What is the US Cyber Trust Mark?
The U.S. Biden-Harris Administration recently revealed plans to introduce the U.S. Cyber Trust Mark [1], a cybersecurity certification and labeling program for consumer IoT products. The program, proposed by the Federal Communications Commission (FCC), aims to promote cybersecurity standards and provide consumers with a safer and more secure purchasing experience.
As part of the program, consumer smart devices that meet the cybersecurity criteria will be labeled with a U.S. Cyber Trust Mark in the form of a shield logo [2]. This labeling will help consumers easily identify and choose products that prioritize cybersecurity. Additionally, the FCC plans to implement a QR code system that links to a national registry of certified devices. This will provide consumers with more detailed information about the smart products they are considering purchasing.
What requirements need to be fulfilled to obtain US Cyber Trust Mark certification?
The specific criteria for the program are still being developed, and the FCC is actively seeking input from device manufacturers and other stakeholders to ensure the success and adoption of the program. However, it is known that the program intends to adopt the criteria outlined by the National Institute of Standards and Technology (NIST). These criteria focus on cybersecurity outcomes rather than prescribing specific requirements or directives. This outcome-based approach offers flexibility, which is crucial in the diverse and rapidly expanding Internet of Things (IoT) market.
The NIST IoT cybersecurity criteria cover various technical and nontechnical areas, including asset identification, product configuration, data protection, interface access control, software updates, cybersecurity state awareness, documentation, information and query reception, information dissemination, and product education and awareness.
Creating standards, protocols for conformance and certification guidelines is a complex matter with numerous unanswered questions. The FCC is collaborating with stakeholders to guarantee that the program's procedures are led by the industry and designed in a way that ensures efficiency, allowing for prompt and widespread adoption.
What types of devices will be eligible for the mark?
Various consumer smart products are anticipated to qualify for the Trust Mark, including:
- Internet-connected home security cameras
- Smart kitchen appliances
- Smart speakers
- Smartwatches and fitness trackers
- Smart televisions
- Personal digital assistants
- GPS trackers
- Smart light bulbs
- Robot vacuum cleaners
When will the US Cyber Trust Mark start?
The U.S. Cyber Trust Mark scheme is anticipated to commence in late 2024, following the FCC’s announcement that it is seeking public input on the cybersecurity labeling initiative. To familiarize consumers with the new label, the FCC, in collaboration with the Cybersecurity and Infrastructure Security Agency, will undertake consumer education efforts. Additionally, major retailers in the United States are urged to prioritize products that bear the Cyber Trust Mark [1].
How can UL Solutions help you prepare?
To jumpstart your journey towards obtaining the U.S. Cyber Trust Mark, UL Solutions is providing assessment, advisory and gap analysis services based on NIST IR 8259, which serves as the fundamental guidance for expected requirements of the new U.S. Cyber Trust Mark framework described in NIST IR 8425.
Please bear in mind that while the final FCC program may have some variations in terms of assessment compared to NIST IR 8425, we anticipate these differences to be negligible. It is worth noting that a NIST IR 8259 assessment will solely focus on the device itself. The inclusion of cloud services and phone applications in the U.S. Cyber Trust Mark is currently uncertain; they may or may not be included in the product scope.
Contact us to learn how we can help you prepare today.
1. Biden-Harris administration announces cybersecurity labeling program for smart devices to protect American consumers. (2023, July 18). The White House. Retrieved Nov. 14, 2023, from https://www.whitehouse.gov/briefing-room/statements-releases/2023/07/18/biden-harris-administration-announces-cybersecurity-labeling-program-for-smart-devices-to-protect-american-consumers/
2. Certification MARK – U.S. cybersecurity labeling program for smart devices. (2023, September). Federal Communications Commission. Retrieved Nov. 14, 2023, from https://www.fcc.gov/cybersecurity-certification-mark