U.S. Cyber Trust Mark: New Lead Administrator, Old Questions – What IoT Manufacturers Need to Know Now
The FCC has appointed ioXt Alliance as the new lead administrator – or certification oversight body – for the U.S. Cyber Trust Mark, the IoT security label that becomes mandatory for all suppliers to U.S. federal agencies in 2027. The move sounds like a fresh start. But anyone familiar with the backstory will recognize a pattern that has less to do with cybersecurity than with Washington politics.
Key Takeaways
- The FCC has appointed ioXt Alliance as certification oversight body for the U.S. Cyber Trust Mark – the IoT security label that, per Executive Order, becomes mandatory for all suppliers to U.S. federal agencies from January 2027.
- FCC Chairman Brendan Carr, a close Trump ally and author of the FCC chapter in Project 2025, justifies the change on national security grounds – despite having joined the unanimous vote for the previous solution under Biden in 2024.
- IoT manufacturers face mounting pressure: the program is not yet accepting applications, but the 2027 deadline is firm – manufacturers already compliant with the EU Cyber Resilience Act have a significant head start.
What Is the U.S. Cyber Trust Mark?
The U.S. Cyber Trust Mark is a voluntary certification label administered by the Federal Communications Commission (FCC) – the U.S. federal agency responsible for communications regulation – for wireless consumer IoT products. These include connected household devices: smart door locks, baby monitors, fitness trackers, smart speakers, and security cameras. To display the label, manufacturers must have their product tested by an accredited laboratory and demonstrate compliance with the cybersecurity criteria set out in NIST IR 8425 – a framework published by the U.S. National Institute of Standards and Technology. Requirements include unique device identifiers, configurable security settings, data protection, access control, and the ability to issue software updates throughout the product’s lifetime.
The label appears on product packaging alongside a QR code. Consumers can scan it to access information about the product’s security status, the manufacturer’s support period, and its update policy. The concept is similar to the well-known Energy Star label – but for cybersecurity rather than energy efficiency.
What sets this program apart from other certification schemes: an Executive Order signed first by Biden – and subsequently retained by Trump – mandates that the U.S. federal government will procure only Cyber Trust Mark-labeled IoT devices from January 4, 2027 onwards. To be clear: for the general consumer market, the label remains entirely voluntary. Private customers, retailers, and businesses can continue to buy and sell uncertified devices. The obligation applies exclusively to suppliers serving federal agencies. That may sound like a niche – but it is not. The U.S. consumer IoT market is estimated at around $76 billion for 2025, and federal agencies rank among the largest institutional buyers of connected devices. Beyond that, certification programs of this kind tend to create market pressure well beyond their mandatory scope: once major retailers like Amazon and Best Buy – both of which have already signaled their support for the program – begin prioritizing labeled products, what starts as a procurement requirement can quickly become a de facto market standard.
Who Is ioXt – and Why Were They Chosen?
The ioXt Alliance is a non-profit organization based in Newport Beach, California. It positions itself as the global standard for IoT security and was co-founded by companies including Google, Amazon, T-Mobile, and Comcast. With more than 600 member organizations, ioXt operates its own IoT device certification program – built around eight security principles covering device security, upgradability, and transparency.
As the new lead administrator, ioXt now takes on operational control of the entire Cyber Trust Mark ecosystem: it coordinates the Cybersecurity Label Administrators (CLAs), the accredited certification bodies responsible for individual product assessments; operates the public device registry; refines technical standards and testing procedures; and is expected to advance the label’s international interoperability. The FCC’s public justification for the choice is brief: ioXt is described as an “independent, U.S.-based non-profit organization focused on improving the security, privacy, and transparency of IoT products.” Chairman Carr has offered no more detailed explanation.
The Predecessor and Its Forced Exit
To understand why ioXt is now taking the helm, the immediate backstory matters. In late 2024, the Biden-era FCC selected UL Solutions – one of America’s most established testing conglomerates, with over 130 years of history – as lead administrator. The company had already launched an extensive stakeholder process to define testing standards and submitted initial recommendations to the FCC.
But shortly after Trump took office, FCC Chairman Brendan Carr began questioning the program. In June 2025, Carr publicly confirmed that he had directed the FCC’s internal national security council to investigate the program. The allegation: UL Solutions had a joint venture with a Chinese state-owned enterprise and operated 18 testing facilities in China, including three at locations described as “particularly alarming.” In December 2025, UL Solutions drew its own conclusions and withdrew.
Not everyone agreed with Carr’s assessment. Biden’s former cybersecurity adviser Anne Neuberger disputed the investigation: UL Solutions could be contractually required to conduct all testing outside China – and was simply the fastest and most experienced path to getting the program operational. A former government official told industry media the investigation was simply “a joke.”
Brendan Carr: Trump’s Man at the FCC – and a Striking Contradiction
To understand Brendan Carr, his political background is essential. Trump appointed Carr on January 20, 2025 – the first day of his second term – as FCC Chairman. Carr is no neutral technocrat: he is the author of the FCC chapter in Project 2025, the Heritage Foundation’s 922-page government overhaul blueprint widely regarded as the policy template for Trump’s second term. Sixteen members of Congress filed for an ethics investigation into Carr, alleging he improperly used his official FCC title in the writing of that political document.
Carr’s conduct in office follows recognizably political lines. At CPAC 2026 – the annual gathering of American conservatives – Carr publicly boasted that PBS and NPR had lost their funding, prominent journalists had lost their platforms, and CBS was under new ownership – all presented as victories for Trump in his war on the “fake news media.” The FCC, once constitutionally conceived as an independent regulatory body, has removed the word “independent” from its own website.
The most striking contradiction in the Cyber Trust Mark story: Carr himself joined the unanimous vote in favor of the program with UL Solutions as recently as 2024. He has never publicly explained what changed – beyond a general invocation of “national security.”
A deeper, systemic contradiction is even more pointed: while Carr frames Chinese connections as an intolerable security risk for the IoT label, the Trump administration has simultaneously dissolved the Cyber Safety Review Board – the body responsible for investigating major cybersecurity incidents – and cut substantial staffing at the Cybersecurity and Infrastructure Security Agency (CISA). Security experts have called out this contradiction publicly: the China rhetoric around the Cyber Trust Mark looks selective when genuine federal cybersecurity infrastructure is being dismantled at the same time.
The ioXt Paradox: Chinese Members Included
The appointment of ioXt as a “safe” alternative to UL Solutions does not fully hold up under scrutiny. ioXt has demonstrably certified Chinese manufacturers – including companies that have already been flagged as security risks in Washington.
Most notable is Tuya. The Chinese IoT platform provider – whose technology is embedded in hundreds of millions of connected household devices worldwide – has certified products through ioXt. As far back as 2021, Republican senators Marco Rubio, Rick Scott, and Tom Cotton called for sanctions against Tuya: as a Chinese company, they argued, Tuya is legally obligated under China’s Data Security Law to share user data with the Chinese government upon request – an allegation Tuya disputes. Also certified through ioXt: Midea, one of the world’s largest home appliance manufacturers headquartered in China, and Lenovo.
There is a legal distinction between the UL Solutions and ioXt cases worth acknowledging: UL is suspected by the Trump administration of having direct Chinese corporate ties; ioXt is a U.S. non-profit that counts Chinese companies among its customers. These are not the same thing. Nevertheless, a question remains unanswered in any public forum: how is a security label supposed to prevent Chinese influence on U.S. networks when the very Chinese manufacturers flagged as security risks in Washington can still obtain that label through ioXt?
What This Means for Manufacturers – Practically and in Terms of Timing
For IoT manufacturers worldwide – including those in Europe – the consequences are real, even though the program is not yet accepting applications. Non-U.S. manufacturers are generally eligible to apply for the Cyber Trust Mark, provided they are not on U.S. exclusion lists – such as the Department of Defense’s list of Chinese military companies. Anyone on that list is barred from the program.
The central deadline is January 4, 2027: from that date, the U.S. federal government will procure only certified IoT devices. That might sound like sufficient time. It is not. Following the change in administrator, the program is effectively back at the beginning of a multi-step process: ioXt must first propose testing standards for at least one product category; those standards must go through a public comment period; the FCC must approve them; testing laboratories and CLAs must then be accredited – only after all of that can manufacturers submit applications. Industry experts had already warned, before the administrator change, that the program was far from ready for market.
The financial implications cannot be precisely quantified at this stage – the FCC has not yet published official testing fees. What industry experts are already stating clearly: the burden of implementation, compliance management, and certification will increase, and smaller manufacturers could face serious pressure if costs are not offset by support measures. There is a further complication: certification covers not just the device itself, but the entire IoT product – including apps, cloud backend, and gateway – which significantly expands the scope of testing.
There is one piece of good news for European manufacturers: companies already compliant with the EU Cyber Resilience Act (CRA) – the EU regulation on cybersecurity requirements for digital products, adopted in 2024 and mandatory from 2027 – will find that their work covers much of what the Cyber Trust Mark requires. Both programs are built on similar foundations: security by design, mandatory updates throughout the product lifecycle, and vulnerability management. Manufacturers already in good shape for the EU market have a meaningful head start.
Conclusion: The Right Program, the Wrong Process
A cybersecurity label for IoT devices is both necessary and overdue. 31 percent of enterprise IoT buyers cite cybersecurity as the single biggest barrier to IoT adoption – an industry-wide standard backed by government mandate could make a real difference. The principle of using federal procurement as a lever to set market standards is well established: the 1993 Executive Order tying federal computer purchases to Energy Star criteria is widely regarded as one of the most successful public-private partnerships in U.S. history, with nearly 90 percent of American households now recognizing the Energy Star brand. There is an unintentional irony here: the same administration seeking to deploy this mechanism for IoT security is simultaneously considering abolishing Energy Star – the most successful example of that very mechanism.
What burdens this program is not its substance but its political handling. An FCC chairman who votes for a program, then blocks it for political reasons, appoints a new administrator without detailed justification, and simultaneously weakens real federal cybersecurity infrastructure – that leaves questions that cannot be answered by invoking “national security” alone. The appointment of ioXt does not resolve the problem of Chinese connections as long as the same Chinese manufacturers flagged as security risks in Washington can continue to obtain the label through ioXt.
For IoT manufacturers – in Europe and worldwide – the practical message remains: do not wait for clarity. The deadline is fixed, and the political will to enforce the program is bipartisan – Trump retained Biden’s Executive Order. Starting or completing CRA compliance now simultaneously lays the foundation for U.S. certification. Time is the scarcest resource in this process.













