Cybersecurity Labelling Scheme (CLS)
For Manufacturers  

Cybersecurity Levels & Assessment Tiers

The CLS comprises of four cybersecurity levels, corresponding to the number of asterisks on the label, as well as the highest assessment tier that the product has successfully completed.

There are four different tiers of assessment. Each assessment tier, to be completed in sequence, reflects the increasing resistance the product has to basic attacks that they may be commonly subjected to.

CLS Levels

 

For example, manufacturers may choose to have the product rated at CLS Level 3 (three asterisks), and hence have the product undergo assessments at Tiers 1, 2, and 3.

Cybersecurity Labelling Scheme Tier 1 Tier 1: Security Baseline Requirements
Manufacturers should follow a set of baseline security requirements based on ETSI EN 303 645[1] in the devices by eliminating ‘common mistakes’ to guard against majority of attacks based on common weakness such as default password, ensuring the availability of security updates and implementing means to manage vulnerability reporting.

Cybersecurity Labelling Scheme Tier 2 Tier 2: Lifecycle Requirements

Manufacturers should include security considerations, which are based on the IMDA IoT Cyber Security Guide[2], into the development lifecycle of the connected device to adopt security best practices (threat modelling, secure engineering approach, secure supply chain, security testing, and etc) to ensure security in the device.

Cybersecurity Labelling Scheme Tier 3 Tier 3: Software Binary Analysis

The software of the connected device is evaluated by a test laboratory using automated binary analysers to ensure that there is no known critical software weakness, vulnerabilities or malware.

Cybersecurity Labelling Scheme Tier 4 Tier 4: Penetration Testing

The connected device undergoes penetration testing by a test laboratory to provide a basic level of resistance against common cybersecurity attacks.


Registration

Application for Wi-Fi Routers (Residential Gateways)

Wi-Fi home routers which comply with the Infocomm Media Development Authority’s (“IMDA”) Technical Specifications for Security Requirements for Residential Gateways (IMDA TS RG-SEC) will qualify for Level 1 of the Cyber Security Agency of Singapore’s Cybersecurity Labelling Scheme (CLS).

It is a requirement for all Wi-Fi routers that are to be sold for local use in Singapore to comply with the IMDA TS RG-SEC and attain minimally CLS Level 1 by 12 October 2021. Manufacturers may register the Wi-Fi routers via GoBusiness, which is a one-stop portal for both IMDA TS RG-SEC and CLS registrations.

For more information on the equipment registration for the IMDA TS RG-SEC, please visit the IMDA Equipment Registration Framework website.

Once registered, as per IMDA Telecommunication Equipment Labels and Advertisements Requirements, Wi-Fi routers are required to be affixed with both the IMDA compliance label and the CSA Cybersecurity Label.

Application for IoT Device Categories

Register for CLS through the online Registration Form here.  

 

CLS Publications

Please right-click on the links below to download the respective publications:

If you are interested in receiving notifications on the release of new/updated publications, please email us at certification@csa.gov.sg to sign up for our mailing list.


Approved Labs

To access the list of CLS-approved laboratories, click here.


[1] Cyber Security for Consumer Internet of Things: Baseline Requirements, ETSI EN 303 645, outlines 14 broad security provisions and seeks to address the most common security problems.
[2] IMDA IoT Cyber Security Guide, March 2020. The guide seeks to provide baseline recommendations, foundational concepts for IoT.