It was recently reported that the US National Institute of Standards and Technology (NIST) has unveiled new draft criteria for consumer software cybersecurity.
The draft sets out the baseline security criteria a vendor would have to attest to in order to earn a label under such a scheme: that the software's integrity and provenance can be verified, that it is free of known vulnerabilities and hardcoded secrets, and, where relevant, that it supports multi-factor authentication and uses strong cryptography.
Vendors would also have to attest to following best practices for secure development, vulnerability reporting and remediation, published end-of-life dates, and data protection. The aim is to make software security visible to consumers and raise their awareness of it.
NIST had previously released criteria for Internet of Things (IoT) devices and had started pilot programs, modelled on existing consumer product labeling schemes, to educate the public about the security capabilities of IoT devices and the software development practices behind them.
NIST will not run a labeling program itself, however; it will be up to the market to decide which organizations adopt cybersecurity labels. Final versions of the criteria for both consumer software and IoT devices are due by February 2022.