The White House has introduced the U.S. Cyber Trust Mark, a voluntary cybersecurity labelling programme designed to enhance the safety of wireless smart devices and Internet of Things (IoT) products. Administered by the Federal Communications Commission (FCC), the initiative is intended to help consumers identify devices that meet cybersecurity standards set by the National Institute of Standards and Technology (NIST). It applies to products such as fitness trackers, smart appliances, and voice-activated assistants and is set to roll out fully this year.

Following 18 months of public consultation, the programme received unanimous approval from FCC Commissioners in a bipartisan vote. Certified IoT devices will bear a shield logo as a visible indicator of compliance with cybersecurity requirements.

“Major electronics, appliance, and consumer product manufacturers, as well as retailers and trade associations, have been working to increase cybersecurity for the products they sell,” the White House stated. “The U.S. Cyber Trust Mark programme allows them to test products against established cybersecurity criteria from the U.S. National Institute of Standards and Technology via compliance testing by accredited labs, and earn the Cyber Trust Mark label, providing an easy way for American consumers to see the cybersecurity of products they choose to bring into their homes.”

The rise of IoT devices in homes has raised cybersecurity concerns, including risks of unauthorised access to cameras, hacking of security systems, and vulnerabilities in other devices. The U.S. Cyber Trust Mark aims to address these risks by offering a standardised method for assessing device security.

Manufacturers can submit devices for compliance testing at accredited laboratories. Certified products will earn the U.S. Cyber Trust Mark, featuring a QR code that links to a registry with information about the device’s security features. This includes guidance on changing default passwords, securely configuring devices and accessing updates, as well as details on the product’s support period.

The programme applies to IoT products such as home security cameras, baby monitors, and smart appliances. However, it excludes medical devices regulated by the US Food and Drug Administration (FDA), motor vehicles, wired devices, and industrial or enterprise equipment. Devices from manufacturers restricted under federal procurement rules or flagged for national security concerns are also ineligible.

According to the US government, the programme involves collaboration between public agencies, manufacturers, retailers, and third-party labs. UL Solutions has been conditionally appointed as the lead administrator, overseeing compliance testing and certification. Retailers like Amazon and Best Buy are expected to promote labelled devices.

“Amazon supports the U.S. Cyber Trust Mark’s goal to strengthen consumer trust in connected devices,” said Amazon’s vice president Steve Downer. “We believe consumers will value seeing the U.S. Cyber Trust Mark both on product packaging and while shopping online. We look forward to collaborating with industry partners and the government on consumer education efforts and implementation strategies.”

The FCC stated that it is working with other agencies to explore mutual recognition of cybersecurity labels with international partners to ensure global compatibility and expand the programme’s reach. It is finalising details such as testing standards, label design, and the registry structure while reviewing public feedback on national security disclosures and post-market surveillance.

Applications for certification will open after finalisation. Consumers will then find U.S. Cyber Trust Mark-labelled devices in stores and online, with the QR code providing instant access to security details.

Global IoT security efforts

The U.S. Cyber Trust Mark aligns with international initiatives to improve IoT security. In January 2024, the EU and the US formalised a joint roadmap for a consumer labelling programme to harmonise standards and support mutual recognition of cybersecurity labels, streamlining compliance for manufacturers across regions.

In the UK, the Product Security and Telecommunications Infrastructure (PSTI) Act enforces requirements for consumer IoT products, including bans on default passwords, transparency about security update durations, and mandatory vulnerability disclosure policies. These measures aim to enhance consumer protection and strengthen IoT security in the UK market.
