WASHINGTON — Today, global tech trade association ITI outlined first-of-its-kind recommendations for policymakers worldwide considering adopting cybersecurity labeling as a means of better communicating security features in information and communications technology (ICT) products and services. In its guidance, ITI stressed that cybersecurity labeling alone should not be viewed as a substitute for processes — like secure development lifecycles — that build continuous security and user trust.

“Cybersecurity labeling can be a useful mechanism for providing consumers with clear information about companies’ adherence to cybersecurity standards and adoption of certain security features in their devices or services, which in turn can help facilitate greater confidence and trust,” said John Miller, ITI’s Senior Vice President for Policy and General Counsel. “As policymakers around the world consider whether to pursue cybersecurity labeling, we urge them to engage with stakeholders and remain flexible in their approach. We look forward to sharing our guidance and working closely with policymakers who are considering how to most effectively foster confidence and trust in ICT products and services.”

To better inform ongoing discussions around cybersecurity labeling, ITI recommends that policymakers:

  • Embrace stakeholders, ensure clarity, and balance responsibilities to ensure that labeling programs bring value to consumers and that both end-users and manufacturers understand their respective roles in maintaining security.
  • Ensure the labeling format is flexible and the content is effective, such as through the use of e-labels or machine-readable codes and reasonably simple, clear language that does not overwhelm or distract consumers.
  • Ensure that the labeling does not convey a false sense of security, in recognition of the fact that cybersecurity is a continuous process and a label only reflects security at a specific point in time.
  • Align labeling with consensus-based, voluntary, industry-led international standards, to facilitate mutual recognition of labeling schemes across jurisdictions and prevent potential barriers to trade.

Read the full recommendations here.
