On June 18, 2023, the Biden-Harris administration announced the launch of a new “U.S. Cyber Trust Mark” program (hereinafter the “Program”). First proposed by Federal Communication Commission (“FCC”) Chairwoman Jessica Rosenworcel, the Program aims to increase transparency and competition across the smart devices sector and to assist consumers in making informed decisions about the security of the devices they purchase.
Program Implementation and Standard Development
The Program is anticipated to be implemented by 2024, and participation in the Program will be voluntary. The FCC is expected to seek public comment prior to the implementation of the Program. The FCC will also collaborate with other regulators and the U.S. Department of Justice “to establish oversight and enforcement safeguards to maintain trust and confidence in the program.”
The National Institute of Standards and Technology (“NIST”) will be responsible for establishing specific standards devices will need to meet for certification. Of particular note, NIST has also been directed to immediately begin working toward defining cybersecurity requirements for consumer-grade routers to limit their vulnerability. The White House Press Release (the “Press Release”) announcing the Program acknowledged that such routers represent a “higher-risk type of product that, if compromised, can be used to eavesdrop, steal passwords, and attack other devices and high value networks.” NIST’s consumer-grade router effort is to be completed by the end of 2023 and is likely to incorporate the prior including the NIST IR 8259, Foundational Cybersecurity Activities for IoT Device Manufacturers. The FCC will then decide whether the Trust Mark program should be expanded to include such consumer-grade routers.
Practical Aspects of the Trust Mark
The Trust Mark itself will be trademarked by the FCC and consist of a shield logo signaling that a device meets the government’s established cybersecurity criteria. The Trust Mark label will also incorporate a QR code that links to a newly established “national registry of certified devices” (the “National Registry”). This National Registry is intended to provide additional “specific and comparable security information” about certified devices to provide consumers with more security-related to inform purchasing decisions. The final scheme is likely to reflect elements of other global IoT labelling efforts, such as Singapore’s Cyber Security Labelling Scheme, to which U.S. officials have previously pointed as a model framework.
The Press Release announced that the U.S. Department of Energy (“DOE”) and DOE National Labs will be collaborating with industry partners to “research and develop cybersecurity labeling requirements for smart meters and power inverters, both essential components of the clean, smart grid of the future.” Additionally, the U.S. Department of State will begin engaging international stakeholders to facilitate reciprocity among the growing spectrum of global IoT security schemes, which could otherwise create challenges for the same devices sold in multiple markets.
Crowell & Moring LLP and its global policy affiliate Crowell & Moring International LLC are continuing to monitor the development of these standards and the expansion of the Trust Mark initiative.