On July 18, 2023, the U.S. Administration announced that a cybersecurity certification and labeling program, known as the Cyber Trust Mark, will soon be introduced.
The Federal Communications Commission (FCC) proposed the program to raise the bar for cybersecurity across smart devices. It intends to make it easier for consumers to make purchases that are safer and less vulnerable to cyberattacks.
We answer some of the common questions you may have about the new program.
What is the Cyber Trust Mark?
Under the proposed program, a “U.S. Cyber Trust Mark” in the form of a shield logo will be displayed on products that meet the established cybersecurity criteria. This makes safer products easier to identify, so consumers can make informed decisions about the products they choose to purchase.
Like the forthcoming Battery Regulation in the UK, the FCC also intends to use a QR code linking to a national registry of certified devices, giving consumers access to more information about the smart product.
What Criteria Is the Cyber Trust Mark Based On?
Certification will be based on cybersecurity criteria published by the National Institute of Standards and Technology (NIST). For example, the requirements set out by NIST include unique and strong default passwords and incident detection capabilities.
Is This a New Standard?
Yes, for the U.S., but not so much on the global stage. In fact, the introduction of this program brings the U.S. in line with its European counterparts and the CE Marking.
In 2022, the EU Commission made cybersecurity mandatory for CE Markings of all radio equipment via the Radio Equipment Directive (RED). The directive will take effect on April 29, 2024, and covers the majority of IoT and wireless products.
It is likely the Biden-Harris administration will be engaging its European partners toward harmonizing international standards.
Which Type of Devices Are Covered?
The latest brief mainly highlights smart consumer products including “smart refrigerators, smart microwaves, smart televisions, smart climate control systems, smart fitness trackers, and more.”
The program and the regulations within it are likely to align with current global cybersecurity labeling standards, for instance the European CE Mark or the PSTI Bill in the UK. Stakeholders including manufacturers, importers, and distributors will be encouraged to increase cybersecurity for the products they sell or distribute.
Does It Extend to Non-Consumer Smart Devices?
This is highly likely. NIST is simultaneously defining cybersecurity requirements for routers, which can be used to eavesdrop, steal passwords, and attack other devices and high-value networks.
The U.S. Department of Energy is also researching cybersecurity labeling requirements for smart meters and power inverters.
When Will Cyber Trust Mark Start?
As of writing, the FCC is preparing to seek public comment regarding the cybersecurity labeling program. The implementation of the program is expected in 2024, with a grace period for stakeholders to comply.
The FCC, together with the Cybersecurity and Infrastructure Security Agency, will take some time to educate consumers to look for the new label when making purchasing decisions. They will also be encouraging major U.S. retailers to prioritize labeled products.
The Road Ahead
As we’ve said before, cybersecurity and data privacy regulations are only going to become more robust. This is another step in the right direction to protect users from malicious actors and the increasingly complex cyber-attack landscape.
Securing IoT devices is more important than ever. So, don’t wait till you suffer a cyberattack! Take a more proactive approach to cybersecurity hygiene today.