What just happened? In an age where many Internet of Things devices suffer from vulnerabilities and other security risks, the Biden administration has announced its IoT labeling campaign. The US Cyber Trust Mark program is designed to help Americans identify which connected devices meet government cybersecurity requirements.
FCC Chairwoman Jessica Rosenworcel said in a press briefing that internet or Bluetooth-connected devices carrying the US Cyber Trust Mark must meet security standards based on those established in a report by the National Institute of Standards and Technology (NIST). The report classifies an IoT device as any network-connected device with a "sensor or actuator."
In addition to the Cyber Trust logo on the box, there will be a QR code that directs to a national registry of certified devices. The registry provides up-to-date security information, such as the software update policies, details on data encryption standards, and what is being done to address any vulnerabilities. Scanning the code also confirms that the device is still certified and shows whether any patches are needed.
Several manufacturers, retailers, and trade associations have already signed up for the voluntary program, including Google, Samsung, Logitech, Amazon, Best Buy, Qualcomm, LG, Cisco, and the Connectivity Standards Alliance.
It will be a while before we start seeing the labels and QR codes on IoT devices. The US Cyber Trust Mark program isn't expected to be in place until late 2024, while the labels are arriving "soon after." There will also be a public comment period before the rollout to determine the criteria used for granting the marks.
An FCC official said the Commission is considering annual recertifications but has yet to decide interval lengths. Certification will be handled by third parties like the Connectivity Standards Alliance or the Consumer Technology Association, Deputy National Security Advisor Anne Neuberger told The Verge. It's unclear what punishments the FCC will hand out to companies that use the label on products that aren't secure.
"We knew that we didn't want to create a label that said this product had been certified and secured and then stayed secure forever," a senior administration official said.
Earlier this week, the US Department of Energy announced that it is working with industry partners to develop similar cybersecurity labels for smart meters and power inverters.