Cybersecurity Labelling Scheme (CLS)
For Manufacturers  

Cybersecurity Levels & Assessment Tiers

The CLS comprises of four cybersecurity levels, corresponding to the number of asterisks on the label, as well as the highest assessment tier that the product has successfully completed.

There are four different tiers of assessment. Each assessment tier, to be completed in sequence, reflects the increasing resistance the product has to basic attacks that they may be commonly subjected to.

CLS Levels

 

For example, manufacturers may choose to have the product rated at CLS Level 3 (three asterisks), and hence have the product undergo assessments at Tiers 1, 2, and 3.

Cybersecurity Labelling Scheme Tier 1 Tier 1: Security Baseline Requirements
Manufacturers should follow a set of baseline security requirements based on ETSI EN 303 645[1] in the devices by eliminating ‘common mistakes’ to guard against majority of attacks based on common weakness such as default password, ensuring the availability of security updates and implementing means to manage vulnerability reporting.

Cybersecurity Labelling Scheme Tier 2 Tier 2: Lifecycle Requirements

Manufacturers should include security considerations, which are based on the IMDA IoT Cyber Security Guide[2], into the development lifecycle of the connected device to adopt security best practices (threat modelling, secure engineering approach, secure supply chain, security testing, and etc) to ensure security in the device.

Cybersecurity Labelling Scheme Tier 3 Tier 3: Software Binary Analysis

The software of the connected device is evaluated by a test laboratory using automated binary analysers to ensure that there is no known critical software weakness, vulnerabilities or malware.

Cybersecurity Labelling Scheme Tier 4 Tier 4: Penetration Testing

The connected device undergoes penetration testing by a test laboratory to provide a basic level of resistance against common cybersecurity attacks.


Registration

To encourage all manufacturers to apply for the CLS, CLS application fees will be waived for a period of one year until 6 October 2021. However, do note that for CLS Level 3 and 4, the testing fees charged by the third-party independent laboratories are still applicable.

Wi-Fi home routers which comply with Infocomm Media Development Authority’s (“IMDA”) Technical Specifications for Residential Gateways (“RG”)  qualify for Level 1 of the Cyber Security Agency of Singapore’s Cybersecurity Labelling Scheme (CLS). For Technical Specification for RG, click here.

You can find out more and register for CLS through the online Registration Form here.  

 

CLS Publications

Please right-click on the links below to download the respective publications:

If you are interested in receiving notifications on the release of new/updated publications, please email us at certification@csa.gov.sg to sign up for our mailing list.


Approved Labs

To access the list of CLS-approved laboratories, click here.


[1] Cyber Security for Consumer Internet of Things: Baseline Requirements, ETSI EN 303 645, outlines 14 broad security provisions and seeks to address the most common security problems.
[2] IMDA IoT Cyber Security Guide, March 2020. The guide seeks to provide baseline recommendations, foundational concepts for IoT.