The U.S. Federal Communications Commission (FCC) officially announced on April 13 the appointment of the non-profit organization ioXt Alliance as Lead Administrator of the U.S. Cyber Trust Mark program, succeeding UL Solutions, which withdrew at the end of last year. This decision injects fresh momentum into a consumer IoT cybersecurity labeling program that has been in limbo for roughly half a year. For global IoT suppliers, however, the key questions remain: When will the label officially open for product applications? And what will the final version of the technical requirements look like?

This article provides suppliers with the comprehensive information needed to evaluate compliance investments — covering the program's overall development trajectory, the latest timeline progress, the expected regulatory implementation date, and the key technical requirements defined by NIST IR 8425.

I. Program Development Trajectory: A Three-Year Journey from Concept to Implementation

The U.S. Cyber Trust Mark is a voluntary FCC-led cybersecurity certification and labeling program for consumer IoT products, modeled after the successful Energy Star framework. 

Key milestones include:

II. When Will the Regulation Take Effect? Key Timeline Projections

Current Official Position

The FCC's official page clearly states: "The FCC will issue a separate announcement when the program is ready to accept product label applications." In other words, manufacturers cannot yet apply for the Cyber Trust Mark for their products.

The FCC has also indicated that it is still reviewing public responses to the Further Notice of Proposed Rulemaking (FNPRM), which addresses additional national security-related disclosure requirements. This remains a critical variable that will shape the final rules.

Remaining Required Steps

Before product applications can formally open, the following work must be completed:

1. ioXt submits technical standards and testing procedure recommendations: As Lead Administrator, ioXt must identify or develop IoT-specific standards and testing procedures and recommend them to the FCC for approval. While UL Solutions submitted initial recommendations in June 2025, ioXt is expected to revise and resubmit them.

2. FCC approves the label design and placement requirements.

3. FCC finalizes the national security disclosure rulemaking.

4. ioXt and CLAs establish operational infrastructure: including the CyberLAB accreditation mechanism, application review workflows, and the public-facing product registry.

5. Consumer education and outreach campaign launches.

III. Key Technical Requirements: The Ten Core Criteria of NIST IR 8425

The technical foundation of the Cyber Trust Mark is built upon NIST IR 8425: Profile of the IoT Core Baseline for Consumer IoT Products. Suppliers must understand that the standard applies to the entire IoT product system, covering the device itself, gateway hardware, mobile applications, cloud services, and data processing and storage components — not just the device alone.

NIST IR 8425 divides the requirements into two main categories comprising 10 core criteria:

▶ Technical Capability Requirements (Items 1–6)

1. Asset Identification

• Devices must have unique identifiers that users can identify

• Maintain a detailed inventory of all components (including Software Bill of Materials, SBOM)

2. Product Configuration

• Authorized users can change configuration settings through one or more device components

• Support for restoring secure default settings

3. Data Protection

• Device components must protect the security of stored data

• Users can delete sensitive information or render it inaccessible

• Data transmission between devices, components, and networks must be encrypted

4. Interface Access Control

• Device components restrict interface access to authorized users only

• All interfaces limit access and configuration change privileges

• Default weak passwords are prohibited

5. Software Update

• Device components can download, verify, and apply authenticated software updates

• All components regularly update onboard software

• Support for update integrity verification and rollback mechanisms

6. Cybersecurity State Awareness

• Devices capture component vulnerability information to detect potential cybersecurity risks

• Identify and log anomalous behavior

▶ Non-Technical Practice Requirements (Items 7–10)

7. Documentation

• Manufacturers establish and maintain documentation of all product security-related information

8. Information and Query Reception

• Provide a vulnerability disclosure channel (CVD, Coordinated Vulnerability Disclosure)

• Receive security inquiries from users and researchers

9. Information Dissemination

• Communicate security updates, known vulnerabilities, and mitigation measures to users

• Clearly disclose the minimum security update support period

10. Product Education and Awareness

• Provide product cybersecurity education to users

• Offer secure configuration guides and best practices

▶ Label Display Requirements (QR Code Disclosure Information)

In addition to displaying the shield logo, certified products must also carry a QR Code that, when scanned, discloses the following information:

• Product name, manufacturer, certification date

• The minimum support period end date, or an explicit statement that the manufacturer does not provide security updates (a critical field for consumer risk identification)

• List of supported security features

• Link to vulnerability disclosure policy

• Software update policy

▶ Extended Requirements for Specific Product Categories

NIST has released dedicated profiles for high-risk product categories:

• NIST IR 8425A: Dedicated cybersecurity requirements for consumer-grade routers, providing additional protection needed due to routers' role as network traffic hubs.

• Future extended profiles are expected for smart home hubs, baby monitors, smart locks, and other categories.

IV. Integration with International Standards: The Bridging Value of ETSI EN 303 645

For global suppliers, NIST IR 8425 and the EU's ETSI EN 303 645 have significant overlap, particularly in core areas such as password management, software updates, data protection, and vulnerability disclosure. Establishing an integrated validation plan covering both standards allows manufacturers to qualify for both U.S. and EU markets after a single round of compliance testing, which materially reduces compliance costs.

Furthermore, once the EU Cyber Resilience Act (CRA) takes full effect in December 2027, the IoT cybersecurity requirements of these two major economies will form the de facto global standard. Supply chains that build internal compliance frameworks around NIST IR 8425 + ETSI EN 303 645 will gain significant competitive advantages.

V. Assessment Recommendations for Global IoT Suppliers

Although the Cyber Trust Mark is a voluntary program, the following factors will make it effectively a de facto requirement for the U.S. market:

• Retail channel pressure: Major retailers and brands including Amazon, Best Buy, Google, LG, Samsung, and Logitech have expressed support, and may list the label as a shelf priority condition in the future.

• Enterprise procurement drivers: Federal government procurement and large enterprise IT departments may include the label as a supplier evaluation criterion.

• Rising consumer awareness: QR Code disclosure of the product support period will directly influence consumer purchasing decisions.

• Potential impact of national security disclosure provisions: If the final rules require disclosure of manufacturing location, component sources, and software development origin, supply chain transparency will become a hidden threshold for obtaining the label.

Recommended Immediate Assessment Items for Suppliers