NIST Seeks Feedback on Cybersecurity Labels for Software
The effort aims to create a user-friendly label to educate consumers about their purchases.

The National Institute of Standards and Technology is looking for input on new cybersecurity guidance for consumer software in a bid to increase the public’s safety and awareness.

NIST officials want feedback on labeling criteria for certain software products to ensure that the general public finds the labels user-friendly.

“We are establishing criteria for a label that will be helpful to consumers,” Michael Ogata, a NIST computer scientist and co-author of the draft document, said in the press release. “The goal is to raise consumers’ awareness about the various security needs they might have and to help them make informed choices about the software they purchase and use.”

NIST’s criteria initiative is a result of an executive order President Joe Biden signed in May following multiple widespread ransomware attacks. Pursuant to the order, NIST is required to develop new operating procedures that can be used to evaluate software security and educate consumers about the technology they purchase.

The criteria will serve as the foundational technical information requirements for labeling consumer software products. Some of the information set to be included in the labels consists of “attestations,” which are claims about a specific software product’s security features. These claims cover best practices, a description of the software systems, known vulnerabilities, and data encryption and protection statuses.

“As a complement to the labeling approach, a robust consumer education program should be developed to increase label recognition and to provide transparency,” Ogata said. “Consumers should have access to online information including what the label means and does not mean, so that they can avoid potential misinterpretations.”

NIST itself does not create the labels and has yet to determine which entity will. Labels won’t be a requirement on all software products; rather, the executive order stipulates the labels will be voluntary and at the discretion of the marketplace to determine which organizations should use cybersecurity labels on software products.