Inside Cybersecurity

December 4, 2022

Consumer tech group proposes establishing ‘unifying mark’ for Internet of Things label, building off NIST criteria

By Sara Friedman / October 20, 2022

The Consumer Technology Association wants the federal government to look across a variety of existing approaches when crafting a new voluntary label for Internet of Things devices that builds off criteria developed by NIST through the 2021 cyber executive order.

Test houses UL, EuroFins and Intertek have created labeling schemes, and tech company offerings are already in place for IoT, CTA’s Michael Bergman said, where there are “discrete security requirements.” Bergman said, “We can take advantage of existing pieces in the ecosystem.”

CTA’s proposal is for “somebody to establish a unifying mark” where the ecosystem elements can be licensed to issue the mark if a company passes the organization’s testing program, Bergman said. NIST’s criteria could be used as the basis for the label or trademark itself, Bergman said.

NIST conducted an IoT labeling pilot to establish criteria for a potential label in close collaboration with industry. The agency also sought feedback on potential avenues for further work and submitted a report in May to the White House on potential next steps.

The White House convened a workshop Wednesday to discuss the creation of an IoT label. Participants included CTA along with manufacturers and other testing houses.

The event included a presentation from Carnegie Mellon University’s Yuvraj Agarwal, who provided an overview of IoT labeling research conducted through his institution, and featured remarks from National Cyber Director Chris Inglis and other government officials.

The government plans to start with labeling for routers and home cameras, according to a White House fact sheet.

The NIST criteria formalized in NISTIR 8425 should be combined with “a common national mark where labeling programs are licensed to issue based on compliance criteria at one end and an agreement on certain requirements to use the mark on the other,” Bergman said.

CTA’s Bergman, vice president of technology and standards, and David Grossman, vice president of regulatory affairs, spoke with Inside Cybersecurity following the workshop on what they want to see next.

Bergman said the label should build on Carnegie Mellon’s approach of having a physical label on an IoT device and a QR code where consumers can get additional technical information. The label should rely on third-party certification and self-attestation, Bergman said, and can also incorporate criteria from industry-developed standards from ISO, ANSI and ETSI.

Grossman said the White House has described the upcoming label as a “voluntary program” and recognizes there is “not a one size-fits-all approach for a massive array of IoT devices.”

Google participated in the workshop and published a blog post outlining their future plans.

Grossman said CTA has concerns that they would like to see addressed by the White House including liability protection and incentives for manufacturers to participate, preemption from state laws such as approaches under consideration in California and Oregon, consumer education and awareness, and self-attestation.

The White House should play a substantial role in consumer education and awareness similar to the rollout of the Energy Star label, Grossman said. It should also consider potential impacts to small business if the program is “overly complex or burdensome,” Grossman said.

“If a program is so complex and burdensome that it slows down a product getting into store shelves that is problematic as well,” Grossman said. -- Sara Friedman (sfriedman@iwpnews.com)