Cybersecurity Labelling Scheme

General

1. Is the Cybersecurity Labelling Scheme (CLS) compulsory and would it apply to all IoT products?

The CLS will be launched as a voluntary scheme to allow time for the market and manufacturers to understand how the scheme benefits them. CSA will monitor the response to the scheme and consider when it will be suitable for the labelling scheme to be made mandatory for IoT consumer devices. For more information on the categories of IoT devices which are required to have a Cybersecurity Label, please refer to CLS For Manufacturers.

2. Is the CLS benchmarked against international standards?

This scheme takes reference from ETSI EN 303 645, ‘Cyber Security for Consumer Internet of Things: Baseline Requirements’ (ETSI is a European Standards Organisation). This standard is also recognised by many non-European nations, such as Australia and the US.

3. Is the Cybersecurity Label recognised by other nations?

Yes. The Cybersecurity Label is currently recognised in Finland. Under the MoU with Finland, consumer IoT products that have met the requirements of Finland’s Cybersecurity Label are recognised as having met the requirements of Level 3 of Singapore’s Cybersecurity Labelling Scheme, and products with CLS Level 3 and above are similarly recognised by Finland. CSA is looking to establish more mutual recognition with like-minded partners.

4. Why is it that only CLS Levels 3 and 4 labels are recognised by Finland under the MoU?

This is because the Finnish Cybersecurity Label requires that IoT products undergo testing by independent third-party test laboratories, which is equivalent to CLS Levels 3 and 4.

5. Would there be enforcement or revocation of the labels?

When a product is found to not satisfy the requirements declared, CSA will request that the manufacturer undertake rectification measures, or have the label reviewed or removed.

6. Is it impossible to hack a CLS labelled product?

CLS offers a basic level of security assurance to improve device cybersecurity hygiene by implementing basic safeguards and eradicating common mistakes and vulnerabilities.

CLS labelling does not preclude the device from being hacked, given the dynamism of the cybersecurity threat landscape. However, manufacturers applying for CLS are required to have an open vulnerability reporting and management channel, and to update their software in a timely manner.

Users seeking higher security assurance for industrial use (e.g. enterprise, manufacturing, industrial, healthcare usage) are strongly recommended to consider devices certified under formal evaluation and certification schemes such as the Singapore Common Criteria Scheme.

7. What is the difference between the Singapore Common Criteria Scheme (SCCS) and the Cybersecurity Labelling Scheme (CLS)?

The two schemes cater to a disparate range of products.

The Common Criteria is based on an international standard (ISO/IEC 15408) for the security evaluation of IT products and is commonly used to provide moderate to high-security assurance typically expected of enterprise IT products.

On the other hand, the Cybersecurity Labelling Scheme is a basic cybersecurity hygiene scheme for consumer smart devices. It takes reference from an international standard (ETSI EN 303 645) which provides a set of baseline security and data protection provisions that are applicable to consumer IoT products connected to network infrastructure (such as Internet or home network) and aims to provide basic security assurance.

 

For Consumers

1. How do I verify the authenticity of the Cybersecurity Label?

You can check the current list of CLS-labelled products on CSA’s website. Only products labelled by CSA will be listed. If you come across a product that is not listed on CSA’s website but bears the Cybersecurity Label, please alert us at cls_iot@csa.gov.sg.

For Manufacturers 

1. How are Cybersecurity Labels used?

Manufacturers can affix the Cybersecurity Label in a conspicuous and unobstructed position on the product packaging. The labels can also be displayed in all advertisements and promotional material of labelled products. This includes, but is not limited to, websites, online stores and printed catalogues.

2. How long does the application take?

Applications for Tiers 1 and 2 will take up to 5 working days to be processed. Applications for Tiers 3 and 4 will take an estimated 3 weeks to be processed, due to the involvement of lab tests and assessments.

3. How long will a Cybersecurity Label be valid for?

The label is valid for the period during which the manufacturer will support the device with security updates, up to a maximum of 3 years.