The New United States Cybersecurity Label Drives Forward the IoT

This morning, the White House, in partnership with the National Security Council and the Federal Communications Commission, unveiled full details about their US Cybersecurity Labeling Program for consumer IoT device security. This program will help consumers shop with confidence by giving them an objective way to find products with a baseline level of security. The Connectivity Standards Alliance supports this important step, which bolsters and expands safety and security across the IoT industry.

Results from recently conducted research from Omdia demonstrate this need for IoT device security, with 84 percent of consumers indicating that security is an important consideration when making a purchasing decision.

Last year, the Connectivity Standards Alliance, now with over 620 global members, made the crucial decision to form a new working group to address this critical need. Today, more than 130 companies actively work within the Product Security Working Group.

This new Working Group is creating a single global program for consumer IoT product security certification suitable for meeting the requirements of emerging standards and regulations around the world, including the US Cybersecurity Label. Products certified under this Alliance certification program will be required to demonstrate conformance to the Working Group’s globally harmonized specification. The specification and certification will initially be based on the National Institute of Standards and Technology (NIST) IR 8425, European Telecommunications Standards Institute (ETSI) EN 303 645, and the Singapore Cybersecurity Labeling Scheme.

By basing the program on government standards and regulations, recognition by multiple government labels, such as the new US Cybersecurity Label, can be efficiently achieved. Consumers worldwide can select from a multitude of certified products with confidence, while manufacturers enjoy a single certification program that demonstrates conformance, avoiding the need for duplicative testing and certification in each country.

With the Product Security Working Group certification program still in development, the following Alliance members are publicly committing in conjunction with the White House event today to have their products certified after the program launches: August, Comcast, Google, Infineon Technologies, LG Electronics USA, Logitech, NXP Semiconductors, Schlage, and Yale.

Additionally, as product manufacturers rely on secure hardware and software components to satisfy many of the requirements, we also have Alliance members committing to provide components for the development of conformant products, including: Espressif, Infineon Technologies, Nordic Semiconductor, NXP Semiconductors, Qorvo, Inc., Silicon Labs, and STMicroelectronics. 

“The US Cybersecurity Label for consumer IoT device cybersecurity is an essential step in building trusted IoT products and ecosystems,” said Steve Hanna of Infineon and Chair of the Product Security Working Group Steering Committee. “By building on the foundational work of the US and other countries and regions, we are committed to delivering a single certification program that aligns with various local requirements so that consumers have a wide selection of security-certified products.”

The Alliance’s efforts to build on global security standards have leaned heavily on data in the recent Omdia report, which cataloged actions in several countries leading the way on standards and included work from the National Institute of Standards and Technology and the European Telecommunication Standards Institute, among others. If actions are not appropriately coordinated and harmonized, the current global fragmentation of standards could lead to a chasm between emerging and established IoT ecosystems. For this reason, the Product Security Working Group’s efforts are critical. Recent meetings with regulatory bodies on the leading edge of IoT security from around the world have shown strong support for a coordinated approach like the one taken by the Alliance and this Working Group.

“To prevent fragmentation of IoT cybersecurity, we must create a global baseline of capabilities backed by standards deployed across the world,” said Eugene Liderman of Google and a Member of the Product Security Working Group Steering Committee. “That requires alignment on many levels, including active dialog with standards bodies, policymakers, regulators, and consumer and technology advocacy groups. This truly is a global mission.”

The Alliance supports government standards and programs such as the US Cybersecurity Label as they play an essential role in recognizing products that meet necessary IoT security requirements. With billions of devices hitting the market, regulatory conformance schemes will be challenged to scale to a rapidly expanding portfolio; disparate bodies around the world must coordinate to address this challenge.  

As the convenience and value of connected devices is enjoyed by more consumers worldwide, the Alliance is committed to bringing together consumer IoT security requirements through global collaboration and fostering a strong security baseline for all devices. By achieving this goal, consumers will be well protected, we will gain and keep their trust and the impact of our efforts will grow exponentially, benefiting governments, their citizens, and the IoT industry.  

In addition to the companies noted above, other companies supporting the mission of the Alliance Product Security Working Group include: Altice Labs, Amazon, CommScope, Inc., Canonical, DEKRA, DigiCert, Element Materials Technology, HooRii Technology, Kudelski IoT, Qualcomm, Resillion, Samsung Electronics Co., Ltd., Schneider Electric, Signify (Philips Hue and WiZ), StrongAuth, Inc. (dba StrongKey), TÜV Rheinland, Tuya Smart, ubisys, and UL Solutions.