Federal Communications Commission endorses voluntary cyber labeling initiative for Internet of Things gadgets in homes
In a bid to fortify the security of Internet of Things (IoT) devices and critical infrastructure, the U.S. Cyber Trust Mark program has been unveiled. This initiative comes at a time when concerns about the security of IoT devices and critical infrastructure are at an all-time high.
Recent cyber threats, such as Volt Typhoon and KV Botnet, have targeted IoT devices and critical infrastructure in the U.S., causing alarm amongst federal authorities. In January, federal authorities disrupted KV Botnet, where hackers put malware onto hundreds of small office/home office routers.
The U.S. Cyber Trust Mark program aims to ensure that IoT devices bought by federal agencies meet baseline cybersecurity standards. To achieve this, vendors selling consumer IoT products to the federal government must carry the U.S. Cyber Trust Mark labeling on those products. This requirement is part of an updated federal procurement policy. By January 2027, federal agencies may only purchase consumer IoT products bearing the Cyber Trust Mark, which can be machine-read so that compliance verification can be automated.
The Cyber Trust Mark signals adherence to established cybersecurity frameworks and practices aligned with federal guidance. It is intended to keep pace with evolving threats by incorporating practices such as secure software development, use of post-quantum cryptography, and artificial intelligence risk management. Support for Transport Layer Security (TLS) version 1.3 is a specific technical baseline requirement for IoT devices under this initiative.
While secure software development attestations remain a part of broader cybersecurity expectations, recent orders have limited federal mandates on requiring these attestations as contractual obligations. However, federal agencies continue to collect them voluntarily based on NIST guidelines.
The program has the potential to become a worldwide standard for secure IoT devices. The FCC will seek public comment on additional proposed disclosure requirements for the U.S. Cyber Trust Mark program, including whether certain software and firmware are made in countries that pose a security risk to the U.S.
The concerns about IoT security highlighted in this article are indicative of an increased focus on securing IoT devices and critical infrastructure. More than 1.5 billion attacks took place against IoT products during the first six months of 2021, according to third-party data. Some experts remain skeptical about whether a voluntary program like the U.S. Cyber Trust Mark will have enough enforceable requirements to significantly improve consumer device security.
Patrick Gillespie, OT lead at GuidePoint Security, believes that without distinct requirements being imposed on manufacturers, IoT devices will remain insecure. IoT products that can be submitted for testing and evaluation under the U.S. Cyber Trust Mark program include home security cameras, baby monitors, and internet-connected appliances.
The U.S. Cyber Trust Mark program is considered a key component of the Biden administration's national cybersecurity strategy. FCC Chair Jessica Rosenworcel expects more companies to use the U.S. Cyber Trust Mark and consumers to demand it. Connected technologies are expected to be widely used by consumers and businesses, with more than 25 billion devices projected to be in use by 2030.
The skepticism about the U.S. Cyber Trust Mark's effectiveness is rooted in past experiences with other voluntary guidance across critical infrastructure. However, the Biden administration has taken numerous steps in recent years to strengthen the nation's cyber resilience. The U.S. Cyber Trust Mark program is a voluntary program for makers of Internet of Things (IoT) products.
In summary, the Cyber Trust Mark program centers on a labeling requirement for consumer IoT products procured by federal agencies, backed by modern cybersecurity standards and policies. It emphasizes automated compliance verification and alignment with updated executive orders that aim to improve IoT security without overly prescriptive federal software attestation mandates. The program has the potential to significantly improve the security of IoT devices and critical infrastructure, provided it has enough enforceable requirements and is widely adopted.
- The U.S. Cyber Trust Mark program, a key component of the Biden administration's national cybersecurity strategy, aims to improve the security of IoT devices and critical infrastructure by requiring federal vendors to carry the Cyber Trust Mark labeling on consumer IoT products.
- The Cyber Trust Mark signals adherence to established cybersecurity frameworks and practices, including secure software development, use of post-quantum cryptography, and artificial intelligence risk management, and adapts to evolving threats, such as ransomware and malware.