The US has launched a Cyber Trust Mark for Internet of Things (IoT) devices, enabling consumers to easily assess the cybersecurity standards of such products when making purchasing decisions.
Consumer smart device manufacturers that qualify for the Cyber Trust Mark will soon be able to display a trademarked, distinct shield logo on their products.
This will demonstrate that they have met robust cybersecurity standards according to established cybersecurity criteria from the US National Institute of Standards and Technology (NIST).
The voluntary label is designed to enhance IoT device security by incentivizing manufacturers to improve their secure-by-design practices.
Smart devices are heavily targeted by cyber-attacks, with threat actors taking advantage of significant security weaknesses and vulnerabilities that are present in these products.
High-profile incidents involving these products include criminals remotely hacking into home security systems to unlock doors and tapping into insecure home cameras to illicitly record conversations.
The White House stated: “The program is open for business in 2025: companies will soon be able to submit their products for testing to earn the label, companies like BestBuy and Amazon will be highlighting labeled products, and consumers can look for products bearing the Trust Mark on the shelves.”
White House Sets Out Trust Mark Administration
The Cyber Trust Mark program was launched in July 2023, with the Federal Communications Commission (FCC) adopting final rules for the voluntary cybersecurity labeling program in March 2024.
In December 2024, the FCC approved 11 companies to be Cybersecurity Label Administrators and the conditional selection of UL Solutions as the lead administrator. These administrators will manage activities such as evaluating production applications, authorizing use of the label and consumer education.
Accredited laboratories will handle manufacturers’ compliance testing.
The FCC will provide oversight of the program’s administration.
The EU’s Cyber Resilience Act, which introduces cybersecurity requirements for IoT products, came into force in December 2024. EU firms have until December 2027 to ensure their products comply.
In the UK, a similar law, the Product Security and Telecommunications Infrastructure (PSTI) Act, came into force in April 2024.
These laws include requirements in areas like default passwords, vulnerability reporting and security updates.