Privacy & Information Security Law Blog

On September 14 and 15, 2021, the National Institute of Standards and Technology (“NIST”) held a public workshop, as part of its effort to create a consumer labeling program to communicate the security capabilities of consumer Internet of Things (“IoT”) devices and software development practices, as mandated by the Biden administration’s May 2021 Executive Order on Improving the Nation’s Cybersecurity. NIST, in coordination with the Federal Trade Commission  and other agencies, must identify the criteria and components of such a labeling program by February 6, 2022.

In May 2021, NIST released a draft white paper that summarized its review of the currently available confidence mechanisms for the security of consumer IoT devices and in August 2021, NIST released a draft white paper that detailed draft baseline security criteria for consumer IoT devices. NIST has sought public comments on the draft baseline security criteria, which are due by October 17, 2021. NIST’s workshop touched upon the proposed security criteria and related issues. A variety of stakeholders participated in the workshop, including representatives from government agencies, the private industry and academic experts.

NIST will not establish its own labeling program, and will instead identify minimum requirements and desirable attributes and outcomes for labeling programs, so that providers and consumers can choose the best labeling solutions for their devices and environments. According to NIST, such labeling program should:

• encourage innovation in manufacturers’ IoT security efforts, leaving room for changes in technologies and the security landscape;
• be practical and not burdensome to manufacturers and distributors;
• factor in usability as a key consideration;
• build on national and international experience; and
• allow for diversity of approaches and solutions across industries, verticals and use cases, provided such approaches are useful and effective for consumers.