Finite State Blog

Cyber Trust Mark: Voluntary Cybersecurity Label for Smart Products

Written by Larry Pesce | Mar 27, 2024 2:00:00 PM

In a landmark move to bolster cybersecurity measures for wireless consumer Internet of Things (IoT) products, the Federal Communications Commission (FCC) announced on March 15 the inauguration of a voluntary cybersecurity labeling program, expected to officially launch by EOY 2024, in time for the anticipated sale of large numbers of consumer IoT products during the holiday season.

The U.S. Cyber Trust Mark is the most significant product-security-centric policy action taken in the United States, building on the regulatory momentum we've witnessed in recent years across the US and the EU in the wake of Executive Order 14028 and the EU Cyber Resilience Act.

This initiative, marked by the debut of the "U.S. Cyber Trust Mark," aims to guide consumers in making informed purchasing decisions while incentivizing manufacturers to adhere to elevated cybersecurity standards. Currently, the FCC's Cyber Trust Mark program will target consumer IoT only. 

The program unfolds against the backdrop of an increasing reliance on smart products, which, despite their convenience, have raised concerns over cybersecurity vulnerabilities. The U.S. Cyber Trust Mark outlines the importance of ensuring the cybersecurity of consumer IoT products, emphasizing the need for risk assessment, regular maintenance, and overall security as part of the voluntary program.

With the proliferation of consumer IoT devices such as home security cameras, voice-activated shopping devices, and fitness trackers, ensuring their security has become increasingly important.

Key Features of the Program:

  • U.S. Cyber Trust Mark: A distinguished logo to be displayed on eligible products that comply with the program's cybersecurity criteria.
  • QR Code Transparency: Accompanying QR codes will offer consumers detailed insights into the product's security features and vulnerabilities, including support duration and the provision of automatic software updates.
  • Public-Private Collaboration: Oversight by the FCC, coupled with the engagement of third-party administrators, will ensure a comprehensive approach to evaluating products, authorizing labels, and educating consumers.
  • Rigorous Compliance Testing: Accredited laboratories will undertake the responsibility of testing product compliance, ensuring a high standard of cybersecurity.

The program also opens the floor for public commentary on further disclosure requirements, such as the geographic origins of software development and data storage, particularly in relation to national security concerns.

What Information Will Be Required?

The FCC Cyber Trust Mark Rule (Released Feb. 22, 2024) requires all manufacturers to provide the following product security information via an API, as information to be displayed to the consumer in a simple, uniform way:

  • Date product received authorization (i.e., cybersecurity certification) to affix the label and current status of the authorization (if applicable)
  • Name and contact information of the CLA (Cybersecurity Label Administrator) that authorized use of the FCC IoT Label
  • Name of the lab that conducted the conformity testing
  • Instructions on how to change the default password (if the default password can be changed)
  • Information (or link) for additional information on how to configure the device securely
  • Information as to whether software updates and patches are automatic and how to access security updates/patches if they are not automatic
  • Guaranteed minimum support period for the product (which may be zero, but must be disclosed)
  • Disclosure of whether the manufacturer maintains a Software Bill of Materials (SBOM)
  • Additional data elements that the Bureau determines 

A Timely Response to Growing Threats

This initiative is a response to the escalating threats targeting IoT devices, evidenced by over 1.5 billion attacks in the first half of 2021 alone. With predictions estimating over 25 billion connected IoT devices by 2030, according to statistics cited in the FCC's official press release this month, the urgency for robust cybersecurity measures is unmistakable.

The FCC's cybersecurity labeling program represents a strategic step forward in enhancing the security of consumer IoT products. By fostering a climate of transparency and accountability, the initiative not only empowers consumers with knowledge but also propels manufacturers towards adopting stringent cybersecurity standards, thereby shaping a more secure digital future.

Given the support we've seen from a number of very large consumer electronics companies, we expect compliance with this new program to be achieved in time for labeling to appear on store shelves for the 2024 holiday season.

How Finite State Supports U.S. Cyber Trust Mark

Through its SBOM management, Application Security Posture Management, and industry-leading binary software analysis, Finite State stands ready to support the goals of the Cyber Trust Mark program by offering:

  • Continuous transparency into the components that drive connected devices
  • Confidence in assertions underlying the integrity of the Cyber Trust Mark
  • Tools to validate the assertions that bearers of the Cyber Trust Mark label make

If you would like to see more about what the Finite State Next Generation Platform offers, request a demo today!