There’s a label coming to smart home devices that’s supposed to tell you, at a glance, whether the device you’re about to buy meets basic cybersecurity standards. It looks like a shield with a QR code. It’s called the U.S. Cyber Trust Mark, and it has had a rough year.

The program lost its lead administrator in December 2025 after the Trump administration launched a probe into UL Solutions’ alleged ties to China, including the presence of testing facilities within China’s borders. The program’s future looked uncertain for months — until April 13, 2026, when the FCC named ioXt Alliance as the new lead administrator.

For anyone who owns smart speakers, connected cameras, robot vacuums, baby monitors, or any of the other dozens of internet-connected devices that now populate the average American home, the Cyber Trust Mark is the most important consumer security program you’ve probably never heard of. Here’s what it actually does, who’s now in charge of it, and how to use it.

What the Cyber Trust Mark Actually Does

The U.S. Cyber Trust Mark is a voluntary certification program that the FCC launched based on security standards developed by NIST — the National Institute of Standards and Technology. Products that pass independent security testing earn the right to display the shield logo and a QR code on their packaging.

Scan that QR code with your phone and you’re taken to a registry entry for that specific product, where you can see what data it collects, whether it sells that data, whether it receives automatic security updates, how long the manufacturer commits to supporting the device, and what specific security tests it passed.

The types of devices covered include everything that defines the modern smart home: home security cameras, voice-activated devices, smart TVs, fitness trackers, garage door openers, baby monitors, thermostats, and connected appliances.

This is meaningful because the alternative — trying to evaluate the security of a device by reading the spec sheet or the privacy policy — is practically impossible for most consumers. Privacy policies are written by lawyers to obscure rather than inform. Spec sheets don’t mention whether the device ships with a default password shared across all units, or whether the manufacturer has committed to patching vulnerabilities, or whether the firmware update channel is encrypted.

The Cyber Trust Mark attempts to surface exactly those things, in a format that’s readable at point-of-sale.

Why UL Solutions Left — And Why It Matters

UL Solutions was selected as the original Lead Administrator in 2024. The Lead Administrator’s job is to manage the accreditation process for the labs that actually test devices, maintain the product registry that consumers can access via QR code, engage with manufacturers and other stakeholders, and serve as the liaison between the industry and the FCC.

In December 2025, UL Solutions withdrew from that role. The official reason was framed around the federal investigation into its connections to China — specifically the existence of testing and certification facilities located within China’s borders, which raised concerns about data security and the integrity of the certification process itself.

The withdrawal created a window of uncertainty. The FCC opened an application window for a new Lead Administrator from January 7 through February 9, 2026. Multiple organizations applied. On April 13, the FCC announced its selection: ioXt Alliance, effective immediately.

The change matters for a few reasons. The Lead Administrator shapes how the program is actually implemented — which standards get adopted, how quickly the registry expands, how rigorous the testing requirements become. A new administrator means a potential reset on some of those decisions, even if the underlying NIST standards remain constant.

Who Is ioXt Alliance?

ioXt Alliance — the Internet of Secure Things Alliance — is a nonprofit organization focused on improving the security, privacy, and transparency of IoT products. It was founded in 2019 and counts among its members device manufacturers, chipset makers, cloud service providers, and security firms.

The Alliance already operates its own IoT security certification program, SmartCert, which predates the Cyber Trust Mark and covers a broad range of device categories. Taking on the Lead Administrator role for the FCC’s program is a significant expansion of that work.

As Lead Administrator, ioXt is responsible for three main functions: leading stakeholder engagement to recommend device-specific security standards, developing a consumer outreach campaign to make sure people actually understand what the label means, and serving as the liaison between the FCC and the independent testing laboratories that conduct certification assessments.

FCC Chair Brendan Carr expressed confidence that ioXt would implement the program “consistent with its founding purpose.” The Alliance’s own statement framed the appointment as an opportunity to accelerate consumer access to trustworthy IoT devices.

What the Label Requires

To earn the Cyber Trust Mark, a device has to meet a set of baseline security requirements derived from NIST’s cybersecurity standards for IoT devices. The specific requirements include:

Unique default credentials. Every unit must ship with a unique default password — not a shared password printed in the manual that applies to every unit of that model worldwide. This addresses one of the single most common attack vectors: default credentials that are never changed.

Ability to reset to factory default. Devices must be capable of returning to a known, clean state. This matters for both security (removing malware or compromised configurations) and privacy (cleaning the device before you sell or dispose of it).

Software updates. The device must support the ability to receive firmware and software updates. The manufacturer must disclose the minimum update period — meaning how long they commit to pushing security patches.

Vulnerability disclosure. The manufacturer must have a published policy for how security researchers can report vulnerabilities and how the company will respond.

Data protection. The device must document what data it collects and transmit only what’s necessary for the intended function.

Encrypted communication. Data transmitted between the device and any backend servers or apps must be encrypted.

These aren’t revolutionary security requirements. They’re a floor. But they’re a floor that a surprising number of devices on retail shelves today don’t actually meet.

The QR Code Is the Real Feature

The physical label — a shield logo — is relatively easy to spot on packaging. But the QR code is where the substantive information lives.

Scan it before you buy and you can compare two devices side by side on dimensions that spec sheets never address: How long does the manufacturer commit to providing security updates? Does the device transmit data to third parties? What data does it actually collect? Has it been tested against specific attack scenarios?

This is the kind of transparency that consumer electronics has lacked for decades. Smart home devices have been sold based on features — what they can do — with almost no standardized disclosure of the security and privacy tradeoffs involved in deploying them in your home.

The Cyber Trust Mark doesn’t solve everything. It’s voluntary, which means manufacturers who know they’d fail the assessment simply don’t apply. It doesn’t address the devices already in your home. And it doesn’t update in real time if a manufacturer later discovers a serious vulnerability and fails to patch it.

But it’s the most useful consumer-facing tool for smart home security that has ever existed in the United States.

When Can You Actually Use It?

This is where the program still has work to do. The FCC has stated that an announcement will follow once the program is ready to begin accepting product certification applications under ioXt’s administration. That means the label isn’t yet visible on new products in stores — the transition to ioXt is still being operationalized.

Products certified under the previous UL Solutions administration may still carry the label, but the QR code registry needs to be fully transitioned under the new Lead Administrator before the program reaches its full potential.

The practical implication for consumers right now: the label is coming, but you can’t yet rely on its absence as a signal that a device is insecure — only its presence as a signal that it has met a minimum security standard.

What to Do Until the Label Is Everywhere

While the Cyber Trust Mark scales up, there are parallel signals worth looking for when buying smart home devices.

Manufacturer update history. Search the manufacturer’s name alongside “security update” or “firmware update” and see whether they have a pattern of actually releasing patches when vulnerabilities are discovered, or a history of abandoning products quickly.

Device age support. Avoid devices where the manufacturer’s track record shows support ending within two to three years. A smart camera you plan to use for a decade needs a manufacturer who plans to still be patching it in a decade.

Data routing. For devices from manufacturers based in countries where government data access is routine and opaque — and where independent courts don’t oversee that access — the question of where your data is stored and processed is not paranoia. It’s a practical consideration. The FCC’s foreign router restrictions of early 2026 reflected exactly this concern at the policy level.

Network isolation. Regardless of how the device was certified, keeping IoT devices on a separate network segment from your computers, phones, and financial accounts limits the blast radius if any single device is compromised. Most modern home routers support guest networks or VLAN configuration; this is worth the fifteen minutes it takes to set up.

The Cyber Trust Mark, when it reaches full operation, will make this evaluation significantly easier. The ioXt Alliance has a credible track record in IoT security certification and a clear mandate from the FCC. The transition is underway. Watch for the shield.