October 15, 2021

WASHINGTON – Today, global tech trade association ITI highlighted the importance of clearly defined and streamlined security labeling schemes to ensure effective security and resiliency of the Internet of Things (IoT) ecosystem. In comments to the National Institute of Standards and Technology (NIST) White Paper on IoT Draft Baseline Security Criteria for Consumer IoT Devices of the Labeling Program, ITI advises that any labeling scheme should streamline and simplify necessary information for the intended audience and avoid unnecessary information that may distract the consumer from understanding important security considerations. Earlier this year, ITI published first-of-its-kind recommendations for cybersecurity labeling.

“As NIST rightly points out in the White Paper, utility for cybersecurity, feasibility of implementation, and support for labeling and conformity assessment are key factors to developing a pilot labeling program for IoT devices,” ITI wrote in its comments. “ITI encourages stakeholders to take thoughtful, holistic approaches to managing both the security of devices and the networks and complex ecosystems that comprise global IoT security. In particular, we welcome NIST’s leadership in identifying key elements of existing labeling programs rather than establishing its own programs.”

ITI also noted that, “Cybersecurity is a shared responsibility, and the consumer should understand its responsibility and still protect ‘labeled’ software with strong and unique passwords and apply security updates. The labeling program should be effective in improving IoT cybersecurity as consumers understand such labeling and make market choices accordingly.”

In the comments, which are part of industry’s engagement on the Biden Administration's Executive Order on Improving the Nation's Cybersecurity (EO 14028), ITI recommends NIST:

  • Further refine the scope of the definition of IoT product and develop corresponding details of the labeling program to define the boundaries of a specific product. While NIST focuses on IoT products more broadly rather than IoT devices for labeling considerations, when using a broader term such as “IoT product,” it might become tricky in some cases to define the boundaries of a specific product.

  • Continue advocating for a consistent “IoT Device” definition in all NISTIR publications and with international partners to drive alignment in terminologies/terms. While a view of security in the context of the larger ecosystem may be helpful, we recommend aligning the scope of NIST’s security requirements to existing definitions that exclude conventional IT and appropriately treat security for components that cannot function on their own as part/within the context of the finished product in which they are integrated.

  • Caution against certification as a comprehensive solution. ITI cautions against using certification as an approach because it is not a comprehensive solution for cybersecurity. Cybersecurity is not an end state. Rather, it is a continuous effort to protect products, services, and users, based on the latest threat/vulnerability information available using the best available techniques, throughout the deployment lifecycle.

  • Recognize conformity assessments by suppliers/vendors and avoid local testing. In ITI’s recently published policy principles for cybersecurity certification, we strongly encourage governments to consider the viability of alternatives to certification, including education, supplier declaration of conformity (SDOC), and vendor attestation.

  • Ensure labeling conveys a realistic sense of security. A label should not give the misleading impression that a product is completely secure. In ITI’s recently published cybersecurity labeling position paper, we state that such an assumption would create a false sense of security and can serve to undercut the necessity for continuous improvement in cybersecurity practices.

  • Understand shared responsibility. Consumer awareness plays a key role, and we stress that cybersecurity is a shared responsibility, and manufacturers cannot secure the products and services they develop without other stakeholders’ participation. Both end-users and operators must understand their respective roles in maintaining cybersecurity.

  • Allow flexible label formatting and effective content. ITI recommends allowing the adoption of e-labels, a digital representation or an electronic means to display regulatory and other important information, which often provides links to an internet website or a scannable source.
