The U.S. government announced Tuesday that its long-awaited cybersecurity labeling program for consumer internet-connected devices will launch in 2025.
The Biden administration first introduced the U.S. Cyber Trust Mark in June 2023, saying the voluntary labeling program would “raise the bar” for internet-connected devices by enabling Americans to make informed decisions about the security of the devices they buy. While the initiative was initially slated to launch in late 2024, the White House confirmed that the program will now be “open for business” this year.
No exact launch date was given, but the announcement states that companies will “soon” be able to submit their products to one of 11 companies approved for testing to earn the label, with plans for certified products to hit store shelves in 2025.
The voluntary Cyber Trust Mark program has been likened to the “Energy Star” initiative, a voluntary labeling program designed to identify and promote energy-efficient products. Similarly, the Cyber Trust Mark is aimed at improving the security of consumer-grade internet-connected devices, including routers, home security cameras, smart speakers, and baby monitors, which often ship with easy-to-guess default passwords and no promise of continued security updates.
The White House said that retailers, including Best Buy and Amazon, will highlight products that carry the U.S. Cyber Trust Mark, which will take the form of a QR code that consumers can scan for details about the cybersecurity of the product, such as the support period for the product and whether security updates are installed automatically.
On a call with reporters on Tuesday, which TechCrunch joined, U.S. deputy national security adviser for cyber and emerging technology Anne Neuberger said the Biden administration was also finalizing an executive order that would require the U.S. government to only buy products certified with the Cyber Trust Mark starting in 2027.
Products that receive the Cyber Trust Mark label must comply with a set of cybersecurity standards developed by the National Institute of Standards and Technology (NIST), including what the White House described in 2023 as “unique and strong default passwords, data protection, software updates, and incident detection capabilities.”
The full set of standards has not yet been published, but NIST has started work on establishing recommendations for “high-risk” consumer-grade routers, which are frequently targeted by hackers.
Neuberger said the second phase of the Cyber Trust Mark will see the program aim to improve the security of routers used and marketed for small offices and home offices. In recent years, these so-called SOHO routers have become an attractive target for botnet creators, which use the device’s hijacked internet bandwidth to launch denial-of-service attacks. Neuberger did not say when the second phase of the initiative would begin.
Zack Whittaker contributed reporting.
