FCC Approves Cyber Trust Mark Program
The voluntary certification will be based on NIST cybersecurity standards.
Jake Neenan
WASHINGTON, March 14, 2024 – The Federal Communications Commission voted unanimously Thursday to create the Cyber Trust Mark for internet-connected devices.
The certification will be voluntary, but companies looking to display the mark – an EnergyStar-like signifier that a product is sufficiently secure against hacking – would have to show lab tests confirming a given product complies with cybersecurity standards set out by the National Institute of Standards and Technology.
“It is challenging even for the most informed consumer to confidently identify the cybersecurity capabilities of any given device,” said Commissioner Geoffrey Starks. “Help is on the way.”
The commission first sought comment on implementing the labeling scheme, part of a wider cybersecurity push by the Biden administration, in August.
Industry groups supported both the program's voluntary nature and the adoption of NIST frameworks, but the adopted order will also take up a product-level framework rather than a device-level one, something industry pressed the agency not to do, arguing it would be more complicated to implement.
Participating companies will have to commit to a support period, commissioners said, during which they will be legally required to patch vulnerabilities with software updates.
In the biggest edit from the public draft circulated last month, the agency will also be seeking comment on whether to require manufacturers to disclose any software or firmware developed in adversarial nations.
The adopted order will also disqualify devices manufactured by companies deemed to be national security threats. That includes companies on the FCC’s Covered List, the Commerce Department’s Entity List, and the Defense Department’s List of Chinese Military Companies.
The adopted order will stand up new positions within the agency to run the Cyber Trust Mark program, including a lead administrator who would be responsible for reviewing applications.
The European Union has entered an agreement with the White House on a “joint roadmap” for implementing the program in Europe, the Biden administration’s deputy national security advisor for cybersecurity and emerging technologies announced in January.
“Our expectation is that over time more companies will use the Cyber Trust Mark and more consumers will demand it,” said FCC Chairwoman Jessica Rosenworcel.