Skip to main content

The Biden administration is tackling smart devices with a new cybersecurity label

The Biden administration is tackling smart devices with a new cybersecurity label


The US Cyber Trust Mark would require smart products to meet certain thresholds, including ongoing software security support, to qualify for the program.

Share this story

If you buy something from a Verge link, Vox Media may earn a commission. See our ethics statement.

A collection of warning signs, bugs, and notifications emulating malware or a cyber attack. The images are placed in a connected web against a blue background.
Illustration by Carlo Cadenas / The Verge

The Biden administration is launching a new cybersecurity label for smart devices today.

In a press briefing, Federal Communications Commission (FCC) Chair Jessica Rosenworcel said the new label, called the US Cyber Trust Mark, will signify that devices bearing it meet security standards based on those established in a report by the National Institute of Standards and Technology (NIST). The voluntary program is expected to be in place in 2024, with the labels hitting devices “soon after.”

The Biden administration revealed the new Cyber Trust logo with a livestream from the White House on Tuesday morning.

A collection of different color versions of the Cyber Trust Mark — from top left to bottom right: An aqua gradient version, a black version, a green gradient version, a red gradient version, and a white version. The logo is an outline of a shield with a constellation of several boxes inside, three of which are connected by thin lines.
US Cyber Trust Mark variants.
Image: Federal Communications Commission

The program is meant to cover connected devices commonly found in the home, like smart refrigerators, smart microwaves, smart televisions, and smart climate control systems. But the announcement also lists “smart fitness trackers” as a device that would be covered by the certification and labeling program, suggesting ambitions beyond the commonly-defied smart home automation space.

It has voluntary support from several electronics, appliance, and consumer product manufacturers, retailers, and trade associations, including Google, Samsung, Logitech, Amazon, Best Buy, and the Connectivity Standards Alliance (home of the Matter smart home standard).

Think Energy Star but for the security of smart devices

The FCC is “acting under its authorities to regulate wireless communication devices” to propose the certification and labeling program, which it says would require “strong default passwords, data protection, software updates, and incident detection capabilities,” according to a press release. Rosenworcel likened it to Energy Star, which denotes products such as computers or appliances that meet certain energy efficiency standards.

The Cyber Trust label has two parts: a logo stamped on the box of a product and a QR code that buyers can scan later to verify that the device is still certified as cybersecurity threats evolve and patches are needed.

Two product boxes, each featuring a label on the front with the Cyber Trust shield, QR code, and relevant data.


Image: Federal Communications Commission

The Cyber Trust label, shown above in a gallery of screenshots from the White House livestream, has spaces for a ton of detail, particularly after you scan the QR code. On the packaging and in online listings, the FCC’s example showed quick information about what sensor data is collected and which of it is shared, as well as how security updates are applied or what kind of authentication it supports. By scanning the QR code, you’d see even more detail on your smartphone; for instance, it may include how long you can expect security updates.

The video also showed rows offering what kind of data is collected, why it’s gathered, and if the data stored can identify you, as well as whether and what kind of data is stored in the cloud. Want to know if the device maker will share or sell your data? Under the FCC’s plan, that would also be disclosed. Other relevant columns for video, audio, health devices, and location data are shown, and at the bottom, a field for other collected data. The concept also showed a user clicking the label in an online listing to see the same expanded data.

A senior FCC official said during the Q&A session after the briefing that the Commission is considering annual recertifications, but the intervals haven’t yet been decided yet, as the proposed label goes through the rule-making process and public comment period. As for who will handle certification, Anne Neuberger, deputy national security advisor, said that would fall to third-party labs like the Connectivity Standards Alliance or the Consumer Technology Association.

Neuberger said the label is necessary to “drive the market to build more secure products by design,” saying that companies being able to differentiate themselves with such a label could make them more comfortable with the higher costs of better security.

She also said the program would help drive accountability, as smart home products will have to continue issuing security patches as needed to retain their Cyber Trust label. Neuberger said in an interview with The Verge that there’s always going to be “a new zero-day,” calling it “troublesome” that, at times, when the intelligence community discloses an IoT vulnerability to companies, they say they’re done with those products and won’t issue a patch.

During the interview, Neuberger pointed to the NIST report when asked what the FCC will consider an “IoT product” under the Cyber Trust labeling program. Essentially, according to the NIST, any network-connected device with a “sensor or actuator” can be considered an “IoT device,” while the whole of that device — the associated app, the cloud back end, and required bespoke hubs — is considered the “IoT product.”

Separate networking devices like Zigbee and Z-Wave hubs that aren’t associated with any one device, though, are instead lumped in with Wi-Fi routers, which weren’t examined as part of the report. The NIST is defining the cybersecurity requirements of consumer-grade routers as a priority given the risks they present to eavesdropping, password theft, and other nefarious activities in targeted homes. It expects to complete this work by the end of 2023 so that the Commission can consider the cybersecurity requirements of routers for inclusion in the labeling program.

So far, the administration lists the following “participants” in support of today’s announcement:

Amazon, Best Buy, Carnegie Mellon University, CyLab, Cisco Systems, Connectivity Standards Alliance, Consumer Reports, Consumer Technology Association, Google, Infineon, the Information Technology Industry Council, IoXT, KeySight, LG Electronics U.S.A., Logitech, OpenPolicy, Qorvo, Qualcomm, Samsung, UL Solutions, Yale and August U.S.

Update July 18th, 11:55AM ET: Added tweet and link to the White House press release as well as a link to the livestream. Also added an image of the Cyber Trust Mark in several variants. Finally, updated with more detail on the label and a gallery of screenshots.