On the 6th July, I posted about the fact that the EU and the UK are working on similar legislation in a bid to make consumer Internet of Things (IoT) safer to use.
The UK has already released its new legislation – The Product Security and Telecommunications Infrastructure Act 2022, or PSTI, whereas the EU are still deliberating on some articles for their bill which will see the Cyber Resilience Act come into force hopefully by the end of the year.
The Biden administration has now launched the US version of those mentioned above – Called the Cyber Trust Mark the proposed legislation covers very similar territory as that of the ones for the UK and the EU.
NIST standards
As with most specifications used in the US, the criteria for the new bill has been set by the National Institute of Standards and Technology (NIST) and includes many of the same things introduced in the UK law, and those of the EU.
For example, any consumer IoT will be required to have unique and strong passwords, protect data at rest and in transit with encryption, and offer ease of access to regular security updates. Manufacturers will also have to inform customers how long to expect support for the items they purchase.
Labeling
As the name suggests, the US version of the IoT security program will have a labeling system whereby all manufacturers will have to provide goods which carry a label in the form of a QR code .
Whilst the final design for the new label has not yet been agreed, a White House spokesperson said that “it will be in the form of a distinct shield logo“
This code will link to a national registry of certified devices and provide up-to-date security information, such as software updating policies, data encryption standards and vulnerability remediation.
The new program will not be mandatory for manufacturers in the US market, however, US stores which sell IoT devices will be encouraged to stock those items which carry the QR code in favour of those which do not.
Retailers such as Amazon and Best Buy have already signed up to the new initiative, alongside manufacturers such as Cisco, Logitech, Google, LG, Samsung and Qualcomm.
The U.S. Department of Energy is also working with manufacturers of devices such as smart meters and power inverters to create a similar system to that of consumer IoT.
The new mark is expected to be in use on products by 2024