What will it look like as the U.S. Cyber Trust Mark Certification Program comes online?

When will the U.S. Cyber Trust Mark Certification Program come online? How can IoT manufacturers best prepare?

Larry Pesce

VP of Services

May 30, 2024

The U.S. Cyber Trust Mark certification program is set to make a significant impact on the cybersecurity landscape for wireless IoT products. This program, approved by the FCC on March 14th, aims to establish a voluntary cybersecurity labeling program that will help consumers make informed decisions about the security of their IoT devices.

Many organizations are ready to start the process and are asking, “How can I get a Cyber Trust Mark for my product?”

Movement and Approval

On March 14th, the FCC approved a comprehensive 126-page report and order to establish the U.S. Cyber Trust Mark program. The program's goal is to strengthen the nation's cybersecurity posture by adopting a voluntary labeling program specifically for wireless Internet of Things (IoT) products. The IoT Labeling Program is designed to provide transparency and assurance regarding the cybersecurity features of these products.

The Two-Step Certification Process

The certification process for manufacturers involves a stringent two-step procedure to ensure the integrity and reliability of the cybersecurity label. Here’s a brief overview of the process as outlined in the FCC's order:

Product Testing

Manufacturers must use an accredited and Lead Administrator-recognized laboratory (such as CyberLAB, CLA lab, or an in-house lab) to test their IoT product for compliance with FCC rules. The lab will generate a detailed test report outlining the product's adherence to the established cybersecurity standards. According to the 126-page report, the technical testing criteria will be based on NIST IR 8425.

Certification Application

Following successful testing, manufacturers must apply to an FCC-recognized Certification Lab Authority (CLA), which is an accredited certification body. This body will review the test report and certify the product as fully compliant with all relevant FCC IoT Labeling Program rules.

"Product" vs. "Device"

The use of "product" in this language is significant. In earlier discussions, the testing and certification were intended to be device-based (i.e., a specific router model number), covering only the device. However, the switch to "product" implies testing and certification of not only the hardware device but also the IoT ecosystem associated with it; that is to say, any mobile applications, cloud-based management platforms, backend data storage, etc. would also be subject to the same technical scrutiny as the device itself.

Timeframe for Implementation

Initially, the White House aimed for the certification and label usage to be available by the end of November 2024. However, due to regulatory and procedural delays, the timeline has shifted. The program's official launch is now anticipated in 2025, with the exact timeframe for certification and label usage remaining uncertain.

According to industry sources, the delay is attributed to the requirements of the Paperwork Reduction Act and the Administrative Procedures Act, which necessitate extended periods for the order to take effect and additional procedural steps. Consequently, it is unlikely that the program will be operational before 2025.

At this time, the industry is in a “hurry up and wait” scenario. While many of the technical details, testing authorities, and the review process are well defined, the infrastructure to support the certification process does not yet exist. It is still unclear when these resources will be available to organizations wishing to apply for the Cyber Trust Mark, outside of the vague launch date of 2025.

Conclusion

The U.S. Cyber Trust Mark certification program represents a significant step forward in enhancing the security of wireless IoT products. By establishing a robust and transparent labeling system, the program aims to provide consumers with the confidence that their IoT devices meet stringent cybersecurity standards. While the initial target for implementation has been delayed, the program's launch in 2025 is set to usher in a new era of cybersecurity assurance for IoT products.

Stay tuned for further updates as the FCC continues to refine and implement this critical cybersecurity initiative. At this time, all we can do is wait for further guidance from the FCC.

How Finite State Supports U.S. Cyber Trust Mark

Through its SBOM management, Application Security Posture Management, and industry-leading binary software analysis, Finite State stands ready to support the goals of the Cyber Trust Mark program by offering:

  • Continuous transparency into the components that drive connected devices
  • Confidence in assertions underlying the integrity of the Cyber Trust Mark
  • Tools to validate the assertions that bearers of the Cyber Trust Mark label make

If you would like to see more about what the Finite State Next Generation Platform offers, request a demo today! 

Larry Pesce is VP of Services at Finite State, where he leads product security research and vulnerability assessments across IoT, OT, and healthcare devices. With over 20 years of experience, he’s also a longtime SANS instructor and co-host of Paul’s Security Weekly, known for advancing vulnerability management practices industry-wide.
