FCC Launches 'Cyber Trust Mark' for IoT Devices to Certify Security Compliance

The U.S. government on Tuesday announced the launch of the U.S. Cyber Trust Mark, a new cybersecurity safety label for Internet-of-Things (IoT) consumer devices.

"IoT products can be susceptible to a range of security vulnerabilities," the U.S. Federal Communications Commission (FCC) said. "Under this program, qualifying consumer smart products that meet robust cybersecurity standards will bear a label—including a new 'U.S Cyber Trust Mark.'"

As part of the effort, the logo will be accompanied by a QR code that users can scan, taking them to a registry of information with easy-to-understand details about the security of the product, such as the support period and whether software patches and security updates are automatic.

The information will also comprise details related to changing the default password and the various steps users can take to configure the device securely.

The initiative, announced back in July 2023, is expected to involve third-party cybersecurity label administrators who will be in charge of evaluating product applications and authorizing use of the label. Compliance testing will be handled by accredited labs, the FCC added.

Eligible products that come under the purview of the Cyber Trust Mark program include internet-connected home security cameras, voice-activated shopping devices, smart appliances, fitness trackers, garage door openers, and baby monitors.

It does not cover medical devices regulated by the Food and Drug Administration (FDA); motor vehicles and equipment regulated by the National Highway Traffic Safety Administration (NHTSA); wired devices; and products used for manufacturing, industrial control, or enterprise applications.

The program also does not extend to equipment added to the FCC's Covered List; and products manufactured by companies added to other lists for national security reasons (Department of Commerce's Entity List or Department of Defense's List of Chinese Military Companies), or banned from Federal procurement.

To apply to use the U.S. Cyber Trust Mark, manufacturers who meet the eligibility criteria must have their products tested by an accredited and FCC- recognized CyberLAB to ensure they meet the program's cybersecurity requirements, and then submit an application to a Cybersecurity Label Administrator with the necessary supporting documents.

"The U.S. Cyber Trust Mark program allows them to test products against established cybersecurity criteria from the U.S. National Institute of Standards and Technology via compliance testing by accredited labs, and earn the Cyber Trust Mark label, providing an easy way for American consumers to see the cybersecurity of products they choose to bring into their homes," the White House said.