December 3, 2021

Volume XI, Number 337


December 02, 2021

Subscribe to Latest Legal News and Analysis

December 01, 2021

Subscribe to Latest Legal News and Analysis

November 30, 2021

Subscribe to Latest Legal News and Analysis

NIST Publishes Draft Security Criteria for Consumer Software

Consumer software providers will soon have the option to label their software as compliant with National Institute of Standards and Technology (NIST) standards for software security. On November 1, 2021, NIST published its initial draft of this standard in a white paper titled “DRAFT Baseline Criteria for Consumer Software Cybersecurity Labeling” (the White Paper). The White Paper defines the security-related information that would have to be disclosed on the label and the specific security practices a software provider would have to follow. It was developed in coordination with the Federal Trade Commission (FTC) and will likely inform future FTC guidance and enforcement activity. NIST has requested public comments on the White Paper by December 16, 2021. The final version is expected to be published by February 6, 2022.


President Joe Biden’s May 12, 2021, Executive Order (EO) 14028 directs NIST to initiate pilot programs for cybersecurity labeling “to educate the public on the security capabilities of Internet of things (IoT) devices and software development practices.” Under the EO, NIST, in coordination with the FTC and other agencies, “shall identify secure software development practices or criteria for a consumer software labeling program.” The criteria shall “reflect a baseline level of secure practices” as well as “increasingly comprehensive levels of testing and assessment that a product may have undergone.”

The White Paper addresses the need to develop appropriate cybersecurity criteria for consumer software, which means software primarily used for personal, family or household purposes. It is intended to inform “the development and use of a label for consumer software,” which would “improve consumers’ awareness, information, and ability to make purchasing decisions while taking cybersecurity considerations into account.” It is not intended to “describe how a cybersecurity label should be explicitly represented” or “detail how a labeling program should be owned or operated.”

The White Paper has three primary elements: (i) it defines baseline technical criteria for the label; (ii) it details a proposed approach for conformity assessment; and (iii) it describes criteria for the labelling approach. It also enumerates specific issues on which NIST requests comment.


The White Paper defines a series of outcome-based attestations (i.e., claims) that software providers would make about their product on the NIST label. It also provides criteria for satisfying each attestation.

To meet the baseline technical criteria, software providers will need to implement the following practices:

  • Follow the NIST Secure Software Development Framework (SSDF).

  • Provide a mechanism for reporting vulnerabilities.

  • Provide support at least until the published end-of-support date.

  • Remediate all known vulnerabilities before the label date.

  • Cryptographically sign the software and any updates.

  • If user authentication is required, implement multifactor authentication or participate in an identity federation ecosystem that supports multifactor authentication.

  • Remove passwords, encryption keys or other secrets from source code (i.e., no hard-coded secrets).

  • Follow NIST cryptographic standards for all encryption.

  • Inventory the types of data stored, processed or transmitted by the software, and the safeguards applicable to each data type.


The White Paper defines criteria for a Supplier’s Declaration of Conformity. The declaration of conformity is intended to “provide written assurance of conformity to the specified requirements.”

To meet the conformity assessment criteria, software providers will need to implement the following practices:

  • Maintain procedures for issuing, maintaining, extending, reducing, suspending or withdrawing the declaration and the label attestations.

  • Maintain procedures to ensure “continued conformity” with the label attestations.

  • Separation of responsibilities and roles between the person conducting the review of the attestation and the signatory of the consumer software attestation.

  • If the declaration was issued by an accredited laboratory or inspection body, maintain the results of the assessment and other supporting documentation that identifies the third-party and its qualifications, including accreditation status.


The White Paper recommends a single, consumer-tested label which indicates that the software has met the technical and conformity assessment criteria. The label may also provide a means for consumers to access additional online information, including:

  • Consumer-focused information about the labeling program;

  • The declaration of conformity; and

  • Descriptions supporting the data inventory and protection attestations.


NIST requests comments on “all aspects of the criteria,” including:

  • Whether the criteria will achieve the goals of the EO by increasing consumer awareness and improving the cybersecurity of consumer software.

  • Whether the criteria will enable and encourage software providers to improve the cybersecurity of their products and the information they make available to consumers.

  • Whether the label should include a definitive statement that “the software product meets the NIST baseline technical criteria.”

  • Whether the software label approach and design should be similar to the forthcoming IoT product label “to facilitate brand recognition.”

  • Whether to include “more details on evidence required to support assertions.”

  • Whether to provide a template Declaration of Conformity.

  • Whether the technical baseline criteria are appropriate, including the “feasibility, clarity, completeness, and appropriateness of attestations.”


Consumer software providers should consider whether they would benefit from labeling their software as NIST-compliant, and, if so, whether they could meet the requirements for secure development, information disclosure and conformity declaration. NIST is accepting comments on the draft through December 16, 2021.

© 2021 McDermott Will & EmeryNational Law Review, Volume XI, Number 327

About this Author


Todd S. McClelland advises companies on complex, international legal issues associated with cybersecurity breaches and compliance, data privacy compliance, and data, technology, cloud and outsourcing transactions. Todd counsels clients in many industries, including payment processors, cybersecurity product providers, retailers, petro companies, financial institutions and traditional brick-and-mortar companies.

Prior to his legal career, Todd was an engineer designing and programming industrial control, robotics and automation systems. This background gives him unique perspective and...

Shawn C. Helms Partner  Dallas Corporate & Transactional  Autonomous Vehicles  Consumer Data & Digital Marketing

Shawn C. Helms is co-head of the Firm’s Technology & Outsourcing Practice. Shawn has broad experience in the areas of information technology, outsourcing and telecommunications. He focuses his practice on complex transactions involving technology and intellectual property, including business process outsourcing (BPO) and information technology outsourcing (ITO), licensing, cloud computing arrangements (infrastructure as a service (IaaS), software as a service (SaaS) and platform as a service (PaaS)), technology maintenance and services, technology development/customization (including...

Robert Duffy Counsel Attorney Cyberseurity Privacy Washington DC

Robert Duffy helps clients manage their cybersecurity, privacy, and information technology legal risks by delivering practical advice, navigating crisis response and aggressively pursuing justice for victims of cybercrime and business torts. Robert conducts internal investigations into security incidents, vulnerability reports, potential compliance issues, insider threats and other high-stakes matters. Robert helps clients meet regulatory and legal obligations by assessing cybersecurity maturity and developing cost-effective and risk-prioritized remediation plans and...