The US government is set to introduce a seal of approval to help consumers identify secure devices connected to the Internet, the White House announced in a press release on January 7.
The US Cyber Trust Mark will certify devices that meet certain security standards. Following the first announcement of the initiative in July 2023, the Federal Communications Commission provided details Tuesday on how companies can submit their products for approval under the new label.
The label applies only to consumer devices rather than connected devices intended for “enterprise, industrial control or manufacturing applications.”
“We see great potential in the US Cyber Trust Mark program,” Michael Dolan, senior director and head of enterprise privacy and data protection at Best Buy, said in the press release. “This is a positive step forward for consumers and we are excited about the opportunity to highlight this program for our customers.”
The news comes at a time when cyberattacks are increasingly affecting companies and governments around the world. In 2024, the Department of Justice disrupted a cyberattack targeting consumer routers and connected cameras.
What is the Cyber Trust Mark?
The Cyber Trust Mark aims to encourage companies to apply cybersecurity best practices to the internet-connected devices they produce. The White House compared the Cyber Trust Mark to the Energy Star label, which educates customers about a product's energy use and influences companies to make their appliances meet Energy Star standards.
In the case of the Cyber Trust Mark, covered devices include:
- Connected appliances.
- Baby monitors.
- Home security cameras.
- Connected doorbells.
- Voice-activated assistants, like Amazon's Alexa.
“Amazon supports the US Cyber Trust Mark's goal of strengthening consumer trust in connected devices,” Amazon Vice President Steve Downer wrote in the press release. “We think consumers will value seeing the US Cyber Trust brand both on product packaging and when purchasing online.”
Amazon and Best Buy plan to highlight the mark in their product listings.
“Building a secure device is expensive; building an insecure device is cheap,” Sean Tufts, managing partner of critical infrastructure and operational technology at Optiv, said in an email to TechRepublic. “This certification puts pressure on business leaders to do the right thing.”
What devices can and cannot receive the label?
Some connected devices are not eligible for the Cyber Trust Mark. For example:
- Medical devices are still under the responsibility of the Food and Drug Administration.
- Connected cars and equipment remain the purview of the National Highway Traffic Safety Administration.
- Personal computers, smartphones, and routers are also exempt, although NIST is working on new standards for consumer routers.
Broadly speaking, the label applies to any other consumer wireless IoT product.
Most companies outside the US can apply for the label, participate in testing labs, or work as administrators. Companies that are prohibited from participating in U.S. government programs cannot apply for the mark, including those on the FCC Covered List, the Department of Commerce Entity List, or the Department of Defense's List of Chinese Military Companies.
How organizations can submit their products for the Cyber Trust Mark
To receive the mark, companies must submit their products to accredited laboratories for compliance testing overseen by the U.S. National Institute of Standards and Technology. Eleven private testing companies have been conditionally approved to be administrators. The FCC said the program is active now and that companies will be able to submit products for testing “soon.”
Once devices are approved, manufacturers can apply the label and a QR code. Customers can scan the code to get security information, such as how to change the default password or configure the device securely. The QR code will include information about built-in security measures, such as how long the device will be supported by the company and whether software patches are automatic or must be applied manually.
If the device does not have security support or updates from the manufacturer, the QR code will indicate this.
Are companies required to participate in the Cyber Trust Mark program?
Submitting products for Cyber Trust Mark approval is entirely voluntary.
“Although voluntary, Consumer Reports hopes that manufacturers will request this mark and that consumers will seek it out when it is available,” Justin Brookman, Director of Technology Policy at Consumer Reports, wrote in the news release.
“However, we must also consider whether this trusted brand will give consumers a false sense of being 'unhackable' and a false sense of complacency,” Tufts said. “This could increase the risk for Americans who are not cyber-aware.”