On January 7th, 2025, the White House officially announced the launch of the U.S. Cyber Trust Mark, a groundbreaking initiative to empower consumers and incentivize manufacturers to prioritize cybersecurity in connected devices. Here’s what you need to know.
The U.S. Cyber Trust Mark is a voluntary cybersecurity labeling initiative designed to help consumers easily identify devices that meet rigorous security standards. Administered by the Federal Communications Commission (FCC), devices certified under this program will display a distinct shield logo, signaling that they meet the stringent security requirements established by the National Institute of Standards and Technology (NIST). Alongside the logo, there will be a QR code that will take consumers to a registry of information containing details about the device's security, including support periods and whether software patches/updates are automatically applied.
Source: FCC
This voluntary program aims to help Americans make more informed decisions about the connected devices they bring into their homes and incentivize companies to produce more cyber-secure devices, thereby improving IoT security as a whole.
The hope is that the Cyber Trust Mark will do for device security what the Energy Star labels did for energy efficiency — and it looks promising.
Manufacturers wishing to use the U.S. Cyber Trust Mark symbol must follow the FCC's certification process and align their devices with NIST’s cybersecurity baseline requirements.
First, the product must be tested by an accredited and FCC-recognized CyberLab to ensure it meets the necessary requirements.
If the device passes, the next step is to submit an application and supporting documents to a Cybersecurity Label Administrator. (At the time of writing, 11 companies have been conditionally approved to act as CLAs, with UL Solutions acting as Lead Administrator.)
The Cybersecurity Label Administrator will then review the application against the program requirements and either approve or deny it.
Participation in the program is voluntary, but examples of products that are eligible to obtain the U.S. Cyber Trust Mark certification include (but are not limited to):
Wireless broadband routers
Fitness trackers
Smart appliances
Internet-connected home security systems and cameras
Baby monitors
Voice-activated devices, e.g., Amazon Echo (Alexa!), Google Home, etc.
Products excluded from the Cyber Trust Mark program include:
Medical devices regulated by the Food and Drug Administration
Motor vehicles and equipment regulated by the National Highway Traffic Safety Administration
Wired devices
Products primarily used for manufacturing, industrial control, or enterprise applications
Equipment on the FCC’s Covered List and equipment produced by an entity on the covered list
IoT products from a company on other lists addressing national security
IoT products produced by entities banned from Federal procurement
But Larry, the program is voluntary. Why should we bother when we’ve got other mandatory regulations to worry about?
The good news is that if you’re already subject to mandatory regulations like the EU CRA, there’s a good chance you also meet the requirements to apply for the Cyber Trust Mark. If you don’t, the benefits of opting into the program likely outweigh the costs needed to get your product up to scratch.
A few immediate benefits of participation I can see include
Besides, who’s to say how long this program remains voluntary…
The IoT landscape is expanding rapidly, with more than 32.1 billion connected devices expected globally by 2030. And one of the places we’re seeing the biggest increase? The home. From smart fridges to smart salt shakers (yes, really), consumers are bringing more connected devices into their homes than ever before. And while it might be adding more convenience to our lives (salt shaker notwithstanding), it’s also making us more vulnerable.
NETGEAR and Bitdefender’s 2024 IoT Security Landscape Report reveals that home network devices see an average of 10 attacks every 24 hours. So, if you’re still on the fence about the impact of the Cyber Trust Mark, think about that stat next time you’re in the kitchen!
Finite State is built to help you tackle the unique challenges of connected device security. If you’re looking to obtain Cyber Trust Mark certification, our advanced analysis and government-grade expertise can help you get there.
With advanced SBOM management, industry-leading binary and source code analysis, and complete application security posture management, the Finite State platform offers
Talk to us to learn more and start your journey to compliance today.