美国网络安全信任标志

什么是美国网络安全信任标志？

近日，美国拜登-哈里斯政府宣布了引入美国网络信任标志¹的计划，旨在为消费类物联网产品提供网络安全认证和标签。该计划由美国联邦通信委员会 (FCC) 提议，旨在推广网络安全标准，为消费者提供更安全、更有保障的消费体验。

根据该计划，符合网络安全标准的消费类智能设备将被贴上美国网络安全信任标志（盾牌徽标²）。通过这一标志，有助于消费者可轻松辨别并选购那些注重网络安全的产品。此外，联邦通信委员会还计划实施一个二维码系统，该系统可链接到国家认证设备登记处。通过这一系统，消费者将能够获取更多详细信息，进一步了解他们考虑购买的智能产品。

获得美国网络安全信任标志认证需要满足哪些要求？

该计划的具体标准仍在制定中，FCC 正积极征求设备制造商和其他利益相关者的意见，以确保该计划的成功采用和实施。据悉，该计划预计采用国家标准与技术研究所 (NIST) 概述的标准。这些标准侧重于衡量网络安全的结果，而非规定具体的要求或指令。这种基于结果的方法具有灵活性，对于多元化且快速扩张的物联网 (IoT) 市场至关重要。

NIST 物联网网络安全标准涵盖多个技术和非技术领域，包括资产识别、产品配置、数据保护、接口访问控制、软件更新、网络安全状态意识、文档、信息和查询接收、信息传播以及产品教育和认知度普及。

制定标准、一致性协议和认证指南是一项复杂的工作，其中涉及许多尚未解决的问题。FCC 正在与各方利益相关者合作，以确认该计划的程序由行业主导，并采用高效的设计方式，以使其能够被迅速而广泛地采用。

什么类型的设备将有资格取得这一标志？

预计多种消费类智能产品将有资格取得这一信任标志，其中包括：

美国网络安全信任标志将于何时启用？

美国网络安全信任标志计划预计将于 2024 年底开始实施，此前 FCC 将就网络安全标志倡议征求公众意见。为了让消费者熟悉新标志，FCC 将与网络安全和基础设施安全局合作，开展消费者教育工作。此外，FCC 还助力美国的主要零售商优先考虑销售带有网络信任标志¹的产品。

UL Solutions 将如何协助您做好相关准备？

为了助力您尽快取得美国网络安全信任标志，UL Solutions 将根据 NIST IR 8259 提供评估、咨询和差距分析服务。NIST IR 8259 提供了美国网络信任标志新框架（参见 NIST IR 8425）中预期要求的基本指导。

请注意，尽管最终的 FCC 程序在评估方面可能与 NIST IR 8425 存在些许差异，但我们认为这些差异可以忽略不计。值得注意的是，NIST IR 8259 将侧重于对设备本身的评估。目前尚不确定云服务和电话应用程序是否被纳入美国网络信任标志计划的范围。它们可能包含在产品范围内，亦可能不被纳入考虑。

立即联系我们，了解我们如何助力您做好准备。

1. 拜登-哈里斯政府宣布实施智能设备网络安全标志计划，旨在保护美国消费者。（2023 年 7 月 18 日）。白宫。引自 https://www.whitehouse.gov/briefing-room/statements-releases/2023/07/18/biden-harris-administration-announces-cybersecurity-labeling-program-for-smart-devices-to-protect-american-consumers/，2023 年 11 月 14 日
2. 认证标志——美国智能设备网络安全标志计划。（2023 年 9 月）。联邦通信委员会。引自 https://www.fcc.gov/cybersecurity-certification-mark，2023 年 11 月 14 日

What requirements need to be fulfilled to obtain U.S. Cyber Trust Mark certification?

The specific criteria for the program are still under development. However, according to official notices from the FCC, the program will adopt the criteria outlined by the National Institute of Standards and Technology (NIST). These criteria focus on cybersecurity controls which should be implemented for security of the entire lifecycle of an IoT product and its associated services. This approach will take into consideration risks and use cases, which is crucial in the diverse and rapidly expanding IoT market.

The NIST IoT cybersecurity criteria cover various technical and nontechnical areas, including asset identification, product configuration, data protection, interface access control, software updates, cybersecurity state awareness, documentation, information and query reception, information dissemination and product education and awareness.

Creating standards, protocols for conformance and certification guidelines is a complex matter. Various industry stakeholders are contributing their expertise and experience to develop these in a way that enables efficiency and prompt, widespread adoption. Based on these stakeholder recommendations, the FCC will make the official determination on the program’s requirements. UL Solutions, serving in the role of Lead Administrator for the program, will lead this stakeholder effort.

What types of devices will be eligible for the Mark?

Various consumer smart products are anticipated to qualify for the Trust Mark, including, but not limited to:

When will the U.S. Cyber Trust Mark begin?

The U.S. Cyber Trust Mark scheme is expected to commence in 2025. To familiarize consumers with the new label, the FCC, in collaboration with program stakeholders, will undertake consumer education efforts. Additionally, major retailers in the United States are urged to prioritize products that bear the Cyber Trust Mark¹.

What is UL Solutions' role in the U.S. Cyber Trust Mark Program? 

UL Solutions will be serving as the Lead Administrator for the program. In that role, UL Solutions will work with stakeholders to make recommendations to the FCC on a number of important program details, like applicable technical standards and testing procedures, post-market surveillance requirements, the product registry, and a consumer education campaign. UL Solutions will also approve testing labs for the program that meet the criteria established by the FCC. UL Solutions plans to apply to become a testing laboratory once the requirements and applications are released.

In addition, UL Solutions will be a Cyber Label Administrator (CLA), authorizing the use of the label for those products that meet the program standards and authorizing labels for those products that meet the program standards.

How can UL Solutions help you prepare?

To jumpstart your journey towards obtaining the U.S. Cyber Trust Mark, UL Solutions is providing assessment, advisory and gap analysis services based on NIST IR 8259, which serves as the foundational guidance for expected requirements of the new U.S. Cyber Trust Mark framework described in NIST IR 8425.

The final FCC program assessment requirements may vary from those in NIST IR 8425. However, we anticipate these variations will be minor. It is worth noting that a NIST IR 8259 assessment will solely focus on the device itself. The inclusion of cloud services and phone applications in the U.S. Cyber Trust Mark is expected to be included as part of the U.S. Cyber Trust Mark.