On July 18, 2023, the U.S. Administration announced that a cybersecurity certification and labelling program, known as the Cyber Trust Mark, will soon be introduced.
The Federal Communications Commission (FCC) proposed the program to raise the bar for cybersecurity across smart devices. It intends to make it easier for consumers to make purchases that are safer and less vulnerable to cyberattacks.
Read on as we go through some of the main points of the new program.
What exactly is the Cyber Trust Mark?
Under the proposed program, products that meet the established cybersecurity criteria can display a “U.S. Cyber Trust Mark” in the form of a shield logo. This makes safer products more easily identifiable, so consumers can make informed decisions about the products they choose to purchase.
Like the forthcoming Battery Regulation in the UK, the FCC also intends to use a QR code linking to a national registry of certified devices, giving consumers access to more information about the smart product.
What criteria and/or guidelines is the Cyber Trust Mark based on?
Products will be assessed against cybersecurity criteria published by the National Institute of Standards and Technology (NIST). For example, the requirements set out by NIST include unique and strong default passwords and incident detection capabilities.
Is this a new standard?
Yes, for the U.S., but not so much on the global stage. In fact, the introduction of this program actually brings the U.S. in line with its European counterparts with the CE Marking.
CE marking indicates that a product has been assessed by the manufacturer and deemed to meet EU safety, health and environmental protection requirements. It is required for products manufactured anywhere in the world that are then marketed in the EU. This CE marking directive was introduced as far back as July 1993.
In 2022, the EU Commission made cybersecurity mandatory for CE Markings of all radio equipment via the pre-existing Radio Equipment Directive (RED). As of August 2024, cybersecurity will formally be a mandatory requirement for CE marking of all radio equipment.
It is likely the Biden-Harris administration will be engaging its European partners towards harmonizing international standards.
What type of devices does this program cover?
The latest brief mainly highlights smart consumer products, including “smart refrigerators, smart microwaves, smart televisions, smart climate control systems, smart fitness trackers, and more”.
The program and the regulations within it are likely to align with current global cybersecurity labelling standards, such as the European CE Mark or the PSTI Bill in the UK. Stakeholders including manufacturers, importers and distributors will be encouraged to increase cybersecurity for the products they sell or distribute.
Does it also extend to non-consumer smart devices?
This is highly likely. NIST is simultaneously defining cybersecurity requirements for routers, since these can be used to eavesdrop, steal passwords, and attack other devices and high-value networks.
Additionally, the U.S. Department of Energy is also researching cybersecurity labelling requirements for smart meters and power inverters.
When will the program come into force?
As of writing, the FCC is preparing to seek public comment regarding the cybersecurity labelling program. The implementation of the program is expected in 2024, with a grace period for stakeholders to comply.
The FCC, together with the Cybersecurity and Infrastructure Security Agency, will take some time to educate consumers to look for the new label when making purchasing decisions. They will also be encouraging major U.S. retailers to prioritize labelled products.
The road ahead
As we’ve said before, cybersecurity and data privacy regulations are only going to become more robust. This is another step in the right direction to protect users from malicious actors and the increasingly complex cyber-attack landscape.
If you’d like to discuss this program and learn more about how to safeguard your device and data, while lowering operating costs and integration complexities, schedule a one-on-one meeting with our industry experts today.