
U.S. NIST Seeks Public Input on Consumer Software Labelling for Cybersecurity


The U.S. National Institute of Standards and Technology (NIST) has drafted a set of cybersecurity criteria for consumer software in an effort to improve consumers’ ability to make informed decisions about the software they purchase. The criteria in this document are based on extensive input offered to the NIST workshop and position papers submitted to NIST, along with the agency’s research and discussions with organisations and experts from the public and private sectors.

The document, “Draft Baseline Criteria for Consumer Software Cybersecurity Labeling”, forms part of NIST’s response to the Executive Order (EO) on Improving the Nation’s Cybersecurity. The EO specifies that NIST “shall identify secure software development practices or criteria for a consumer software labelling program” — criteria that reflect a baseline level of cybersecurity and that focus on ease of use for consumers.

We are establishing criteria for a label that will be helpful to consumers. The goal is to raise consumers’ awareness about the various security needs they might have and to help them make informed choices about the software they purchase and use.

– Michael Ogata, NIST computer scientist

Part of the challenge is the sheer vastness and variety of the consumer software landscape. Software is an integral part of life for the modern consumer. Nevertheless, most consumers take for granted, and are unaware of, the software upon which many products and services rely. While enabling many benefits to consumers, software is also subject to cybersecurity flaws or vulnerabilities that can directly affect safety, property, and productivity.

There is no one-size-fits-all definition for cybersecurity that can be applied to all types of consumer software. The risk associated with software is tightly bound to that software’s intended use (both in function and operating environment), as well as its post-deployment configuration.

While NIST’s assignment is straightforward — to establish the criteria that should be the basis for a software label — NIST is not designing the label itself, nor is NIST establishing its own labelling program for consumer software. The EO calls for a voluntary approach, and it will be up to the marketplace to determine which organisations might use cybersecurity labels.

Currently, the agency is seeking public input about the baseline of technical requirements for the software and the related label. As proposed by NIST, in order to qualify for a label, the software provider would first need to meet all of the technical requirements. The document refers to these requirements as “attestations,” or claims about the software’s security, which the document organises into four categories:

  • Descriptive attestations — information about the label itself, such as who is making the claims about information within the label, what the label applies to and how the consumer can get more information.
  • Secure software development attestations — how the software developer adheres to security best practices. By fulfilling requirements in this category, the provider communicates to consumers that they can be more confident about the development process.
  • Critical cybersecurity attributes and capability attestations — features expressed by the software’s functionality, and other attributes that consumers should know, such as whether the software is free from known vulnerabilities or whether encryption is used.
  • Data inventory and protection attestations — information about data that consumers may identify as having high cybersecurity-related risk, and the software provider’s descriptions of mechanisms used to protect that data. This data might relate to personally identifiable information, device location information, or any other data the provider has spent time and effort safeguarding.

A software label would not necessarily spell out all of these details, but the overall labelling effort should aim to educate consumers about what the label means and indicate where they can readily get additional information about those cybersecurity attributes.
