What is the U.S. Cyber Trust Mark?
The U.S. Cyber Trust Mark is a proposal by the United States Federal Communications Commission (FCC) to establish a cybersecurity labeling program that will provide consumers with transparent information about the security of their internet-enabled smart devices.
Modeled after the U.S. Energy Star program, the Cyber Trust Mark program is designed to help consumers make informed purchasing decisions and motivate manufacturers to voluntarily adhere to government standards for Internet of Things (IoT) cybersecurity.
If approved, the program could be operational by late 2024.
The FCC’s proposal is part of the United States National Cybersecurity Strategy Implementation and is being overseen by the country’s National Security Council.
Currently, the proposal is inviting public input on matters such as:
- The range of devices or products available in the U.S. eligible for inclusion in the labeling program;
- The formulation of security standards applicable to different types of IoT devices or products;
- Methods for demonstrating compliance with these security standards;
- The entity responsible for overseeing and managing the program;
- Safeguarding the cybersecurity label against unauthorized use;
- Educating consumers about the program.
Consumer Benefits of the Program
It’s expected that compliant smart devices will be able to display the U.S. Cyber Trust Mark logo on packaging alongside a QR code that points to a national registry of certified devices. The national registry will allow consumers to access the most current security information about the product they are thinking of buying and compare the information to that of similar products.
Tech giants like Amazon, Google, LG Electronics, Logitech, and Samsung Electronics have already pledged their support for the U.S. Cyber Trust Mark, which will appear on approved products as a distinct shield logo.
The FCC anticipates that as consumer demand for trustworthy smart products continues to grow, an increasing number of manufacturers will voluntarily participate in the program to demonstrate their commitment to privacy, confidentiality, and security.
Importance of the U.S. Cyber Trust Mark Program
According to Deloitte, U.S. households had an average of 22 connected IoT devices in 2022. These products offer immense benefits, but they also pose a variety of security challenges due to poor design and/or outdated software.
Insecure IoT devices are an attractive target for cybercriminals because they can be used to gain network access that allows the intruder to conduct a lateral attack. Breaches in consumer IoT systems can have severe consequences, ranging from privacy violations to theft – and even physical harm in critical sectors like healthcare.
SonicWall Capture Labs threat researchers recorded 112.3 million instances of IoT malware in 2022, an 87% increase over 2021. At the same time, the number of smart devices is still rising, with projections suggesting there will be more than 25 billion connected devices in operation by 2030.
The absence of universal security standards for IoT devices has led to inconsistencies in security practices, which makes it challenging for consumers to make informed purchasing choices.
To mitigate the security challenges, it is crucial for manufacturers, governments, and consumers to prioritize IoT security.
Eligible Smart Device Products
It’s expected that a broad spectrum of consumer smart products will be eligible for the Trust Mark, including:
- Personal digital assistants
- Internet-connected home security cameras
- Voice-activated remote controls
- Smart speakers
- Smart kitchen appliances
- Fitness trackers like Fitbit
- GPS trackers
- Wearable smart medical devices
- Internet-connected garage door openers
- Smart light bulbs
- Baby monitors
- Robot vacuum cleaners
- Internet-connected televisions
- Smart thermostats
- Consumer-grade routers
Requirements for Certification
The requirements for certification for the U.S. Cyber Trust Mark are still being developed, but they are expected to address the following concerns:
- Unique and strong default passwords: Devices must have unique and strong password defaults that cannot be easily guessed or cracked.
- Data protection: Devices must protect data from unauthorized access, use, disclosure, disruption, modification, or destruction.
- Software updates: Devices must be able to receive software and firmware updates to fix security vulnerabilities.
- Incident detection capabilities: Devices must have the ability to autonomously detect and report security incidents.
- Secure development: Devices must be developed using secure coding best practices.
- Secure supply chain: Devices must be sourced from secure suppliers.
- End-of-life management: Devices must be properly disposed of at the end of their life cycle to prevent security vulnerabilities from being exploited.
The FCC’s call for input indicates that specific requirements for certification may vary, depending on the type of device. For example, wireless devices that process sensitive data, like wireless home routers, may have more stringent requirements than devices that do not.
U.S. Cyber Trust Mark and NIST
The FCC’s proposal for a labeling system, which is outlined in its Notice of Proposed Rulemaking, relies on standards developed by the National Institute of Standards and Technology (NIST). It is expected to build upon existing efforts within the public and private sectors to address cybersecurity and labeling concerns in smart devices, including:
- The NIST Cybersecurity Framework and NIST Special Publication 800-183, both of which offer guidance on securing IoT devices.
- The Industrial Internet Consortium (IIC), the Open Connectivity Foundation (OCF), and the IoT Security Foundation’s efforts to define security standards for IoT devices.
- The National Telecommunications and Information Administration’s guidelines for IoT device makers.
- California and Oregon state laws that mandate specific security features in IoT devices sold in each state.
- The ioXt Alliance’s certification program that assesses the security of IoT devices.
Other IoT Security Standards
The United States is not the only country that is encouraging IoT device manufacturers to make IoT device security a priority. Different countries and international organizations around the world have been working on IoT security standards to safeguard the integrity and privacy of IoT systems. Initiatives include:
The European Union’s proposed Cyber Resilience Act aims to address the lack of cybersecurity in consumer IoT products, as well as the lack of updates or patches to address vulnerabilities. Unlike the voluntary guidance proposed by the United States, the Cyber Resilience Act allows for large fines and penalties for violators, and it specifies that products failing to meet the Act’s outlined safety requirements will not be permitted to go to market.
The United Kingdom’s Product Security and Telecommunications Infrastructure Act of 2022 (PSTIA) helps make sure that consumer IoT devices are more secure against threats by banning default passwords and stipulating that manufacturers disclose how long they plan to offer product security updates.
To ensure compliance with the new regulations, the law sets up an enforcement regime that includes civil and criminal sanctions. It also requires manufacturers to designate a point of contact for reporting IoT device security issues and vulnerabilities.
The European Union Agency for Cybersecurity (ENISA) has been actively working on IoT security recommendations and best practices. The European Cybersecurity Act mandates the development of a European IoT cybersecurity certification framework to ensure the security of IoT devices.
China’s Standardization Administration has established the China Communications Standards Association (CCSA) to develop national IoT standards that cover various aspects of IoT security, including device authentication, data protection, and network security.
The Ministry of Internal Affairs and Communications (MIC) in Japan has issued guidelines for IoT security. These guidelines address issues like password management, data encryption, and software updates to enhance IoT security in the country.
The International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) collaborate on developing global standards for IoT security. ISO/IEC 27001 and ISO/IEC 27002 are widely recognized international standards for information and communication technology (ICT) security that can be applied to IoT systems.