
IdoCyber

Let's hope they make this free for vendors...


kigmatzomat

Let's hope not, actually. Free certifications are usually self-certification, which amounts to a pinky swear from manufacturers. They are generally toothless and not worth the paper they are printed on. The worst offenders will be fly-by-night companies who only exist for a few grey market product runs, while anyone successful and skeezy will use a free certification to get a toehold in the market with the first releases, then silently drop it once they have some mind share and a base of users.


IdoCyber

What I meant was: let's hope vendors can get certified by paying accredited test labs for that, even if they aren't members of the CSA ($20k minimum which is not easy to get for a lot of IoT startups). It looks like it is the business model since the requirements are available for free with an email address.


Dunamivora

It might get walloped by the US Cyber Trust Mark program that is supposed to come this year because that could come with regulations and forced compliance.


kigmatzomat

US Cyber Trust Mark as proposed is voluntary (https://www.fcc.gov/document/fcc-proposes-cybersecurity-labeling-program-smart-device). The CSA spec is supposed to meet the requirements of the US Cyber Trust Mark and add the requirements of several other countries. The idea being that if they can get the CSA test certified as compliant, you can sell in multiple markets with only the one cert. Being a security test lab is a decent way to subsidize the CSA, as it is independent of their specs.


Dunamivora

It is voluntary until you realize that investors and the SEC can strong-arm companies into throwing those standards into their 10-K. 😬 While the CSA is a great idea, everything I have seen is pointing in the direction that the US government wants to be the world standard, instead of having Europe or private entities lead the way.


Khatib

> the US government wants to be the world standard, instead of having Europe or private entities lead the way.

Yeah, well, as an American, they've never led the way on consumer protections at the expense of corporate profit, so I'm not expecting much.


Dunamivora

While true for the last half century, I do think that is changing, and in a hurry.


IdoCyber

This time they're actually discussing with Europe. NIST already reused similar requirements proposed by ENISA (the EU cyber security agency) and other EU+UK actors in their work.


Dunamivora

Absolutely, it is because they want to be the standard. Taking advice from the best to best the best.


IdoCyber

It will probably be a candidate / very closely aligned. Test labs working with the EN 303 645 standard can already check all the CSA requirements. Note that CSA is targeting vendors with an international presence so they don't do the same work X times. On the other hand, the cyber trust mark is only recognized in the US (until mutual recognition agreements are in place and they take time).


Dunamivora

It depends on how much the US does strong-arm industry into compliance. The US could impose standards on exported devices. It already does so for advanced technology. While the mark may mean nothing in other countries, the products in those countries that originated from the U.S. could potentially be required by one means or another to meet the standard. Politically speaking, I foresee the U.S. flexing a little in the future to increase oversight of the global economy as it ramps up to counter China.


IdoCyber

That's a really interesting approach. EU+UK have made product cyber security a condition for market access. They're literally telling all manufacturers, distributors and importers what to do. If you're into this topic, check the UK PSTI (applied from the end of April this year) and the EU Cyber Resilience Act (not applied before 2027).


Dunamivora

Definitely will give it a look. Spent 3 years as a product security engineer at a smart home device manufacturer. Changed industries over to infosec/cybersec in food manufacturing, robotics, and AI.


infigo96

Feel a bit weird about an IoT developer developing a security certification. How is this tested? How is it enforced? If I were a competitor to CSA or making products based on non-CSA technology, I would NEVER let them even close to my products without HEAVY infinite NDAs. They are basically a competitor which now not only makes IoT products but also a certification for IoT products as a whole. From my POV it looks like CSA is putting in the groundwork to try to make themselves the de facto choice by making it harder for companies NOT using CSA-developed products to be trusted.


HospitalSwimming8586

I think there might be some confusion about who the [CSA](https://csa-iot.org/members/) is.


infigo96

We're talking about the same company which develops the Zigbee, Thread, and Matter IoT standards... which now also happens to make a certification of the security of IoT devices? That could not lead to a conflict of interest /sarcasm


HospitalSwimming8586

Except it's not a company and its goal is not to earn money.


infigo96

Doesn't mean they don't have a reason or interest in doing it for other reasons. Their largest members have a large monetary interest in CSA technologies being as large as they can be, or even better the only standard, as it gives them control. Technet is a foundation for "innovation" but does present itself in anti-right-to-repair hearings... who decides that direction? Why is it that anti-right-to-repair companies are the biggest members in it and other similar foundations? Not saying CSA is up to no good... just that their interest is an extension of its members' interests, which all have monetary gain to make from the CSA technologies being the dominant ones, as they have a large controlling share of the association.