Understanding the US Cyber Trust Mark

Mar 3, 2025 | Cyber resilience act, news

The United States is set to launch the US Cyber Trust Mark in 2025, a groundbreaking voluntary initiative aimed at enhancing the cybersecurity of wireless consumer IoT products sold in the U.S. market. This program marks a significant step in creating safer digital ecosystems by promoting transparency, security, and trust in smart devices.

As mentioned in our previous article, a CyberSafe Products Action Plan builds on existing cybersecurity frameworks. In the EU we have the Cyber Resilience Act (CRA) that establishes security requirements for digital products, while in the U.S. there is the Cyber Trust Mark Program. Let`s dive deeper to understand better this trust mark.

What is the US Cyber Trust Mark?

The US Cyber Trust Mark is a cybersecurity labeling program introduced by the Federal Communications Commission (FCC). Its goal is to help consumers identify IoT products that meet recognized cybersecurity standards, empowering them to make informed decisions about the devices they bring into their homes.

The program is designed to enhance the security of wireless consumer IoT products sold in the United States. The program applies to a wide range of devices, including smart home appliances, wearable technologies, and other connected products, ensuring comprehensive coverage of the consumer IoT market.

Participation in the initiative is voluntary, allowing manufacturers to demonstrate their commitment to cybersecurity by meeting established standards. With the program’s expected launch in 2025, businesses have time to align their products with the framework and prepare for compliance, showcasing their dedication to delivering secure and trustworthy technologies.

How Does the U.S. Cyber Trust Mark Work?

The program involves Cybersecurity Label Administrators (CLAs)– organizations authorized to assess IoT products for compliance with security standards. In December 2024, the FCC announced the conditional approval of 11 companies as CLAs, with UL Solutions selected as the Lead Administrator. These administrators will evaluate product applications, authorize the use of the label, and support consumer education.

Participating devices will feature a certification label with a shield logo and a QR code, allowing consumers to scan for detailed security information, including support periods, automatic software updates, and security patch details.

Bureau Veritas (7layers), a partner in the CRACoWi Project, is one of the organizations that can conduct these cybersecurity assessments under the U.S. Cyber Trust Mark framework through authorization as Lab for CSA-PSWG, CTIA IoT-Cyber and ioXt. With its expertise in testing, certification, and regulatory compliance, Bureau Veritas helps businesses navigate the certification process efficiently, ensuring they meet the necessary security requirements.

Global Streamlining

In a joint statement, the European Union (EU) and U.S. have emphasized their commitment to mutual recognition of cybersecurity standards, including the US Cyber Trust Mark and the EU’s Cyber Resilience Act (CRA). This alignment seeks to streamline compliance for global manufacturers, ensuring that IoT products meet shared security expectations across both markets. Read also our article on Transatlantic Cooperation for Cybersecurity and a Safer Future for IoT Products

Except initiatives introduced by national authorities, we can see some good examples of projects, like the CRACoWi Project, that play a vital role in improving cybersecurity awareness and resilience in IoT devices. By highlighting initiatives like the U.S. Cyber Trust Mark, CRACoWi helps manufacturers navigate global cybersecurity requirements and align with emerging standards.

The launch of the U.S. Cyber Trust Mark is a critical step toward securing the digital world. By adopting voluntary cybersecurity certifications, manufacturers can demonstrate their commitment to security and innovation, while consumers gain greater confidence in IoT technologies.

💡 Stay Connected:

Cyber Resilience Act Published as Regulation in the Official Journal

Nov 22, 2024 | Cyber resilience act, news

The Cyber Resilience Act (CRA) has officially been adopted, marking a major step towards enhancing cybersecurity standards across the EU. Its publication in the Official Journal of the European Union (EUR-Lex) as Regulation 2024/2847was the final step in the legislative process for the CRA. The act establishes horizontal cybersecurity requirements for products with digital elements, addressing widespread vulnerabilities and inconsistent security update practices, with the aim of improving the security and resilience of digital products throughout their lifecycle​.

This final step defines the deadlines as follows:

  • December 10, 2024: Following its publication in the Official Journal of the European Union on November 20, 2024, the CRA will enter into force on the twentieth day after its publication, ensuring a swift transition towards enhanced cybersecurity standards.
  • September 11, 2026: Reporting obligations for stakeholders take effect.
  • December 11, 2027: Full application of the regulation.

The CRA introduces horizontal cybersecurity standards applicable to hardware, software, and digital services. The goal is to address widespread vulnerabilities and ensure that manufacturers prioritize security throughout a product’s lifecycle.

The regulation requires manufacturers to adopt vulnerability management processes and ensure timely security updates. It emphasizes transparency in the product lifecycle, obligating manufacturers to clearly communicate the duration of support for security updates.

The act also includes provisions to support microenterprises and small businesses, particularly in understanding and complying with the cybersecurity standards required by the regulation.

The Scope and Specific Provisions of the Cyber Resilience Act (CRA) require that all products with digital elements meet mandatory cybersecurity standards before being sold in the EU. Products must also display the CE marking, indicating compliance with EU safety regulations. Additionally, the CRA distinguishes between “important” and “critical” products, with stricter assessments applied to higher-risk products to ensure greater security.

Furthermore, the CRA ensures consumers are better informed about the security features of digital products, providing them with tools to choose secure devices and ensuring a safer digital environment for end-users, including children.

Overall, the Cyber Resilience Act sets the foundation for a more resilient digital landscape in Europe by mandating essential cybersecurity measures for all digital products. Emphasizing transparency, the CRA requires from manufacturers to prioritize cybersecurity at every stage – from design to end-of-life – while ensuring users are informed about security support periods. By harmonizing requirements across the EU, the act aims to foster a secure digital market while minimizing risks for consumers and businesses alike.

For more details, see the full regulation on EUR-Lex.