U.S. Cyber Trust Mark cheat sheet
Thinking about buying physical security systems for your organization, like smart locks, surveillance cameras, access control systems, or alarm systems? If so, make sure you’re familiar with the U.S. Cyber Trust Mark, a voluntary program introduced by the federal government that is getting a lot of buzz right now.
What is it?
The U.S. Cyber Trust Mark is designed to help American consumers evaluate the cybersecurity standards of Internet of Things (IoT) devices, like refrigerators, baby monitors, and fitness trackers, before buying. Physical security teams also have to be on guard against bad actors, data breaches, and unauthorized access when acquiring systems for protecting businesses.
According to the official announcement: “The White House launched this bipartisan effort to educate American consumers and give them an easy way to assess the cybersecurity of such products, as well as incentivize companies to produce more cybersecure devise [sic], much as EnergyStar labels did for energy efficiency.”
Eighteen months in the making, the program moved forward in December 2024, when the FCC selected ten companies to be Cybersecurity Label Administrators, in charge of deciding which companies get the label, consumer education, and more. Going forward, the FCC will continue to oversee the administration of the program.
How does it work?
Coming soon: The process will begin in 2025. After undergoing testing, eligible manufacturers can display a trademarked shield logo. The logo is a stamp of approval indicating compliance with U.S. National Institute of Standards and Technology (NIST) cybersecurity standards.
Additionally, there will be QR codes consumers can scan to get more information, such as:
- The timeframe for vendor support of device security
- Instructions for changing the default password
- How to know if patches and updates are automatic
- Instructions for secure configuration of devices
Which companies are participating?
According to Security Week, participating companies include:
- Amazon
- Best Buy
- LG Electronics USA
- Logitech
- Samsung
Does this mean consumers don’t have to worry about cybersecurity for these devices?
Unfortunately, this is not the case. Consumers are still responsible for following cybersecurity best practices, like choosing strong passwords and keeping software and firmware up to date.
Roger Grimes, Data-Driven Defense Evangelist at KnowBe4, expressed reservations about some aspects of the new program, especially the following: “Vendors don’t have to meet any basic cybersecurity standards. They need only publish what they do…As long as the vendor is publishing what their security policies are (i.e., educating), they don’t necessarily have to meet bare minimum cybersecurity requirements.”
Time will tell whether the U.S. Cyber Trust Mark delivers on its promise. It’s definitely a step in the right direction for raising awareness about cybersecurity and the many devices that have become part and parcel of protecting our businesses.