Moving beyond the label: How U.S. defense can successfully adapt the Cyber Trust Mark Program

May 08, 2025

Nick Mistry

Lineaje

The U.S. government’s recently launched Cyber Trust Mark program alone is not enough to protect national security. However, if it is implemented alongside a rigorous software supply-chain security framework, it can serve as a foundational step in building a more resilient, trusted future for defense software, including that used for military avionics.

As the Biden administration prepared to transition out of the White House, one of its last cybersecurity efforts was to launch the Cyber Trust Mark program. First introduced in 2023 and part of the broader collaboration under the EU-US Joint Cyber Safe Products Action Plan, the initiative helps consumers purchase Internet of Things (IoT) devices with enhanced cybersecurity protections.

Modeled after the Energy Star program, the goal is to improve the security of IoT devices by labeling products that have passed a U.S.-sponsored cybersecurity audit. Products like baby monitors, fitness trackers, and smart thermostats that qualify can display the insignia on any advertising and packaging.

While the Cyber Trust Mark program was initially designed for consumer IoT devices, its implications extend to the defense sector, where IoT-enabled technologies such as smart helmets, drones, motion and infrared sensors, and communications systems play a critical role. Given that modern software is 70% to 90% open source, and IoT devices similarly integrate software from multiple third parties – so much of which is open source – the software supply chain has become an undeniable security concern.

The program’s intent is clear: to ensure stronger security standards across the board. However, beyond implementing secure software development practices, simply knowing what’s in the software is critical. Furthermore, understanding the origins of software is just as important, especially when adversarial nations are known to be actively tampering with the complex software supply chain. In some cases, these compromises are buried 60 layers deep in open-source dependencies, which makes these vulnerabilities nearly impossible to detect without specialized tools.

The Cyber Trust Mark initiative has implications for defense software engineers, especially those directly working on secure systems, embedded technology, and the software supply chain. The driving purpose behind it is that the industry must meet stronger security standards and potentially update legacy systems.

While the new administration has yet to signal specific plans regarding the continuation or modification of this program, given the bipartisan nature of cybersecurity concerns, the Cyber Trust Mark initiative will likely persist. But for it to be truly effective, especially in national security applications, the program must evolve beyond a simple label. It must incorporate tamper detection, threat intelligence, and rigorous verification of software origins. A “Trust Mark” alone is not enough; what is needed is a “Trust Model” – one that can be independently verified rather than self-attested.

As with many security-oriented industry issues, the answer is that the program can succeed if it is done correctly.

Overcoming the top challenge: awareness

Unlike other government initiatives, the Cyber Trust Mark program is completely voluntary. Not all manufacturers have to participate, limiting its effectiveness. In addition, defense buyers may not understand the significance of the Cyber Trust Mark, affecting its influence on purchase decisions.

Even if the program were mandatory, similar efforts have received lackluster adoption. For example, the Cybersecurity and Infrastructure Security Agency’s (CISA’s) Secure Software Development Attestation Form, which was mandatory under Executive Order (EO) 14028 (issued in May 2021), required software producers who work with the federal government to adhere to key software security practices and confirm that they had deployed them. Shortly before the deadline, 80% of organizations revealed they were not prepared.

This challenge is not unique to defense. The healthcare sector recently faced a similar reality with the FDA’s Software Bill of Materials (SBOM) and Vulnerability Disclosure Requirements (VDR) mandates for medical device manufacturers. As of October 2023, the FDA required all premarket submissions to include an SBOM that lists all software components and their vulnerabilities, as well as a VDR to ensure proactive identification and mitigation of security risks. The defense industry can learn from the medical sector’s growing pains – the lessons are that awareness and enforcement are key to making cybersecurity initiatives successful.

For the Cyber Trust Mark program to be widely adopted in the defense industry, key stakeholders must first educate engineers on the initiative and what it means, and then draw up a plan for evaluating potential IoT technologies against that assessment.

The beginning of security, not the end

For the Cyber Trust Mark program to be effective in defense applications, organizations must recognize that the label itself does not guarantee security – it is only a starting point.

IoT devices used by the military rely on software, and as 70% to 90% of modern software is open source, understanding what’s inside that software is a national-security priority. A product may be labeled as “secure” today, but if its software components contain vulnerabilities; are sourced from adversarial nations; or rely on outdated, unmaintained open-source libraries, then the label offers a false sense of security.

This factor is particularly urgent given the rise of nation-state cyberattacks on the software supply chain. Of the 600 million daily cyberattacks Microsoft customers face, 24% originate from nation-state actors. With adversaries embedding malicious code deep within software supply chains, defense organizations must look beyond compliance checkboxes and develop continuous security-monitoring mechanisms.

Building a trust model for the critical-software supply chain

Given the increasing complexity of IoT software, defense organizations cannot afford to rely solely on labels like the Cyber Trust Mark. Instead, we must build a “Trust Model” for the software supply chain, using such aspects as:

  • Tamper detection: Ensuring software integrity is maintained throughout its life cycle.
  • Threat detection: Monitoring real-time security threats against software components, including open-source dependencies.
  • Software origin verification: Identifying whether software contributors are from adversarial nations and detecting unauthorized modifications in deep software layers.
  • Independent verification: Moving beyond self-attestation to a system where third-party security audits validate software integrity at multiple levels.

Just as the FDA’s SBOM and VDR mandates pushed and continue to push medical device manufacturers to validate software integrity and mitigate vulnerabilities, defense organizations must implement similar frameworks to ensure continuous monitoring, threat mitigation, and supply-chain security. The lessons learned from the medical sector can be directly applied to national security.

Defense organizations must use the Cyber Trust Mark as a guide, not rely on it. Securing software must be an ongoing process – especially in the current open-source, code-driven world. Although open-source code makes up the majority of what developers ship, research by the author’s company, Lineaje, found that more than 95% of security weaknesses stem from open-source dependencies. Of these, over half have no known fixes, and 70% of open-source components are unmaintained or poorly maintained.

Follow secure-by-design principles

Once the defense sector becomes aware of the Cyber Trust Mark and recognizes it only as the beginning of cybersecurity for IoT, it’s vital to address the open-source element of IoT.

Until recently, developers and security teams agreed that “shifting left” was the best way to prevent software supply chain attacks that could compromise open-source dependencies. This meant that security evaluations were conducted earlier in the development process, before any code was written. Most likely, this is the mindset behind the U.S. government’s cybersecurity audit that leads to the Cyber Trust Mark. The problem lies with open-source code: developers don’t know exactly what is in the software they pull in, so security teams are left in the dark. The overwhelming majority of open-source code (82%, according to Lineaje research) is inherently risky because of vulnerabilities, security issues, code quality, or maintainability concerns.

Defense software engineers must “shift left” of the shift-left approach and follow secure-by-design principles to secure the software that fuels IoT devices and thereby secure its further use in critical defense applications. This means:

  1. Maintain and update software bills of materials (SBOMs) for IoT software: Defense engineers and cybersecurity teams must understand every layer of software within IoT devices to build a stronger cybersecurity posture. A complete SBOM provides visibility into dependencies, aiding security, compliance, and vulnerability management.
  2. Choose the right tools: Defense organizations need the right tools to assess open-source components, identify any vulnerabilities, and remediate these issues before threat actors discover them.
  3. Implement real-time solutions: Defense and military software engineers need more than just a testing mechanism; they need real-time solutions that continuously assess code while the device is in use.
  4. Assess and mitigate risks of third-party software: In addition to performing security audits of any third-party software from defense vendors and suppliers, defense organizations should require every third-party software component to be accompanied by an SBOM and proof of security testing.
  5. Train defense software engineers and security teams: Defense software engineers need continuous training to understand pain points, signs of trouble, and the implications of their decisions for the overall security posture, so that collaboration improves and future issues are prevented.
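The trust-model concerns listed earlier (tamper detection, origin verification) and the SBOM discipline in step 1 can be exercised with a small check like the one below. It is an added example, not code from the article or from any Lineaje product; the CycloneDX-style SBOM, the component names and the artifact bytes are constructed sample data.

```python
import hashlib

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# Constructed sample: the component bytes the vendor shipped and the SBOM describes.
SHIPPED = {
    "libtls": b"libtls 3.2.1 build",
    "sensor-fw": b"sensor firmware 0.9.0",
    "util-parse": b"util-parse 1.0.0",
}

# Constructed CycloneDX-style SBOM: hashes match SHIPPED; util-parse names no supplier.
SBOM = {
    "bomFormat": "CycloneDX",
    "components": [
        {"name": "libtls", "version": "3.2.1", "supplier": {"name": "Example Vendor"},
         "hashes": [{"alg": "SHA-256", "content": sha256_hex(SHIPPED["libtls"])}]},
        {"name": "sensor-fw", "version": "0.9.0", "supplier": {"name": "Example Vendor"},
         "hashes": [{"alg": "SHA-256", "content": sha256_hex(SHIPPED["sensor-fw"])}]},
        {"name": "util-parse", "version": "1.0.0",
         "hashes": [{"alg": "SHA-256", "content": sha256_hex(SHIPPED["util-parse"])}]},
    ],
}

def verify_against_sbom(sbom: dict, installed: dict) -> dict:
    """Compare installed artifacts (name -> bytes) with the SBOM; group findings
    by integrity (tampered/missing/unlisted) and origin (no declared supplier)."""
    findings = {"tampered": [], "missing": [], "unlisted": [], "no_origin": []}
    listed = set()
    for comp in sbom.get("components", []):
        name = comp["name"]
        listed.add(name)
        if not comp.get("supplier", {}).get("name"):
            findings["no_origin"].append(name)  # origin cannot be verified
        expected = {h["content"] for h in comp.get("hashes", []) if h["alg"] == "SHA-256"}
        if name not in installed:
            findings["missing"].append(name)
        elif sha256_hex(installed[name]) not in expected:
            findings["tampered"].append(name)  # bytes differ from what the SBOM attests
    findings["unlisted"] = sorted(set(installed) - listed)  # present but never declared
    return findings

def demo() -> dict:
    # Constructed device image: sensor-fw modified after the SBOM was produced,
    # util-parse absent, and an extra binary the SBOM never listed.
    installed = dict(SHIPPED)
    installed["sensor-fw"] = b"sensor firmware 0.9.0 + unexpected patch"
    del installed["util-parse"]
    installed["extra-agent"] = b"unknown binary"
    return verify_against_sbom(SBOM, installed)
```

Running `demo()` on the constructed image reports sensor-fw as tampered, util-parse as missing (and of unverifiable origin) and extra-agent as unlisted, which is the kind of finding a label alone can never surface after the audit date.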

Moving toward a verified, resilient supply chain

The success of the Cyber Trust Mark program depends on how it is applied within the defense sector. Security cannot be treated as a one-time certification; it must be a proactive, continuous process that prioritizes open-source security, threat intelligence, and real-time software validation.

To truly secure IoT software in defense applications, organizations must:

  • Raise awareness about the risks of open-source software and the software supply chain.
  • Leverage advanced security tools to detect, assess, and remediate vulnerabilities in real time.
  • Adopt a “trust model” that extends beyond a label and incorporates independent verification mechanisms.
  • Embed continuous security practices into procurement, development, and operational processes.

The Cyber Trust Mark alone is not enough to protect national security, but if implemented alongside a rigorous software supply chain security framework, it can serve as a foundational step in building a more resilient, trusted future for defense software.

Nick Mistry is a Senior Vice President and CISO at Lineaje. He also serves in an advisory role to the government agency CISA through industry-government working groups. At Lineaje, Nick has led advancements to its Software Supply Chain Security Management technology platform, including the introduction of BOMbots from Lineaje AI and Lineaje’s Open-Source Manager.
