
Checklist: Cyber Trust Mark Compliance

Infographics

  • The final specifications for the Cyber Trust Mark will not be known until late 2024. However, savvy manufacturers should have a certification plan in place well before then.


First movers stand to make significant inroads with a customer base that is becoming increasingly aware of the inherent risks of the Internet of Things (IoT). McKinsey reports that 60% of customers view security as a crucial aspect of connected devices, while only 30% of manufacturers hold the same view. For early adopters, the Cyber Trust Mark offers device makers a lucrative opportunity to differentiate themselves from the competition.


But how do you build out a test plan for certification when the standard is not final? The answer lies in looking to the standards that inspired and influenced the development of the Cyber Trust Mark program itself: NIST IR 8425 and ETSI EN 303 645.


NIST IR 8425 and ETSI EN 303 645 offer an ideal starting point for any IoT cybersecurity validation strategy. The final Cyber Trust Mark standard will likely include significant overlap between the two standards, and modifying an existing test plan should require minimal (if any) rework. Moreover, as international regulations continue to propagate, an inclusive validation plan built to cover multiple standards enables manufacturers to sell devices in multiple markets after they pass a single battery of compliance tests.


Use this simplified, user-friendly checklist to start mapping the essential test requirements for building safe, secure, and standards-compliant consumer devices.

NIST IR 8425

Asset identity

  • Devices are uniquely identifiable to users.
  • Devices maintain a detailed inventory of components.

Configuration changes

  • Users can change configuration settings via one or more device components.
  • Users can restore devices to secure default settings.
  • Devices apply configuration changes to components.

Data security

  • Device components protect stored data securely.
  • Users can delete sensitive information or render it inaccessible.
  • Data transmission between devices, components, and networks is secure.

 

Access control

  • Device components limit interface access to authorized users only.
  • Components should only access the interfaces necessary for the device’s functionality.
  • Access control mechanisms are in place for all device interfaces.
  • All interfaces limit access and configuration changes.
  • Device components maintain secure interface access control.
  • Devices validate that data shared between components matches specified formats.
  • Devices prevent unauthorized access and data transmissions between components.
  • Devices maintain access control during onboarding, startup, and reconnecting after a power outage.

 

Software updates

  • Device components can download, validate, and apply verified software updates.
  • Onboard software regularly updates across all components.

 

State awareness

  • Devices capture component vulnerabilities to detect potential cybersecurity risks.

ETSI EN 303 645

Password security

  • Default passwords are unique for every device — or defined by the user.
  • Devices generate unique, preinstalled passwords via a means that reduces the risk of automated attacks.
  • Authentication mechanisms use best-practice cryptography.
  • After users authenticate themselves, they can easily change their authentication method.
  • For non-constrained devices, authentication mechanisms protect against network interference-based brute-force attacks.
