‘US Cyber Trust Mark’ Security Label Coming to Smart Home Devices

Sometime next year, you’ll have yet another logo to look for on connected-home devices: a shield with the federal government’s stamp of authority. 

That US Cyber Trust Mark, announced by the Biden administration today, will advertise an Internet-of-things (IoT) gadget’s compliance with security criteria developed by the National Institute of Standards and Technology as part of a voluntary program to be run by the Federal Communications Commission. 

“Poorly secured products can enable attackers to gain footholds in American homes and offices,” Anne Neuberger, deputy national security advisory for cyber and emerging technologies, said in a press call on Monday. 

She added that while people realize this risk—“we hear again and again that American consumers want to buy cybersecure products”—many remain unsure about how to pick more secure devices. “In 2024, the program will be up and running,” she said. “You’ll be able to look for the cyber trust mark’s distinct shield.” 

This effort will also let shoppers scan a standardized QR code to get details about a product, such as what security measures it incorporates. That code could also report when a device was last certified under this program, which may include an annual re-certification process.

The White House announcement says the FCC, which already has authority to regulate wireless devices, will enforce these rules—with details to be established in a rulemaking process after input from other regulatory agencies and the Department of Justice.  

The government plans to write these standards based on a NIST report(Opens in a new window) published in September. That document(Opens in a new window) mandates such security measures as minimizing the number of administrative interfaces, securely storing and transmitting data, providing automatic or at least consistently notified software updates, and maintaining vulnerability reporting mechanisms for outsiders. 

The feds plan to make Wi-Fi routers the first gadgets to be evaluated under these standards, since the router in your home can see so much of your internet and home-network traffic. The White House announcement gives NIST until the end of 2023 to wrap up that phase of the work. 

Speaking on the same call, FCC Chair Jessica Rosenworcel said consumers and IoT vendors will benefit: “They are going to be able to differentiate themselves in the market when they meet these standards.” 

She compared this to the Environmental Protection Agency’s Energy Star program(Opens in a new window), which sets energy-efficiency standards for a vast variety of devices and lets manufacturers label compliant hardware with a blue-star logo.

The White House’s announcement touts support from a large set of boldface names in the consumer-electronics industry—among others, Amazon, Best Buy, Cisco Systems, Google, Infineon, LG, Logitech, Qualcomm, and Samsung. It also cites backing from such industry groups as the Connectivity Standards Alliance, the industry body behind the Matter smart-home compatibility and security standard, and the Consumer Technology Association, the trade group that produces CES.

The latter organization endorsed the White House initiative in its own announcement. “While IoT makes our world better, it also tempts bad actors to exploit consumers’ connected devices,” the release quoted CTA President and CEO Gary Shapiro. “Research shows consumers want more information on the safety and security of their connected devices, and we agree.”

CTA’s announcement applauded the label standard for how it will “minimize label footprint on packaging” and predicted that products featuring the label would be on display at the January 2024 edition of CES.

The Biden administration assigned this work to agencies in May of 2021 when President Biden issued an executive order(Opens in a new window) on cybersecurity that has since also led to the government imposing stricter standards on government IT vendors and setting up a safety-review board to report what went wrong in serious security incidents.