Your Guide to Understanding the US Cyber Trust Mark

As part of our ongoing series on IoT device security, we dive into the details of the US Cyber Trust Mark. Learn what it is, who it applies to, and how you can start preparing to attain the US Cyber Trust Mark.

One of the hottest topics in the embedded space over the last several months is the evolving regulatory landscape for IoT devices. While global approaches differ, one thing remains constant: IoT security expectations are shifting rapidly. What was once deemed an acceptable level of security is no longer enough. Previously, we explored Europe’s Cyber Resilience Act—a mandatory regulation for any business that wants to sell IoT products in the EU. Now, let’s focus on the US, which is adopting a voluntary accreditation known as the Cyber Trust Mark.

Watch Now: How New IoT Security Regulations Will Shape the Industry’s Future

Contents

• What is the US Cyber Trust Mark?
• Who does the US Cyber Trust Mark Act apply to?
• When does the US Cyber Trust Mark enter into force?
• How to comply with the US Cyber Trust Mark
• Solutions for attaining the US Cyber Trust Mark
• How to start planning for the US Cyber Trust Mark

What is the US Cyber Trust Mark?

The Cyber Trust Mark is an accreditation available to manufacturers of connected consumer devices selling in the US market. To gain the accreditation, manufacturers must demonstrate that their products, systems, and processes comply with a set of security and privacy standards.

Accredited products will feature a Cyber Trust Mark logo, indicating to consumers that the device meets accreditation standards. Each logo will be accompanied by a QR code, allowing consumers to scan and view detailed information about the product in a database of accredited devices.

Unlike the EU Cyber Resilience Act, the Cyber Trust Mark is entirely voluntary. The FCC states that the intention of the Cyber Trust Mark is to “help consumers make safer purchasing decisions, raise consumer confidence regarding the cybersecurity of the IoT products they buy, and encourage manufacturers to develop IoT products with security-by-design principles in mind.”

Who does the US Cyber Trust Mark apply to?

Businesses selling wireless IoT products into consumer use cases may attain the Cyber Trust Mark certification. That includes everything from a smart fitness device to a connected doorbell. Certain use cases are excluded from the accreditation, such as automotive use cases and products already regulated by agencies like the FDA (think medical devices). The certification also specifically excludes “wired IoT devices.”

How does the Cyber Trust Mark define an IoT product?

This definition is in fact a source of some contention as it broadens the scope from focusing just on the “device” to include other components such as apps that may run on other devices (e.g. a smartphone). As such, achieving accreditation will require some holistic thinking from manufacturers.

When does the US Cyber Trust Mark enter into force?

The FCC has yet to confirm the exact date, but the Cyber Trust Mark has been through an industry review process and is due to become active at the end of 2024.

How to comply with the US Cyber Trust Mark

The FCC has not yet fully approved the final requirements. However, at this stage it seems highly likely that manufacturers can achieve the accreditation via compliance with some of NIST’s existing standards. In particular, we expect the NIST Core Baseline will lay a foundation for the final requirements.

The Core Baseline does not prescribe exact requirements, but instead positions itself as being “outcome focused.” It is made up of requirements from existing NIST standards NISTIR 8529A and NISTIR 8529B. In combination, IoT products must be able to demonstrate 10 key capabilities to be considered in adherence.

NISTIR 8529A

1. Asset Identification – You have a way to uniquely identify each device
2. Product Configuration – Only authorized entities can change configurations (hardware and software)
3. Data Protection – Data is secure in transit and at rest
4. Interface Access Control – The device can restrict access to local and network interfaces to authorized entities
5. Software Updates – The software can be securely updated only by authorized entities
6. Cybersecurity State Awareness – The device can report on its security state and make the information available only to authorized entities

NISTIR 8529B

1. Documentation – Create, gather, and store cybersecurity information at time of purchase and throughout the device lifecycle
2. Information and Query Reception – Provide a way for the customer/consumer to query the cybersecurity of a device
3. Information Dissemination – Be able to publish information about the cybersecurity of the device to the customer and ecosystem
4. Product Education and Awareness – Be able to educate the customer and ecosystem about the cybersecurity features and capabilities of the device

Overall, the requirements are broadly similar to those in other comparable regulations such as the EU’s Cyber Resilience Act. The similarity in requirements should make it fairly straightforward for businesses already complying with the CRA to also achieve Cyber Trust Mark accreditation.

Cyber Trust Mark certification process

The certification process for the Cyber Trust Mark will require that businesses submit their product for testing by an accredited lab. These labs will be known as CyberLABs and will be certified to complete the testing process by FCC appointed Cybersecurity Label Administrators (CLA). The CLAs will be responsible for issuing the Cyber Trust Mark alongside other duties relating to managing the program, informing the public, etc.

Solutions for attaining the US Cyber Trust Mark

Given that the requirements are still a work-in-progress, solutions for achieving the Cyber Trust Mark accreditation are impossible to define with absolute confidence. However, we can make some educated guesses based on the pre-existing standards referenced in the regulation and other similar regulatory frameworks. To be clear, the suggestions below are simply our opinion and we recommend that businesses seek support specific to their requirements from an appropriate entity.

For the purposes of this guide, we will primarily focus on the requirements that are device/product centric rather than those that are more process focused. For the most part, that means focusing on the requirements from NISTIR 8529A.

Asset Identification

Although the requirements are not yet fully defined, it appears that manufacturers will need to be able to remotely identify hardware with a unique serial number and label devices for physical identification. This would seem like a very straightforward requirement and should be easy to satisfy.

For non-physical device identification, the most sophisticated solutions will quickly and easily associate a unique device with its behavior and current state data, enabling general support and—more importantly—vulnerability identification and resolution.

We don’t yet know if the Cyber Trust Mark requirements will follow those of the European Cyber Resilience Act, which also require manufacturers to hold information relating to the hardware and software components of each device. If so, then sophisticated solutions will hold a record of the components for each device and also a Software Bill of Materials (SBOM) for each software version. Again, when vulnerability identification and resolution are required, holding these key pieces of information in association with each unique device identifier will significantly simplify processes.

Product Configuration

Configuration management can be complicated for IoT devices. From a cybersecurity perspective, secure configuration management is a critical requirement. The requirements are likely to focus on the ability to restore devices to a secure default configuration, as well as the ability to remotely manage configuration settings in the case of incident mitigation or vulnerability resolution.

Because changing configurations remotely carries a degree of risk to device reliability and performance, the most sophisticated solutions will also be able to monitor how configuration changes impact the performance and reliability of their devices. Having up-to-date and ideally real-time information on device state and health will also combine well with more sophisticated configuration change rollout processes.

Data Protection

It’s no surprise that the accreditation will likely require robust data protection, including secure storage on devices and encryption during transit. However, the scope of these requirements—especially regarding the handling of potentially sensitive data—remains unclear. Drawing from the upcoming EU regulations, manufacturers may be required to carefully manage data collected from devices and ensure they only collect what is strictly necessary.

Regardless of the specifics, the best solutions will not only secure data transmission and storage but also provide strong controls over what data is collected and how it is handled.

Interface Access Control

This requirement here is rooted in the objective to reduce attack vectors and blast radius of any potential vulnerabilities. Ultimately, this will largely be accomplished in the product design and relates closely to requirements around configuration management.

The best solutions will be able to monitor network access and traffic in order to understand normal behavior, quickly identify anomalous activity that could be related to a vulnerability, and take action.

Software Updates

Every major IoT device regulation requires updating software on devices, so it is no surprise that this will play a role here. Being able to securely and automatically distribute updates to devices in the field will, without doubt, be a core requirement. Without yet knowing the specifics, we can safely assume that businesses will need to build this capability into their product.

It’s worth noting that, similar to Configuration Management, the process of deploying updates can itself be risky. Therefore, the best solutions will have a robust and highly controlled rollout process and comprehensive observability of devices receiving updates to ensure manufacturers can quickly identify and resolve any unexpected issues.

Cybersecurity State Awareness

It’s safe to assume that manufacturers will need to collect some health, performance, and state information from deployed devices on a regular basis. The best solutions will quickly and easily correlate cybersecurity information with key device metrics and attributes, such as current software version, making it easier to isolate vulnerabilities, isolate their causes, and work toward a targeted fix.

The best solutions will also collect information that allows manufacturers to understand what “normal” behavior looks like across numerous metrics and ideally have some kind of automatic alerting on unexpected state changes that could signal a vulnerability has been exploited. When combined with the previous requirement to be able to update software the best solutions will be able to see all of this information in a single interface so that they can ship patches to targeted groups of devices based on good data and carefully monitor the rollout of that update to ensure success.

How to start planning for the US Cyber Trust Mark

The Cyber Trust Mark’s impact on the US IoT device market is still uncertain, but it clearly forms a key piece in the rapidly evolving regulatory picture for IoT device makers. Some question its effectiveness due to its voluntary nature. However, taken in context of the regulatory environment in regions like the EU, achieving the Cyber Trust Mark could be a valuable opportunity for device makers.

There appears to be significant crossover with regulations like the mandatory Cyber Resilience Act, which means businesses selling devices into the EU may not require much additional work to also achieve the Cyber Trust Mark. Depending on the cost of the certification process, it could be an obvious decision for many businesses.

At Memfault, we are keeping a close eye on the evolving regulatory environment to ensure our current and future customers are well-equipped with the tools they need for compliance. Memfault’s own products will fulfill some of the core requirements, such as OTA updates, device state observability, and device identification.

If you are considering Cyber Trust Mark accreditation—or if you have questions about IoT security best practices—reach out to us. We’re committed to helping embedded teams navigate the complex regulatory environment and would be happy to provide more detail on our perspective.

I also encourage you to watch my recent discussion with fellow co-founder, Chris Coleman, for more insights on these new regulations and how it will impact the future of the IoT industry. We’ll talk about the driving forces behind regulations like the US Cyber Trust Mark and provide recommendations to help you and your team prepare.

More IoT Security Resources for You

• IoT Device Security On-Demand Discussion: A panel of IoT and security experts discuss best practices for safeguarding your connected devices.
• Your Guide to Understanding the EU Cyber Resilience Act: Everything you need to know about the EU Cyber Resilience Act, including expected requirements to help you prepare for compliance.
• Benchmarks on IoT Security and Other Pressing Challenges: This first-of-its-kind report reveals how hundreds of other IoT professionals are handling security and other development challenges.
• Opinion: Regulators are coming for IoT device security: Insights on what is striking about the new regulations and standards, and recommendations on what to do.