Baseline standards proposed for secure development, handling vulnerabilities, and protecting sensitive data

NIST unveils draft criteria for 'seal of approval' scheme on consumer software security

The US National Institute of Standards and Technology (NIST) has released draft criteria for a cybersecurity labeling system focused on consumer software.

Released for public comment yesterday (November 1), the proposals (PDF) set out baseline security standards that vendors would have to meet to earn certification under any future scheme.

This would include demonstrating software integrity and provenance, the absence of known vulnerabilities and hardcoded secrets, and, where applicable, multi-factor authentication (MFA) and strong cryptography.


Vendors would also need to adhere to best practices around secure development, vulnerability reporting and remediation, end-of-life dates, and data protection.

“The goal is to raise consumers’ awareness about the various security needs they might have and to help them make informed choices about the software they purchase and use,” said Michael Ogata, NIST computer scientist and co-author of the document.

IoT counterpart

The proposals complement equivalent criteria released at the end of August for Internet of Things (IoT) devices (PDF), with both projects mandated by the cybersecurity-focused executive order issued by President Biden in May.

NIST, in coordination with the Federal Trade Commission (FTC) and other agencies, was tasked by the executive order with initiating “pilot programs informed by existing consumer product labeling programs to educate the public on the security capabilities of Internet-of-Things (IoT) devices and software development practices, and shall consider ways to incentivize manufacturers and developers to participate in these programs”.

A news release from NIST reflects on the challenges of reconciling the aim of conveying security assurances to customers “simply and directly” with the fact that “there is no one-size-fits-all approach to cybersecurity that can be applied to all types of consumer software”.


While the executive order suggested that “a tiered software security rating system” should be considered, NIST proposes a simpler, binary label – or ‘seal of approval’ – that simply indicates whether a product has met a baseline standard.

This would make it more like Finland’s IoT cybersecurity label than Singapore’s equivalent regime, which classifies IoT devices using a ratings scale.

However, NIST suggests that customers could also have the option of clicking on a URL to discover additional details about the labelling scheme and the software’s declaration of conformity.

Expert response

Tim Mackey, principal security strategist at the Synopsys CyRC (Cybersecurity Research Center), tells The Daily Swig: “At the core of all labelling schemes is an attestation that the software was developed and tested to known norms and that it’s free from known vulnerabilities at the point of shipment.

“While this information is valuable to the public consumer, its impact will be better realized within enterprise and industry. Where an individual might purchase a single unit of a device like a security camera, the average business likely has dozens of them – each an appealing target for cybercriminals.

Mackey adds: “If the contents of the attestation are incorporated into the procurement processes businesses use for such a device, then more vendors will comply with the labelling requirements, which would limit the market for non-compliant devices – ultimately reducing the number of potentially vulnerable businesses attackers might successfully compromise.”

NIST reiterated that it would not be setting up a labeling program itself, since the executive order calls for a voluntary approach, adding that it “will be up to the marketplace to determine which organizations might use cybersecurity labels”.

Members of the general public can submit their responses to the draft document until December 16.

NIST plans to produce final versions for both consumer software and IoT devices by February 6, 2022.
