
NISTIR 8425 and the US Cyber Trust Mark: consumer-IoT label

Guide - NISTIR 8425 / US Cyber Trust Mark

Published in September 2022 by the National Institute of Standards and Technology, NISTIR 8425 ("Profile of the IoT Core Baseline for Consumer IoT Products") supplies the technical baseline on which the Federal Communications Commission built the voluntary US Cyber Trust Mark program, adopted in March 2024. The label, represented by a logo and a QR code printed on consumer-IoT product packaging, is administered by the FCC, processed by accredited Cybersecurity Label Administrators, and evaluated by CyberLAB laboratories. This guide covers the content of NISTIR 8425, the program architecture, the mandatory registry record, and the comparison with the European Cyber Resilience Act and the UK PSTI Act. It distinguishes NISTIR 8425 from NIST SP 800-213, the sibling document for federal acquisition.

Origin: Executive Order 14028 and the political mandate


On 12 May 2021, the President of the United States signed Executive Order 14028, "Improving the Nation's Cybersecurity". The order reacted to the documented software compromises of 2020 and 2021 (SolarWinds, Kaseya, Colonial Pipeline) and tasked NIST with several policy missions: a Software Bill of Materials framework, cybersecurity criteria for critical software, and labelling of consumer IoT products and software.

Section 4(s) of the order explicitly directed NIST, in consultation with the Federal Trade Commission and other agencies, to define a voluntary cybersecurity labelling program for consumer IoT products. The driving logic was consumer information: buyers had no easy way to compare the security posture of two IP cameras, two connected thermostats, or two smart locks.

NIST responded in two stages. A first document, NISTIR 8259 (2020), had already described the cybersecurity capabilities expected of an IoT device in general terms. NISTIR 8259A derived a minimal technical-capability profile from it. NISTIR 8425, published in 2022, applies the approach to the consumer IoT case, simplifying and reorienting vocabulary toward the general public.

In parallel, the FCC opened a rulemaking process (Notice of Proposed Rulemaking, FCC 23-65) in 2023 to carry the program. After public consultation, the FCC adopted Report and Order FCC 24-26 on 14 March 2024, formally establishing the US Cyber Trust Mark as an FCC-administered program under then-chair Jessica Rosenworcel.

NISTIR 8425 is a short document organised around a single objective: define what a consumer IoT product must be able to do, and what the organisation selling it must be able to provide, to deserve a consumer's trust.

The scope targets "consumer IoT products", meaning connected devices intended for domestic, personal, or leisure use. The definition aligns with ETSI EN 303 645 without being a verbatim copy:

  • connected-home equipment: thermostats, lighting, plugs, locks, sensors, smoke detectors, consumer IP cameras, video doorbells, voice assistants;
  • wearables: smart watches, fitness trackers, sleep or consumer health-tracking devices;
  • equipment for children: baby monitors, connected toys;
  • connected leisure equipment: weather stations, scales, sports equipment.

Out of scope: FDA-regulated medical devices, automotive vehicles, industrial and professional equipment, and products acquired by federal agencies (which fall under NIST SP 800-213).

NISTIR 8425 establishes a structural distinction between two capability families: technical product capabilities, embedded in the object and its software, and non-technical organisational capabilities, which concern process, documentation, and assistance.

The heart of NISTIR 8425 is six technical capabilities. Each is described as an expected outcome, without prescribing a specific technology. This outcome-based formulation matches the EN 303 645 approach and is meant to remain stable as technologies evolve.

| Capability | Expected outcome |
| --- | --- |
| Asset Identification | The product identifies itself uniquely and logically on the network and in the user inventory. |
| Product Configuration | The product configuration is modifiable through authenticated action by an authorised user. |
| Data Protection | Data stored and transmitted by the product is protected for confidentiality and integrity. |
| Interface Access Control | Every exposed logical or physical interface is protected by appropriate access control. |
| Software Update | The product can receive signed and verified software updates during the declared support period. |
| Cybersecurity State Awareness | The product, or its companion service, provides the user with a view of its security posture (update availability, credential state, integrity). |

A quick read shows proximity to provisions 5.1 to 5.13 of EN 303 645. "Software Update" covers provision 5.3 and its support-period requirement. "Interface Access Control" maps to provisions 5.1, 5.4 and 5.6. "Data Protection" overlaps 5.5 and 5.8. The convergence is intentional, and several NIST documents cite EN 303 645 as a comparative reference.

NISTIR 8425 does not fix a verifiable atomic-requirement checklist. The Cyber Trust Mark program, via FCC and CLA published technical criteria, is what translates the six capabilities into concrete test cases. This two-tier construction (stable baseline, evolving operational criteria) aims to keep the baseline durable while letting the FCC adjust the criteria to emerging threats and field experience.

The functional approach has another merit. It allows sector profiles (connected toys, consumer health, children's equipment) to be added without disturbing the NISTIR 8425 structure. NIST published preparatory notes in 2024 on these derivatives, which could take the form of complementary profiles numbered 8425-1, 8425-2, etc., similar in spirit to the 800-213A series for federal markets.

NISTIR 8425 acknowledges that IoT product cybersecurity is not reducible to what the object itself does. A perfectly designed device stops being secure if its manufacturer does not handle reported vulnerabilities, does not publish updates, or does not document end-of-support.

Four non-technical capabilities are defined:

  • Documentation: the manufacturer maintains accessible documentation on the product's security functions, configuration, interfaces, and support period.
  • Information and Query Reception: the manufacturer publishes a channel to receive security queries (users, researchers, authorities) and responds within documented timeframes.
  • Information Dissemination: the manufacturer actively distributes relevant information (updates, alerts, end-of-support) to users and to the Cyber Trust Mark registry.
  • Product Education and Awareness: the manufacturer supplies the user with the elements needed to operate the product securely (setup guide, best practices, meaning of the label).

A cross-cutting requirement adds: the declaration and maintenance of a security support period, expressed as calendar duration from market placement. This declaration is mandatory to apply the label and appears in the registry.

The coupling of technical and non-technical capabilities is an explicit response to repeated failures observed since 2016. The Mirai botnet did not exploit sophisticated cryptographic vulnerabilities; it leveraged known default passwords, exposed telnet interfaces, and an absence of updates. The cause was not only technical; it was organisational: no channel to report a vulnerability, no public commitment on maintenance, no information to users on end-of-support. NISTIR 8425 addresses both dimensions together.

The program adopts a four-tier architecture, formalised by Report and Order FCC 24-26.

| Actor | Role | Authority basis |
| --- | --- | --- |
| FCC | Program administrator, final authority, registry oversight, sanctions | 47 CFR Part 8, dedicated subchapter |
| CLA (Cybersecurity Label Administrator) | Application processing, market surveillance, operational maintenance of registry records | FCC accreditation |
| CyberLAB | Technical evaluation of the product against the NISTIR 8425 baseline and FCC criteria | Extended ISO/IEC 17025 accreditation, recognised by the FCC |
| Manufacturer | Design, application, support-period declaration, maintenance | Commitment agreement signed at filing |

The FCC does not perform evaluations itself. It accredits CLAs and recognises CyberLABs, which run application processing and testing. The manufacturer chooses a CLA, which mandates or accepts a CyberLAB. The CyberLAB runs the evaluation, produces a report, and transmits it to the CLA. The CLA, after review, decides on granting the right to use the label and publishes the registry record.

This scheme multiplies processing capacity while preserving a single authority point. It echoes the European Notified Body model without sharing its transverse legal basis.

CLAs are selected through an open FCC call for candidates. The Report and Order details eligibility: proven IoT cybersecurity experience, ability to maintain a public registry, separation of commercial and processing functions, conflict-of-interest rules. Several product-certification players (UL Solutions, TUV, Intertek, specialist cybersecurity certifiers) announced their candidacy as early as 2024. The first accreditation wave was announced in late 2024.

CyberLABs are test laboratories accredited against a program-specific extension of ISO/IEC 17025. The FCC recognises accreditation issued by a third party (typically A2LA or NVLAP in the US). A CyberLAB may sit inside a CLA (integrated model) or stand alone (separated model). The market supports both configurations.

This architecture creates a traceable accountability chain. In the event of a serious incident on a labelled product, an investigation can trace from the registry record to the CLA, from the CLA to the CyberLAB, and from the CyberLAB to the manufacturer. The FCC retains the power to audit every link and apply tier-specific sanctions.

Physical application of the label on the product, packaging, or documentation follows a visual specification defined by the FCC. The label includes two mandatory elements:

  • the Cyber Trust Mark graphic, an FCC-defined logotype, readable without special equipment and accompanied by a short legend;
  • a unique QR code scannable by any smartphone, pointing to the product record in the Cybersecurity Information Registry.

The QR code is central. It guarantees that information shown to the buyer is fresh, controlled, and traceable. A paper label ages; a QR code resolved server-side is updated in near real time by the CLA.

The QR target record contains, at minimum, the following:

  • manufacturer name and product, commercial references;
  • CLA identifier, CyberLAB identifier, evaluation dates;
  • applied baseline (NISTIR 8425 in its in-force version, optionally with sector profiles);
  • declared security support period, expected expiration date;
  • vulnerability reporting channel;
  • initial secure-setup procedure;
  • end-of-support policy (in particular, what happens at expiration of the declared period);
  • material-change history for the record.

The manufacturer must keep the record current. Any significant change (move to a new firmware major version, modification of residual support period, treatment of a discovered vulnerability) triggers a registry update.

The graphic design of the label has a precise spec: minimum height, contrast, position relative to other regulatory marks (FCC ID, CE marking for multi-market products, electrical marks), and coexistence with the QR code. The label can appear on the product itself, primary packaging, secondary packaging, and in electronic documentation. The manufacturer chooses the most pertinent location given the product format, subject to visibility before purchase.

This pairing of physical mark and digital registry solves a structural problem of paper labels: informational obsolescence. A product remains on shelves for years after packaging is printed. With a QR code, the informational content evolves server-side while the graphic mark stays stable. This "living label" logic is one of the program's main innovations over earlier schemes.

[ Manufacturer ]
       |
       | files
       v
[ Accredited CLA ] ---- mandates ----> [ Accredited CyberLAB ]
       |                                         |
       | reviews report <-------- sends ---------+
       v
[ Right to use the label ]
       |
       | publishes record
       v
[ Cybersecurity Information Registry (FCC) ]
       ^
       | scans QR
       |
[ Consumer ] <--- sees label --- [ Product / packaging ]

The FCC retains an audit right on CLAs, on CyberLABs, and indirectly on manufacturers. A breach can lead to withdrawal of the right to use the label and to standard regulatory sanctions under 47 USC.

The declared security support period is the major innovation of the program compared with earlier schemes. Three principles apply.

Commitment principle. The duration declared by the manufacturer is a public commitment. The label is not granted if no duration is declared. The FCC sets no minimum, with the market expected to reward longer commitments.

Visibility principle. The duration is visible before purchase, on packaging and in the registry record. This transparency lets consumers factor the criterion into their buying decision.

End-of-life transparency principle. Expiration of the declared period does not prohibit sale. It triggers a registry update to "support ended" status for the product. The label becomes void for new buyers. The manufacturer must inform existing users through the declared channels.

Keeping a label without honouring the declared support period is a program violation. The FCC can withdraw the right to use the label and apply sanctions on consumer-protection grounds.
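As an added example (not code from this guide, the FCC or any CLA), the following Python checks a constructed registry record for the minimum fields listed above and derives the status a QR scan should report from the declared support period, including the "support ended" transition; field names, record shape and sample values are assumptions.

```python
"""Registry-record checks modelled on this guide (added example, not FCC or CLA code).
Field names, record shape and sample values are assumptions; the FCC and CLAs define the real format."""
import calendar
from datetime import date

# The minimum record content listed in the guide, one key per bullet.
REQUIRED_FIELDS = (
    "manufacturer", "product", "commercial_refs",        # identity
    "cla_id", "cyberlab_id", "evaluation_date",          # who evaluated, and when
    "baseline",                                          # NISTIR 8425 version applied
    "market_placement_date", "support_period_months",    # declared support period
    "vuln_reporting_channel", "secure_setup_procedure",
    "end_of_support_policy", "change_history",
)

def add_months(d: date, months: int) -> date:
    """Calendar-duration arithmetic; clamps the day so 31 Jan + 1 month is end of Feb."""
    years, month0 = divmod(d.month - 1 + months, 12)
    year, month = d.year + years, month0 + 1
    return date(year, month, min(d.day, calendar.monthrange(year, month)[1]))

def validate_record(record: dict) -> list:
    """Return the problems found; an empty list means the record is complete."""
    problems = [f"missing field: {f}" for f in REQUIRED_FIELDS if f not in record]
    months = record.get("support_period_months")
    if not isinstance(months, int) or months <= 0:
        problems.append("no security support period declared")  # label cannot be granted
    if not record.get("vuln_reporting_channel"):
        problems.append("no vulnerability reporting channel")
    if not str(record.get("baseline", "")).startswith("NISTIR 8425"):
        problems.append("baseline is not NISTIR 8425")
    return problems

def support_expiry_iso(record: dict) -> str:
    """Expected expiration: market placement plus the declared calendar duration."""
    start = date.fromisoformat(record["market_placement_date"])
    return add_months(start, record["support_period_months"]).isoformat()

def label_status(record: dict, today_iso: str, record_reachable: bool = True) -> str:
    """What a QR scan should report for this product on the given ISO date."""
    if not record_reachable:
        return "invalid: registry record unreachable"  # the printed label does not stand alone
    problems = validate_record(record)
    if problems:
        return "invalid: " + "; ".join(problems)
    if today_iso >= support_expiry_iso(record):        # ISO dates compare lexically
        return "support ended"                          # label void for new buyers
    return "valid"

# Constructed sample record: not a real product, CLA or CyberLAB.
SAMPLE_RECORD = {
    "manufacturer": "Example Devices Inc.", "product": "Example Video Doorbell",
    "commercial_refs": ["EVD-100"], "cla_id": "CLA-EXAMPLE", "cyberlab_id": "LAB-EXAMPLE",
    "evaluation_date": "2025-05-20", "baseline": "NISTIR 8425 (2022)",
    "market_placement_date": "2025-06-15", "support_period_months": 36,
    "vuln_reporting_channel": "security@example.invalid",
    "secure_setup_procedure": "https://example.invalid/setup",
    "end_of_support_policy": "Status set to 'support ended' in the registry; users notified.",
    "change_history": [{"date": "2025-06-15", "change": "initial publication"}],
}

if __name__ == "__main__":
    for day in ("2026-01-01", "2028-06-15"):
        print(day, label_status(SAMPLE_RECORD, day))
```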

The US program is not isolated. It fits into an international movement of IoT-cybersecurity regulation and labelling. The table below summarises the main differences.

| Dimension | US Cyber Trust Mark | EU Cyber Resilience Act | UK PSTI Act 2022 |
| --- | --- | --- | --- |
| Status | Voluntary | Mandatory | Mandatory |
| Authority | FCC + CLA + CyberLAB | Commission + national surveillance authorities | OPSS (UK) |
| Scope | Consumer IoT | Any product with digital elements | Consumer IoT |
| Technical baseline | NISTIR 8425 | CRA harmonised standards, in progress | EN 303 645 (first three provisions) |
| Declared support period | Mandatory to apply the label | Mandatory (generally at least 5 years) | Mandatory |
| Date | Adopted March 2024, rollout 2025-2026 | Applicable 11 December 2027 | Applicable 29 April 2024 |
| Sanctions | Label withdrawal, FCC sanctions | Fines up to 15 M EUR or 2.5% global turnover | Fines up to 10 M GBP or 4% global turnover |
| International recognition | Discussions with EU in progress | EUCC-based recognition being built | Convergence with CRA in progress |

Beyond these three regimes, other jurisdictions have set up voluntary consumer-IoT labels:

  • Singapore Cybersecurity Labelling Scheme (CLS), four levels, mandatory for Wi-Fi routers sold in Singapore since 2020, based on EN 303 645.
  • Finland Traficom cybersecurity label, since 2019, valid three years, based on EN 303 645.
  • Australia Code of Practice: Securing the Internet of Things for Consumers, voluntary, based on EN 303 645.
  • India CCS for IoT operated by STQC, based on EN 303 645.

All these schemes converge on the same technical grammar: identification, configuration, update, data protection, access control, vulnerability handling, support-period declaration. Differences lie in legal status, administering body, and depth of detail in the criteria.

The convergence is not accidental. Most participants in the ETSI EN 303 645 work also contributed to NIST consultations on NISTIR 8425 and to the FCC process. Regulators themselves exchange through the Cybersecurity Tech Accord, the Global Forum on Cyber Expertise, and the OECD. This expert circulation drives a progressive homogenisation of baselines, pending formal mutual-recognition agreements.

The contrast between voluntary and mandatory status deserves careful reading. A manufacturer targeting the EU and the UK has no choice: it must comply with the CRA and the PSTI Act. A manufacturer targeting only the US market can, in theory, ignore the US Cyber Trust Mark. In practice, several distributors and online marketplaces have signalled a preference for labelled products, which turns the voluntary label into a near-commercial obligation. The line between regulation and market pressure blurs quickly on this kind of program.

NISTIR 8425 and ETSI EN 303 645 emerged from parallel work around the same observations. The convergence is high, with two practical consequences.

First, a product already evaluated against EN 303 645 covers a substantial part of NISTIR 8425 expectations. The residual work concerns FCC-specific documentation, CyberLAB test-case mapping, and ongoing registry maintenance. A manufacturer that has already run a TS 103 701 evaluation has a clear operational advantage.

Second, the prospect of a mutual-recognition agreement between the United States and the European Union is open. The European Cybersecurity Act (Regulation EU 2019/881) allows ENISA to sign agreements with third-country authorities under the future EUCC scheme. The FCC signalled interest in such agreements in 2024 and 2025. As of writing, no formal agreement is in force.

A manufacturer targeting both markets must therefore, for now, run two separate processes: a RED 3.3 / EN 18031 dossier for the EU and a Cyber Trust Mark application to a CLA for the US. Evaluation artefacts (policies, logs, configuration, vulnerability lists) are largely common.

NIST SP 800-213 and the 800-213A series define an IoT baseline for US federal-government acquisition. This baseline is more demanding than NISTIR 8425 because it targets government use cases (multi-level access control, centralised logging, integration with federal identity-management tools, FIPS conformance).

Confusing the two references is a common mistake. A product compliant with NIST SP 800-213 is probably also NISTIR 8425 compliant, but the converse does not hold. The table clarifies.

| Criterion | NISTIR 8425 | NIST SP 800-213 / 800-213A |
| --- | --- | --- |
| Target audience | Consumer general public | US federal agencies |
| Legislative source | EO 14028 | IoT Cybersecurity Improvement Act 2020 |
| Status | Voluntary (via Cyber Trust Mark) | Mandatory for federal acquisition |
| Depth | Minimal baseline | Baseline plus extended capabilities |
| Verification | CyberLAB + CLA | Verification by the acquiring agency |

For a manufacturer targeting only the US consumer market, NISTIR 8425 is the only document to master. For one also targeting the federal public sector, NIST SP 800-213 must be reviewed too.

A Cyber Trust Mark project breaks into five phases for a product already in development.

1. Scoping and CLA selection. Identify CLAs accredited by the FCC at the time of the application, assess their procedures, lead times, and indicative costs. Confirm the product scope (firmware versions, hardware variants, companion services).

2. Self-assessment against NISTIR 8425. Map the product against the six technical capabilities and four non-technical capabilities. For each capability, list available evidence, identify gaps, and plan corrective actions. A manufacturer that has already run an EN 303 645 evaluation reuses a substantial part of the material.

3. CyberLAB evaluation. The CyberLAB runs the test program, examines documentation, verifies the presence of reporting channels and the coherence of the declared support period. Non-conformities trigger corrective actions and partial retest.

4. CLA decision and publication. The CLA reviews the CyberLAB report, rules on granting the right to use the label, and publishes the record in the registry. The manufacturer can then apply the label and QR code on the product and packaging.

5. Maintenance. The manufacturer keeps the record current for the label validity period, applies announced updates, communicates on vulnerabilities and end-of-support, and retains evaluation artefacts for audit.

Three classes of mistakes recur in the first dossiers prepared by manufacturers in 2024 and 2025.

Believing the label is mandatory. The US Cyber Trust Mark is voluntary. No federal law requires it for selling a consumer IoT product in the US. This confusion leads some importers to over-prioritise the label relative to effective obligations (FCC Part 15, FCC Part 18, NRTL electrical certifications).

Skipping registry-record publication. The printed label does not stand alone. Without a public record reachable via the QR code, the label is not valid. A labelled product whose record is unpublished or points to a stale page violates the program.

Declaring an unsustainable support period. The support period is a contractual commitment. A manufacturer announcing ten years to stand out commercially, without a realistic firmware-maintenance budget over ten years, exposes itself to early voiding of the label and to reputational loss. A short period honoured beats a long one not delivered.

Other secondary pitfalls concern the confusion between FCC Part 15 (radio-frequency compatibility) and the Cyber Trust Mark (cybersecurity), two programs administered by the same agency but governed by distinct rules. The two can coexist on a single product, but one does not imply the other.

A fourth pitfall concerns the evaluated scope. A modern IoT product often relies on a cloud service, a companion mobile app, and embedded firmware. The Cyber Trust Mark program covers the full functional set needed for device security, including critical companion services. A manufacturer declaring only the embedded firmware and omitting the cloud service submits an incomplete dossier. The CyberLAB review must cover the full functional surface.

A fifth pitfall affects multi-market products. A manufacturer that obtains the label in the US and prints the QR code on packaging also destined for export to the EU, UK, or Canada must check that the QR code and registry record do not conflict with local labelling rules. The registry record is in English and hosted in the US, which can raise consumer-information rights questions in some jurisdictions.

Three developments shape the program's agenda.

First, registry rollout. The FCC and CLAs are working toward an operational registry at the scale of several thousand products, with query APIs for aggregators (marketplaces, comparators, distributors). Registry service quality conditions QR-code credibility.

Second, sector profiles. NISTIR 8425 is meant to be complemented by sector profiles (consumer health, toys, equipment for children, consumer automotive). NIST publishes preparatory notes on these derivatives, which may become published documents.

Third, international agreements. FCC-ENISA and FCC-UK OPSS discussions on mutual recognition of evaluations are announced as priorities. Success would lower double-conformity costs for exporting manufacturers.

For a design office working today on a consumer IoT product targeting the US and EU markets, the prudent trajectory is to aim from the start at convergence: structure the dossier around the six NISTIR 8425 capabilities, which broadly cover EN 303 645 provisions and the future CRA essential requirements, and plan the two routes in parallel.

  • ETSI EN 303 645: the global consumer-IoT baseline, close to NISTIR 8425
  • NIST SP 800-213: the US federal baseline, sibling document to NISTIR 8425
  • Cyber Resilience Act: the future mandatory EU regime, applicable 11 December 2027
  • FCC certification: transversal FCC framework, complementary to and distinct from the Cyber Trust Mark
  • Glossary: definitions of FCC, NIST, CLA, and CyberLAB terms