The U.S. government is preparing to launch the Cyber Trust Mark, a program designed to help consumers identify secure Internet of Things (IoT) devices through a recognizable label. Announced on January 7, the initiative addresses growing concerns about the cybersecurity vulnerabilities posed by connected devices like home security cameras, baby monitors and voice-activated assistants. The program does not apply to computers or smartphones.
Setting the Standards
Physical and cybersecurity technology specialist Kasia Hanson, founder and CEO of consultancy firm KFactor Global, said the program has garnered many supporters and critics alike. She believes the U.S. Cyber Trust Mark is a starting point that deserves to evolve and grow.
“We have to start somewhere if we are going to bolster our cybersecurity in products delivered to consumers. Manufacturers will see some challenges, including increased resourcing with skilled teams,” she said. “The cost to implement and maintain compliance could increase, and time to deliver products to market may slow. Manufacturers will also need to ensure clear education to their employees and customers about their products.”
Because the program is still voluntary, Hanson said manufacturers can differentiate their wares in the market and showcase their ability to deliver more secure products. Still, she added, “some may view the costs, resourcing, and time-to-market delays as cumbersome.”
While the initiative has been broadly welcomed, some experts have highlighted potential limitations. Roger Grimes, a data-driven defense evangelist at KnowBe4, praised the program’s focus on IoT cybersecurity basics, such as changing default passwords, patching, and providing a software and hardware bill of materials.
“Allowing consumers to scan a QR code and get information from a decentralized IoT registry is a terrific idea,” he said. “Those reasons alone are reasons enough for the program.”
However, Grimes expressed concerns about the voluntary nature of the program and its reliance on recommendations rather than mandatory requirements. “I wish many basic cybersecurity defenses, such as the customer being forced to change the default password and automatic patching, were required to be in the program. It would make the program much more valuable,” he explained.
Grimes also pointed out that vendors participating in the program must disclose practices like hard-coded default passwords rather than being prohibited from using them altogether.
“The way I read the current requirements, a vendor could apply the mark if they simply told the consumer they only patched once a year, never automatically,” he said. “Wouldn’t it be better if the mark actually meant the vendor was using generally accepted safe cybersecurity practices?”
Challenges of IoT Security
Chuck Brooks, a globally recognized cybersecurity expert and adjunct professor at Georgetown University, praised the program as a much-needed initiative to enhance IoT security. “The U.S. Cyber Trust Mark program is a welcome and needed initiative that will enhance cybersecurity,” he said. “In general, the program goal is to help secure smart connected devices both for consumers and businesses of the Internet of Things.”
Brooks noted the scale of the IoT ecosystem, with billions of devices and trillions of sensors already in use globally. “Safeguarding such a large attack surface is difficult, particularly when the devices vary widely in security standards,” he explained. “Anything connected can be compromised, making initiatives like the Cyber Trust Mark vital for risk management.”
He also emphasized the unique challenges posed by IoT devices, which often lack the processing and storage power to support traditional cybersecurity measures like firewalls and antivirus software. “This makes these devices particularly vulnerable,” Brooks said, adding that edge computing, which aggregates local data, is an attractive target for skilled threat actors.
Manufacturer Accountability
The program also aims to pressure manufacturers to prioritize security during product development. “Building a secure device is expensive; building an insecure device is cheap,” said Sean Tufts, managing partner for critical infrastructure and operational technology at Optiv. “This certification puts pressure on business leaders to do the right thing.”
According to the White House announcement, the Cyber Trust Mark represents an important step toward increasing transparency and accountability in IoT security as the rollout progresses in 2025. To obtain the U.S. Cyber Trust Mark, companies must submit their devices for evaluation by laboratories accredited by the Federal Communications Commission (FCC), known as Cybersecurity Label Administrators.
Hanson does not expect the U.S. Cyber Trust Mark to slow the adoption of IoT devices, given that the program is voluntary at this time. “It is an opportunity for those that want to lead and innovate to showcase their commitment to improved security of devices,” she said. “The program will evolve and hopefully grow broad industry support. In the meantime, public awareness will be crucial in order for it to be successful.”
Tufts warned that the trust mark could give consumers a false sense of security. “This could increase risk for Americans that are cyber unaware,” he said.
Future Considerations
Brooks highlighted the importance of a risk management strategy in addressing IoT security challenges. “Understanding what is connected, safeguarding the most valuable assets, and efficiently addressing security breaches are all critical to securing the Internet of Things,” he said.
He also noted that emerging technologies will add complexity to IoT security. “Artificial intelligence can automate attacks and find vulnerabilities in device supply chains,” Brooks explained. “5G can significantly expand the speeds of data transfer, and quantum technologies will soon require quantum-resistant encryption for devices in critical infrastructure and sensitive areas.”
The initiative follows over 18 months of public consultation and a unanimous 5-0 decision by FCC commissioners earlier this year to approve the program and its trademarked shield logo. In December, the FCC named 11 companies as label administrators, with UL Solutions being conditionally chosen to serve as the lead administrator. To display the Cyber Trust Mark seal on their packaging, companies must have their products evaluated by the government against well-established cybersecurity standards developed by the U.S. National Institute of Standards and Technology (NIST).
While participation in the program is voluntary, companies like Amazon and Best Buy have expressed plans to showcase products featuring the U.S. Cyber Trust Mark.
Michael Dolan, Best Buy’s head of enterprise privacy and data protection, stated that his company “sees great potential” in the program and called it a “positive step forward for consumers.”
“We believe consumers will value seeing the U.S. Cyber Trust Mark both on product packaging and while shopping online,” stated Steve Downer, vice president at Amazon. “We look forward to collaborating with industry partners and the government on consumer education efforts and implementation strategies.”