From smart speakers and cameras to baby monitors and fitness trackers, Internet of Things (IoT) devices have become integral to our daily lives. However, they can also be vulnerable to cyberattacks, posing a risk to our privacy and security. To address this, the Federal Communications Commission (FCC) has introduced the U.S. Cyber Trust Mark, a voluntary labeling program designed to help consumers identify secure IoT products. This article provides an analysis of the requirements for obtaining the FCC Cyber Trust Mark, with a focus on the underlying guidelines from the National Institute of Standards and Technology (NIST) in their publication NIST IR 8425.
Target Audience
What will you learn from this article
We already covered the fundamentals of the FCC Cyber Trust Mark in a previous article where we went through why it was created, what it meant for consumers and manufacturers and the challenges associated with adoption of such a program. This article has a different focus.
To clarify the Scope of “IoT Product”: This article hopes to educate non-technical managers that, for certification purposes, an “IoT Product” is not just the physical device but the entire ecosystem, including mobile applications and backend cloud services.
To summarize actionable requirements: This article also intends to translate the technical and non-technical requirements from NIST IR 8425 into a practical checklist that non-technical managers can understand and use to guide their product development and security strategies in preparation for certification.
The Governing Standard: NIST IR 8425
The cybersecurity standards for the Cyber Trust Mark are based on the requirements of NIST Internal Report (IR) 8425, “Profile of the IoT Core Baseline for Consumer IoT Products.” This document outlines a set of cybersecurity capabilities that are essential for securing consumer IoT products.
A Critical Distinction: What is an “IoT Product”?
Before diving into the specific requirements, it’s crucial to understand how NIST defines an “IoT Product.” Unlike other standards where “product” might refer only to the physical device, NIST IR 8425 takes a holistic, system-wide view. The “IoT Product” is the entire ecosystem that the consumer interacts with.
Let’s use a smart thermostat as an example to illustrate this:
The IoT Device: This is the physical thermostat unit mounted on your wall. It has sensors, a display, and connects to your home’s Wi-Fi.
The Mobile App: This is the application on your smartphone or tablet that you use to control the thermostat remotely, set schedules, and view energy usage.
The Cloud Backend: This is the manufacturer’s set of servers that the thermostat and the mobile app communicate with. This backend service processes commands, stores user data and settings, and pushes software updates.
Under the NIST IR 8425 definition, the “IoT Product” is not just the thermostat on the wall; it is the combination of the device, the mobile app, and the cloud backend. Security must be addressed across all three components. A vulnerability in the mobile app or the cloud service can compromise the entire system just as easily as a flaw in the device itself.
Therefore, when we discuss the requirements for the Cyber Trust Mark, these capabilities apply to the entire system, ensuring that there are no weak links in the chain.
IoT Product Capability Requirements
These are the technical features that must be built into the IoT product ecosystem.
Asset Identification: Every component of the system (device, app version, cloud service instance, etc.,) must be uniquely identifiable for management and updates.
Product Configuration: A user must be able to securely configure the product, for example, by changing a password through the mobile app, which then securely updates the settings on the device via the cloud.
Data Protection: Data must be protected everywhere it exists within the system. This means data must be encrypted when stored on the device, when transmitted between the device and the cloud, and when accessed by the mobile app or by anyone.
Interface Access Control: Access to all interfaces must be restricted to only authorized users. For example, debug logs for the thermostat device must be available only to the service technician after proper authentication and not to general users of the device.
Software Update: The manufacturer must be able to securely update all parts of the system. This includes pushing firmware updates to the thermostat, updating the mobile app through an app store, and patching the cloud backend.
Cybersecurity State Awareness: The system as a whole should be able to detect and report potential security events. For example, the cloud backend could detect multiple failed login attempts from the mobile app and alert the user.
Non-Technical Supporting Capabilities and The Manufacturer’s Role
These are the responsibilities of the product developer to ensure the ongoing security of their entire product ecosystem.
Documentation: The manufacturer must document the security of the entire system, including the architecture of how the device, app, and cloud interact.
Information and Query Reception: Manufacturers must have a clear process for customers to report a security issue they find in the mobile app, the device, or the cloud service.
Information Dissemination: Manufacturers must be able to notify customers about a critical update for the mobile app or a security incident involving the cloud back-end.
Education and Awareness: Manufacturers must educate customers, with proper product documentation, on how to use the entire system securely, from setting a strong password in the app to understanding what data is stored in the cloud.
The Path to the Cyber Trust Mark
To earn the U.S. Cyber Trust Mark, a manufacturer’s IoT product will be tested by accredited labs called CyberLABs. These labs will verify that the complete system—device, app, and cloud—meets the requirements of NIST IR 8425. In-house testing is permitted, if these companies can prove that their labs comply with ISO/IEC 17025 standards. However, the test specification that will be used by CyberLABs is still work in progress as of 26th June 2025. IoT Regulations will cover the test specification in more details when its released.
We know that organizations like PSA Certified and Trust CB’s SESIP are working to make it easy for device manufacturers to comply with NIST 8425 and get their IoT devices certified with FCC Cyber Trust Mark. We will cover how devices using sub-components with PSA Certification can easily get through the FCC Cyber Trust Mark. If your IoT device uses a CPU or MCU with PSA Certification, watch out for our upcoming article. If you are global company selling your products to the EU, you need to also be compliant to the EU Cyber Resilience Act, which has almost similar requirements. You can read more on our coverage of EU CRA here.
