Originally published on https://www.ravepubs.com/cyber-trust-mark-av-iot-regulations/ 

I recently attended a few cybersecurity education sessions at InfoComm 2025. (Yes, there were multiple sessions focused on security — that alone is pretty newsworthy.) During one of the classes, someone in the audience said something along the lines of: Government security regulation isn’t necessary — eventually, the less secure vendors will gain a bad reputation due to data breaches and lose business to the more secure ones.

It was a very capitalist idea, and while I support capitalism, I don’t fully agree with the “less is more” view when it comes to governance, risk and compliance (GRC). If I open a pizzeria next to another pizzeria, sure — one will probably do better, and the other might fail. But when a pizza shop fails, the business owners take the loss. When security fails, customers are the ones who lose.

No matter what anyone says, security is rarely a business owner’s top priority. It’s often traded for convenience. Using multi-factor authentication (MFA) every time you log in is annoying. Creating a unique password for every user, page or device feels like a chore. But the combo of MFA and unique, strong passwords will prevent most cyberattacks.

Government to the Rescue

In 2019, California Gov. Jerry Brown (a.k.a. Moonbeam) signed SB 327, a law requiring “anyone manufacturing an Internet-connected device to set unique passwords or force users to change the password before they can use it.”

Why? Because far too many manufacturers were shipping devices with usernames and passwords like Admin/Admin, and worse — listing them right in the online manuals. AV integrators, IT folks and home users often didn’t bother changing the defaults. Malicious actors would look up the manuals, and boom, they were in.

Some hacked signage examples here.

So, California — America’s Favorite Regulator — stepped in. The result? Many AV device manufacturers had to scramble to comply with the new law by Jan. 1, 2020.

Obviously, this new law caused the COVID-19 pandemic and everything else in 2020. (Kidding. But fair warning—this is about to get political. Biden vs. Trump political. But I promise, it’s all in the name of better security.)

In January 2025, then-President Joe Biden (or maybe just his autopen) signed Executive Order 14144, which aimed to strengthen and promote innovation in the nation’s cybersecurity. One highlight of the order: a directive to improve encryption for voice and video communications.

“Modern communications such as voice and video conferencing and instant messaging are usually encrypted at the link level but often are not encrypted end-to-end… Within 180 days… the Director of OMB shall take appropriate steps to require agencies to:
(i) enable transport encryption by default; and
(ii) where technically supported, use end-to-end encryption by default while maintaining logging and archival capabilities…”

End-to-end encryption? Haven’t we been talking about that since 2020?

And logging? I covered the pros and cons of that last year at InfoComm 2024.

EO 14144 also states that by Jan. 4, 2027, all vendors selling consumer Internet of Things (IoT) products to the federal government — defined under 47 CFR 8.203(b) — must include U.S. Cyber Trust Mark labeling.

What Is the Cyber Trust Mark?

Launched by the FCC in January 2025, the Cyber Trust Mark is a voluntary labeling program for wireless consumer IoT products.

The idea is to make cybersecurity visible — like an Energy Star label, but for network security. Eligible products include:

• Smart home cameras
• Voice-activated shopping devices
• Fitness trackers
• Smart appliances
• Baby monitors
• Garage door openers

(Not included: personal computers, smartphones or routers — though NIST is working on router guidelines.)

Then, in June 2025, Trump 2.0 signed his own executive order: Sustaining Select Efforts to Strengthen the Nation’s Cybersecurity and Amending Executive Orders 13694 and 14144

This new EO essentially rewrites Biden and Obama’s orders — cutting what Trump labeled as “inappropriate measures.” But notably, it keeps the encryption requirements and the Cyber Trust Mark label for IoT vendors working with the federal government.

The target date for implementation? Still Jan. 4, 2027. So yes — Trump and Biden agree on the need for the Cyber Trust Mark. (Shhh … don’t tell anyone.) And while this label is technically aimed at consumer electronics, I believe it will have a big impact on the professional AV industry too. For one, the initial cyber mark FAQ stated that “NIST is working to define cybersecurity requirements for consumer-grade routers.”

Why the AV Industry Should Care

Let’s be real — AV systems run on routers. We also know there’s a fine line between consumer-grade and pro-grade AV. That’s the whole idea behind “prosumer,” right? TVs and flat panels? Basically the same now. Some have tuners, some have Wi-Fi — but you’d be hard-pressed to find one without either.

AV integrators are already using:

• iPads instead of proprietary control panels
• IP-based cameras and iPhones
• USB mics and smart displays

So — aren’t we already using consumer devices in corporate and government installs?

I predict the Cyber Trust Mark will hit the AV marketplace in the next couple of years, just like California’s SB 327 or Europe’s GDPR. And, just like with HDMI or 4K or whatever Mark Coxon is writing about these days, AV integrators will complain.

Because — for some reason — our industry doesn’t like change. We make a living off of upgrading technology … yet we refuse to adopt it ourselves. Until someone (or some government) forces us to.

If you liked this article, check out more from PK:

• CISA Cybersecurity Advisory Highlights
• Securing AV After Florida Water Treatment Plant Attack