Launch of IoT Product Security Labeling Scheme (JC-STAR)

1. Background and Purpose:

With the advancement of digitalization, the number of IoT products such as routers, network cameras and sensors has been rapidly increasing in recent years, and so is the number of cyber-attacks that target their vulnerabilities. Against this backdrop, countries around the world are considering schemes to ensure security measures of IoT products.

METI aimed to establish a scheme to promote IoT products that have appropriate security measures in place while taking into account similar efforts in other countries. To this end, METI advanced discussions in the “Study Group for Establishment of a IoT Product Security Conformity Assessment Scheme” (hereinafter referred to as the “Study Group”) since November 2022. Following a public comment period (from March 15 to April 15, 2024 JST), the final report of this Study Group was published in August 2024, outlining the policy for establishing this scheme.

In this policy, it was indicated that the scheme would launch in part within FY2024. Today, IPA has started accepting applications for JC-STAR* STAR-1, or the unified baseline criteria for all IoT products in scope.

2．Overview of JC-STAR

JC-STAR aims to evaluate and visualize IoT product security using a common standard, enabling purchasers and procurers of IoT products—from government agencies to private companies and general consumers—to easily select products that meet their desired security levels.
The outline of the scheme is as follows:

• The scheme targets a wide range of IoT products with the ability to send and receive data over the Internet using Internet Protocol (IP), including products that are indirectly connected to the Internet (excluding PCs, smartphones, etc.).
• The scheme is a voluntary multi-level scheme that establishes security requirements to address minimum threats common to all IoT products in scope as a unified baseline (STAR-1), as well as security requirements per product category to address characteristics of each product category (STAR-2, STAR-3, and STAR-4).
• For STAR-1 and STAR-2, labels will be granted by IPA based on self-declarations of conformity in order to promote the dissemination of the scheme. For STAR-3 and STAR-4, labels will be granted based on third-party evaluations by independent test laboratories, as they are intended for procurement use by government agencies and critical infrastructure providers, and require high reliability.
• IoT products that obtain the label can affix the label on the product itself, package, etc. The conformity label includes a QR code with a URL of the webpage for the labeled product managed by IPA. This allows various types of information such as vendor information, product information, label information, security information (updates, vulnerability information of the product, etc.), and contact information to be managed in an up to date and streamlined manner.
• The validity period for the STAR-1 label is up to two years. The application fee for STAR-1 is 110,000 JPY (tax included) for applications received by September 30, 2025. Note: The regular price is 198,000 JPY (tax included).

• Scheme Logo
• Label (image)

3. Future Schedule

For STAR-1, a list of labeled products will be published on the IPA website around early May 2025. Additional labeled products will be added as soon as they are approved.

For STAR-2 and above (higher-level security conformance criteria to be developed per IoT product category), conformance criteria are being developed in working groups held by METI and IPA, with a focus on two priority product categories: network cameras and network devices (such as routers), which are expected to be utilized in government procurement. Applications for STAR-2 and above of these two product categories are planned to be accepted after January 2026. STAR-2 and above conformance criteria for other product categories, such as smart home devices, are expected to be developed in due course to expand the scheme.

On requiring JC-STAR labeled products in government procurement, the Guidelines for the Establishment of Standards for Cybersecurity Measures for Government Agencies and Related Agencies (FY2023 Edition), revised in part in July 2024, have indicated the plan to "include the acquisition of STAR-1 or above in the procurement criteria for devices by the end of FY 2025, taking into account status of scheme development, and subsequently STAR-2, STAR-3 and above in a timely manner, subject to expansion of product categories."

METI will also advance discussions within the Japanese government to ensure the scheme’s utilization in procurement of local governments and critical infrastructure operators through relevant guidelines.

Furthermore, METI will continue to pursue interoperability and mutual recognition with schemes of other countries to reduce IoT product vendors' cost of conformity assessment required when exporting IoT products. Specifically, METI will continue negotiations with foreign authorities for mutual recognition with Singapore (Cybersecurity Labelling Scheme), the UK (PSTI Act), the US (U.S. Cyber Trust Mark), and the EU (Cyber Resilience Act).

Related Links

• IPA Japan Cyber STAR (JC-STAR) English Website
• METI IoT Product Security Conformity Assessment Scheme Policy (September 2024)

Related Links (in Japanese)

• METI Study Group for Establishment of a IoT Product Security Conformity Assessment Scheme

Division in Charge

Cybersecurity Division, Commerce and Information Policy Bureau