The NIST is getting closer to a set of recommendations for an IoT device labeling system. The system is intended to promote IoT cybersecurity, and will essentially stamp consumer devices with a “Seal of Approval” that indicates that they meet certain baseline security standards.
In that regard, the labeling system reflects the Biden Administration’s broader efforts to improve cybersecurity at the federal level. President Biden asked the NIST to deliver a report on potential labeling criteria in his cybersecurity executive order last May, and the agency has until May 12 of this year to follow through on the request. The agency has indicated that the report is in progress, and that its labeling pilot tests will be completed in time to meet the deadline.
The tricky part, according to the agency, will be finding a way to convince device manufacturers to embrace the labeling system. In terms of technology, the report will likely focus on best practices like data protection, access control, and secure firmware patches. However, the US’s current IoT legislation only applies to government-owned devices, so manufacturers are not legally obligated to adhere to any labeling system for devices sold to the general public.
With that in mind, the finished report is also expected to include incentives to encourage private businesses to adopt a labeling scheme. The NIST has published a preliminary white paper on the subject, though the agency is still gathering feedback before making its final recommendations.
The Cyberspace Solarium Commission has also supported the creation of a labeling scheme. The NIST itself would not be responsible for running the final program, but it advised that the organization that does run it conduct market research to make sure that the labels are actually useful to consumers, since it’s not yet clear how much impact labels have on people’s buying decisions.
The NIST recently closed nominations for an IoT Advisory Board that will be asked to lead IoT policy discussions in the US. The organization is also soliciting public comments as it prepares to release an updated version of its Cybersecurity Framework.