The White House has launched a new voluntary cybersecurity certification program for smart devices, aiming to provide consumers with confidence that their connected products maintain adequate security standards.
“The White House initiated this cross-party program to inform American consumers and provide a straightforward method to evaluate the cybersecurity of these products, while encouraging manufacturers to develop more secure devices, similar to how EnergyStar certification drove energy efficiency,” according to the White House statement.
The US Federal Communications Commission oversees the initiative, with implementation handled by 11 certified organizations, led by UL Solutions. Manufacturers of consumer Internet of Things (IoT) wireless devices can submit their products for security evaluation at authorized testing facilities.
Products that successfully meet the NIST-specified security standards – encompassing secure software development practices, supply chain protocols, security lifecycle management, vulnerability handling procedures, and related requirements – will be eligible to display the US Cyber Trust Mark and a QR code, enabling consumers to access online information about password management, security features, and software updates.
Major retailers including Best Buy and Amazon have committed to promoting certified products, creating a commercial advantage for manufacturers participating in the program.
The US Cyber Trust Mark, offered in multiple color variations, specifically targets IoT devices such as home security cameras, voice-activated shopping assistants, smart household appliances, fitness monitoring devices, garage door systems, and baby monitors. The certification excludes FDA-regulated medical equipment, wired devices, automotive components, industrial or enterprise systems, and hardware subject to other network security regulations like the FCC Covered List.
The initiative stems from a 2021 White House executive order aimed at strengthening cybersecurity measures following significant breaches affecting organizations like Colonial Pipeline and SolarWinds. Among its various directives, the order required government officials to establish IoT cybersecurity criteria for a consumer labeling system.
In an official statement, Amazon Vice President Steve Downer expressed the company’s enthusiasm for partnering with industry stakeholders and government representatives to roll out this certification initiative.
“Amazon fully endorses the US Cyber Trust Mark’s initiative to enhance consumer confidence in connected devices,” Downer stated. “We anticipate that consumers will find significant value in seeing the US Cyber Trust Mark displayed both on physical product packaging and during their online shopping experience.”
The US Cyber Trust Mark initiative “won’t address every challenge associated with the proliferation of connected devices in our households, but it certainly represents a step in the right direction,” explained RJ Cross, who heads the Consumer Privacy Program at US PIRG, in a conversation with The Register.
“The fundamental approach aims to motivate companies to elevate their security standards and emphasize transparency with consumers. We’ve reached a point where the sheer volume of cybersecurity breaches and hacks has made most people acutely aware of cybersecurity concerns. Therefore, providing individuals with additional information about the security features of devices they incorporate into their daily lives will grant them unprecedented control, which is undoubtedly beneficial.”
When questioned about whether the certification program would effectively transfer security responsibility from consumers to manufacturers, Cross emphasized the complexity of the matter.
“Success lies in the implementation details,” Cross noted. “A truly effective program must be thorough and comprehensive. It needs to evaluate not just the hardware security of devices like smart washing machines, but also assess the security measures protecting the cloud infrastructure where companies store data collected through these appliances.”