U.S. Cyber Trust Mark: Security Guidance for IoT Product Designers

January 23, 2024

Blog

The opening sentence of President Biden’s Executive Order on Improving the Nation’s Cybersecurity, published back in May 2021, is: ‘The United States faces persistent and increasingly sophisticated malicious cyber campaigns that threaten the public sector, the private sector, and ultimately the American people’s security and privacy.’ The president added: ‘…cybersecurity requires more than government action. Protecting our nation from malicious cyber actors requires the Federal Government to partner with the private sector. The private sector must adapt to the continuously changing threat environment, ensure its products are built and operate securely, and partner with the Federal Government to foster a more secure cyberspace.’

The recent White House announcement of the U.S. Cyber Trust Mark is thus unsurprising and is expected to be rolled out in 2024. The Executive Order seeks to initiate a consumer cybersecurity labeling initiative, prioritizing user-friendliness. Indeed, this program extends far beyond the scope of efforts aimed at enhancing the gathering and handling of cybersecurity information by U.S. agencies, safeguarding cloud services, strengthening software supply chain security, and enhancing the detection and response to security events.

The Executive Order provides explicit guidance to the National Institute of Standards and Technology (NIST) within the Department of Commerce to develop standards and recommendations aimed at enabling consumers to make informed choices regarding the security status of the products they currently possess or intend to acquire.

Guidance for Enhancing Security

In 2020, NIST released the NIST IR 8259 series, a generic and all-encompassing guide for IoT product developers. Recognizing the need for more specific guidelines, NIST subsequently unveiled the NIST IR 8425 standard in September 2022. This standard was formulated based on cybersecurity considerations tailored to consumer Internet of Things (IoT) products, drawing on insights gleaned from previous incidents like the Mirai malware attacks and unauthorized breaches of home security camera data.

The NIST IR 8425 standard forms the cornerstone of the newly introduced U.S. Cyber Trust Mark. It is expected that manufacturers of connected consumer devices participating in the cybersecurity labeling program will be required to adhere to this NIST guidance and obtain certification for their products accordingly. Once certified, these manufacturers would then be permitted to affix the U.S. Cyber Trust Mark logo to their products. Additionally, it is expected that they must also include a QR code that purchasers would be able to scan to confirm certification validity as cybersecurity threats evolve and necessitate patches.

Extended Scope Beyond Products

At this point, it is important to emphasize that the reach of the U.S. Cyber Trust Mark and NIST IR 8425 extends far beyond an individual smart device, or IoT device; it encompasses all other essential components that, once combined, are part of the IoT product, like a cloud server or a companion smartphone app.

In addition to the functionalities of the final product and its associated components, the consumer profile outlined in the NIST IR 8425 standard encompasses the actions of the IoT product developer. This implies that smart device manufacturers must establish a comprehensive company-wide security process, commencing at the early stages of development. This documentation-heavy process includes risk assessments, and detailed product requirements and specifications. This process continues throughout the development cycle, encompassing the creation of a software bill of materials (SBoM), ensuring product compliance with NIST IR 8425 capabilities, and verifying the product’s resilience against known vulnerabilities.

Furthermore, it extends across the entire lifecycle of the device, incorporating the capacity to educate customers and other stakeholders within the IoT product ecosystem regarding cybersecurity-related information, see Figure 1. This encompasses guiding customers on how to securely use the product, disseminating public and customer notifications regarding pertinent cybersecurity developments (e.g., updated support terms, breach discoveries, necessary maintenance tasks, etc.), and establishing mechanisms for receiving reports of issues that impact the product’s security.

Figure 1: Based on NIST IR 8259 IoT Device Cybersecurity and Non-Technical Supporting Core Baseline Requirements

As a result, the U.S. Cyber Trust Mark represents more than just a policy; it signifies a fundamental shift in the consumer electronics industry toward enhancing product security and adopting new methodologies, processes, and sustained customer support. Although participation in this program is voluntary, its current stage forms the cornerstone of a broader movement in which IoT product developers will be incentivized by consumer preferences to implement cybersecurity safeguards. Security and privacy are increasingly becoming key factors influencing consumers’ purchasing decisions.

IoT product developers possessing the cybersecurity expertise to meet these requirements will be able to showcase their products and gain recognition in the market. Meanwhile, for other IoT product developers, this presents an opportunity to cultivate cybersecurity proficiency through collaboration and partnerships with security experts within the supply chain.

Unified and System-Based Security

In recognition of these evolving market trends and a dedicated commitment to simplifying security deployment and utilization, NXP initiated a comprehensive company-wide program in 2020. The EdgeLock Assurance Program encompasses various aspects of security, both technical and non-technical.

It uses the Security Maturity Process (SMP), a mandatory process at NXP that is used to verify and validate security for all new products with security features. The company’s security experts perform reviews and assessments of the device’s security concept, architecture, design and implementation. Furthermore, the internal vulnerability lab conducts penetration tests, simulations and silicon analysis in parallel with gates and milestones of the product development process. In the post-release lifecycle, the company’s NXP product security incident response team manages product security incidents should they occur.

Today, the program serves as the cornerstone for IoT product developers aiming to align with the NIST IR 8425 security criteria and attain the newly introduced U.S. Cyber Trust Mark. It not only assists IoT product developers in their activities, in particular, for the requirements for product documentation, proof of conformance, product maintenance and support over the product lifecycle, but also provides essential product security features.

Independent Security Assessments

Simplifying and accelerating the deployment of security in IoT and the conformance to regulations and standards is key. The EdgeLock Assurance Program includes a category for products under third-party security evaluation according to a defined framework, such as the Common Criteria (CC) or Security Evaluation Standard for IoT Platforms (SESIP) methodology. Component pre-certification in IoT, for example, is a concept whereby a SESIP certificate obtained for an NXP chip can be re-used by IoT product developers for IoT device certifications like the U.S. Cyber Trust Mark. Once established, in collaboration with the industry, this pre-certification is expected to provide clear benefits for IoT product developers, including accelerated proof of compliance and end- product certification.

NXP is currently collaborating with the Connectivity Standard Alliance (CSA), under the Product Security Working Group, to create a single, global program for consumer IoT product security certification. This certification program aims to meet the requirements of emerging standards and regulations around the world, including the U.S. Cyber Trust Mark, the Singapore Cybersecurity Labeling Scheme and the Cyber Resilient Act in Europe.

---

Denis Noel is currently Director, Strategy & Marketing, in the Business Unit Secure Connected Edge at NXP Semiconductors. In this role he is responsible for the security strategy across the entire NXP Edge Processing portfolio. Denis has extensive expertise in the areas of connectivity, security and semiconductors with more than 25 years of experience in global High-Tech companies. Most recently, Denis served as Head of Product Marketing for Smart Product Authentication, driving the adoption of NFC, discrete secure elements and cloud security services in the IoT space.  Prior to that, Denis held several business development, marketing, R&D and management positions at Thales, Philips and later NXP. He led multiple innovation and technology development projects in such fields as wireless LAN, ultra-low power wireless body area networks (WBAN), in-vehicle networks, avionics transmissions, digital video broadcasting systems and secure RFID tags. Denis holds a M.S. degree in Electrical Engineering and M.S. degree in Management from University of Louvain-La-Neuve (UCL), Belgium.

Carlos Serratos is a specialist in IoT security and regulatory compliance. In his role as IoT Certification Expert at NXP, he engages with policymakers, regulators, and industry across verticals and regions, addressing trust enablement issues for compliance, risk management, and accountability purposes. He’s a matter expert in security regulatory compliance, the development of schemes and standards, and their applicability in IoT markets. He is currently participating in the Connectivity Standards Alliance Product Security Working Group, co-chairing the Product Security Certification and Regulatory activities.