U.S. Cyber Trust Mark

When was the U.S. Cyber Trust Mark program created?

In August 2023, the FCC sought public comment on how to create the Cyber Trust Mark program. In March 2024, based on public input, we adopted rules establishing the framework for the program.

We are now in the process of standing up this comprehensive program. As we move forward, we will make additional announcements and will seek further public input on specific implementation details.

How will the U.S. Cyber Trust Mark program work?

Here is an overview:

• The U.S. Cyber Trust Mark logo will appear on wireless consumer IoT products that meet the program’s cybersecurity standards.
• The logo will be accompanied by a QR code that consumers can scan, linking to a registry of information with easy-to-understand details about the security of the product, such as the support period for the product and whether software patches and security updates are automatic.
• The voluntary program will rely on public-private collaboration, with the FCC providing oversight and approved third-party cybersecurity label administrators managing activities such as evaluating product applications, authorizing use of the label, and supporting consumer education.
• Compliance testing will be handled by accredited labs
• Examples of eligible products may include internet-connected home security cameras, voice-activated shopping devices, smart appliances, fitness trackers, garage door openers, and baby monitors.
• While the program is voluntary, participants must follow the FCC’s program requirements.
• The FCC will work with other federal agencies to develop international recognition of the FCC’s IoT Label and mutual recognition of international labels.

Which products will be included in the program?

The program applies to consumer wireless IoT products.

Examples of eligible products include internet-connected home security cameras, voice-activated shopping devices, smart appliances, fitness trackers, garage door openers, and baby monitors.

Which products will not be included in the program?

The FCC’s Cyber Trust Mark program does not include:

• Medical devices regulated by the Food and Drug Administration
• Motor vehicles and equipment regulated by the National Highway Traffic Safety Administration
• Wired devices
• Products primarily used for manufacturing, industrial control or enterprise applications
• Equipment on the FCC’s Covered List and equipment produced by an entity on the covered list
• IoT products from a company on other lists addressing national security
• IoT products produced by entities banned from Federal procurement

Our program, which is based largely on criteria established by the National Institute of Standards and Technology (NIST), initially focuses on wireless consumer IoT products but may evolve over time.  It does not include personal computers, smartphones, and routers. NIST is working to define cybersecurity requirements for consumer-grade routers.

What role will the third-party administrators play?

The Cyber Trust Mark program is owned by the Commission and will by supported by third party administrators. Their duties are spelled out in an FCC Order. In brief:

• The Lead Administrator will be responsible for collaborating with stakeholders and will recommend to the Commission cybersecurity standards, testing procedures, and label design. It will also be responsible for developing a consumer education campaign.
• The Cybersecurity Label Administrators will be responsible for day-to-day management of the program, including accepting and reviewing applications and approving or denying use of the FCC IoT Label.
• And the CyberLABs will test products to demonstrate they meet the program's cybersecurity requirements.

The Lead Administrator, Cybersecurity Label Administrators, and CyberLABs must be accredited to international (ISO/IEC) standards.

Can entities outside of the U.S. participate in the U.S. Cyber Trust Mark program?

Manufacturers outside of the U.S. will be eligible to apply for the U.S. Cyber Trust Mark for their products as long as they are not otherwise prohibited from participating in the program. In addition, entities may apply to be a recognized CyberLAB as long as they are not otherwise prohibited from the program. Manufacturers and other entities owned or controlled by, or affiliated with, any of the following sources are prohibited from the program:

• FCC Covered List;
• Department of Commerce’s Entity List;
• Department of Defense's List of Chinese Military Companies; and Products produced by any entity owned or controlled by or affiliated with any person or entity that has been suspended or debarred from receiving federal procurements or financial awards, to include all entities and individuals published as ineligible for award on the General Service Administration’s System for Award Management.

We will establish qualification criteria for any entity outside the U.S. to be approved to act as a Cybersecurity Label Administrator once appropriate international agreements or other appropriate prerequisites are in place. We may also establish additional criteria or procedures necessary with respect to LABs located outside of the United States.

What are the next steps to launch the program?

There are many steps to standing up such a comprehensive program.  Much of this is described in the FCC's Order, but in brief:

• We have been doing extensive stakeholder outreach to increase awareness and understanding of the new program. This should ultimately help increase participation in all aspects of program.
• We are also engaging with stakeholders on the details of the program (for example, standards and label design) to promote an efficient and timely rollout of the U.S Cyber Trust Mark.
• We are reviewing public input on certain implementation details for the program—for example, matters related to the structure of the registry.
• We are currently seeking applicants to serve as administrators of the program.  After a review and selection process, we will announce the administrators and select a Lead Administrator.
• The Lead Administrator will engage with stakeholders to develop recommendations for the FCC on issues including standards and testing procedures, label design, and post-market surveillance. 
• There will be an announcement when the program is ready to accept applications for products to bear the label.
• Meanwhile, we are reviewing the public input in response to the Further Notice of Proposed Rulemaking regarding additional potential disclosures related to national security.
• There will be some intermediary steps as well, and we will be communicating new developments as we move forward.

How will a manufacturer apply to use the U.S. Cyber Trust Mark?

Once the U.S. Cyber Trust Mark is launched:

• The applicant (e.g., manufacturer) must have its product tested by an accredited and FCC- recognized CyberLAB to ensure it meets the program’s cybersecurity requirements.
• The applicant would then submit an application with supporting documents to a Cybersecurity Label Administrator.
• The Cybersecurity Label Administrator will review the application and determine whether the IoT product meets the program requirements.
• The Cybersecurity Label Administrator will then either approve or deny the application.

What will happen when consumers scan the QR code that accompanies the U.S. Cyber Trust Mark?

Once the U.S. Cyber Trust Mark label is on products, it will be accompanied by a QR code that you can scan with your wireless phone to read easy-to-understand, security-related information about that particular product.  This information will include:

• How to change the default password
• How to configure the device securely
• Whether updates/patches are automatic and if not, how consumers can access them
• The product's minimum support period end date or a statement that the device is not supported by the manufacturer and the consumer should not rely on the manufacturer to release security updates