UL Solutions 美国网络安全信任标志指南

美国网络安全信任标志是什么？

2023 年，美国政府宣布计划推出面向美国消费者的美国网络安全信任标志（US Cyber Trust Mark）¹。网络安全信任标志由联邦通信委员会 (FCC) 监管，旨在成为面向消费级物联网 (IoT) 产品的网络安全认证和标志计划。

此标志将推动消费产品采用物联网安全标准，从而为消费者提供更安全、更可靠的用户体验。

要获得美国网络安全信任标志认证，需要满足哪些要求？

该项计划的具体标准仍在制定中。不过，根据 FCC 的官方公告，该项计划将采用美国国家标准与技术研究院 (NIST) 提出的网络安全标准。这些标准重点关注适用于物联网产品及其相关服务的全生命周期网络安全控制，涵盖各种风险和使用场景，以适应多样化且快速发展的物联网市场。

NIST 物联网网络安全标准涵盖多个技术和非技术领域，包括资产识别、产品配置、数据保护、接口访问控制、软件更新、网络安全态势感知、文档、信息和查询接收、信息传播以及产品教育和认知度普及。

制定标准、合规协议和认证指南是一个非常复杂的过程，需要各行各业的利益相关方群策群力，以便确保这些标准、协议和指南得到有效执行，并迅速得到广泛采纳。FCC 根据这些利益相关方的建议，正式敲定该计划的具体要求。作为计划的主要管理机构，UL Solutions 能够牵头组织和协调各方工作。

哪些类型的设备有资格获得这一标志？

预计多种消费类智能产品将有资格取得这一信任标志，包括但不限于：

美国网络安全信任标志将于何时启用？

美国网络安全信任标志计划预计将于 2025 年启动。为了让消费者尽快熟悉新标志，FCC 将与计划的各利益相关方联合开展消费者宣传活动。此外，FCC 还敦促美国的主要零售商优先考虑销售带有网络安全信任标志¹的产品。

UL Solutions 将在美国网络安全信任标志计划中扮演什么样的角色？ 

UL Solutions 将在美国网络安全信任标志计划中扮演关键的管理角色。UL Solutions 将与各利益相关方合作，就计划的多个重要细节向 FCC 提供建议，包括适用的技术标准、测试程序、上市后监管、产品注册以及消费者宣传活动等。与此同时，UL Solutions 还将负责批准满足 FCC 标准的测试实验室，并计划在 FCC 公布测试实验室的要求和申请流程后立即提交申请。

另外，UL Solutions 还将作为网络安全标志管理机构 (CLA)，授权符合计划标准的产品使用网络安全信任标志。

UL Solutions 将如何协助您做好相关准备？

为了助力您尽快取得美国网络安全信任标志，UL Solutions 将根据 NIST IR 8259 提供评估、咨询和差距分析服务。NIST IR 8259 为理解美国网络安全信任标志新框架提供了基础指导，从中可以了解该框架的预期要求（详见 NIST IR 8425）。

FCC 计划的最终评估要求可能与 NIST IR 8425 中的要求存在些许差异，但我们预计这些差异较为细微。需要注意的是，NIST IR 8259 评估仅针对设备本身，而美国网络安全信任标志有可能包括云服务和手机应用。

立即联系我们，了解我们如何助力您立即着手准备。

1. 美国网络安全信任标志。（日期不详）。联邦通信委员会。引自 https://www.fcc.gov/CyberTrustMark，2024 年 12 月 5 日

2. 美国 FCC 认证标志 – 美国智能设备网络安全标志计划。（2023 年 9 月）。联邦通信委员会。引自 https://www.fcc.gov/cybersecurity-certification-mark，2023 年 11 月 14 日

What requirements need to be fulfilled to obtain U.S. Cyber Trust Mark certification?

The specific criteria for the program are still under development. However, according to official notices from the FCC, the program will adopt the criteria outlined by the National Institute of Standards and Technology (NIST). These criteria focus on cybersecurity controls which should be implemented for security of the entire lifecycle of an IoT product and its associated services. This approach will take into consideration risks and use cases, which is crucial in the diverse and rapidly expanding IoT market.

The NIST IoT cybersecurity criteria cover various technical and nontechnical areas, including asset identification, product configuration, data protection, interface access control, software updates, cybersecurity state awareness, documentation, information and query reception, information dissemination and product education and awareness.

Creating standards, protocols for conformance and certification guidelines is a complex matter. Various industry stakeholders are contributing their expertise and experience to develop these in a way that enables efficiency and prompt, widespread adoption. Based on these stakeholder recommendations, the FCC will make the official determination on the program’s requirements. UL Solutions, serving in the role of Lead Administrator for the program, will lead this stakeholder effort.

What types of devices will be eligible for the Mark?

Various consumer smart products are anticipated to qualify for the Trust Mark, including, but not limited to:

When will the U.S. Cyber Trust Mark begin?

The U.S. Cyber Trust Mark scheme is expected to commence in 2025. To familiarize consumers with the new label, the FCC, in collaboration with program stakeholders, will undertake consumer education efforts. Additionally, major retailers in the United States are urged to prioritize products that bear the Cyber Trust Mark¹.

What is UL Solutions' role in the U.S. Cyber Trust Mark Program? 

UL Solutions will be serving as the Lead Administrator for the program. In that role, UL Solutions will work with stakeholders to make recommendations to the FCC on a number of important program details, like applicable technical standards and testing procedures, post-market surveillance requirements, the product registry, and a consumer education campaign. UL Solutions will also approve testing labs for the program that meet the criteria established by the FCC. UL Solutions plans to apply to become a testing laboratory once the requirements and applications are released.

In addition, UL Solutions will be a Cyber Label Administrator (CLA), authorizing the use of the label for those products that meet the program standards and authorizing labels for those products that meet the program standards.

How can UL Solutions help you prepare?

To jumpstart your journey towards obtaining the U.S. Cyber Trust Mark, UL Solutions is providing assessment, advisory and gap analysis services based on NIST IR 8259, which serves as the foundational guidance for expected requirements of the new U.S. Cyber Trust Mark framework described in NIST IR 8425.

The final FCC program assessment requirements may vary from those in NIST IR 8425. However, we anticipate these variations will be minor. It is worth noting that a NIST IR 8259 assessment will solely focus on the device itself. The inclusion of cloud services and phone applications in the U.S. Cyber Trust Mark is expected to be included as part of the U.S. Cyber Trust Mark.