On July 18, 2023, the Biden Administration announced the launch of the long-awaited cybersecurity labeling program, called the “U.S. Cyber Trust Mark,” aimed at providing consumers with a better understanding of the cybersecurity of the products they use daily. This labeling program seeks to enhance transparency and competition in the Internet of Things (“IoT”) device space, to “help differentiate trustworthy products in the marketplace,” and to incentivize manufacturers to meet higher cybersecurity standards.
The U.S. Cyber Trust Mark was proposed by Federal Communications Commission (“FCC”) Chairwoman Jessica Rosenworcel and is the first of its kind in the cybersecurity sector. This labeling program is modeled on the Energy Star program, which was created to “bring attention to energy-efficient appliances and encourage more companies to produce them in the marketplace.”
According to the FCC’s press release, it is estimated that there were “more than 1.5 billion attacks against IoT devices in the first six months of 2021 alone” and by the year 2030, “more than 25 billion connected IoT devices [will be] in operation.” This program was introduced in response to these constantly evolving cyber threats impacting IoT products and builds upon existing public and private sector initiatives aimed at enhancing IoT cybersecurity and labeling practices.
Development of the Cybersecurity Labeling Program
On May 12, 2021, President Biden issued Executive Order (“EO”) 14028, Improving the Nation’s Cybersecurity, which, among other things, charged the National Institute of Standards and Technology (“NIST”) to recommend requirements for a consumer IoT cybersecurity labeling program. In response to this directive, NIST developed a profile of the IoT core baseline for consumer IoT products, presented in the NISTIR 8259 Series and NISTIR 8425. This profile was used as part of the recommendations that NIST published in February 2022 in response to the EO directive, titled Recommended Criteria for Cybersecurity Labeling for Consumer IoT Products.
NIST’s efforts served to identify key elements of potential labeling programs in terms of recommending minimum requirements and specifying desirable outcomes. The FCC used these key elements to launch the U.S. Cyber Trust Mark labeling program, acting under its authorities to regulate wireless communication devices.
The U.S. Cyber Trust Mark
The U.S. Cyber Trust Mark will appear on the packaging of eligible devices and will consist of two parts:
- The logo depicting a shield and the words “U.S. Cyber Trust Mark”; and
- A QR code that can be scanned to continuously verify the security of the device.
The QR code will link users to a national registry of certified devices, which will provide “specific and comparable security information about these smart products” as the cybersecurity threat landscape evolves over time. The FCC has released its proposed U.S. Cyber Trust Mark logo in five colorways, although it is presently unclear whether these colorways are attributed to varying levels of device security.
The U.S. Cyber Trust Mark Notice of Proposed Rulemaking
Currently, the Cyber Trust Mark program is described in a Notice of Proposed Rulemaking (“NPRM”), established under the FCC’s authority to regulate wireless communication devices. The draft proposal outlines this voluntary labeling program and, if it is adopted, the FCC will open a public comment period on the proposal.
During the public comment period, the FCC will seek input on several issues, including how to best establish this program, the scope of devices for sale in the U.S. that should be eligible for inclusion in the labeling program, how the program should be managed, how to further develop security standards that could apply to various devices, how to demonstrate compliance with the standards, and how to best educate consumers about the labeling program.
While this program is still in its preliminary stages, the FCC anticipates that this program could be implemented by late 2024. Once implemented, the Cybersecurity and Infrastructure Security Agency (“CISA”) will work with the FCC to encourage major U.S. retailers to prioritize products bearing the U.S. Cyber Trust Mark label in the marketplace.
Future Developments in Cybersecurity Labeling
According to the announcement, consumers and manufacturers can expect to see similar initiatives rolled out by other Federal agencies in the coming years:
- NIST will focus on defining cybersecurity requirements for consumer-grade routers, which are recognized as higher-risk products if compromised. NIST is slated to finalize these requirements by the end of 2023, and the FCC will review and consider these requirements to expand the cybersecurity labeling program to cover these routers.
- The U.S. Department of Energy plans to collaborate with National Labs to develop labeling requirements targeted toward smart meters and power inverters, which it recognizes as essential components to the smart grid of the future.
- The U.S. Department of State will support the FCC by engaging with international partners to harmonize standards and labeling efforts globally.
As the U.S. Cyber Trust Mark initiative develops, Sheppard Mullin’s Governmental Practice Cybersecurity Team will continue to track program updates, as well as other developments relating to the Cybersecurity Executive Order.