Cybersecurity Labelling Scheme (CLS)
Cybersecurity Levels & Assessment Tiers
The CLS comprises of four cybersecurity levels, corresponding to the number of asterisks on the label, as well as the highest assessment tier that the product has successfully completed.
There are four different tiers of assessment. Each assessment tier, to be completed in sequence, reflects the increasing resistance the product has to basic attacks that they may be commonly subjected to.
For example, manufacturers may choose to have the product rated at CLS Level 3 (three asterisks), and hence have the product undergo assessments at Tiers 1, 2, and 3.
Tier 1: Security Baseline Requirements
Manufacturers should follow a set of baseline security requirements based on ETSI EN 303 645 in the devices by eliminating ‘common mistakes’ to guard against majority of attacks based on common weakness such as default password, ensuring the availability of security updates and implementing means to manage vulnerability reporting.
Tier 2: Lifecycle Requirements
Manufacturers should include security considerations, which are based on the IMDA IoT Cyber Security Guide, into the development lifecycle of the connected device to adopt security best practices (threat modelling, secure engineering approach, secure supply chain, security testing, and etc) to ensure security in the device.
Tier 3: Software Binary Analysis
The software of the connected device is evaluated by a test laboratory using automated binary analysers to ensure that there is no known critical software weakness, vulnerabilities or malware.
Tier 4: Penetration Testing
The connected device undergoes penetration testing by a test laboratory to provide a basic level of resistance against common cybersecurity attacks.
To encourage all manufacturers to apply for the CLS, CLS application fees will be waived for a period of one year until 6 October 2021. However, do note that for CLS Level 3 and 4, the testing fees charged by the third-party independent laboratories are still applicable.
Application for Wi-Fi Routers (Residential Gateways)
Wi-Fi home routers which comply with the Infocomm Media Development Authority’s (“IMDA”) Technical Specifications for Security Requirements for Residential Gateways (IMDA TS RG-SEC) will qualify for Level 1 of the Cyber Security Agency of Singapore’s Cybersecurity Labelling Scheme (CLS).
It is a requirement for all Wi-Fi routers that are to be sold for local use in Singapore to comply with the IMDA TS RG-SEC and attain minimally CLS Level 1 by 12 October 2021. Manufacturers may register the Wi-Fi routers via GoBusiness, which is a one-stop portal for both IMDA TS RG-SEC and CLS registrations.
For more information on the equipment registration for the IMDA TS RG-SEC, please visit the IMDA Equipment Registration Framework website.
Once registered, as per IMDA Telecommunication Equipment Labels and Advertisements Requirements, Wi-Fi routers are required to be affixed with both the IMDA compliance label and the CSA Cybersecurity Label.
Application for IoT Device Categories
Register for CLS through the online Registration Form here.
Please right-click on the links below to download the respective publications:
If you are interested in receiving notifications on the release of new/updated publications, please email us at firstname.lastname@example.org to sign up for our mailing list.
To access the list of CLS-approved laboratories, click here.
 Cyber Security for Consumer Internet of Things: Baseline Requirements, ETSI EN 303 645, outlines 14 broad security provisions and seeks to address the most common security problems.
 IMDA IoT Cyber Security Guide, March 2020. The guide seeks to provide baseline recommendations, foundational concepts for IoT.