US Deputy National Security Advisor Anne Neuberger, Chairwoman of the Federal Communications Commission (FCC) Jessica Rosenworcel, and Laurie Locascio, Director of the National Institute of Standards and Technology (NIST) unveiled the U.S. national IoT security label at the White House. The new label supports the IoT security requirements under the National Institute of Standards and Technology (NIST) IR 8425, which resulted from an Executive Order to improve the nation’s cybersecurity. This label will recognize products that meet these requirements by permitting them to display a US government label and be listed in a registry indicating that these products meet US cybersecurity standards.
Results from recently conducted research from Omdia demonstrate this need for IoT device security, with 84 percent of consumers indicating that security is an important consideration when making a purchasing decision. In 2022, the Connectivity Standards Alliance, now with over 620 global members, made the crucial decision to form a new working group to address this critical need. Today, more than 130 companies actively work within the Product Security Working Group.
This new Working Group is creating a single global program for consumer IoT product security certification suitable for meeting the requirements of emerging standards and regulations around the world, including the US Cybersecurity Label. Products certified under this Alliance certification program will be required to demonstrate conformance to the Working Group’s globally harmonized specification. The specification and certification will initially be based on the National Institute of Standards and Technology (NIST) IR 8425, European Telecommunications Standards Institute (ETSI) EN 303 645, and the Singapore Cybersecurity Labeling Scheme.
By basing the program on government standards and regulations, recognition by multiple government labels, such as the new US Cybersecurity Label, can be efficiently achieved. Consumers worldwide can select from a multitude of certified products with confidence, while manufacturers enjoy a single certification program that demonstrates conformance, avoiding the need for duplicative testing and certification in each country.
"The US Cybersecurity Label for consumer IoT device cybersecurity is an essential step in building trusted IoT products and ecosystems," says Steve Hanna of Infineon and Chair of the Product Security Working Group Steering Committee. "By building on the foundational work of the US and other countries and regions, we are committed to delivering a single certification program that aligns with various local requirements so that consumers have a wide selection of security-certified products."
"Security is crucial for the Internet of Things. Without sufficient cybersecurity, there cannot be any IoT," states Thomas Rosteck, President of Connected Secure Systems, Infineon Technologies. "As a leading provider of semiconductors for security and IoT devices, Infineon welcomes the step the US government has made and fully supports programs to boost cybersecurity for the Internet of Things. The US label is a significant milestone towards strong global cybersecurity standards. We believe the implementation of this program will empower consumers and further boost the adoption of IoT products in the U.S. and beyond."
Infineon was involved in the development of the IoT label program through its participation as a member of the Connectivity Standards Alliance (CSA). The US cybersecurity guidelines are closely aligned with several CSA standards, including the Matter standard. Matter provides device manufacturers with a secured communication standard for a wide range of smart home applications and thus improves connectivity between smart devices from different manufacturers.
CSA’s Product Security effort (chaired by Infineon) will certify that IoT devices meet global security requirements, including those used by the U.S. national label. Together, these standards move the IoT to a higher level of interoperability and security.
The Consumer Technology Association (CTA) joined officials from the Federal Communications Commission (FCC), the National Security Council (NSC) and the National Institute of Standards and Technology (NIST) for the launch of the US Cyber Trust Mark program to give consumers more information about the cybersecurity of the Internet of Things (IoT)-connected products they buy.
"While walking CES this year, I saw IoT products that improve healthcare, transportation and energy efficiency. While IoT makes our world better, it also tempts bad actors to exploit consumers’ connected devices," says CTA president and CEO Gary Shapiro. "Research shows consumers want more information on the safety and security of their connected devices, and we agree."
"Today's announcement is a prime example of what can be accomplished through public-private cooperation. This announcement was informed by recommendations that CTA made over the past five years. The program relies on a voluntary, dynamic product certification program that requires manufacturers to use specific security measures. That certification will help educate consumers and businesses about new connected products they’re evaluating or purchasing."
Consumers can expect to see certification-ready products at CES 2024. In the interim, the CTA will continue to convene manufacturers, alliances, universities, consumer advocates, and CTA's own ANSI accredited standards body to work with federal officials as they craft final rules governing the program.
"CTA’s work created the foundation for the US Cyber Trust Mark to help consumers identify secure products," adds Michael Bergman, Vice President, Technology and Standards, CTA. "This program will minimize label footprint on packaging, while allowing for flexibility in displaying web pages for specific security parameters to consumers for participating devices."
Several major electronics, appliance, and consumer product manufacturers, retailers, and trade associations have made voluntary commitments to increase cybersecurity for the products they sell. Manufacturers and retailers announcing support and commitments today to further the program include Amazon, Best Buy, Google, LG Electronics, Logitech, and Samsung Electronics.
Participants in the announcement also include: Carnegie Mellon University, CyLab, Cisco Systems, Connectivity Standards Alliance, Consumer Reports, Consumer Technology Association, Infineon, the Information Technology Industry Council, IoXT, KeySight, OpenPolicy, Qorvo, Qualcomm, UL Solutions, and Yale.
Under the proposed new program, consumers would see a newly created “U.S. Cyber Trust Mark” in the form of a distinct shield logo applied to products meeting established cybersecurity criteria. The goal of the program is to provide tools for consumers to make informed decisions about the relative security of products they choose to bring into their homes.
The Biden-Harris Administration announcement was held at the Eisenhower Executive Office Building and included a trade-show-style exhibition showcasing the latest technology in Internet-connected consumer products, including TVs, washing machines, and a range of consumer appliances.
www.cta.tech
www.csa-iot.org
