IoT & Embedded Technology Blog

The Cyber Trust Mark: Furthering IoT Security Initiatives

by Brendan Bradley | 8/7/2023

On July 18th, the White House announced the rollout of a new program targeting IoT device security. Under this new initiative proposed by the Federal Communications Commission (FCC) and expected to go into effect in 2024, IoT device manufacturers will be able to voluntarily enroll in and apply for the “U.S. Cyber Trust Mark”. The program will enable manufacturers to place this stamp of approval on their devices, advertising to consumers the sound security features found within. In order to achieve this certification, manufacturers will need to address basic security concerns that have plagued the IoT. Specific criteria will be based on cybersecurity guidelines defined by the National Institute of Standards and Technology (NIST), including but not limited to unique default passwords, secure data protection and software updates, and incident detection capabilities.

The Cyber Trust Mark is not mandatory; it joins a portfolio of voluntary consumer certifications such as the Energy Star Rating and the Fair Trade certification. The exponentially growing IoT market is uniquely positioned to benefit from this consumer labelling. The permeation of IoT devices into all areas of daily life, combined with the average consumer’s lack of cybersecurity awareness, can turn smart homes into an amalgamation of security vulnerabilities. This simple mark provides vendors with an easily obtainable competitive edge while equipping consumers with the confidence they need to make safe and informed purchasing decisions. Although it will not guarantee cyber-invulnerability, the program will help consumers ensure that products at least meet minimum cybersecurity standards.

Voluntary certification marks are not new to the IoT device market. Launched in November of 2022, the Matter certification is a voluntary standard that ensures secure interoperability between all certified devices. In order to achieve this compatibility, Matter-certified devices securely communicate with each other via public key infrastructure (PKI) and digital certificates. Unlike the Cyber Trust Mark, the Matter certification is issued by the Connectivity Standards Alliance (CSA), a non-government consortium of industry participants.

As the IoT continues to expand, with new use cases emerging every day, government regulation will continue to expand in tandem. In the EU, the Cyber Resilience Act is working its way through the European Parliament. Among other objectives, this legislation calls for the implementation of stricter safeguards in devices, along with continued vulnerability monitoring once deployed. VDC predicts that, as vendors continue to feel pressure from regulatory authorities and standardization bodies, manufacturers will begin to use PKI to secure their IoT devices.

To learn more about the factors influencing IoT device security, check out VDC’s report, The IoT Market for Public Key Infrastructure & Digital Certificates.