By NHI Mgmt Group Editorial TeamDomain: Cyber SecuritySource: Cybertrust JapanPublished November 12, 2025

TL;DR: Japan and the UK have agreed to align IoT security requirements under JC-STAR and PSTI, a move that could reduce duplicate certification effort and push manufacturers toward more consistent baseline controls across markets, according to Cybertrust Japan. For identity and access teams, the key issue is whether device credentials, update channels, and reporting mechanisms are governed as lifecycle assets rather than as static product features.


At a glance

What this is: Japan and the UK are moving toward mutual recognition of IoT security labelling, with the article highlighting a broader push to align device security requirements across markets.

Why it matters: This matters because IoT governance increasingly intersects with identity, secrets, and lifecycle control, especially when device credentials and update pathways need to satisfy multiple regulatory regimes.

By the numbers:

👉 Read Cybertrust Japan's analysis of JC-STAR and PSTI mutual recognition


Context

IoT security labelling is moving from a national compliance exercise to a cross-border governance problem. When certification schemes start recognising one another, manufacturers must prove that baseline controls such as passwords, vulnerability reporting, and update periods are consistent enough to satisfy multiple markets, not just one.

The identity angle is real even though this is not a traditional IAM story. IoT devices depend on embedded credentials, update trust chains, and operational ownership across their lifecycle, which makes secrets management and offboarding part of product security rather than back-office administration.


Key questions

Q: What breaks when IoT security certification does not include lifecycle ownership?

A: Certification becomes a snapshot rather than a control. Devices may meet baseline requirements at shipping time, but still fail later if no one owns patching, credential handling, or retirement. That creates a governance gap where the product remains deployed long after its trust assumptions have expired. Lifecycle ownership is what turns compliance into operational security.

Q: Why do embedded device credentials create governance risk in IoT fleets?

A: Embedded credentials act like machine identities that are hard to see, hard to rotate, and easy to forget. If passwords, certificates, or cloud registrations are not tracked as managed assets, attackers can reuse them for persistence or lateral movement. This is why IoT governance and NHI governance increasingly overlap in real programmes.

Q: How do security teams know whether IoT vendor claims are actually working?

A: Look for evidence that passwords are unique, vulnerabilities can be reported, and update periods are enforced in practice. The right signal is not marketing language but proof that devices receive updates, that ownership is documented, and that retired devices can be revoked cleanly. If those controls are missing, the security claim is incomplete.

Q: Who is accountable when a connected device cannot be patched or retired safely?

A: Accountability should sit with the product owner, the security owner, and the procurement function together, because each influences different parts of the device lifecycle. Regulators increasingly expect that security controls survive deployment, which means ownership for patch support, disclosure, and offboarding cannot be left undefined. Shared accountability is the only defensible model.


Technical breakdown

How mutual recognition changes IoT security labelling

Mutual recognition means one country's certification baseline can be accepted, in whole or in part, by another country's scheme. In this article, JC-STAR and PSTI are being aligned through common technical requirements, including passwords, vulnerability disclosure information, and minimum update periods. That does not eliminate local regulation, but it reduces the need for manufacturers to prove the same security properties twice. The real architectural issue is consistency: if the underlying control set is weak or inconsistently implemented, recognition only scales the weakness across markets.

Practical implication: map device security requirements once, then test whether the same control evidence satisfies each jurisdiction.

Why IoT identity is mostly embedded, not user-facing

Most IoT identity is machine identity, not human identity. Devices authenticate through factory-set passwords, certificates, tokens, or cloud-linked trust relationships, and those credentials often outlive the personnel who deployed the device. That makes lifecycle controls central. A device that cannot report vulnerabilities, rotate credentials, or receive security updates on a defined cadence becomes an identity governance problem as much as a hardware problem. The article's emphasis on minimum update periods and reporting channels shows that the security model is moving toward ongoing operational accountability, not one-time certification.

Practical implication: treat device credentials and update trust as governed identities with ownership, rotation, and revocation requirements.

What cross-border baseline controls actually test

The controls named in the article are simple but consequential. Password requirements reduce trivial compromise, vulnerability reporting creates a disclosure path, and minimum update periods set an expectation for patch support. These are foundational, not advanced, controls. Their importance is that they establish whether a vendor can be trusted to maintain the product after shipment. For IoT fleets, the control question is no longer just whether a device was secure on day one, but whether the manufacturer can sustain that security across the device's operational life.

Practical implication: verify that procurement evidence includes password policy, disclosure process, and update support commitments.


Threat narrative

Attacker objective: The attacker wants durable access to IoT endpoints and their trust relationships so compromised devices can be reused for scale, persistence, or downstream intrusion.

  1. Entry occurs when large IoT fleets expose weak or default passwords, outdated firmware, or unmonitored device services to internet-facing attackers.
  2. Escalation follows when compromised devices provide a foothold into cloud-linked management planes, internal networks, or adjacent devices with shared trust.
  3. Impact appears as botnet recruitment, lateral movement, data exposure, or persistent access that survives long after the original device owner has lost visibility.

NHI Mgmt Group analysis

Cross-border IoT certification is becoming a lifecycle governance test, not a labeling exercise. The article's core significance is that mutual recognition only works when device security controls are durable after shipment. Password requirements, reporting mechanisms, and update periods are lifecycle controls, which means procurement, product, and security teams need shared ownership. If device governance stops at certification, the scheme will create compliance symmetry without operational security symmetry.

Embedded device credentials are a machine identity problem disguised as product compliance. IoT devices rely on secrets, certificates, and management-plane trust that behave like non-human identities, even when the article does not use that language. Once those credentials are shipped at scale, the failure mode becomes over-retention, weak rotation, and poor offboarding. That is exactly the kind of governance gap NHI programs are designed to close, so IoT compliance teams should coordinate with identity teams rather than work separately.

Interoperable standards will raise the floor, but they will also expose immature vendors faster. When national schemes converge, inconsistencies in patch support, disclosure workflows, and password handling become easier to compare. That makes weak product security more visible to buyers and regulators. For practitioners, the practical conclusion is that vendor evidence will matter more than claims, and product security assessments need to verify operational follow-through, not just initial conformity.

Named concept: device identity lifecycle drift is the gap between shipping a secure IoT product and keeping it governed over time. This article points to a system where certification, updates, and disclosure must remain aligned across years of deployment, not only at release. In practice, device security fails when ownership, patch support, and credential control drift apart. Teams should treat that drift as a measurable governance risk.

What this signals

IoT teams should expect certification evidence to be interrogated more like identity evidence. If a device depends on credentials, update channels, or remote management trust, those dependencies need ownership, logging, and retirement controls that can survive audit and procurement review.

device identity lifecycle drift: the gap between a product passing certification and remaining governed through updates, transfers, and end-of-life. That drift is where many connected-device risks accumulate, and it is the point at which identity, supply chain, and product security programmes have to align.

Where connected devices expose embedded credentials or cloud-linked trust, programmes should align with the same control logic used for non-human identities. Lifecycle visibility, revocation, and offboarding matter as much for devices as they do for service accounts, especially when fleets span jurisdictions.


For practitioners

  • Inventory IoT device trust dependencies Document which products rely on passwords, certificates, cloud registrations, or update services so you can compare those dependencies across JC-STAR and PSTI requirements.
  • Tie procurement to lifecycle evidence Require proof of password policy, vulnerability reporting, and minimum update support before purchase approval, not after deployment.
  • Align device identity ownership with offboarding Assign a named owner for each IoT class and define how credentials, certificates, and remote access are revoked when devices are retired or transferred.
  • Test update assurance, not just patch availability Validate that the vendor can deliver security updates within the stated minimum period and that your operations team can confirm deployment at fleet level.

Key takeaways

  • JC-STAR and PSTI alignment is really about whether IoT security controls remain valid after shipment, not just whether a device passes an initial label check.
  • The article points to a machine identity problem, because device credentials, update trust, and offboarding behave like managed identities across the product lifecycle.
  • Practitioners should demand lifecycle evidence for passwords, reporting, and update support, because cross-border recognition only works when operational controls are provable.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

MITRE ATT&CK address the attack surface, NIST CSF 2.0, NIST SP 800-53 Rev 5 and CIS Controls v8 set the technical controls, and ISO/IEC 27001:2022 define the regulatory obligations.

FrameworkControl / ReferenceRelevance
NIST CSF 2.0PR.AC-1IoT device trust and credential handling map to access control governance.
NIST SP 800-53 Rev 5IA-5Device passwords and credential handling are central to the article's baseline controls.
CIS Controls v8CIS-5 , Account ManagementIoT fleet identity and lifecycle ownership align with account management discipline.
ISO/IEC 27001:2022A.8.9Secure configuration and update assurance are directly implicated by IoT certification.
MITRE ATT&CKTA0006 , Credential Access; TA0003 , PersistenceWeak IoT passwords and embedded trust create credential abuse and persistence risks.

Model IoT compromise paths as credential access and persistence threats during threat modelling.


Key terms

  • IoT security labelling: A formal scheme that grades or certifies connected products against defined security requirements. It helps buyers compare baseline controls such as passwords, update support, and vulnerability reporting, but it only protects users if the label reflects ongoing operational assurance rather than one-time compliance.
  • Machine identity: A non-human identity used by a device, workload, or service to authenticate and communicate. In IoT environments, this often takes the form of embedded passwords, certificates, tokens, or cloud registrations that must be governed throughout the device lifecycle.
  • Lifecycle governance: The practice of controlling a system from onboarding through operation, support, and retirement. For IoT products, lifecycle governance means evidence of patching, disclosure, ownership, and offboarding stays current after shipment, not only at certification time.

What's in the full article

Cybertrust Japan's full article covers the policy and standards detail this post intentionally leaves for the source:

  • The specific wording of the JC-STAR and PSTI mutual recognition arrangements.
  • The 3 technical requirements in PSTI and how JC-STAR ★1 maps to them.
  • The timing and process for manufacturer evidence publication on the IPA website.
  • The broader bilateral and international coordination path beyond Japan and the UK.

👉 Cybertrust Japan's full post covers the bilateral agreement, certification mapping, and rollout timeline in more detail.

Deepen your knowledge

The NHI Foundation Level course, the industry's only accredited NHI security programme, covers NHI governance, machine identity security, and secrets management. It is a practical fit for practitioners who need to connect identity control with broader security and compliance programmes.
NHIMG Editorial Note
Published by the NHIMG editorial team on July 11, 2026.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org