White House Launches the Cyber Trust Mark Labeling Program for Consumer Connected Devices

The White House has launched a Cyber Trust Mark labeling program for connected devices, allowing consumers to assess whether various IoT products meet basic cybersecurity requirements.

“The White House launched this bipartisan effort to educate American consumers and give them an easy way to assess the cybersecurity of such products,” the White House stated.

The US Federal Communications Commission (FCC) will oversee the program, assisted by a group of 11 select companies led by UL Solutions as the Cybersecurity Label Administrator (CLA).

Although only recently launched, the program stems from the Biden administration’s 2021 executive order on improving the country’s cybersecurity.

The executive order required the Secretary of Commerce, through the Director of NIST, to “initiate pilot programs informed by existing consumer product labeling programs to educate the public on the security” of IoT devices and software development practices.

The White House believes that, like the Energy Star energy-efficiency label, the Cyber Trust Mark would encourage manufacturers “to produce more cybersecure devices.”

Criteria for accreditation

Consumer Internet of Things (IoT) device manufacturers will voluntarily submit their connected devices for compliance review and accreditation. Major product makers, such as Amazon, Google, Samsung Electronics, LG USA, and Logitech, had already joined the program when it launched in July 2023.

However, submitted connected devices must pass predefined NIST testing criteria to display the Cyber Trust Mark, which will be accompanied by a QR code.

Device owners can use the QR code to check product information, including how to change default passwords, securely configure the device, install updates, and confirm the support period.

Thus, the Cyber Trust Mark will allow consumers to determine if the manufacturer intends to support the device by providing software updates and for how long.

The NIST certification criteria cover areas such as default passwords, software updates, secure software development, data protection, supply chain requirements, security lifecycle policies, vulnerability management policies, and incident detection.

“There are a lot of things to like about this program, especially the focus on IoT cybersecurity basics, such as changing default passwords, patching, data protection, and a software/hardware bill of materials,” said Roger Grimes, data-driven defense evangelist at KnowBe4. “Allowing consumers to scan a QR code and get information from a decentralized IoT registry is a terrific idea. Those reasons alone are reasons enough for the program.”

However, Grimes highlighted the program’s shortcomings, including its voluntary nature and many security requirements being recommendations: “I wish many basic cybersecurity defenses, such as the customer being forced to change the default password and automatic patching, were required to be in the program. It would make the program much more valuable.”

Online retailers will highlight the Cyber Trust Mark label

Online retailers say they will highlight accredited connected devices to encourage more manufacturers to join the Cyber Trust Mark program.

“Amazon supports the U.S. Cyber Trust Mark’s goal to strengthen consumer trust in connected devices,” said Steve Downer, Vice President, Amazon. “We believe consumers will value seeing the U.S. Cyber Trust Mark both on product packaging and while shopping online.”

U.S. Deputy National Security Adviser for Cyber and Emerging Technology Anne Neuberger also disclosed that the administration is working on an executive order requiring the government to buy only Cyber Trust Mark labeled products from 2027.

The FCC also plans to make the program global, allowing other countries and certifying bodies to accept the label.

Which connected devices are eligible for the Cyber Trust Mark?

Connected devices have recently become vulnerable to hacking and unauthorized access, exposing sensitive data and aiding malicious activities such as illegal home surveillance and invasions.

The Cyber Trust Mark program applies to home security cameras, TVs, voice-activated shopping devices, smart appliances, climate control devices, fitness trackers, garage door openers, and baby monitors.

However, it excludes IoT medical devices regulated by the FDA, manufacturing, industrial and enterprise products, wired devices, and automotive products regulated by the National Highway Traffic Safety Administration.

Similarly, products from entities banned from Federal procurement, products addressing national security, and items on the FCC’s Covered List addressed by the Secure Networks Act are beyond the program’s scope.