
Cyber Trust Mark certification and how IoT devices qualify
The U.S. Cyber Trust Mark aims to highlight IoT devices that meet a certain security threshold. Explore key NIST recommendations informing certification requirements.
Consumer IoT device manufacturers have been gearing up to participate in an FCC program -- the U.S. Cyber Trust Mark -- that certifies they engineered their products to meet certain cybersecurity standards. The voluntary initiative is designed to validate the security of IoT devices for consumers' benefit. From a manufacturer's perspective, IoT devices that earn the Cyber Trust Mark certification may have a competitive advantage in winning customer trust.
The Federal Communications Commission (FCC) set up the program as a public-private partnership. In late 2024, it named 11 companies as cybersecurity label administrators (CLAs) and Illinois-based testing firm UL Solutions as the lead administrator.
The program has said it expects to begin accepting applications for certification from IoT device makers by 2026, although an investigation into UL Solutions and its ties to China might delay that timeline. In the meantime, here's what IoT device manufacturers need to know to prepare.
How does Cyber Trust Mark certification work?
The U.S. Cyber Trust Mark logo will appear on wireless consumer IoT products that qualify for certification, along with QR codes that users can scan to access security information specific to the devices, such as the following:
- How to change default passwords.
- How to securely configure devices.
- Information about accessing software updates and security patches, if they are not automatic.
- The minimum support period, or the date when the customer can no longer count on the manufacturer to issue security updates.
The approved third-party CLAs will evaluate product applications and authorize use of the Cyber Trust Mark label, accredited labs will handle compliance testing, and the FCC will oversee the program.
Eligible products include smart kitchen appliances, smart speakers, baby monitors, smart televisions, smart watches, fitness trackers, home security cameras, smart light bulbs, robot vacuum cleaners, garage door openers and more.
How can devices qualify for Cyber Trust Mark certification?
To qualify to use the Cyber Trust Mark label, manufacturers will need to equip their IoT devices with key cybersecurity capabilities.
Although official program requirements are still under review as of mid-2025, the FCC expects them to align closely with the following existing recommendations from NIST.
Device identification
Each IoT device must have unique logical and physical identifiers that set it apart from every other IoT device, even an identical model. The unique physical identifier must be readily apparent, such as a serial number etched into the device's case or printed on a label affixed to the case. The device's software provides the unique logical identifier to other devices and networks it interacts with -- e.g., a MAC address for a network interface. These identifiers make it easy to determine which device is involved if a security issue occurs.
Device configuration
Each IoT device must be configurable -- that is, its software must have settings that users can change to alter its security posture. For example, a user might configure a device to automatically check for, download and install security updates, rather than relying on manual intervention. To qualify for Cyber Trust Mark certification, IoT devices must also provide users with the ability to restore their settings to previous configurations.
Of course, it's vital that only authorized people, such as device owners, can alter configurations. Configuring a device to improve its security does no good if anyone can alter it at will.
Data protection
Data protection safeguards the confidentiality and integrity of the data an IoT device stores and transmits, using encryption and other forms of cryptography. It also permits owners to render any data stored on devices inaccessible, allowing them to resell, recycle or dispose of their devices without worrying that a third party could recover their data.
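The two halves of this requirement, encrypting stored data and being able to render it unrecoverable, fit together naturally when the device keeps its at-rest data under a device key and "disposal" simply destroys that key (crypto-erase). The following is an added illustration, not code from the article or from any Cyber Trust Mark program material. It uses only the Python standard library, so an HMAC-SHA256 counter-mode keystream stands in for AES-GCM, and the root key is generated in memory rather than held in a secure element; both are stated assumptions of the example.

```python
import hashlib
import hmac
import secrets


def _subkey(root: bytes, purpose: bytes) -> bytes:
    """Derive a purpose-specific key so the cipher and the MAC never share one."""
    return hmac.new(root, purpose, hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode. Stand-in for AES-GCM so the example runs on the stdlib."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


class DeviceStorage:
    """At-rest store: every record is encrypted and integrity-tagged under a device key.

    On real hardware the root key would live in a secure element or TPM; here it is
    generated in memory (constructed example).
    """

    def __init__(self) -> None:
        self._root = secrets.token_bytes(32)
        self._records = {}  # name -> (nonce, ciphertext, tag)

    def _keys(self):
        if self._root is None:
            raise RuntimeError("device key destroyed; stored data is unrecoverable")
        return _subkey(self._root, b"enc"), _subkey(self._root, b"mac")

    def put(self, name: str, plaintext: bytes) -> None:
        enc_key, mac_key = self._keys()
        nonce = secrets.token_bytes(16)
        ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
        tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()  # encrypt-then-MAC
        self._records[name] = (nonce, ct, tag)

    def get(self, name: str) -> bytes:
        enc_key, mac_key = self._keys()
        nonce, ct, tag = self._records[name]
        expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):  # check integrity before decrypting
            raise ValueError(f"integrity check failed for {name!r}")
        return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))

    def factory_reset(self) -> None:
        """Crypto-erase: destroy the key. Ciphertext may linger on flash but cannot be decrypted."""
        self._root = None

    def simulate_flash_corruption(self, name: str) -> None:
        """Flip one bit of a stored ciphertext, as a flash fault or tampering would."""
        nonce, ct, tag = self._records[name]
        self._records[name] = (nonce, bytes([ct[0] ^ 0x01]) + ct[1:], tag)

    def flash_dump(self) -> bytes:
        """What someone reading the flash chip directly would see: ciphertext only."""
        return b"".join(nonce + ct + tag for nonce, ct, tag in self._records.values())
```

The point for resale or recycling is that `factory_reset` does not need to overwrite every block of flash: once the key is gone, whatever remains on the chip is indistinguishable from random bytes.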
Logical access to interfaces
To prevent any misuse of IoT devices, owners must be able to deactivate any local or network interfaces that they don't need.
In the case of a necessary network interface, an owner must be able to require authentication so that only authorized people or devices can communicate with it. This prevents remote attackers and compromised computers from gaining unauthorized access to an IoT device.
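The configuration requirements above (owner-only changes, restore to a previous configuration) and the interface requirements (disable what is not needed, require authentication on network interfaces that stay enabled) can be enforced in one small settings layer. The example below is added here and is not code from the article or from any certification program. The owner credential, the interface list and their attributes are constructed for the illustration; a real device would check the owner's credential against a secure store rather than a constant.

```python
import copy
import hmac

# Constructed owner credential; a real device would hold a hash of it in protected storage.
OWNER_TOKEN = b"constructed-owner-secret"


class DeviceConfig:
    """Owner-authorized settings store with snapshot history and interface policy."""

    # Constructed defaults: Wi-Fi on with auth, Bluetooth off, local UART debug port on.
    DEFAULTS = {
        "auto_update": False,
        "interfaces": {
            "wifi": {"enabled": True, "network": True, "auth_required": True},
            "ble": {"enabled": False, "network": True, "auth_required": False},
            "uart": {"enabled": True, "network": False, "auth_required": False},
        },
    }

    def __init__(self) -> None:
        self._current = copy.deepcopy(self.DEFAULTS)
        self._history = []  # previous configurations, most recent last

    def _authorize(self, token: bytes) -> None:
        """Only the owner may change settings; anyone else gets PermissionError."""
        if not hmac.compare_digest(token, OWNER_TOKEN):
            raise PermissionError("only the device owner may change settings")

    def _commit(self, new: dict) -> None:
        self._history.append(self._current)
        self._current = new

    def set_auto_update(self, token: bytes, value: bool) -> None:
        self._authorize(token)
        new = copy.deepcopy(self._current)
        new["auto_update"] = bool(value)
        self._commit(new)

    def set_interface(self, token: bytes, name: str, enabled: bool, auth_required=None) -> None:
        """Enable or disable an interface; an enabled network interface must require auth."""
        self._authorize(token)
        new = copy.deepcopy(self._current)
        iface = new["interfaces"][name]
        iface["enabled"] = enabled
        if auth_required is not None:
            iface["auth_required"] = auth_required
        if iface["enabled"] and iface["network"] and not iface["auth_required"]:
            raise ValueError(f"{name}: enabled network interfaces must require authentication")
        self._commit(new)  # only reached if the new configuration passes policy

    def restore_previous(self, token: bytes) -> None:
        """Roll the configuration back one step."""
        self._authorize(token)
        if not self._history:
            raise LookupError("no previous configuration to restore")
        self._current = self._history.pop()

    def snapshot(self) -> dict:
        return copy.deepcopy(self._current)

    def can_accept(self, name: str, authenticated: bool) -> bool:
        """Decision the interface handler makes for an incoming connection or session."""
        iface = self._current["interfaces"][name]
        if not iface["enabled"]:
            return False
        if iface["auth_required"] and not authenticated:
            return False
        return True
```

Policy is checked before the change is committed, so a rejected change never enters the history and a later `restore_previous` cannot resurrect it.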
Software updates
Regular and reliable software updates and patches help owners protect their IoT devices from vulnerabilities. To that end, manufacturers must engineer certified devices to do the following:
- Ensure software updates are legitimate before installation.
- Offer a rollback feature in the event an update needs to be removed.
- Give owners the choice to acquire updates either automatically or manually.
Collectively, these features enable device owners to ensure secure updates and control when they occur.
Cybersecurity state awareness
Cybersecurity state awareness means the device itself "knows" its current cybersecurity state and can provide that information to owners on demand. Importantly, devices must also prevent any unauthorized users from altering state information to mislead owners.
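The three update capabilities listed above (authenticity check, rollback, owner choice of automatic or manual updates) and the state-awareness requirement combine well in an A/B slot updater that also reports its own state with an integrity tag. The code below is an added example, not the article's or any program's reference implementation. It runs on the standard library only, so HMAC-SHA256 stands in for the asymmetric vendor signature a real device would verify with a public key in ROM, the device state key is a constant rather than a secure-element key, and the manifest format is constructed for the illustration. It goes one step beyond the text by adding an anti-rollback floor, so that rolling back cannot reinstall an image a security fix has superseded.

```python
import hashlib
import hmac
import json

# Constructed keys. A real device verifies manifests with an asymmetric vendor public key
# burned into ROM; HMAC stands in here so the example runs on the stdlib.
VENDOR_KEY = b"constructed-vendor-signing-key"
DEVICE_STATE_KEY = b"constructed-device-state-key"  # would be held in a secure element


def _canonical(obj: dict) -> bytes:
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def make_manifest(image: bytes, version: int, security_fix: bool = False) -> dict:
    """Vendor side: describe an image so the device can check it before installing."""
    return {"version": version, "sha256": hashlib.sha256(image).hexdigest(),
            "security_fix": security_fix}


def sign_manifest(manifest: dict) -> bytes:
    """Vendor side: the signature the device will verify."""
    return hmac.new(VENDOR_KEY, _canonical(manifest), hashlib.sha256).digest()


def verify_state_report(report: dict) -> bool:
    """True if a state report still carries the tag the device computed over it."""
    expected = hmac.new(DEVICE_STATE_KEY, _canonical(report["state"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(report["tag"], expected)


class Updater:
    """A/B slot updater with signature, hash and anti-rollback checks."""

    def __init__(self, image: bytes, version: int) -> None:
        self.slots = {"A": (version, image), "B": None}
        self.active = "A"
        self.auto_update = False    # owner's choice: acquire updates automatically or manually
        self.min_version = version  # anti-rollback floor; raised when a security fix installs

    def _inactive(self) -> str:
        return "B" if self.active == "A" else "A"

    def verify(self, manifest: dict, signature: bytes, image: bytes):
        """Return None if the update is acceptable, otherwise the reason it is not."""
        if not hmac.compare_digest(signature, sign_manifest(manifest)):
            return "signature invalid"
        if hashlib.sha256(image).hexdigest() != manifest["sha256"]:
            return "image hash does not match manifest"
        if manifest["version"] < self.min_version:
            return "version below anti-rollback floor"
        return None

    def install(self, manifest: dict, signature: bytes, image: bytes) -> int:
        reason = self.verify(manifest, signature, image)
        if reason is not None:
            raise ValueError(reason)
        slot = self._inactive()
        self.slots[slot] = (manifest["version"], image)
        self.active = slot  # switch the boot slot only after every check has passed
        if manifest.get("security_fix"):
            self.min_version = manifest["version"]
        return manifest["version"]

    def rollback(self) -> int:
        """Boot the previous image, unless that would reopen a fixed vulnerability."""
        prev = self.slots[self._inactive()]
        if prev is None:
            raise LookupError("no previous image to roll back to")
        if prev[0] < self.min_version:
            raise ValueError("previous image is below the anti-rollback floor")
        self.active = self._inactive()
        return prev[0]

    def security_state(self) -> dict:
        """Cybersecurity state the device reports to its owner, integrity-tagged."""
        prev = self.slots[self._inactive()]
        state = {
            "active_slot": self.active,
            "firmware_version": self.slots[self.active][0],
            "auto_update": self.auto_update,
            "rollback_available": prev is not None and prev[0] >= self.min_version,
        }
        tag = hmac.new(DEVICE_STATE_KEY, _canonical(state), hashlib.sha256).hexdigest()
        return {"state": state, "tag": tag}
```

The order of checks in `verify` matters: the signature is checked first, so an unsigned or re-signed manifest is rejected before the device spends any effort hashing the image or consulting its version floor. The tag on the state report lets the device (or a companion app holding the verification key) detect a report that was edited after the device produced it, which is the "cannot be altered to mislead owners" property the requirement asks for.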
The NIST recommendations expected to inform Cyber Trust Mark certification requirements also call for IoT device manufacturers to do the following:
- Share comprehensive security documentation and data privacy policies with customers.
- Provide channels for customers to ask questions and register complaints, and for security researchers to report vulnerabilities.
- Disseminate product education and security awareness materials.
Karen Scarfone is the principal consultant at Scarfone Cybersecurity in Clifton, Va. She provides cybersecurity publication consulting to organizations and was formerly a senior computer scientist for NIST.
Alissa Irei is senior site editor of Informa TechTarget Security.