A big part of the cybersecurity discussion in recent years has centered on the need for more transparency to address what many consider a market failure of cybersecurity: there is no system that reassures consumers that the products they buy are safe. On the enterprise software supply chain front, we have seen efforts such as software bills of materials (SBOMs) and self-attestation forms in which suppliers affirm that they follow a secure software development lifecycle, such as the National Institute of Standards and Technology’s (NIST) Secure Software Development Framework (SSDF).
However, consumers who want to use security as a criterion for how they spend their money generally have little to base an informed purchasing decision on. This is changing on the internet of things (IoT) front with the US Cyber Trust Mark program, announced by The White House in July 2023. The announcement framed the program as a voluntary measure for smart device and IoT manufacturers to help consumers choose products that are safer and less prone to cybersecurity attacks. The program has continued to gain momentum: at the 2024 Consumer Electronics Show it was announced that the EU and US have agreed to pursue a “joint roadmap” for cybersecurity labels. “We want companies to know when they test their product once to meet the cybersecurity standards, they can sell anywhere,” said Anne Neuberger, the White House’s deputy national security advisor for cyber and emerging technologies.
This line of thinking likely comes as a breath of fresh air to an industry that often voices concerns over a chaotic cybersecurity policy and regulatory landscape, one that frequently produces duplicative, costly, and cumbersome requirements for technology suppliers.
If you’ve ever purchased appliances or electronics, you may have noticed the “Energy Star” label, a program led by the US Environmental Protection Agency and the Department of Energy to help consumers understand the energy efficiency of products. Even though internet-connected software is now embedded in ever more consumer goods, there is currently no universally accepted cybersecurity labeling scheme that would help consumers understand the security and safety of products such as IoT and smart devices.
In modern society it isn’t just enterprises and businesses that are powered by software, but homes and personal lives as well. Appliances, electronics, wireless communication devices, and more all run software, which increasingly exposes consumers to cybersecurity, privacy, and safety risks. As part of the broad goals and objectives of the 2021 Cybersecurity Executive Order (EO), NIST was directed to initiate labeling programs for devices such as consumer IoT products. NIST has published insights into what such a labeling program would look like, including its “Recommended Criteria for Cybersecurity Labeling of Consumer IoT Products”.
Simply determining the scope of what counts as an IoT product can be a challenge, as millions of devices now integrate software, connectivity, and digital features. According to NIST’s publication, an IoT product is defined as “computing equipment with at least one transducer and at least one network interface,”