FCC Proposes Cybersecurity Labels, Certifications for IoT Devices

The proposed voluntary program would let companies feature labels on consumer products that clear certain cybersecurity criteria, helping consumers identify and select items that are less prone to cyber attack.

The federal government is advancing its plan to bring cybersecurity labels to IoT devices and other products. If all goes well, consumers in the near future will be able to check smart home products they’re considering for labels indicating whether the items are generally cyber secure. If the consumers wish, they can reduce their risks of suffering a cyber attack by choosing the certified product.

The cybersecurity certification and labeling program — which is still in its proposal stage — is called Cyber Trust Mark and would be voluntary. Under it, participating companies could feature a distinctive shield logo on products of theirs that meet certain cybersecurity criteria like “unique and strong default passwords, data protection, software updates, and incident detection capabilities,” and other features identified by the National Institute of Standards and Technology (NIST), per a White House announcement. Plans also call for QR codes that consumers could scan to view a national registry of certified devices so they could compare security information about different products.

Today, the Biden administration officially announced its proposal for the program, and the Federal Communications Commission (FCC), which would oversee it, applied to register a trademark for the security label. The FCC next intends to seek public comment on how to roll out the program — something it expects to do in 2024.

This first stage focuses on consumer devices like smart refrigerators, TVs and fitness trackers.

Next, the initiative will address consumer-grade routers, which the White House says are higher risk. Attackers compromising these routers could eavesdrop, steal passwords and use the access to attack other devices and “high value networks.” NIST has until the end of the year to finish determining the cybersecurity requirements that such routers should clear to be deemed cybersecure under the labeling program. (The FCC isn’t committing to ultimately adopting NIST’s recommendations but will consider them.)

Another stage of the program will turn attention to the security of certain devices used in clean energy smart grids. The Department of Energy, National Labs and industry partners announced plans today to collaborate on researching and developing the kinds of cybersecurity labeling requirements needed for the smart meters and power inverters used in such an energy grid.

“This new labeling program would help provide Americans with greater assurances about the cybersecurity of the products they use and rely on in their everyday lives,” the White House said in its announcement. “It would also be beneficial for businesses, as it would help differentiate trustworthy products in the marketplace.”

The IoT labeling program is one of the many goals outlined in the Biden administration’s cybersecurity strategy. The National Cybersecurity Strategy Implementation Plan released last week attached more specifics to that objective and called for the National Security Council to identify “the broad contours” of a U.S. government IoT security labeling program and designate an agency to take the lead on it by Q4 of fiscal year 2023.

While the Cyber Trust Mark program is voluntary, the White House said several companies pledged to improve their products’ cybersecurity and voiced support for the program. That list includes Amazon, Best Buy, Google, LG Electronics, Logitech and Samsung Electronics.