On September 9, the U.S. IoT Cybersecurity Label officially came into effect, aimed at enhancing the privacy and security of consumer IoT devices, boosting consumer confidence in these products, and providing more transparent safety information. After comparing the FCC's initial and final versions of the regulation, it is clear the core content remains unchanged. Kaamel has previously provided detailed analysis of the "IoT Cybersecurity Label" and its "National Security Statement" rules.
This article will broadly review the structure of the regulation.
The IoT Cybersecurity Label, known as the "Cyber Trust Mark," is a voluntary program in which certified devices display the Cyber Trust Mark, indicating compliance with the minimum cybersecurity standards set by the Federal Communications Commission (FCC), covering aspects such as data encryption, authentication, and software updates. A QR code on the product packaging allows consumers to easily scan and view detailed security information about the device and whether it meets the National Institute of Standards and Technology (NIST) cybersecurity framework.
To earn the Cyber Trust Mark, manufacturers must have their devices tested by certified CyberLAB or CLA labs, or their in-house labs if approved by leading administrators. Manufacturers are required to provide the FCC with detailed information on product development, data storage, and remote control, and disclose this to consumers when necessary. While participation in the program is voluntary, the FCC expects it to have a significant market impact, as consumers are likely to choose products with higher safety standards, incentivizing manufacturers to seek certification for a competitive edge.
Additionally, the FCC introduced the "National Security Statement" rule, which imposes special requirements for devices related to national security. If a device contains hardware, software, or data from high-risk countries like China or Russia, manufacturers must disclose this and ensure their products are free from hidden vulnerabilities linked to these nations. The rule also requires that data collected by these products is not stored or remotely controlled by servers in such countries. This measure is intended to ensure that devices used by consumers do not contain components or services that pose security risks.
The regulation has garnered attention not only within the U.S. market but also from global manufacturers, especially those exporting devices to the U.S. Manufacturers are expected to focus more on secure product design, and consumers will increasingly prioritize security in their purchasing decisions. With the proliferation of IoT devices and growing cybersecurity threats, this regulation is seen as a significant milestone in strengthening consumer privacy protection and enhancing device security.
As the FCC noted, while this is a voluntary program, consumer demand is expected to drive widespread adoption, as shoppers will favor IoT products with the label. The "National Security Statement" rule could also affect businesses aiming to export products. It is recommended that manufacturers view this program as a strategic opportunity to enhance product competitiveness and incorporate its requirements into the design of secure products, with particular attention to NIST standards.