The U.S. government is set to introduce a seal of approval to help consumers identify secure internet-connected devices, the White House announced in a press release on Jan. 7.
The U.S. Cyber Trust Mark will certify devices that meet certain security standards. Following the initiative’s first announcement in July 2023, the Federal Communications Commission provided details on Tuesday about how companies can submit their products for approval under the new label.
The label applies only to consumer devices, not to connected devices intended for “manufacturing, industrial control or enterprise applications.”
“We see great potential in the US Cyber Trust Mark Program,” said Michael Dolan, senior director and head of enterprise privacy and data protection at Best Buy, in the press release. “It is a positive step forward for consumers and we are excited about the opportunity to highlight this program for our customers.”
The news comes as cyberattacks are increasingly plaguing companies and governments worldwide. In 2024, the Justice Department disrupted a cyberattack that had targeted consumer routers and connected cameras.
What is the Cyber Trust Mark?
The Cyber Trust Mark is intended to incentivize companies to apply cybersecurity best practices to the internet-connected devices they produce. The White House compared the Cyber Trust Mark to the Energy Star label, which educates customers about a product’s energy use and influences companies to make their appliances meet the Energy Star standards.
In the case of the Cyber Trust Mark, devices covered include:
- Connected appliances.
- Baby monitors.
- Home security cameras.
- Connected doorbells.
- Voice-activated assistants, such as Amazon’s Alexa.
“Amazon supports the U.S. Cyber Trust Mark’s goal to strengthen consumer trust in connected devices,” Amazon Vice President Steve Downer wrote in the news release. “We believe consumers will value seeing the U.S. Cyber Trust Mark both on product packaging and while shopping online.”
Amazon and Best Buy plan to highlight the mark in their product listings.
“Building a secure device is expensive; building an insecure device is cheap,” said Sean Tufts, managing partner for critical infrastructure and operational technology at Optiv, in an email to TechRepublic. “This certification puts pressure on business leaders to do the right thing.”
What devices can and can’t receive the label?
Some connected devices aren’t eligible for the Cyber Trust Mark. For example:
- Medical devices still fall under the Food and Drug Administration.
- Connected cars and equipment remain under the purview of the National Highway Traffic Safety Administration.
- Personal computers, smartphones, and routers are also exempt — although NIST is working on new standards for consumer routers.
Broadly, the label applies to any other consumer wireless IoT products.
Most companies outside of the U.S. can apply for the label, participate in testing labs, or work as administrators. Companies prohibited from participating in U.S. government programs can’t apply for the mark, including those on the FCC Covered List, the Department of Commerce’s Entity List, or the Department of Defense’s List of Chinese Military Companies.
How organizations can submit their products for the Cyber Trust Mark
To receive the mark, companies must submit products to accredited labs for compliance testing overseen by the U.S. National Institute of Standards and Technology. Eleven private testing companies have been conditionally approved to be administrators. The FCC said the program is active now, and companies will be able to submit products for testing “soon.”
Once devices are approved, manufacturers can apply the label and a QR code. Customers can scan the code to learn security information such as how to change the default password or configure the device securely. The QR code will include information about built-in security measures, such as how long the device will receive support from the company and whether software patches are automatic or must be applied manually.
If the device does not have security support or updates from the manufacturer, the QR code will note that.
Are companies required to participate in the Cyber Trust Mark program?
Submitting products for Cyber Trust Mark approval is entirely voluntary.
“While voluntary, Consumer Reports hopes that manufacturers will apply for this mark, and that consumers will look for it when it becomes available,” Justin Brookman, Director of Technology Policy, Consumer Reports, wrote in the press release.
“However, we also must consider whether this trust mark will give consumers a false sense of being ‘unhackable’ and a false sense of complacency,” Tufts said. “This could increase risk for Americans that are cyber unaware.”