Securing the Future: Adapting to Standards with the Cyber Trust Mark

    By Nick Mistry, SVP and CISO, Lineaje

    One of the Biden Administration’s last cybersecurity efforts included the Cyber Trust Mark program, an initiative that helps consumers identify Internet of Things (IoT) devices with enhanced cybersecurity protections. It was first introduced in 2023 as part of the broader collaboration under the EU-US Joint Cyber Safe Products Action Plan. Modeled after the Energy Star program, the goal is to improve IoT security by labeling products that pass a U.S.-sponsored cybersecurity audit. Devices like baby monitors, fitness trackers, and smart thermostats that qualify can display the insignia on their packaging.

    This program will have a significant impact on engineers, especially those who work on secure systems, embedded technology, and the software supply chain. Securing software isn’t a one-time task; it’s an ongoing process, especially in a world driven by open-source code. With many industries’ heavy reliance on legacy systems and established technologies, many engineers are left wondering whether the effort required by this program is really worth it.

    While several Biden-era cybersecurity initiatives were recently rolled back, the Cyber Trust Mark was notably preserved by the Trump administration. Its continuation signals bipartisan recognition of the importance of consumer IoT security and is a positive sign for the industry.

    Moving Beyond the Label to Maintain Cybersecurity

    While the Cyber Trust Mark is an important initial step in making sure that IoT devices abide by certain security standards, it’s important to understand that security is an ongoing process. The real challenge is not just in obtaining the certification, but in sustaining that security over time. The mark indicates that a device met specific security requirements at the time of the audit, but that status can change, because cybersecurity is a constantly changing field.

    Organizations must be proactive about managing open-source software vulnerabilities, as these components make up a large portion of the code in many IoT devices. Many of these open-source dependencies are outdated or unmaintained and carry known security weaknesses. Developers often do not fully know what’s in the software they’re using, which can leave gaps in security that cyber attackers will exploit. It’s important for engineers, especially in industries like defense, to continuously assess and update the software in IoT devices, ensuring that vulnerabilities are addressed as new risks come to the forefront.

    Ensuring long-term security means creating a proactive culture of monitoring and remediation. Organizations should adopt tools that can assess the security of IoT software, particularly open-source components, so that they can manage these risks in real time. Gaining full visibility into each device’s software composition through a comprehensive Software Bill of Materials (SBOM) enables engineers and security teams to uncover hidden dependencies and assess potential vulnerabilities, helping them defend against cyber threats before they materialize.

    Implementing Principles for Security by Design

    Once organizations recognize that the Cyber Trust Mark is just the beginning, the next logical step is leveraging secure-by-design principles. This approach requires that security is built into the software from the very start of development, rather than added afterwards. Security teams need to actively manage and update their software throughout its lifecycle.

    Organizations need to be cautious when using third-party components in IoT devices, and should not accept them without scrutiny. To ensure safety, companies should ask their vendors for a list of all software used (an SBOM) and for proof that security testing has been performed on that software. This helps build trust and improves the security of IoT devices.

    As cyber threats continue to change, it’s important for software engineers and security teams to keep learning about new risks and ways to protect systems. Without regular training, teams may struggle to handle new threats, leaving systems more vulnerable. Keeping up with training helps them stay prepared and better protect the devices they work on.

    Looking to the Future

    The Cyber Trust Mark is a great start toward safeguarding IoT devices and systems. Beyond raising awareness, organizations need to utilize software supply chain security tools and provide continuous training for software engineers, so they can better meet compliance standards and build a strong defense against software supply chain attacks.

    The Cyber Trust Mark provides a valuable starting point, but the real challenge will be in the ongoing effort to secure the software that powers IoT devices, ensuring that security is maintained beyond just the first step. Ultimately, to ensure security at an overarching level, the key is to proactively address the escalating risks of software supply chain attacks with comprehensive, automated security across the entire software lifecycle.

    About Nick Mistry:

    Nick Mistry is the SVP and CISO at Lineaje, with over 20 years of experience in the development and implementation of new and emerging technology solutions. Nick has experience leading cloud security, application security and cyber initiatives at multinational corporations and in government. He also led technical architecture efforts to implement the US Federal Government Data Consolidation program, FedRAMP and the HealthCare.gov “fix it” initiatives, supporting DoD, GSA and CMS respectively. He is a recipient of the Ken Ernst North America Innovators Award.
