In response to Executive Order 14028 on improving the nation’s security, NIST was required to produce a set of requirements for consumer software to obtain a security “seal of approval”.
Right now the EO calls for the security standard to be voluntary. The theory is that if consumers have a choice between a product that has the NIST seal of approval and one that does not, the consumer is likely to pick the one with the seal of approval.
At this point NIST is asking for comments. The standard covers everything about such a seal, including what it might look like.
The “seal of approval” would cover things like whether the company has a secure software development process, that there are no known vulnerabilities, that the software supports multifactor authentication, and when software support will end.
The label would also state what personally identifiable information the software collects and where the data is stored, and would include a data manifest.
For each of the proposed fields, there are 4 attributes: what the attestation is, a description of the attestation, what the desired outcome is, and what the assertions are. Here is an example:
Software Provider
Attestation: Software Provider
Description: Information relating to the entity that is making attestations in the label.
Desired Outcome: Consumers can quickly and easily determine the author/organization of the software that is making claims.
Assertions: The name of the software developer/vendor/owner making the claims in the label as well as the name and contact information for an individual within this entity that is responsible for these claims is readily available to the consumer.
The label is a “binary” label – either the system passed or it did not. The label needs to be viewable by the consumer before the purchase and any time after the purchase.
The label also needs to provide a way for the consumer to obtain additional security information online.
The proposed standard runs 24 pages and has additional appendices and references.
If you either make consumer software or use consumer software, this might be something you want to learn more about.
You can find the draft standard here.