U.S. Cyber Trust Mark: Where are we?

Cybersecurity
Written By Hosch & Morris

This week, let’s look at the status of efforts to roll out the U.S. Cyber Trust Mark (the “Mark”).

Background:

Internet of Things (“IoT”) or “smart” devices have long been a cyber security concern, particularly in consumer devices such as door cameras, fitness trackers, household appliances, and baby monitors.

In 2023, the Federal Communications Commission (“FCC”) began to develop the requirements of a certification mark that could be affixed to such products that met certain cybersecurity standards – roughly like the “Energy Star” certification mark you see on appliances that meet energy-efficiency standards.

The National Institute of Standards and Technology (“NIST”) would develop the standards for consumer products to meet, and Underwriters Laboratory (UL, LLC) would develop the assessment protocols by which they would be tested. Then about ten other well-known testing agencies would be authorized to conduct the testing, along with Underwriters Laboratory. The program was initially conceived to be voluntary, though there were indications President Biden intended to order the U.S. Government to use only “U.S. Cyber Trust certified” products by 2027. 

Status:

As of mid-December 2024, most of the preliminary work had been completed. The FCC was said to be working on “standing up” the program, expecting to see Mark-labeled products on retail shelves later in 2025.

Indications were that the incoming chairman of the FCC supports this initiative and wants the Mark to be introduced. The latest news release from the White House, however, dated January 2025, was removed from the White House website on the afternoon of Inauguration Day and replaced with a “404 Page Not Found” error message. 

You can read some of the more recent information about the Mark by clicking on the following links:

https://www.fcc.gov/CyberTrustMark

https://www.nbcnews.com/tech/security/us-roll-cyber-trust-mark-label-secure-devices-rcna186642

Our Thoughts:

Ordinarily, cybersecurity initiatives have been considered non-partisan, and one of the few things on which the parties could generally agree. There is some question, though, as to whether private companies should be asked to upgrade their systems voluntarily, or whether improved systems should be mandatory.

There are indications that toward the end of its term in office, the outgoing administration concluded that many voluntary efforts hadn’t worked well enough and that stricter requirements should be enacted, particularly with respect to software procurement. What the new administration will think of that is one of many questions “in the air.” We certainly hope it agrees.   

---

Hosch & Morris, PLLC is a boutique law firm dedicated to data privacy and protection, cybersecurity, the Internet and technology. Open the Future℠.

 

 

 

 

Hosch & Morris https://hoschmorris.com
Previous

Texas Court of Appeals Dismisses Privacy Lawsuit Against Google: Implications for Corporate Jurisdiction
Next

AI Marketing Claims Under FTC Scrutiny