
Federal Communications Commission endorses voluntary tagging initiative for smart Internet-of-Things domestic appliances

U.S. administration under Biden aims to encourage stronger cybersecurity measures in the design of future Internet of Things (IoT) devices through the Cyber Trust Mark program.

The Federal Communications Commission (FCC) has announced that it will seek public comment on additional proposed disclosure requirements for the U.S. Cyber Trust Mark program, a voluntary initiative aimed at enhancing the cybersecurity of Internet of Things (IoT) devices.

The Cyber Trust Mark program, launched by the FCC, is designed to provide a label for smart products that meet robust cybersecurity standards. The program requires that consumer IoT devices sold at retail for more than $20 carry the Cyber Trust Mark label starting October 2025.

The key requirements tied to the program include adherence to federal cybersecurity standards specifically designed for IoT devices, such as strong device authentication, firmware integrity checks, vulnerability disclosure procedures, and secure software development frameworks. The program also mandates support for Transport Layer Security (TLS) 1.3 for secure communications, regular software updates to fix vulnerabilities, encryption to protect sensitive data, and compliance with security frameworks that facilitate automated machine-readable Cyber Trust Mark data for government procurement.

These requirements stem from federal executive orders clarifying the cybersecurity expectations of IoT devices procured by government agencies and sold in retail. The Cyber Trust Mark is intended to be a visible indicator of device security compliance for consumers, promoting trust and reducing cyber risk.

While some federal cybersecurity mandates around software attestations and identity verification have been scaled back under recent policy changes, the Cyber Trust Mark program remains a key ongoing federal cybersecurity initiative to enhance IoT device security across government and consumer sectors.

The Biden administration has taken numerous steps to strengthen the nation's cyber resilience following the 2020 supply chain attacks and the 2021 ransomware attack against Colonial Pipeline. The U.S. Cyber Trust Mark program is considered a key component of the Biden administration's national cybersecurity strategy.

However, some experts remain skeptical about whether a voluntary program like the Cyber Trust Mark will have enough teeth to significantly improve consumer device security. Patrick Gillespie, OT lead at GuidePoint Security, stated that without distinct requirements being imposed on manufacturers, IoT devices will remain insecure.

Threat groups like Volt Typhoon have exploited vulnerabilities in edge devices in a larger campaign to potentially spread destructive attacks against critical infrastructure providers in the U.S. Over 1.5 billion attacks took place against IoT products during the first six months of 2021, according to third-party data.

As the number of IoT devices in use is expected to reach more than 25 billion by 2030, according to the FCC, the need for a program like the Cyber Trust Mark becomes increasingly important. The FCC will seek public comment on additional proposed disclosure requirements, including whether certain software and firmware is made in countries that pose a security risk to the U.S.

In conclusion, the U.S. Cyber Trust Mark program, with its robust requirements and potential to become the worldwide standard for secure IoT devices, is a significant step towards enhancing cybersecurity in the IoT sector. While the program is voluntary, its expansion with new proposed disclosure requirements indicates a commitment to addressing the growing cybersecurity challenges posed by the increasing use of IoT devices.

  1. Despite some policy changes scaling back federal cybersecurity mandates, the Cyber Trust Mark program remains a key initiative to enhance IoT device security across government and consumer sectors, as part of the Biden administration's national cybersecurity strategy.
  2. The Cyber Trust Mark program, designed to provide a label for smart products meeting robust cybersecurity standards, mandates support for TLS 1.3 for secure communications, regular software updates, encryption to protect sensitive data, and compliance with security frameworks facilitating automated machine-readable Cyber Trust Mark data.
  3. As the number of IoT devices continues to grow, potentially reaching 25 billion by 2030, according to the FCC, the need for a program like the Cyber Trust Mark becomes increasingly important, as it aims to address the growing cybersecurity challenges posed by the expanding IoT sector, including potential threats such as ransomware and malware.
