I think it is a good start, but they should include metrics on sales, etc. to understand how much impact it makes in the marketplace.  My guess is that it needs to be followed up by something with much more clout, but I could be wrong.  The big players may take it seriously enough (And CA having its own laws would make that easier anyway) to move a solid chunk of the market to a more secure default position.  Like herd immunity, that could cut down on the overall impacts.  Anything to move us forward at this point.

---

@Caute_cautim wrote:

 

What do you think of this voluntary approach? 

 

---

IF it's approved, I think it's a good staring point and a good way to see if the IoT manufacturers will voluntarily adopt the standards within the program. Eventually, I'd like to see this mandatory in industries categorized as critical infrastructure.

 

---

 

Will it work or does it need more clout?

 

---

I hope so. IF it's approved, as consumers we need to help this along by only buying IoT products with the Cyber Shield label or any other frameworks the IoT device adheres to. Leaving customer reviews along the lines of, "Your product looks great but unfortunately I couldn't buy it because it doesn't adhere to current IoT standards to keep me safe". As security professionals, we'll need to step up and be loud about this IF it gets approved.
 

Edit: Cyber Shield Bill   

I think it's important to always offer voluntary approaches first. Self-policing can work and requires less regulatory overhead. This would be a good way to get IoT security onto the radar of tech companies by providing a badge. With a little marketing, that badge could be like the term "organic", driving a new level of improvement.

However, if the certification does not come with testing, there is no point.