On June 18, 2023, the Biden-Harris administration announced the launch of a new “U.S. Cyber Trust Mark” program (hereinafter the “Program”). First proposed by Federal Communications Commission (“FCC”) Chairwoman Jessica Rosenworcel, the Program aims to increase transparency and competition across the smart devices sector and to assist consumers in making informed decisions about the security of the devices they purchase.

Program Implementation and Standard Development

The Program is anticipated to be implemented by 2024, and participation in the Program will be voluntary. The FCC is expected to seek public comment prior to the implementation of the Program. The FCC will also collaborate with other regulators and the U.S. Department of Justice “to establish oversight and enforcement safeguards to maintain trust and confidence in the program.”

The National Institute of Standards and Technology (“NIST”) will be responsible for establishing the specific standards that devices will need to meet for certification. Of particular note, NIST has also been directed to immediately begin working toward defining cybersecurity requirements for consumer-grade routers to limit their vulnerability. The White House Press Release (the “Press Release”) announcing the Program acknowledged that such routers represent a “higher-risk type of product that, if compromised, can be used to eavesdrop, steal passwords, and attack other devices and high value networks.” NIST’s consumer-grade router effort is to be completed by the end of 2023 and is likely to incorporate prior work, including NIST IR 8259, Foundational Cybersecurity Activities for IoT Device Manufacturers. The FCC will then decide whether the Trust Mark program should be expanded to include such consumer-grade routers.

Practical Aspects of the Trust Mark

The Trust Mark itself will be trademarked by the FCC and consist of a shield logo signaling that a device meets the government’s established cybersecurity criteria. The Trust Mark label will also incorporate a QR code that links to a newly established “national registry of certified devices” (the “National Registry”). This National Registry is intended to provide additional “specific and comparable security information” about certified devices, giving consumers more security-related information to inform purchasing decisions. The final scheme is likely to reflect elements of other global IoT labelling efforts, such as Singapore’s Cyber Security Labelling Scheme, to which U.S. officials have previously pointed as a model framework.

Future Initiatives

The Press Release announced that the U.S. Department of Energy (“DOE”) and DOE National Labs will be collaborating with industry partners to “research and develop cybersecurity labeling requirements for smart meters and power inverters, both essential components of the clean, smart grid of the future.” Additionally, the U.S. Department of State will begin engaging international stakeholders to facilitate reciprocity among the growing spectrum of global IoT security schemes, which could otherwise create challenges for the same devices sold in multiple markets.

Crowell & Moring LLP and its global policy affiliate Crowell & Moring International LLC are continuing to monitor the development of these standards and the expansion of the Trust Mark initiative.


Sarah Rippy

Sarah Rippy is an attorney in Crowell & Moring’s Denver office and a member of the Privacy & Cybersecurity Group.

During law school, Sarah was executive editor of the Colorado Technology Law Journal and an active member of the Silicon Flatirons Center. She joins the firm after a year serving as a Westin Research Fellow at the International Association of Privacy Professionals, where she focused on state law developments, including the California Privacy Rights Act (CPRA), the Colorado Privacy Act (CPA), and the Virginia Consumer Data Protection Act (VCDPA).

Evan D. Wolff

Evan D. Wolff is a partner in Crowell & Moring’s Washington, D.C. office, where he is co-chair of the firm’s Chambers USA-ranked Privacy & Cybersecurity Group and a member of the Government Contracts Group. Evan has a national reputation for his deep technical background and understanding of complex cybersecurity legal and policy issues. Calling upon his experiences as a scientist, program manager, and lawyer, Evan takes an innovative approach to developing blended legal, technical, and governance mechanisms to prepare companies with rapid and comprehensive responses to rapidly evolving cybersecurity risks and threats. Evan has conducted training and incident simulations, developed response plans, led privileged investigations, and advised on hundreds of data breaches where he works closely with forensic investigators. Evan also counsels businesses on both domestic and international privacy compliance matters, including the EU General Data Protection Regulation (GDPR), and the California Consumer Privacy Act (CCPA). He is also a Registered Practitioner under the Cybersecurity Maturity Model Certification (CMMC) framework.

Neda Shaheen

Neda M. Shaheen is an associate in the Washington, D.C. office of Crowell & Moring, and is a member of the Privacy and Cybersecurity and International Trade Groups. Neda focuses her practice on representing her clients in litigation and strategic counseling involving national security, technology, cybersecurity, trade and international law. Neda joined the firm after working as a consultant at Crowell & Moring International (CMI), where she supported a diverse range of clients on digital trade matters concerning international trade, national security, privacy, and data governance, as well as advancing impactful public-private partnerships.

Garylene “Gage” Javier

Garylene “Gage” Javier, CIPP/US is a Privacy & Cybersecurity associate in the firm’s Washington, D.C. office. Gage’s practice focuses on privacy, data security, and consumer protection, assisting financial services clients in overcoming regulatory challenges and achieving their business goals. Gage assists clients with concerns that arise from state and federal laws that apply to data privacy and information security, including: the Gramm-Leach-Bliley Act (GLBA); California Consumer Privacy Act (CCPA); California Privacy Rights Act (CPRA); California Financial Information Privacy Act (CFIPA); the Fair Credit Reporting Act (FCRA) and its Affiliate Marketing Rule; the Virginia Consumer Data Protection Act (CDPA); and the EU General Data Protection Regulation (GDPR).

Kate Growley

Kate M. Growley (CIPP/US, CIPP/G) is a director with Crowell & Moring International and based in Hong Kong. Drawing from over a decade of experience as a practicing attorney in the United States, Kate helps her clients understand, navigate, and shape the policy and regulatory environment for some of the most complex data issues facing multinational companies, including cybersecurity, privacy, and digital transformation. Kate has worked with clients across every major sector, with particular experience in technology, health care, manufacturing, and aerospace and defense. Kate is a Certified Information Privacy Professional (CIPP) in both the U.S. private and government sectors by the International Association of Privacy Professionals (IAPP). She is also a Registered Practitioner with the U.S. Cybersecurity Maturity Model Certification (CMMC) Cyber Accreditation Body (AB).