
News brief: U.S. Cyber Trust Mark update and how to prepare
Check out the latest security news from the Informa TechTarget team.
We live in a connected world. And while smart televisions, kitchen appliances, security cameras, baby monitors, robot vacuums, lawnmowers and fitness trackers make life undeniably more convenient, they also enable threat actors to virtually access users' homes -- and possibly their employers' corporate networks.
Cybersecurity leaders and data privacy advocates have long called for improvements in IoT security. In 2023, the federal government announced it would create a voluntary certification program to validate that participating IoT manufacturers have equipped their devices with foundational security capabilities.
The program has been in development since then, with the goal of accepting device submissions by the end of 2025. But an investigation by the Federal Communications Commission (FCC) into the program's lead administrator is putting the initiative's timeline in question.
This week's featured articles look at the status of the U.S. Cyber Trust Mark initiative and what IoT device manufacturers can do to prepare for certification amidst delays. Plus, learn how unsecured, at-home IoT devices put enterprises -- not just consumers -- at risk.
New FCC investigation threatens IoT security certification program
IoT device manufacturers have been eagerly waiting for the FCC to begin accepting applications to its new Cyber Trust Mark program, but the initiative is facing significant delays due to an investigation into its lead administrator, UL Solutions, over its ties with China.
The FCC launched the Cyber Trust Mark initiative during the Biden administration, with widespread bipartisan support from government officials and tech leaders. But a few months into President Donald Trump's tenure, new FCC Chairman Brendan Carr raised concerns about the firm chosen to oversee the initiative. His ongoing investigation focuses on UL Solutions' joint venture with a Chinese government-owned company and its operation of labs in China.
The Cyber Trust Mark program aimed to begin accepting product submissions in 2025. That appears increasingly unlikely, however, as testing standards still require approval and public comment. Prolonged delays risk discouraging vendor participation and losing momentum for the program.
How IoT devices qualify for Cyber Trust Mark certification
The U.S. Cyber Trust Mark program aims to build consumer trust and security awareness. Certified devices will display the Trust Mark label, along with QR codes linking to security information, such as how to change default passwords and apply software updates.
Once the FCC begins accepting submissions, interested IoT manufacturers will have to prove their devices meet specific cybersecurity standards. While these are still under review, stakeholders expect them to largely reflect existing NIST recommendations for IoT device security. These include the following:
- Unique device identification.
- Configurable security settings.
- Data protection through encryption.
- Controlled access to interfaces.
- Secure software update mechanisms.
- Cybersecurity state awareness.
Read the full story by Karen Scarfone and Alissa Irei on SearchSecurity.
The hidden risk of consumer devices in the hybrid workforce
Owners of consumer IoT devices aren't the only ones who should be concerned about their security -- their employers would also be wise to worry. Gene Moody, field CTO at endpoint management vendor Action1, wrote in commentary on Dark Reading that lax consumer device security can pose significant risks in hybrid work environments.
Home networks that now extend corporate environments often contain outdated, insecure devices with poor security practices. Many users never change default passwords or update firmware, and manufacturers frequently abandon support for older products. These vulnerabilities create attack vectors for cybercriminals to compromise enterprise systems, build botnets and launch attacks.
IT teams have no control over employees' home devices but bear the risk of breaches. Businesses should address this by encouraging router updates, implementing network segmentation, deploying endpoint detection tools, educating users about risks and potentially providing enterprise-managed routers for sensitive roles.
Editor's note: An editor used AI tools to aid in the generation of this news brief. Our expert editors always review and edit content before publishing.
Alissa Irei is senior site editor of Informa TechTarget Security.