After two years of rulemaking, accreditation, and quiet plumbing work behind the scenes, the FCC's US Cyber Trust Mark is finally about to do the thing it was designed for: appear on a box, in a store, in front of a shopper. The first wave of certified smart home cameras, baby monitors, fitness trackers, and connected appliances is expected to reach US retail shelves through 2026, each carrying a distinctive shield logo and a QR code that links to a public registry of the device's security claims.
For a federal cybersecurity program, this is a remarkably restrained piece of policymaking — and one of the most important regulatory experiments to watch this year. The Cyber Trust Mark is voluntary, it is market-facing, and it deliberately resists the temptation to dictate engineering choices from Washington. In a global IoT policy landscape increasingly tilted toward prescriptive mandates, the US has chosen a different path. We think that path is the right one — provided the FCC has the discipline to keep it that way.
What was actually adopted
The program was created by an FCC Report and Order adopted in March 2024 and formally launched in January 2025, with the Commission then spending most of 2025 authorizing Cybersecurity Label Administrators (CLAs) and a lead administrator to manage day-to-day operations, accredit testing labs, and run the public registry. Manufacturers submit a device for testing against the baseline criteria in NISTIR 8425, the National Institute of Standards and Technology's profile for consumer IoT cybersecurity capabilities, and — if conformant — receive the right to display the mark and a QR code linking to a standardized disclosure page.
The NISTIR 8425 baseline is not exotic. It asks for unique device identification, secure default configurations, data protection, access control that limits the device's interfaces to authorized users, software update mechanisms, and clear documentation of cybersecurity state and support timelines. These are the things any reasonable buyer would already assume their $40 smart plug supported. They mostly do not.
Why voluntary is the feature, not the bug
Critics on the left and the right have argued that a voluntary mark is too weak. The European Union's Cyber Resilience Act (CRA), which entered into force in December 2024 and begins applying substantively from December 2027, takes the opposite approach: mandatory essential requirements for nearly all products with digital elements, CE-marking obligations, and significant fines. The UK's Product Security and Telecommunications Infrastructure (PSTI) Act, in force since April 2024, similarly bans default passwords and requires minimum security update disclosures by law.
Those regimes will deliver some baseline lift. They will also impose substantial compliance overhead on small manufacturers, foreclose hobbyist and open-source hardware, and freeze regulatory standards into law that the field will outgrow within a product cycle. The CRA's scope alone — covering everything from industrial controllers to children's toys — has already triggered warnings from open-source maintainers that liability exposure could push volunteer projects out of the European market.
The Cyber Trust Mark sidesteps these traps by anchoring itself to information disclosure rather than product prohibition. A non-certified device is still legal to sell. A manufacturer that drops support after eighteen months is not fined; it simply cannot truthfully display the mark, and its competitors can. The consumer, the retailer, the insurer, and the enterprise procurement officer get a verifiable signal — and the market does the punishing.
Where the model can fail
Voluntary labels work only when three conditions hold: the standard is meaningful, the verification is credible, and the signal reaches the buyer. The FCC has done reasonable work on the first two. NISTIR 8425 is technically defensible, and the CLA model — accredited third-party administrators overseen by a lead administrator — borrows from the proven architecture of Energy Star and the FCC's own equipment authorization regime.
The third condition is the open question. Energy Star succeeded because utility rebates, big-box retailer shelf-placement decisions, and federal procurement rules amplified the label into a market force. The Cyber Trust Mark will need similar tailwinds. Encouragingly, federal procurement guidance and at least some major retailers have signalled interest in giving labeled devices preferred placement. If GSA, the Department of Defense, and the Department of Veterans Affairs write the mark into IT acquisition guidance, manufacturers will move quickly.
There are also risks the FCC should guard against:
- Scope creep. Adding political content moderation, AI-safety, or speech-related criteria to what is fundamentally a device-hardening label would destroy its credibility. The mark should remain a cybersecurity attestation — narrow, technical, and stable.
- Geopolitical filtering. The FCC has signalled that devices from certain covered-list manufacturers may be ineligible. This is defensible on supply-chain grounds but should be done transparently and based on specific findings, not as a backdoor industrial policy.
- Standards capture. NIST should keep NISTIR 8425 a living, technically driven document, not a frozen 2024 snapshot. Periodic public revision with industry and academic input is essential.
The bigger picture
There are an estimated 18+ billion connected IoT devices globally, with the figure projected to roughly double by the early 2030s. The attack surface is genuinely growing, and most consumer devices ship with cybersecurity properties no informed buyer would accept if they could see them. The honest policy question is not whether to act, but how.
Europe has chosen prescription. The UK has chosen prohibition of specific worst practices. The US, with the Cyber Trust Mark, is choosing disclosure plus competition. It is the lightest-touch model of the three — and, if executed well, plausibly the most durable. A voluntary label that the market actually rewards will pull the entire device economy upward faster than a mandate that small manufacturers route around or that the next administration deregulates.
That is the bet the FCC is making in 2026. We think it deserves room to succeed.