a certification that the software has been developed and tested according to known norms and that it is free from known vulnerabilities at the point of delivery.

“While this information is valuable to the public consumer, its impact will be better realized within the enterprise and industry. While an individual might purchase a single unit of a device such as a security camera, the average business is likely to have dozens of them – each an attractive target for cybercriminals.

“If the content of the certificate is included in the procurement processes that the business uses for such a device, then more vendors will meet the labeling requirements, which would restrict the market for non-compliant devices – ultimately reducing the number of potentially vulnerable devices that attackers can compromise successfully.”

NIST reiterated that it would not create a labeling program itself, as the executive order requires a voluntary approach, adding that “it will be up to the market to determine which organizations can use cyber security labels”.

Members of the general public can submit their responses to the draft document by December 16th.

NIST plans to produce the final versions for both consumer software and IoT equipment by February 6, 2022.
