The US Federal Communications Commission (FCC) has adopted a voluntary cybersecurity labelling program for wireless consumer Internet of Things (IoT) products.
The program will enable qualifying consumer smart device manufacturers to demonstrate that their product has met the FCC’s robust cybersecurity standards.
This includes a new ‘US Cyber Trust Mark’ logo, which consumers can scan for easy-to-understand security information relating to the product, such as the length of the support period and whether software patches and security updates are automatic.
The trust mark logo was announced by the Biden-Harris administration in July 2023.
The initiative is designed to help consumers factor cybersecurity into their purchasing decisions by differentiating safe products in the marketplace. It is also hoped this will create market incentives for IoT manufacturers to enhance the security of their products.
IoT devices, such as home security cameras, fitness trackers and baby monitors, have been heavily targeted by cybercriminals in recent years. They often provides a gateway to targeting businesses, with a recent study finding that 50% of companies have experienced IoT cyber incidents.
It is forecast that there will be more than 29 billion IoT devices in operation by 2030, which has put the issue of smart device security on the radar of governments.
The EU and UK have recently created legislation imposing minimum cybersecurity standards of smart device manufacturers.
How the FCC Labeling Program Will Work
The FCC will provide oversight of the program, with approved third-party label administrators managing activities such as evaluating production applications, authorizing use of the label and consumer education.
These administrators will be selected following a “rigorous selection process.”
Accredited laboratories will handle manufacturers’ compliance testing.
The FCC is also seeking public comment on additional disclosure requirements.
Future requirements could include whether the software or firmware for a product is developed or deployed by a company located in a country that presents national security concerns and whether customer data collected by the product will be sent to servers located in such a country.
FCC Chairwoman Jessica Rosenworcel said: “Just like the ‘Energy Star’ logo helps us know which devices are energy efficient, the Cyber Trust Mark will help us make informed choices about the security and privacy of IoT products we bring into our homes and businesses.”
She added: “Our expectation is that over time more companies will use the Cyber Trust Mark – and more consumers will demand it. This has the power to become the worldwide standard for secure IoT devices. To get to this point, we know we need to work with our federal partners, manufacturers, retailers, and cybersecurity groups. We are ready to do just that.”
Commenting on the announcement, Tim Mackey, head of software supply chain risk at the Synopsys Software Integrity Group, noted that the voluntary nature of the new program will mean it is unlikely there will be an influx of certified devices on store shelves or from online retailers.
Additionally, Cyber Trust Mark does not apply to medical devices that are regulated by the FDA.
“Consumers should expect to see manufacturers who take cybersecurity seriously aggressively pursuing certification,” stated Mackey.