Our Quest: Advancing Product Labels to Help Consumers Consider Cybersecurity
 For many decades, consumers have relied on labels to help them make decisions about which products to buy. Sometimes the labels make assertions about what ingredients or components the product uses. (What’s in that peanut butter?) Other times labels claim a level of performance. (How much storage does that laptop have?) These statements may come from the manufacturer or from a third party who has reviewed and perhaps tested the product. (This appliance has been tested to meet specific electrical safety standards) Labels have assisted manufacturers and retailers to help consumers make more informed purchasing choices. Presumably, labels also have improved the quality and performance of available products by upping the ante for manufacturers and retailers who compete for consumers’ business.
That’s the motivation behind a key provision in the May 12, 2021, Executive Order (EO) on Improving the Nation’s Cybersecurity. The order assigned NIST a host of responsibilities, most aimed at improving cybersecurity related to the software supply chain. NIST also was tasked to develop cybersecurity criteria and labeling approaches for consumer software and Internet of Things (IoT) products and then to initiate pilots based on those criteria.
The EO set a 270-day deadline for these two efforts; NIST delivered “the goods” on February 4. The pilot consists of NIST seeking contributions from stakeholders regarding current or potential future labeling efforts for consumer IoT products and consumer software, and how those efforts align with the NIST recommendations.
|
