cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
AndreaMoore
Community Manager

NIST Releases "Seal of Approval" Criteria for Cybersecurity Labeling System

Cybersecurity professionals,

What are your thoughts on this announcement?

 

The US National Institute of Standards and Technology (NIST) has released draft criteria for a cybersecurity labeling system focused on consumer software.

 

Released for public comment on November 1, the proposals (PDF) set out baseline security standards that vendors would have to meet to earn certification under any future scheme.

 

This would include demonstrating software integrity and provenance, the absence of known vulnerabilities and hardcoded secrets, and, where applicable, multi-factor authentication (MFA) and strong cryptography.

 

Vendors would also need to adhere to best practices around secure development, vulnerability reporting and remediation, end-of-life dates, and data protection.

 

“The goal is to raise consumers’ awareness about the various security needs they might have and to help them make informed choices about the software they purchase and use,” said Michael Ogata, NIST computer scientist and co-author of the document.

 

Read more: https://portswigger.net/daily-swig/nist-unveils-draft-criteria-for-seal-of-approval-scheme-on-consum...

 




(ISC)² Community Manager
1 Reply
JKWiniger
Community Champion

Re: NIST Releases "Seal of Approval" Criteria for Cybersecurity Labeling System

To me, I feel this is basically a joke! It's like when the CAN SPAM act came out, it was worthy until the added fines. If a company does what is needed and get certified will anyone care? I think this need to be an act instead of a standard and it need to be a requirement instead of a recommendation. Many people do not understand and really don't care about the details that secure things they use, so I don't think they will know about or care about a certification. Companies need to be held accountable and there needs to be oversight. When Microsoft can release a version of Windows with 65K know bugs and I'm sure some of those had to be security related someone need to step in a say, hey not so fast. How many of those bugs led to exploits, which if fixed could have been avoided. How many companies are being held accountable to releasing software with known issues?

 

John-