What is the FCC Cyber Trust Mark? A Guide for IoT Manufacturers

An Introduction to the US IoT Security Label for IoT device manufacturers: The FCC Cyber Trust Mark
The proliferation of Internet of Things (IoT) devices has profoundly reshaped our daily lives, offering unprecedented convenience – from smart home automation to voice-activated shopping. Yet this connectivity brings inherent risks. These smart products are susceptible to a myriad of security vulnerabilities, which cyber criminals increasingly exploit, posing threats to user privacy and even national security. In response to these growing concerns, the U.S. Federal Communications Commission (FCC) has launched the voluntary U.S. Cyber Trust Mark program. This initiative aims to provide a clear, easily understandable indicator of a product’s baseline cybersecurity, much like “ENERGY STAR” signifies energy efficiency. For businesses, the mark offers a way to differentiate trustworthy products and demonstrate a commitment to security-by-design. The program saw its final rules adopted in March 2024 and is expected to be operational for product submissions in 2025. In this blog we introduce the FCC Cyber Trust Mark and what it means for IoT device manufacturers.
Target Audience
The blog is especially useful to the following roles:
- C-suite executives / Business Owners: To understand the business impact, potential costs, and the overall need for the FCC Cyber Trust Mark.
- Product Managers & Engineering Managers: To grasp how the FCC Cyber Trust Mark affects product design (“security by design”), the development lifecycle, vulnerability management, and ongoing maintenance.
The Strategic Edge: Benefits for Your Business and Customers
Participating in the U.S. Cyber Trust Mark program offers significant advantages for both manufacturers and consumers:
For Consumers:
- Informed Decisions & Confidence: The mark provides a simple, recognizable signal of baseline cybersecurity, enabling consumers to make more informed purchasing decisions and boosting their confidence in the security of the IoT products they bring into their homes.
- Accessible Information: The mark is accompanied by a QR code that links to a public registry containing easy-to-understand details about the product’s security, such as the minimum support period, whether software patches are automatic, and how to change default passwords. This directly addresses the current lack of readily available security information for consumers prior to purchase.
For Companies (Manufacturers & Retailers):
- Market Differentiation & Competitive Advantage: Bearing the Cyber Trust Mark allows manufacturers to visibly differentiate their products from competitors that do not participate, creating a clear quality signal in the marketplace. This can lead to increased product awareness and sales.
- Reduced Risk & Improved Reputation: By aligning with robust cybersecurity standards, participating businesses can reduce the likelihood of costly cybersecurity incidents, mitigate reputational damage, and foster greater goodwill with consumers.
- Flexibility & Efficiency: The voluntary nature allows companies to assess the benefits versus costs of participation for specific product lines. The allowance for accredited in-house testing labs can also offer cost and time savings. The reliance on existing industry consensus standards further expedites program development and implementation.
- Streamlined Labeling: The binary label approach simplifies implementation for manufacturers compared to more complex multi-tiered systems.
Path to Earning the U.S. Cyber Trust Mark
Product Scope:
Initially, the program applies only to wireless consumer IoT products. Excluded are medical devices (regulated by the FDA), motor vehicles (regulated by NHTSA), wired devices, and products primarily for manufacturing, industrial control, or enterprise applications. Importantly, the program applies to the entire “IoT product” – encompassing the IoT device itself and any additional necessary components like back-end services, gateways, or mobile applications – rather than just the individual device. This comprehensive scope ensures that the full functionality of the product, including its interconnected ecosystem, is considered for security.
The Foundational Standards: NIST Core Baseline:
The Cyber Trust Mark program is built upon the National Institute of Standards and Technology’s (NIST) “Profile of the IoT Core Baseline for Consumer IoT Products” (NISTIR 8425). This framework outlines ten key cybersecurity capabilities, categorised into:
- IoT Product Capabilities: Asset Identification, Product Configuration, Data Protection, Interface Access Control, Software Update, and Cybersecurity State Awareness.
- IoT Product Developer Activities: Documentation, Information and Query Reception, Information Dissemination, and Product Education and Awareness.
These capabilities are framed as “outcomes” to provide flexibility across the diverse IoT market. The Lead Administrator, in collaboration with industry stakeholders, will develop specific technical standards and testing procedures based on NISTIR 8425 for various product classes.
Securing the FCC Cyber Trust Mark
For IoT device manufacturers, securing the Cyber Trust Mark involves a structured, two-step process:
- Rigorous Product Testing by Accredited Laboratories: The initial phase requires your IoT product to undergo comprehensive testing by an accredited and FCC-recognized laboratory. These testing bodies, known as Cybersecurity Testing Laboratories (CyberLABs), must demonstrate technical expertise in cybersecurity testing of IoT products and comply with ISO/IEC 17025 accreditation requirements. Crucially, manufacturers have the flexibility to utilise independent third-party CyberLABs, or even their own in-house testing labs, provided these in-house facilities meet the same stringent accreditation and recognition standards as external CyberLABs. The outcome of this testing is a detailed conformity and compliance report.
- Application for Certification with a Cybersecurity Label Administrator (CLA): Once your product has successfully undergone testing, the next step is to submit an application, along with the supporting test report, to a Cybersecurity Label Administrator (CLA). The FCC has selected UL LLC (UL Solutions) as the initial Lead Administrator, who will also serve as a CLA. CLAs are accredited third-party entities, independent of the applicant, authorised by the FCC to manage and administer aspects of the labelling program. They are responsible for reviewing applications and supporting data to determine compliance with program requirements, ultimately granting or denying the authority to use the FCC IoT Label. CLAs must themselves be accredited to the ISO/IEC 17065 standard.
Challenges: What to Watch Out For
- Voluntary Participation & Market Adoption: Some argue that the voluntary nature might limit widespread adoption, especially by smaller businesses with limited resources. However, the FCC believes consumer demand will drive participation.
- Implementation Complexity & Costs: Standing up such a comprehensive program involves many steps and ongoing coordination. Manufacturers will incur costs for conformity testing, CLA fees, internal compliance, and mark placement. The initial setup and administration of the decentralised registry, though designed for efficiency, also entails costs.
- Maintaining Integrity & Trust: The program’s success hinges on maintaining the integrity of the mark. The FCC has consciously decided against a “self-attestation” model for product certification, learning from the ENERGY STAR program’s past challenges with fraudulent certifications that undermined consumer trust. Robust post-market surveillance and auditing by CLAs are crucial to ensure ongoing compliance and prevent misuse of the mark.
- Limited Initial Scope: The current exclusion of wired devices, personal computers, smartphones, and routers, while streamlining initial rollout, means that a significant portion of connected devices remains outside the program’s immediate purview. Future expansion is possible, but not guaranteed initially.
- Lack of Legal Safe Harbor: Manufacturers must commit to diligently identifying and promptly correcting critical vulnerabilities through software updates until the product’s minimum support period end date, without disclaiming these promises. This commitment is legally enforceable not just by the FCC, but also by state courts under product warranty and contract law. The FCC has explicitly declined to preempt state laws or offer a broad legal safe harbor against liability for cybersecurity incidents, beyond stating that achievement of the mark serves as an “indicium of reasonableness”. While some states offer their own safe harbors for companies adopting reasonable security measures, the absence of a federal blanket protection might be a deterrent for some manufacturers seeking to mitigate legal exposure.
- Evolving National Security Disclosures: The FCC is currently seeking further input on requiring manufacturers to disclose the origin of software and storage/transit locations of data from “high-risk countries” (as defined by the Department of Commerce as “foreign adversary” countries). This potential future requirement aims to enhance supply chain transparency but could introduce additional compliance burdens and potentially exclude products with certain foreign affiliations.
How to Prepare for the FCC Cyber Trust Mark
The U.S. Cyber Trust Mark aligns with a broader ecosystem of cybersecurity standards. The program is built on NIST’s work, especially NISTIR 8425.
The FCC aims for harmonization with international programs like Singapore’s CLS, Finland’s label, and Germany’s IT Security Label, and is working with the EU and Japan on interoperability. Relevant industry standards include those from UL (e.g., UL 2900), CTA, ioXt Alliance, and CTIA. Core accreditation requirements (ISO/IEC 17025 for labs, ISO/IEC 17065 for CLAs) are international standards.
Manufacturers can prepare for the FCC Cyber Trust Mark by demonstrating compliance with existing, established schemes such as the Singapore, Japan or EU consumer IoT cybersecurity standards. The security requirements are expected to be very similar, so a manufacturer that already meets these global requirements should be able to obtain the FCC Cyber Trust Mark with little additional effort once the program matures.
Further Reading
Read more about the EU’s cybersecurity programs here: https://iotregulations.com/security/cen-cenelec-explain-cra/