EFS Consulting
04/09/2024

U.S. Cyber Trust Mark Approved

The U.S. Cyber Trust Mark, similar to the energy-efficiency Energy Star program, signifies compliance with cybersecurity standards for consumer Internet of Things devices.

As the interconnectivity of devices such as “smart” home products rises, so do the opportunity and willingness to exploit their often substantial security shortcomings. These weaknesses can pose significant privacy risks and enable malicious hackers and cybercriminals to exploit vast networks of interconnected devices for coordinated attacks.

With this new initiative, consumers shall be able to influence the consumer market by prioritizing products with more developed security systems. This, in turn, shall encourage manufacturers to address these widespread vulnerabilities in smart devices. At first, the framework shall only focus on consumer IoT (Internet of Things) products. Subsequently, the basics of the initiative can be expanded to further products.

Testing and information requirements

In order to obtain the Cyber Trust Mark, the devices shall be subject to testing in accredited third-party laboratories. Furthermore, there will be consumer information obligations including the date of authorization, name of the test lab and whether a software bill of materials is included. Instructions on how to change the password (if applicable) and other security-focused configuration means shall also be included. Additionally, the list is still open, allowing for “any additional information the administrator can add”.

Growing support and recognition

The industry expresses satisfaction with the White House’s initiative for the U.S. Cyber Trust Mark due to its comprehensive approach. It will consider not only devices but also their surrounding software ecosystems and, thus, highlight their interconnected nature. Furthermore, because of this interconnectivity, it shall also have an effect on global supply chains and emphasize the importance of the U.S. participating in global discussions on IoT security labeling.

While the mark is voluntary, the initiative aims for international recognition and intends to collaborate with other labeling programs worldwide. Consequently, companies are interested in using it to distinguish their products internationally.

Just the beginning?

Even though it is praised for its efforts, the initiative in its current form only lays the foundation for security. Organizations such as the Consumer Technology Association and Consumer Reports emphasize the need for additional requirements, including encryption, vulnerability reporting, and privacy disclosure. They highlight the importance of incorporating privacy considerations into the label and enhancing security elements. Lastly, further evolution of the Cyber Trust Mark could include more specific trust criteria to better inform consumers about the security of their connected devices.

Official information on the U.S. Cyber Security Mark can be found here.
