Key Takeaways
1. The U.S. Cyber Trust Mark certifies Internet of Things (IoT) devices that meet NISTIR 8425 standards and provides consumers with a reliable way to identify secure products.
2. To earn the U.S. Cyber Trust Mark, manufacturers must undergo rigorous product testing and certification by accredited labs and Certification and Labeling Authorities (CLAs).
3. At I.S. Partners, we help you set up internal systems to automate documentation processes, prepare for audits and renewals, and, through penetration testing, ensure your cybersecurity is never compromised.
What Is the U.S. Cyber Trust Mark?
The U.S. Cyber Trust Mark is a cybersecurity assessment and labeling program for wireless consumer Internet of Things (IoT) products. Only products that meet the stringent National Institute of Standards and Technology (NIST) Profile of the IoT Core Baseline for Consumer Products (NISTIR 8425) standards will carry this label.
The program’s label will include the U.S. Cyber Trust Mark logo and a QR code linking to a product registry that consumers can scan to learn more about specific security features. Examples of these features include:
- Instructions on how to change the default password
- The minimum support period for the product
- Information regarding software updates (whether they will be automatic or manual)
- Instructions on how to securely set up the device
Once the Cyber Trust Mark is up and running, it will help consumers make informed decisions about the IoT devices they buy.
The U.S. Cyber Trust Mark gives consumers confidence that the IoT devices they purchase are secure and aligned with top security standards, similar to how Energy Star certification gives confidence that you are purchasing energy-efficient equipment.
Is the Cyber Trust Mark Program Run by the Government?
The U.S. Cyber Trust Mark program will rely on public-private collaboration. The Federal Communications Commission (FCC) will oversee the program. Designated third-party label administrators will handle tasks like reviewing product applications, granting label approvals, and educating consumers.
As of December 11, 2024, UL LLC (UL Solutions) has been selected as the Lead Administrator and a Cybersecurity Label Administrator (CLA) of the FCC’s cybersecurity labeling program for wireless consumer IoT products.
This means that UL will recommend testing procedures, cybersecurity standards, and label designs to the FCC. It will also be responsible for receiving and reviewing applications from manufacturers to use the Cyber Trust Mark label.
IoT device manufacturers will also have to undergo rigorous product testing by CyberLABs to ensure compliance with the program.
Finally, external auditors play an important role in the program’s implementation. They will help IoT manufacturers align their operations with the requirements of the Cyber Trust Mark program. Internal audits and penetration testing are two examples of activities an auditor can engage in to help businesses earn the Cyber Trust Mark.
Is the Cyber Trust Mark Mandatory?
No, the Cyber Trust Mark is a voluntary program for labeling wireless consumer IoT products. Manufacturers are not required to participate, but those who choose to must meet the program’s requirements to use the official Cyber Trust Mark.
The decision to keep the program voluntary was based on support from industry experts and organizations.
Experts believe that a voluntary program will encourage manufacturers, the government, and other stakeholders to work with each other to improve IoT security. Its flexibility will also attract more companies to participate, which will make the program more effective.
Timeline of the U.S. Cyber Trust Mark Program
- July 12, 2023—The Biden-Harris Administration announced the “Cyber Trust Mark Program” cybersecurity certification and labeling program.
- August 10, 2023—The FCC sought public opinion on the Cyber Trust Mark Program.
- March 14, 2024—The FCC established the framework and rules for the program.
- January 7, 2025—The White House officially announced the launch of the program.
Significance of the U.S. Cyber Trust Mark
The Cyber Trust Mark was created to help consumers make smarter and safer decisions when purchasing IoT devices. Here is how it will achieve that:
1. Counteract IoT Vulnerabilities
In 2022, there were over 112 million IoT cyberattacks, four times higher than 32 million in 2018. This is a shocking increase and was one of the primary reasons for the proposal of the Cyber Trust Mark in 2023.
This program is expected to incentivize manufacturers to find and eliminate vulnerabilities in the thousands of IoT devices on the market. This will, in turn, reduce the risk of IoT attacks and make it safer for American consumers to use wireless devices.
2. Respond to Customer Demand for Secure Products
Many consumers are becoming increasingly concerned about the way IoT devices use their data. Approximately 92% of participants in a recent survey said they want to control what personal information is collected, and 57% demanded the “right to be forgotten.”
The FCC’s Cyber Trust Mark is expected to regulate the use of customer information—it will require companies to protect any personally identifiable information (PII) they collect according to NISTIR principles.
3. Help Customers Learn About Cybersecurity Risks
Awareness of IoT risks has increased over the years. However, many Americans still aren’t fully aware of IoT vulnerabilities or of the effects a data breach through their connected wireless devices could have.
One of the main job requirements of the Lead Administrator of the Cyber Trust Mark is to create an education campaign that helps Americans learn about the risks of using IoT devices. This will help consumers make informed decisions when purchasing such devices.
4. Differentiate Trustworthy Products
It’s almost impossible for most customers to differentiate between secure and insecure IoT devices—and how companies use their data. The Cyber Trust Mark program was created to fill this need and help consumers understand whether the devices they’re purchasing are safe.
Once the program goes live, consumers will be able to scan the QR code beside the Cyber Trust Mark on IoT devices to get details about the device’s compliance with cybersecurity guidelines. This information will include data on encryption, software updates, and data privacy policies.
5. Encourage Manufacturers To Meet Cybersecurity Standards
The FCC expects the Cyber Trust Mark program to push manufacturers toward adopting stricter cybersecurity practices. This is because customers will gravitate toward certified products over uncertified ones.
This change in consumer preference might create a market-driven incentive for manufacturers to meet the program’s standards. The end result will be a reduced risk of data breaches and hacker control over IoT devices.
Who Is the Cyber Trust Mark For?
The Cyber Trust Mark program was created to protect the cyber safety of consumers and businesses using consumer wireless IoT products in the United States.
Manufacturers outside the U.S. will also be able to apply for the mark as long as they meet the requirements. They may also apply to be recognized as a CyberLAB for easier certification.
However, certain manufacturers and entities are prohibited from participating in the program. These include:
- Entities on the FCC Covered List
- Entities on the Department of Commerce’s Entity List
- Entities on the Department of Defense’s List of Chinese Military Companies
- Entities owned, controlled, or affiliated with individuals or organizations that have been suspended or debarred from federal procurements or financial awards
- Entities that are listed as ineligible for awards in the General Services Administration’s System for Award Management
The FCC will establish qualification criteria for entities outside the U.S. once the program is live.
Which Products Will the Cyber Trust Mark Affect?
The Cyber Trust Mark will affect any consumer device or appliance that connects to the internet, including:
- Smart home devices (e.g., locks, alarms, home security cameras, lights)
- Wearables and health monitoring devices (e.g., fitness trackers, baby monitors)
- Voice-activated and connected appliances (e.g., voice-activated shopping devices, internet-connected appliances, garage door openers)
However, the mark will not, at the moment, affect:
- FDA-regulated medical devices
- National Highway Traffic Safety Administration (NHTSA)-regulated vehicles and equipment (e.g., motor vehicles and vehicle equipment)
- Wired devices
- Manufacturing, industrial, or enterprise products
- FCC Covered List equipment
- IoT devices named on the Department of Commerce’s Entity List and Department of Defense’s List of Chinese Military Companies
- Products banned from Federal procurement (including those ineligible for award on the General Service Administration’s System for Award Management)
- PCs, smartphones, and routers
While the program currently focuses only on wireless consumer IoT products, it may extend over time to include other smart products.
U.S. Cyber Trust Mark Requirements
The FCC has not yet finalized any specific U.S. Cyber Trust Mark requirements. But the program is expected to follow the criteria outlined in NISTIR 8425 and be consistent with the NIST Core Baseline.
The proposed criteria fall into two main categories: technical capabilities for IoT products (1–6) and non-technical practices for developers (7–10).
IoT Product Technical Capabilities
1. Asset identification. Devices must have unique identifiers and maintain an updated inventory of connected components.
2. Product configuration. Products must allow authorized users to make secure configuration changes and offer a reset to secure default settings.
3. Data protection. Devices should protect all stored and transmitted data (between IoT product components and outside the product) from unauthorized access, disclosure, or modification.
4. Interface access control. Logical access to device interfaces must be restricted to authorized users, product components, and services.
5. Software updates. IoT devices must support secure software updates performed only through a secure and configurable mechanism to patch vulnerabilities found after deployment.
6. Cybersecurity state awareness. Devices must detect and alert users about unusual activity like malware, unauthorized access attempts, botnets, software errors, or other anomalies that were not initiated by the user or intended by the developer.
IoT Product Developer Practices
7. Documentation. Developers have to create and maintain detailed records about the product’s cybersecurity features and lifecycle.
8. Information and query reception. Developers have to provide a way for customers to report issues or ask questions about the device’s security.
9. Information dissemination. Developers must share updates and advice about new threats, security measures, and best practices.
10. Product education and awareness. Developers have to educate customers about the device’s cybersecurity features and secure usage.
How to Comply With the Cyber Trust Mark Program
The FCC has set up a two-step process for manufacturers to obtain the authority to use the Cyber Trust Mark. These steps are:
1. Product Testing by a Lead Administrator-Recognized Lab
To begin the process, IoT devices have to be tested at an accredited laboratory that has been recognized by the Lead Administrator. These accredited labs may include specialized facilities like CyberLABs or CLA labs.
Manufacturers can also use in-house labs, but only if they meet the strict accreditation requirements outlined by the FCC, such as ISO/IEC 17025 compliance.
Once a lab has been chosen, the device will be tested to check if it meets the FCC’s cybersecurity criteria. This evaluation will be based on the device’s ability to:
- Protect stored and transmitted data from unauthorized access
- Ensure only authorized users can modify device configurations
- Update software to patch vulnerabilities discovered post-launch
During testing, the lab will thoroughly review the device’s hardware, software, and communication interfaces to identify potential weaknesses and confirm compliance with NIST IoT guidelines.
For example, it may test whether the device restricts access to sensitive areas, protects user data during transmission, or alerts users to abnormal behavior that could indicate a cybersecurity incident.
The results of these assessments will be compiled into a detailed test report, which will be used in the next step.
2. Product Label Certification by a CLA
After completing testing, manufacturers will submit an application to one of the following Certification and Labeling Authorities (recognized by the FCC on December 11, 2024):
- CSA America Testing & Certification
- CTIA Certification LLC
- DEKRA Certification Inc.
- Intertek Testing Services NA, Inc.
- ioXt Alliance
- Palindrome Technologies
- SGS North America Inc.
- Telecommunications Industry Association
- TÜV Rheinland of N.A.
- TÜV SÜD America
- UL LLC (UL Solutions)
The manufacturer’s application will include a test report from the accredited lab and documentation showing how the IoT product meets the FCC IoT Labeling Program requirements.
Once the application has been submitted, the CLA will review and verify the product’s compliance with all relevant rules. If approved, the manufacturer will receive authorization to use the Cyber Trust Mark on their product.
If the application is denied, the CLA will provide a detailed explanation, and manufacturers may correct the issues and reapply.
Challenges in Implementing Cyber Trust Mark Program and Solutions
Let’s look at some potential challenges that manufacturers might run into when implementing the Cyber Trust Mark program:
1. The Implementation Is Complex
IoT products are rarely simple. They’re made up of multiple components and support additional features or interfaces beyond their primary function.
For instance, a smart thermostat might have the ability to manage HVAC systems and support data-sharing with third-party applications or platforms.
This makes it difficult for manufacturers to figure out which parts of the product need to comply with the Cyber Trust Mark requirements.
Solution
Manufacturers can separate components or interfaces that support other IoT systems and justify their exclusion from the certification scope through a risk assessment. In practice, this means manufacturers must:
- Define the core functionality of the IoT product
- Identify additional features or interfaces that do not directly relate to the certified product’s purpose
- Assess the security risks posed by those features and justify their separation from the Cyber Trust Mark evaluation
This will help manufacturers focus on meeting security requirements for the primary product without being held accountable for unrelated or peripheral functionalities.
2. Manufacturers Must Attest to the Security of Components Outside of Their Control
Consumers will expect the Cyber Trust Mark to represent the security of the entire IoT product they purchase, not just individual components.
For example, many IoT devices rely on additional components, such as internal communication links or external apps, to function. These components, while important, might not always fall under the direct control of the manufacturer.
Without proper oversight of these components, consumers may face security risks, which would undermine trust in the Cyber Trust Mark.
Solution
Manufacturers should ensure the security of the full IoT product, including its internal and external communication links—even if some components are outside their direct control. This means that they must:
- Secure the connections between different components of the product to protect them from unauthorized access or tampering
- Verify that third-party apps that are integrated into or interact with the IoT product meet security requirements (the FCC holds the manufacturer responsible for this)
- Account for and mitigate risks introduced by external components that could act as attack vectors. This includes apps or devices that access the IoT product’s data or functionality
Once you’ve verified all internal and external communication links, you need to document and attest to their security during the certification process.
3. The Oversight Is Difficult
As a manufacturer, you’ll have to ensure continuous compliance with the Cyber Trust Mark framework, coupled with periodic cybersecurity audits and documentation. You’ll also have to manage oversight for integrated third-party components, which can be outside your direct control.
If anything changes with your vendors or the third-party components they supply, you’ll need to reassess those components to make sure they still meet the program requirements. This might include reviewing updates to software, firmware, or security practices to identify potential risks or gaps in compliance, which can be expensive and take time.
Solution
Work closely with your vendors to make sure they understand and meet the required security standards. This will help you ensure that all components they provide meet Cyber Trust Mark requirements, which will lower your non-compliance risk.
Aside from that, make sure your vendor provides regular updates on their security practices, like patch management or vulnerability fixes. This will help you identify potential risks early and take corrective action before they affect your certification.
4. Compatibility Issues With Legacy Systems
Many manufacturers have existing IoT products in the market or legacy systems that weren’t designed with modern cybersecurity best practices in mind. These older systems often use outdated protocols, have limited processing power, or lack the hardware needed to implement modern security features.
Upgrading these systems could require significant hardware modifications or complete product redesigns—a costly and time-consuming endeavor.
Solution
Businesses can address compatibility challenges through a phased approach to compliance:
- Develop a roadmap to upgrade legacy products via firmware updates or necessary hardware changes.
- Introduce new Cyber Trust Mark-compliant products while maintaining existing ones for a smooth transition.
- Collaborate with certification bodies to create alternative compliance solutions for legacy systems.
It’s also a good idea to communicate clear end-of-life dates for legacy products that cannot be upgraded to meet the new requirements. This will give customers adequate time to plan for replacements.
Streamline Your Cyber Trust Mark Compliance with I.S. Partners
Navigating the complexities of the U.S. Cyber Trust Mark can be overwhelming for manufacturers, requiring strict adherence to cybersecurity standards, vendor oversight, and continuous compliance. Without the right processes in place, achieving certification can be costly and time-consuming.
At I.S. Partners, we simplify compliance by helping manufacturers integrate secure vendor management systems, automate documentation tracking, and align their IoT products with NIST standards. Our experienced auditors provide hands-on guidance to ensure a seamless compliance process—without disrupting your supply chain or product development.
What Should You Do Next?
Start your compliance journey the right way and focus your efforts and resources in the right direction. Follow these steps to achieve the U.S. Cyber Trust Mark quickly:
1. Assess your readiness. Evaluate your IoT product’s compliance with Cyber Trust Mark requirements.
2. Strengthen vendor oversight. Implement systems to verify and monitor third-party components.
3. Collaborate with I.S. Partners. Work with our experts to streamline testing, audits, and certification.
Don’t let compliance challenges slow you down—contact I.S. Partners today and take the first step toward Cyber Trust Mark compliance with confidence!