Consumer IoT Cybersecurity Labeling Program Launching in the U.S.

Image Credit: N. Hanacek/NIST

The Seven Things Consumer Device Manufactures Need to Know to Prepare.

In the wake of the Colonial Pipeline and Solar Winds hacks in 2021, President Biden issued Executive Order On Improving Nation’s Cybersecurity, number 14028.  Among a number of directives, including end point detection and response, zero trust, and multi-factor authentication was an order for an Internet of Things, consumer device labeling program.

That executive order tasks the National Institute of Standards and Technologies (NIST) to develop guidance for this labeling program.  In response, NIST published a whitepaper in February of 2022 with their recommendations.  This work builds upon NIST’s IoT device security best practices outlined in NISTIR 8259.  BG Networks’ security automation tools, BGN-SAT , are based on these security controls specified by NIST as is our AnCyR cybersecurity awareness software.

In October of 2022, the White House called together leaders from various federal agencies and some of the largest consumer IoT companies on how to best implement this program.  These companies will work with the U.S. Government to move the labeling program forward.

If you make consumer IoT devices for sale in the U.S., here are seven things that you need to know about this labeling program to help you prepare:

• The program calls for Energy Star like labeling for consumer device cybersecurity. A bar code on the IoT device will take a consumer to a web page where the cybersecurity label information is listed.  This can be thought of as a list of ingredients on a package of food.
• The program will start in the spring of 2023.
• The program will be voluntary to start but it is expected that it will become mandatory as other nations have cybersecurity consumer labeling programs that are further along. Singapore launched a cybersecurity labeling scheme in October 2020.  The U.K. has a bill that is moving through the house of commons that includes potential fines of up to 10 million pounds for non-conformance.
• High-risk devices will be targeted first such as network routers used in the home and security cameras.
• NIST will always recommend security that is fit for purpose. In other words, one size security does not fit all. But the security controls they have outlined come from their NISTIR 8259 documents.  Both device-level security features and what is called non-technical recommendations (e.g., having a way that consumers can contact a company concerning cybersecurity issues) are mentioned.
• A baseline of security is to be established for the purposes of education to ensure that consumers don’t become overconfident in the security implemented and will give the opportunity for high levels of cybersecurity implementations to be highlighted.
• There are still many aspects of the program that need to be defined. One of the biggest open questions is who will be the “scheme owners”.  This could be public or private organizations that would oversee the labeling program with responsibility for consistency and integrity of the program.

BG Networks security automation tools are the fastest way to implement a baseline of security features in IoT devices.  The security features these tools implement are aligned with NIST IoT cybersecurity guidance and will help you prepare for this IoT consumer device labeling program.  BG Networks also offers cybersecurity training and engineering services to help you prepare.  We can provide assistance ranging from helping establish a holistic cybersecurity program to threat assessment to implementation of security features in IoT devices.