USA Introducing IoT cybersecurity labelling scheme

The IoT Cybersecurity Improvement Act, introduced by the US government in November last year, requires federal procurement and use of IoT devices to comply with basic security requirements to be determined by the National Institute of Standards and Technology (NIST).

The main theme of a recent workshop held by NIST was a proposed labelling program for the cyber security of IoT (Internet of Things) products, based on a Presidential Order from May this year concerning the security of regular consumers. The US is thereby joining the countries that either have introduced such labelling schemes or are about to do so.

The industry is worried that new requirements will drive up the cost of IoT devices, which will ultimately be passed on to consumers. A recent survey demonstrated, however, that consumers are willing to pay up to 40% more if assured of greater security and privacy.

The workshop received practical input from representatives of Singapore and the UK, who have chosen the standard ETSI/EN 303 645 (the same standard used for Nemko’s IoT cyber security certification program).

As the main purpose is to increase the security of products used by consumers, the scheme is likely to use a label shown on the actual product or its packaging.

Among the matters to be decided is whether the label should be based on passing a fixed acceptable rating or, as is typical for energy efficiency, should indicate which of several predetermined classes/ratings the product is found to comply with. This is a crucial question, since recognition by consumers is what really matters.

Another important issue is the form and extent of follow-up to ensure that the cyber security of the labelled products maintains the compliance of the initially tested/assessed product.

* This article is edited by Trond Sollie