USA launches IT security label "U.S. Cyber Trust Mark"

The White House has announced the launch of the "U.S. Cyber Trust Mark", a voluntary IT security mark.

White House in front of flag, in front of U.S. Cyber Trust Mark logo

(Image: Created with AI in Bing Designer by heise online / dmk)


In the USA, the “U.S. Cyber Trust Mark” is an attempt to introduce a voluntary IT security label. Consumers should be able to recognize that internet-connected “smart” devices are secure.

This is reminiscent of the IT security mark from the German Federal Office for Information Security (BSI), which has been available since 2022. However, when the Cyber Resilience Act (CRA) comes into force in the EU, a minimum level of cybersecurity will become mandatory in the German economic area, while the US label will remain voluntary, at least for now. While companies only have to fill out application forms for the BSI certificate, which is also voluntary, and the BSI carries out a plausibility check, the “U.S. Cyber Trust Mark” requires the devices to be tested.

The White House has announced that a total of eleven companies are authorized to carry out such tests: CSA America Testing & Certification, LLC; CTIA Certification LLC; DEKRA Certification Inc; Intertek Testing Services NA, Inc; ioXt Alliance; Palindrome Technologies; SGS North America Inc; Telecommunications Industry Association; TÜV Rheinland of N.A.; TÜV SÜD America; and UL LLC. The latter company, also known as UL Solutions, is the lead administrator for the U.S. Cyber Trust Mark.


The "U.S. Cyber Trust Mark" has a logo that manufacturers can use for successfully tested devices.

(Image: FCC)

The Federal Communications Commission (FCC) has established a dedicated website for the U.S. Cyber Trust Mark. The available information is collected there. Logos are available in different versions on another website.

The program is intended to certify the IT security of IoT devices, with a particular focus on wireless devices: the FCC lists Internet-connected security cameras, voice-activated shopping devices, smart appliances, fitness trackers, garage door openers and baby monitors as examples. Medical and wired devices explicitly fall outside the scope of the Cyber Trust Mark program, as do products for manufacturing and industrial or enterprise use, as well as IoT products that are on national security lists.

On certified devices, there is a QR code next to the Cyber Trust Mark logo that leads to further information, for example how long the product will receive support, whether software patches and security updates will be installed automatically, and how customers can access them. It should also provide instructions on how to change default passwords and secure the device configuration.

The FCC also wants to work with other US federal authorities on international recognition of the label and promote the mutual recognition of international labels, such as the IT security label of the BSI.

(dmk)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.