US Cyber Trust Mark: Cybersecurity Labeling Program Launching in 2025

U.S. Cybersecurity Labeling Program Launching in 2025

The United States government has declared that its anticipated cybersecurity labeling scheme for consumer internet-connected devices will commence in 2025.

Introduction of the U.S. Cyber Trust Mark

Initially presented by the Biden administration in June 2023, the U.S. Cyber Trust Mark is a voluntary labeling program intended to elevate security standards for internet-connected devices. This initiative aims to empower consumers to make well-informed choices regarding the security features of their purchased devices.

Although originally planned for a late 2024 rollout, the White House has now confirmed the program will be operational this year.

Program Details and Timeline

While a specific launch date remains undisclosed, companies will shortly have the opportunity to submit their products for evaluation by one of eleven approved testing organizations. The goal is to have certified products available in retail stores by 2025.

Comparison to Energy Star

The voluntary Cyber Trust Mark program draws parallels to the Energy Star initiative. Like Energy Star, which identifies energy-efficient products, the Cyber Trust Mark focuses on enhancing the security of consumer internet-connected devices.

This includes commonly vulnerable devices such as routers, home security cameras, smart speakers, and baby monitors, which often suffer from weak default passwords and a lack of ongoing security updates.

Retailer Support and QR Code System

Major retailers, including Best Buy and Amazon, are expected to prominently feature products displaying the U.S. Cyber Trust Mark. The mark will be presented as a QR code, allowing consumers to access detailed cybersecurity information about the product.

This information will encompass the duration of support provided and whether security updates are automatically installed.

Government Procurement Mandate

According to Anne Neuberger, U.S. Deputy National Security Adviser for Cyber and Emerging Technology, an executive order is being finalized. This order will mandate that the U.S. government exclusively purchase products certified with the Cyber Trust Mark, beginning in 2027.

NIST Cybersecurity Standards

To qualify for the Cyber Trust Mark, products must adhere to cybersecurity standards established by the National Institute of Standards and Technology (NIST). These standards, as outlined in 2023, include requirements for robust default passwords, data protection measures, software updates, and incident detection capabilities.

The complete set of standards is still pending publication, but NIST has initiated work on recommendations for securing “high-risk” consumer routers, frequently targeted by malicious actors.

Future Program Expansion

The second phase of the Cyber Trust Mark will concentrate on improving the security of routers utilized in small offices and home offices (SOHO). These routers have increasingly become attractive targets for botnet operators.

These operators exploit the hijacked internet bandwidth of compromised devices to launch denial-of-service attacks. The timeline for the second phase of the initiative has not yet been announced.

Zack Whittaker contributed reporting.