
Sat, Jul 15

Does Finland Have the Answer to IoT Labeling for US Federal Acquisition Rule Updates

[UPDATE July 17, 2023: The US officially announced the IoT Cybersecurity Label program plans. Looks like FCC will host the "Trust Registry" of product cybersecurity labels]

The National Cybersecurity Strategy Implementation Plan (NCSIP) was released this past week and it has been receiving lots of media coverage, as it should. The hackers have had their way for years with ransomware attacks, data stealing and other malicious acts that are causing pain across society, shutting hospitals, disrupting manufacturing supply chains and affecting schools and local governments across the country, to name a few. And they are making lots of money in the process; cyber-crime is a lucrative business. So, it’s high time that the US get serious about stopping this crime wave, and the NCSIP is the game plan that team Cybersecurity needs to execute. Many software supply chain breaches can be avoided using a "Left of Bang" monitoring approach, i.e., monitoring installed software for newly reported vulnerabilities before they are exploited.

Failure is not an option.

It’s imperative that team cybersecurity work collaboratively in public-private partnerships, with mutual respect, to implement the details of this plan. The first milestone is to be completed by September 30, 2023, which is key to seeing if team cyber is up to the challenge. The first milestone, Strategic Directive 3.2, aims to provide consumers with greater visibility into the cybersecurity risks of “Internet of Things” (IoT) devices and the software that runs those devices, with updated Federal Acquisition Rules (FAR) in accordance with NCSIP initiative 3.2.1. NIST published IoT Labeling Guidelines in 2022 that will likely guide work on this milestone with the following guidance under section 2.2 Recommended Baseline Product Criteria:

“Product criteria are recommended to apply to the IoT product overall, as well as to each individual IoT product component (e.g., IoT device, backend, companion app), as appropriate.”

The NIST guidance for IoT labeling does a good job of describing WHAT is in scope to ascertain the trustworthiness of an IoT device and its components, but it lacks actual implementation steps advising device manufacturers HOW to receive an “IoT Cybersecurity Label”, and it gives consumers no guidance on HOW to use or check the IoT Cybersecurity Label for trustworthiness. This is where Finland may provide useful insights from its IoT labeling program, operated by the Traficom National Cyber Security Centre (NCSC-FI).

Finland’s IoT labeling program identifies several prerequisites before a manufacturer can receive the rights to display a Cybersecurity Label. Consumers can check the cybersecurity status of a product by scanning the Cybersecurity Label QR Code, which returns information about device security status. An example of the Finland Cybersecurity Label data provided to consumers for a product is available here.

Prerequisites for obtaining the Cybersecurity Label

When applying for the Cybersecurity Label, a company must fill in a statement of compliance form that contains information on the features of the product or service. The NCSC-FI reviews the information given on the form. An independent third party then undertakes an information security inspection on the product or service that the application concerns. The results are compared against the Cybersecurity Label requirements. Once the information and features provided are deemed sufficient, the NCSC-FI grants the Cybersecurity Label.

The “statement of compliance” is essentially a self-attestation form submitted by the manufacturer of the IoT device. Finland’s labeling program applies the excellent European standard requirements ETSI EN 303 645 V2.1.0 (2020-04) to assess the supplied information in the attestation form when deciding whether or not to issue a Cybersecurity Label. The ETSI standard explicitly refers to the need for a Software Bill of Materials (SBOM) and vulnerability disclosure reporting (VDR) to consumers following the international standard IEC 29147:2018, as the following provisions from the standard show.

Software solutions often contain open source and third party software components. Creating and maintaining a list of all software components and their sub-components is a pre-requisite to be able to monitor for product vulnerabilities. Various tools exist to scan source code and binaries and build a so-called Software Bill of Materials (SBOM), which identifies third party components and the versions used in the product. This information is then used to monitor for the associated security and licensing risks of each identified software component.

Vulnerabilities are expected to be reported directly to the affected stakeholders in the first instance. If that is not possible, vulnerabilities can be reported to national authorities. Manufacturers are also encouraged to share information with competent industry bodies, such as the GSMA [i.21] and the IoT Security Foundation. Guidance on Coordinated Vulnerability Disclosure is available from the IoT Security Foundation [i.22] which references ISO/IEC 29147 [i.4].

This is expected to be performed for devices within their defined support period. However, manufacturers can continue this outside that period and release security updates to rectify vulnerabilities.

Manufacturers that provide IoT products have a duty of care to consumers and third parties who can be harmed by their failure to have a CVD programme in place. Additionally, companies that share this information through industry bodies can assist others who can be suffering from the same problem.

NIST guidance includes both SBOM and VDR requirements, in sync with the ETSI IoT consumer labeling standard requirements and IEC 29147:2018. These SBOM and VDR standards are also supported in the SPDX SBOM standard version 2.3 and the CycloneDX SBOM standard version 1.4. Together, an SBOM (what components and versions are installed) and a VDR (which of those components a newly reported vulnerability affects) enable a software consumer to proactively monitor installed software for risk using a "Left of Bang" strategy when new vulnerabilities are reported. This helps to rebalance cyber-risks; today software consumers bear all the risks and costs of a cyber-breach.

There is still one question that most consumers are anxious to know the answer to when a new vulnerability is reported: "Is my product vulnerable as of right NOW?" IoT device trustworthiness can change from one second to the next when new vulnerabilities are reported. The solution chosen by the FAR team needs to be able to answer this consumer question, based on actual current risk, in order to be an effective deterrent against cyber-risks. Anne Neuberger used a restaurant cleanliness score analogy to convey that this labeling scheme needs to be straightforward and easy for consumers to understand, so that they can make a risk-based decision to buy an IoT product, or not. Would you eat at a restaurant with a cleanliness score of "F"? Would you buy an IoT device with a "Trust Score" of "F"? The IoT Cybersecurity Label must convey product trustworthiness, simply and easily, just like the restaurant cleanliness score. It's unclear to me if any of the existing labeling approaches (Finland and Singapore) answer this important question. Software vulnerabilities can appear at any time, and it's imperative to notify consumers ASAP when the risk profile changes for an IoT device and its software app, to reduce the window of susceptibility to consumer risk.
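As an added example (not code from the article, Traficom, ETSI or NIST), the following joins a constructed CycloneDX-1.4-shaped SBOM with constructed VDR-style vulnerability records to answer the "is my product vulnerable right now?" question from the SBOM and VDR passages above, and maps the worst open finding to a restaurant-style letter grade; the firmware name, component versions, affected ranges and vulnerability IDs are all placeholders, and the grading scale is my own assumption.

```python
import json
import re

# Constructed, CycloneDX-1.4-shaped SBOM for a hypothetical IoT camera firmware.
SBOM_JSON = """{
  "bomFormat": "CycloneDX", "specVersion": "1.4",
  "metadata": {"component": {"name": "example-cam-firmware", "version": "3.2.0"}},
  "components": [
    {"type": "library", "name": "libcurl", "version": "7.79.1"},
    {"type": "library", "name": "openssl", "version": "1.1.1t"},
    {"type": "library", "name": "busybox", "version": "1.36.0"}
  ]
}"""

# Constructed VDR-style records: component plus half-open range [min, max_excl). Placeholder IDs, not CVEs.
VDR = [
    {"id": "VULN-PLACEHOLDER-1", "component": "libcurl", "severity": "high",
     "affected": {"min": "7.70.0", "max_excl": "7.80.0"}},
    {"id": "VULN-PLACEHOLDER-2", "component": "openssl", "severity": "critical",
     "affected": {"min": "1.1.1", "max_excl": "1.1.1t"}},  # fixed in 1.1.1t, so 1.1.1t is clean
]

def parse_version(v):
    """Split '1.1.1t' into [(1, ''), (1, ''), (1, 't')] so OpenSSL-style
    letter suffixes compare correctly; unknown shapes raise rather than guess."""
    parts = []
    for seg in v.split("."):
        m = re.fullmatch(r"(\d+)([A-Za-z]*)", seg)
        if not m:
            raise ValueError(f"unsupported version segment: {seg!r}")
        parts.append((int(m.group(1)), m.group(2)))
    return parts

def is_affected(version, rng):
    return parse_version(rng["min"]) <= parse_version(version) < parse_version(rng["max_excl"])

def current_findings(sbom_json, vdr):
    """Return the VDR records that apply to components actually present in the SBOM."""
    installed = {c["name"]: c["version"] for c in json.loads(sbom_json)["components"]}
    return [{"id": r["id"], "component": r["component"], "version": installed[r["component"]],
             "severity": r["severity"]}
            for r in vdr
            if r["component"] in installed and is_affected(installed[r["component"]], r["affected"])]

SEVERITY_ORDER = ["none", "low", "medium", "high", "critical"]
GRADE = {"none": "A", "low": "B", "medium": "C", "high": "D", "critical": "F"}  # assumed scale

def trust_grade(findings):
    # Restaurant-style letter grade driven by the worst currently open finding.
    worst = max((f["severity"] for f in findings), key=SEVERITY_ORDER.index, default="none")
    return GRADE[worst]
```

Re-running `current_findings` each time the VDR feed changes is what turns a static label into a current answer; here libcurl 7.79.1 falls inside its affected range (grade D) while openssl 1.1.1t sits exactly at the fixed version and is correctly excluded.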

It's too soon to predict what will appear in the final FAR rules due by September 30, 2023, with regard to IoT labeling requirements, but it may be worthwhile for the people working on NCSIP initiative 3.2.1 to define Federal Acquisition Rule (FAR) changes supporting IoT labeling to consider the successful IoT labeling implementation used by Finland, which follows the international standards provided by ETSI and the NIST guidance identified in OMB M-22-18. Another international initiative within the Internet Engineering Task Force (IETF), called Supply Chain Integrity, Transparency and Trust (SCITT), aims to create a “Trust Registry” where consumers can go to check for “Trust Statements”, such as IoT Cybersecurity Labels for IoT devices, to see if a device has received a formal, trusted Cybersecurity Label in accordance with governmental requirements. A SCITT Trust Registry, when complete, is expected to operate similarly to a “Registry of Deeds”, reflecting the official record of trusted data, i.e., IoT Cybersecurity Labels in this scenario. Consumers will want to know that a cybersecurity label is "legit", and that is the assurance that a SCITT Trust Registry provides.