New U.S. Cyber Trust Mark Can Provide Competitive Advantage for IoT Manufacturers Focused on Consumer-Grade Cybersecurity

On January 7, the White House announced the official launch of the much anticipated U.S. Cyber Trust Mark, an Internet of Things (IoT) cybersecurity labeling program for wireless devices. This will cover a broad swath of consumer devices, such as home security cameras, smart appliances, baby monitors, smart door locks, and fitness trackers, among others. The label will include a QR code linked to an information registry containing the security details of the product, such as password management, security configuration, availability of security patches, and vendor support.

The Federal Communications Commission (FCC) is in charge of the program’s administration and will be leveraging a number of third parties to help it in the evaluation and delivery of labels. The FCC has already designated 11 third parties that will serve as approved Cybersecurity Label Administrations (CLAs), with UL Solutions named as the Lead Administrator. CLAs will be in charge of reviewing submissions for applications by manufacturers once their products have undergone compliance testing by accredited labs (CyberLABS).

The FCC recommended the use of NIST IR 8425 (Profile of the IoT Core Baseline for Consumer IoT Products) as the basis for the U.S. Cyber Trust Mark. NIST IR 8425 is itself built on NIST IR 8259 (Foundational Cybersecurity Activities for IoT Device Manufacturers). This foundation has wide multi-stakeholder support from industry associations, notably due to its compatibility with existing standards such as UL 2900, UL 5500, and IEC 62443. This will make it relatively easy for manufacturers that already comply with those standards to seek out the label. This is key for market traction as the program is entirely voluntary, and comes only a year after the Matter certification launch. Consumer IoT security is becoming a much more visible, and desirable outcome.

The U.S. Cyber Trust Mark is the first such IoT security labeling program launched by a government today. The European Union (EU) is still working on its own cybersecurity certification framework for Information and Communication Technology (ICT) products (led by ENISA), but the U.S. program may have supranational application. In 2023, the United States and the EU signed the EU-US Joint CyberSafe Products Action Plan, which builds on the Cyber Trust Mark, as well as the EU Cyber Resilience Act to ensure national compatibility and alignment between those two instruments (including shared lexicon and taxonomy). In theory, this means consumers in the EU would be able to trust the U.S. label as meeting similar EU standards.

Manufacturers looking to apply to use the U.S. Cyber Trust Label will have to have their product tested against the program’s cybersecurity criteria through one of the accredited CyberLABs. The resulting testing documents will then be reviewed by a CLA, which will determine if it meets the program requirements before allowing use of the label.

While the general process has been laid out, there is still a way to go before the first manufacturers can apply for a label. The next phase is for the CLAs to work together with the FCC to review implementation details of the program, as well as testing procedures for CyberLABs, and provide recommendations that will be available for public comment. The last phase will be to select accredited CyberLABs for the program, before the process can be opened up to manufacturers.

Manufacturers are not yet able to start product accreditation. However, they can start laying the groundwork by looking at how closely their product aligns with NIST 8425, IEC 62443, and UL 2900 and 5500. There is plenty of available material to go on, and this could expedite some of the preliminary work to get a product up to scratch. In a world where consumers are increasingly aware of the threats posed by IoT devices, having a cybersecurity mark of trust appended to a product is likely to provide a competitive advantage, notably in those markets where consumers are likely to spend more for such a label (such as home and child security).