October 2, 2022

Volume XII, Number 275


September 30, 2022

Subscribe to Latest Legal News and Analysis

September 29, 2022

Subscribe to Latest Legal News and Analysis

NIST Publishes New Recommended Criteria for Cybersecurity Labeling for Consumer Internet of Things (IoT) Products

On February 4, 2022, the National Institute of Standards and Technology (“NIST”) published its Recommended Criteria for Cybersecurity Labeling for Consumer Internet of Things (IoT) Products.  These criteria make recommendations for cybersecurity labeling of consumer IoT products, i.e., those IoT products intended for personal, family, or household use.

NIST’s guidance is yet another step forward in implementing the Biden Administration’s May 2021 Executive Order on Improving the Nation’s Cybersecurity.  In that Executive Order, NIST was tasked with working with the Federal Trade Commission (“FTC”) and others to identify a consumer labeling program for IoT.  NIST’s recommendations also include feedback obtained during an initial workshop in September 2021 and a second event in December 2021.

The purpose of these recommendations is to identify a potential labeling scheme—not to be established or managed by NIST—but rather by the scheme owner itself, which could be a public or private sector entity.  These criteria are one step closer toward a national cybersecurity labeling scheme for consumer IoT products, and will likely be used as the model moving forward for these requirements.

The criteria established recommended considerations for three key aspects of a cybersecurity security IoT labeling program: (1) baseline product criteria; (2) labeling; and (3) conformity assessments.

With respect to baseline product criteria, NIST recommends an outcome-based approach that allows for the flexibility required by a diverse IoT marketplace.  The outcome-based approach allows for solutions to be updated and changed over time without significant changes to the product criteria for labeling.  The ten baseline criteria noted in the recommendations are: (1) asset identification; (2) product configuration; (3) data protection; (4) interface access control; (5) software update; (6) cybersecurity state awareness; (7) documentation; (8) information and query reception; (9) information dissemination; and (10) product education and awareness.

Next, NIST makes recommendations about label considerations.  NIST recommends the use of a binary label, that is, a single label indicating a product has met a baselines standard.  In addition to the binary label, NIST suggests a “layered” approach, which would provide the consumer with additional details online via a URL or a scannable code (i.e., a QR code).  These labels should be available to consumers before purchase, at the time of purchase (in-store or online), and after purchase.  NIST also emphasizes flexibility in supporting both digital and physical formats and encourages a robust consumer education campaign, including periodic testing with consumers to assess label appropriateness and usability.

The criteria also recommend considerations for a “conformity assessment” that would demonstrate a device’s compliance with the relevant standard.  While a single conformity approach may not achieve desired outcomes, NIST lists three potential conformity assessment approaches: (1) self-attestation; (2) third-party testing and inspection; and (3) third-party certification.

© Copyright 2022 Squire Patton Boggs (US) LLPNational Law Review, Volume XII, Number 49

About this Author

Kristin L. Bryan Litigation Attorney Squire Patton Boggs Cleveland, OH & New York, NY
Senior Associate

Kristin Bryan is a litigator experienced in the efficient resolution of contract, commercial and complex business disputes, including multidistrict litigation and putative class actions, in courts nationwide.

She has successfully represented Fortune 15 clients in high-stakes cases involving a wide range of subject matters.

As a natural extension of her experience litigating data privacy disputes, Kristin is also experienced in providing business-oriented privacy advice to a wide range of clients, with a particular focus on companies handling customers’ personal data. In this...

Marissa Black Litigation Attorney Squire Patton Boggs Cleveland, OH

Marissa Black is a results-oriented litigator representing clients in complex civil disputes. She has represented clients in federal and state courts throughout the US, at both the trial and appellate levels.

Before joining the firm, Marissa clerked for two years for the Honorable Dan Aaron Polster of the US District Court for the Northern District of Ohio. Before that, she was an associate at another Cleveland-based AmLaw 100 law firm.