NIST Requests Comment on Software Cybersecurity White Paper
On November 1, 2021, the National Institute of Standards and Technology (NIST) published the initial draft of its labeling criteria in a white paper titled “DRAFT Baseline Criteria for Consumer Software Cybersecurity Labeling” (White Paper). The draft responds to Executive Order (EO) 14028, which directs NIST to initiate programs for cybersecurity labeling “to educate the public on the security capabilities of Internet of things (IoT) devices and software development practices.”
If adopted, the White Paper would give consumer software providers the option to label their software as meeting NIST's software security criteria, provided the provider satisfies all of the requirements to do so. The White Paper outlines the security-related information that must be disclosed on the product's label and the security practices a provider would have to follow.
The White Paper will inform "the development and use of a label for consumer software" and, as a result, “improve consumers’ awareness, information, and ability to make purchasing decisions while taking cybersecurity considerations into account.” There are three components to the White Paper:
i. It contains the baseline technical criteria for the label and methodology used to arrive at those criteria;
To meet the “baseline technical criteria,” software providers must implement these practices:
Follow the NIST Secure Software Development Framework (SSDF).
Provide a mechanism for reporting vulnerabilities.
Provide support at least until the published end-of-support date.
Remediate all known vulnerabilities before the label date.
Cryptographically sign the software and any updates.
If user authentication is required, implement multifactor authentication or participate in an identity federation ecosystem that supports multifactor authentication.
Remove passwords, encryption keys, or other secrets from source code (i.e., no hard-coded secrets).
Inventory the data types stored, processed, or transmitted by the software and the safeguards applicable to each data type.
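One of the baseline criteria above, "no hard-coded secrets," is the kind of requirement a provider can check mechanically before asserting the label. The following scanner is an added example written for this article; it is not code from NIST or from the White Paper, and the sample source files, the keyword list, and the entropy threshold are all constructed assumptions. It flags two things: assignments whose variable name suggests a credential and whose value is a string literal, and long string literals whose character distribution (Shannon entropy) looks like key material even when the variable name is innocuous. Secret values are redacted in the output so the report itself does not become a place where secrets leak.

```python
import math
import re
from dataclasses import dataclass

# Constructed sample source files (not from any real project). The first hard-codes
# credentials; the second reads them from the environment, which the criteria expect.
SAMPLE_FILES = {
    "config_bad.py": (
        'DB_PASSWORD = "hunter2"\n'
        'AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"\n'
        'api_key = "sk_constructed_example_key_0001"\n'
        'PLACEHOLDER = "xxxxxxxxxxxxxxxxxxxxxxxx"\n'
        'signing_blob = "Qm3x9pLz7Vw2Rt8Kd5Hn1Yc4Ab6Ef0Gh"\n'
    ),
    "config_good.py": (
        'import os\n'
        'DB_PASSWORD = os.environ["DB_PASSWORD"]\n'
        'api_key = os.getenv("API_KEY")\n'
    ),
}

# Rule 1: a credential-looking name assigned a quoted literal (assumed keyword list).
SECRET_ASSIGNMENT = re.compile(
    r"""(?ix)
    \b(?P<name>[\w.]*(?:password|passwd|secret|api[_-]?key|token|private[_-]?key)[\w.]*)
    \s*[=:]\s*
    ["'](?P<value>[^"'\n]{4,})["']
    """
)
# Rule 2: any quoted literal of 20+ "key-like" characters, judged by entropy below.
QUOTED_LITERAL = re.compile(r"""["']([A-Za-z0-9+/=_\-]{20,})["']""")


@dataclass(frozen=True)
class Finding:
    path: str
    line: int
    rule: str
    name: str       # variable name when known, else empty
    redacted: str   # first few characters only, never the full value


def shannon_entropy(s: str) -> float:
    """Bits per character; ~5.0 for random base64-like text, 0.0 for one repeated char."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((s.count(c) / n) * math.log2(s.count(c) / n) for c in set(s))


def redact(value: str) -> str:
    return value[:4] + "..." if len(value) > 4 else "***"


def scan_source(path: str, text: str, entropy_threshold: float = 3.5) -> list:
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = SECRET_ASSIGNMENT.search(line)
        if m:
            findings.append(Finding(path, lineno, "secret-assignment",
                                    m.group("name"), redact(m.group("value"))))
            continue  # do not double-report the same literal under rule 2
        for literal in QUOTED_LITERAL.findall(line):
            if shannon_entropy(literal) >= entropy_threshold:
                findings.append(Finding(path, lineno, "high-entropy-literal",
                                        "", redact(literal)))
    return findings


def scan_files(files: dict) -> list:
    """Scan every (path, contents) pair; an empty result is the label precondition."""
    findings = []
    for path, text in files.items():
        findings.extend(scan_source(path, text))
    return findings


if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print(f"{f.path}:{f.line}: {f.rule} {f.name or ''} value={f.redacted}")
```

Running it reports the three keyword-named assignments in `config_bad.py` plus the high-entropy `signing_blob` literal, while the all-`x` placeholder and the environment-backed `config_good.py` produce nothing. The entropy threshold of 3.5 bits per character is an assumption chosen to separate real key material from ordinary identifiers; in practice a scanner like this runs in CI as a gate, and anything it reports is reviewed rather than trusted blindly, because both rules can miss secrets stored in other file types or encoded differently.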
ii. It describes criteria for the labeling approach and consumer-focused label; and
This draft recommends a single, consumer-tested label indicating that the software has met the technical and conformity assessment criteria. Additionally, the label may provide consumers with a means to access additional online information, including:
Consumer-focused information on the labeling program.
Declaration of conformity for the software, including the label assertion date.
Data Inventory and Protection Attestation descriptions.
iii. It details a proposed approach for conformity assessment.
To meet the conformity assessment criteria, software providers will need to implement the following practices:
Maintain procedures for issuing, maintaining, extending, reducing, suspending, or withdrawing the declaration, as well as the attestation of the consumer software.
Have procedures in place to ensure that the software development practices continue to conform to the technical criteria acknowledged in the declaration of conformity.
Maintain separation of responsibilities and roles between the person conducting the attestation review and the signatory of the consumer software attestation.
Because the White Paper criteria were developed in coordination with the Federal Trade Commission (FTC), they are likely to inform future FTC guidance and enforcement activity regarding consumer software. As such, organizations that use or produce consumer software as a means of conducting their business should be apprised of these requirements and of the possibility that legislative action may follow. NIST has requested public comments on the White Paper before December 16, 2021, and all affected organizations should consider submitting them.
NIST requests comments on “all aspects of the criteria,” including:
Whether the criteria will achieve the goals of the EO by increasing consumer awareness and improving the cybersecurity of consumer software.
Whether the criteria will enable and encourage software providers to improve the cybersecurity of their products and the information they make available to consumers.
Whether the label should include a definitive statement that “the software product meets the NIST baseline technical criteria.”
Whether the software label approach and design should be similar to the forthcoming IoT product label “to facilitate brand recognition.”
Whether to include “more details on evidence required to support assertions.”
Whether to provide a template Declaration of Conformity.
Whether the technical baseline criteria are appropriate, including the “feasibility, clarity, completeness, and appropriateness of attestations.”
If you have any questions or concerns about how this draft could impact you or if you would like assistance in drafting a comment to the White Paper, please contact Kennedy Sutherland.