WASHINGTON – Today, global tech trade association ITI emphasized the importance of ongoing and regular reviews for consumer software labeling given the evolving nature of risks and vulnerabilities. In comments to the National Institute of Standards and Technology (NIST) on the Executive Order on Improving the Nation's Cybersecurity Consumer Software Labeling Program, ITI made several recommendations that focus on flexibility and on processes that build continuous security and user trust. Earlier this year, ITI published first-of-its-kind recommendations for cybersecurity labeling.
“Consumer software labeling can provide consumers with clear information about the security of their products, and help facilitate greater confidence and trust,” said John Miller, ITI Senior Vice President of Policy and General Counsel. “We appreciate the Biden Administration’s ongoing consultation with stakeholders to identify secure software development practices and criteria for a consumer software labeling program and urge them to remain flexible in their approach.”
In the comments, ITI recommends that the program:
- Ensure Labeling Does Not Convey a False Sense of Security: While labels may help incentivize the adoption of the underlying security practices, they should not be perceived as a substitute for processes to build security and trust.
- Raise End-User Awareness and Balance Responsibility: The goal should be enabling consumers to make intelligent purchasing decisions rather than driving post-purchase behavior. Both consumers and manufacturers must understand their respective roles in maintaining cybersecurity.
- Allow for Flexible Labeling Formats and Conduct Periodic Reviews: Any labeling scheme should be flexible to accommodate a range of formats, including e-labeling for digital listings in online marketplaces, machine-readable codes, and other forms of communication that effectively convey the security information to the intended audience.
- Recognize Conformity Assessments by Suppliers/Vendors and Facilitate Mutual Recognition: We encourage the U.S. government to recognize conformity assessments by vendors, as well as third-party assessment labs, to facilitate the mutual recognition of labeling schemes across international jurisdictions.
- Align with International Standards and Best Practices: Proposed guidelines, best practices, or standards must be technology-agnostic and account for the risk levels associated with software components, and they should focus specifically on “consumer” products rather than business products, so that enterprise software is not inadvertently brought into scope. This tiered and narrow approach will help companies tailor the guidelines, best practices, or standards to different types of software.
Read ITI’s full comment submission here.