On February 4, 2022, the National Institute of Standards and Technology (“NIST”) published its Recommended Criteria for Cybersecurity Labeling for Consumer Internet of Things (IoT) Products (“IoT Criteria”).  The IoT Criteria make recommendations for cybersecurity labeling of consumer IoT products, that is, IoT products intended for personal, family, or household use.

The purpose of the publication, as described by NIST, is to identify “key elements of a potential labeling scheme.”  The publication makes clear, however, that the scheme would not be established or managed by NIST, but rather “by another organization or program,” referred to in the publication as the “scheme owner.”  The identity of the scheme owner is undetermined, but it “could be a public or private sector” entity.

The publication of the IoT Criteria represents another step toward a national cybersecurity labeling scheme for consumer IoT products.  We should expect that the framework established by NIST in this publication will serve as a model for the requirements of any such scheme.

IoT Criteria Framework.  The IoT Criteria establish recommended considerations for three key aspects of a potential cybersecurity IoT labeling program:

  1. Baseline Product Criteria
  2. Labeling
  3. Conformity Assessments

  1. Baseline Product Criteria.

With respect to “baseline product criteria,” the IoT Criteria recommend an “outcome-based approach” that “allows for the flexibility required by a diverse marketplace of IoT products.”  Rather than require specific technical specifications, the IoT Criteria list desirable, baseline “outcomes” that, if achieved, would enhance the cybersecurity of the IoT product.  The outcome-based approach “allows cybersecurity solutions and mitigations to be upgraded and changed over time without significant changes in the product criteria for labeling.”  The recommended criteria are intended as a baseline that a scheme owner could tailor.  The publication discusses ten baseline product criteria:

  1. Asset Identification: The IoT product is (1) uniquely identifiable and (2) inventories all its components.
  2. Product Configuration: The IoT product has (1) a changeable configuration, (2) “the ability to restore a secure default setting,” and (3) restricts the ability to implement changes to “authorized individuals, services, and other IoT product components.”
  3. Data Protection: The IoT product and its components protect stored and transmitted data from unauthorized access, disclosure, and modification.
  4. Interface Access Control: “The IoT product and its components restrict logical access to local and network interfaces – and to protocols and services used by those interfaces – to only authorized individuals, services, and IoT product components.”
  5. Software Update: The IoT product and component software can only be updated by authorized individuals, services, and other IoT product components via “a secure and configurable mechanism, as appropriate for each IoT product component.”
  6. Cybersecurity State Awareness: “The IoT product supports detection of cybersecurity incidents affecting or affected by IoT product components and the data they store and transmit.”
  7. Documentation: IoT product developers should create, gather, and store information relevant to cybersecurity of the IoT product and its components throughout product development, prior to customer purchase, and through its subsequent lifecycle.
  8. Information and Query Reception: IoT product developers should be able “to receive information relevant to cybersecurity and respond to queries from customers and others” about that information.
  9. Information Dissemination: IoT product developers should broadcast and distribute information relevant to cybersecurity.
  10. Product Education and Awareness: IoT product developers should create awareness of and educate customers and others “in the IoT product ecosystem about cybersecurity-related information (e.g., considerations, features) related to the IoT product and its product components.”

  2. Labeling Considerations.

Next, the publication makes recommendations about labeling considerations.  A few notes on NIST’s guidance regarding labeling:

  • NIST recommends the use of a binary label – “a single label indicating a product has met a baseline standard.”
  • In addition to the binary label, NIST suggests a “layered” approach, which would provide the consumer with additional details online via a URL or a scannable code (e.g., a QR code).
  • NIST recommends specific label content that is aimed at supporting “non-expert, home users of IoT products.”  NIST also states that labels should be available to consumers before purchase, at the time of purchase (in-store or online), and after purchase.
  • NIST also emphasizes flexibility “in supporting both digital and physical formats as appropriate” and encourages periodic testing with consumers to assess label appropriateness and usability.
  • And, in combination with a label, NIST recommends “a robust consumer education campaign.”

  3. Conformity Assessment Considerations.

The IoT Criteria also recommend considerations for a “conformity assessment” that would demonstrate a device’s compliance (or not) with the relevant standard.  NIST emphasizes that a “scheme owner is necessary to tailor the recommended product criteria, define conformity assessment requirements, develop the label and associated information, and conduct related consumer outreach and education.”  NIST notes that “a single conformity assessment approach is not likely to achieve desired objectives” and lists several conformity assessment approaches that could be used “exclusively or in combination,” including:

  • Self-attestation: A “[s]upplier’s declaration of conformity” made by the organization that provides the IoT device, stating that it has complied with the defined criteria.
  • Third-party Testing and Inspection: A prospective external “determination or examination” of the consumer IoT device based on certain defined criteria.
  • Third-party Certification: A statement “issued based on a comprehensive review that an IoT product has fulfilled defined criteria.”

Background & Executive Order 14028.  The IoT Criteria are yet another step in effectuating the guidance issued by President Biden in May 2021, as part of Executive Order 14028 on Improving the Nation’s Cybersecurity.  In that Executive Order, President Biden tasked NIST to work in coordination with the Federal Trade Commission (“FTC”) to identify “IoT cybersecurity criteria for a consumer labeling program.”  NIST took action, soliciting feedback on a cybersecurity IoT labeling program during an initial workshop in September 2021 and a second event in December 2021.  Incorporating feedback from those workshops, NIST’s latest publication fulfills its directive under Section 4(t) of Executive Order 14028.  For more on the Executive Order, see Covington’s ongoing analysis series here.

Looking Forward.  Throughout 2021, Congress, the states, and federal agencies continued to focus on IoT and IoT cybersecurity.  Companies should expect further developments in this area, particularly with respect to a potential IoT cybersecurity labeling program.  The consumer-focused criteria indicate that the emphasis will remain on compliance regimes that prioritize consumer awareness and safety within the IoT product market.

Micaela McMurrough

Micaela McMurrough has represented clients in high-stakes antitrust, patent, trade secrets, contract, and securities litigation, and other complex commercial litigation matters, and serves as co-chair of Covington’s global and multi-disciplinary Internet of Things (IoT) group. She also represents and advises domestic and international clients on cybersecurity and data privacy issues, including cybersecurity investigations and cyber incident response. Micaela has advised clients on data breaches and other network intrusions, conducted cybersecurity investigations, and advised clients regarding evolving cybersecurity regulations and cybersecurity norms in the context of international law.

In 2016, Micaela was selected as one of thirteen Madison Policy Forum Military-Business Cybersecurity Fellows. She regularly engages with government, military, and business leaders in the cybersecurity industry in an effort to develop national strategies for complex cyber issues and policy challenges. Micaela previously served as a United States Presidential Leadership Scholar, principally responsible for launching a program to familiarize federal judges with various aspects of the U.S. national security structure and national intelligence community.

Prior to her legal career, Micaela served in the Military Intelligence Branch of the United States Army. She served as Intelligence Officer of a 1,200-member maneuver unit conducting combat operations in Afghanistan and was awarded the Bronze Star.

Ashden Fein

Ashden Fein advises clients on cybersecurity and national security matters, including crisis management and incident response, risk management and governance, government and internal investigations, and regulatory compliance.

For cybersecurity matters, Mr. Fein counsels clients on preparing for and responding to cyber-based attacks, assessing security controls and practices for the protection of data and systems, developing and implementing cybersecurity risk management and governance programs, and complying with federal and state regulatory requirements. Mr. Fein frequently supports clients as the lead investigator and crisis manager for global cyber and data security incidents, including data breaches involving personal data, advanced persistent threats targeting intellectual property across industries, state-sponsored theft of sensitive U.S. government information, and destructive attacks.

Additionally, Mr. Fein assists clients from across industries with leading internal investigations and responding to government inquiries related to U.S. national security. He also advises aerospace, defense, and intelligence contractors on security compliance under U.S. national security laws and regulations including, among others, the National Industrial Security Program (NISPOM), U.S. government cybersecurity regulations, and requirements related to supply chain security.

Before joining Covington, Mr. Fein served on active duty in the U.S. Army as a Military Intelligence officer and prosecutor specializing in cybercrime and national security investigations and prosecutions, including serving as the lead trial lawyer in the prosecution of Private Chelsea (Bradley) Manning for the unlawful disclosure of classified information to Wikileaks.

Mr. Fein currently serves as a Judge Advocate in the U.S. Army Reserve.

Matthew Harden

Matthew Harden is a litigation associate in the firm’s New York office and advises on a broad range of cybersecurity, data privacy, and national security matters, including cybersecurity incident response, cybersecurity and privacy compliance obligations, internal investigations, and regulatory inquiries.