Japan Cyber STAR (JC-STAR): IoT Product Security Labeling Scheme
Overview
Japan Cyber STAR (JC-STAR), officially known as “Labeling Scheme based on Japan Cyber-Security Technical Assessment Requirements,” is a Japanese labeling scheme established by the Information-technology Promotion Agency (IPA) to confirm the conformance of IoT products to defined security technical requirements. The scheme harmonizes with domestic and international standards such as ETSI EN 303 645 and NISTIR 8425.
The JC-STAR scheme was established based on the “IoT Product Security Conformity Assessment Scheme Policy” published by the Ministry of Economy, Trade and Industry (METI) in August 2024. It targets a wide range of IoT products capable of communicating with the internet, aiming to conduct evaluation and visualization of the security functions equipped with products using a common standard.
Problem Statement
Traditionally, IoT products’ security measures have presented significant challenges. Vendors have found it difficult to effectively communicate their security measures to procurers and consumers, while procurers and consumers themselves have struggled to determine whether products’ security measures are adequate. Furthermore, as government agencies and corporations increasingly adopt broad supply chain risk management practices, the current reality is that it is difficult to implement the process of verifying products’ security functions and countermeasures at the time of selection and procurement.
Solution
To address these challenges, JC-STAR establishes conformance requirements according to required security levels. Products that meet the defined conformance requirements are given a conformance label with a two-dimensional barcode, enabling procurers and consumers to easily acquire product details, conformance evaluations, security information, contact details, and other relevant data.
Important Note: The presence of a conformance label does not assure complete or perfect security. The label confirms that the IoT product meets the baseline security functions required to counter the threats assumed by the defined conformance requirements and evaluation guidance.
JC-STAR Conformance Levels
The JC-STAR scheme defines four levels of conformance requirements, each designed for different security contexts and use cases:
STAR-1 (Level 1) – Baseline Requirements
Scope: Common baseline security requirements required for all IoT products.
Assessment Method: Self-declaration of conformance. IoT product vendors themselves declare that their products satisfy the requirements.
Evaluation Process: IPA grants the conformance label based on a checklist describing the results of the vendor’s self-assessment conducted using the conformance requirements and assessment procedures specified by the scheme.
Characteristics:
•Low cost and short timeframe for acquiring the conformance label
•Reliability depends on the vendor’s credibility
•IPA conducts inspections and surveillance when doubts arise regarding conformance, with potential for label revocation if non-conformance is identified
STAR-2 (Level 2) – Product-Category-Specific Requirements
Scope: Basic security requirements specified for each IoT product category, considering its unique characteristics, in addition to STAR-1 requirements.
Assessment Method: Self-declaration of conformance. IoT product vendors themselves declare that their products satisfy the requirements.
Evaluation Process: Similar to STAR-1, IPA grants the conformance label based on a vendor’s self-assessment checklist.
Characteristics:
•Addresses product-category-specific security considerations
•Maintains low cost and short timeframe for label acquisition
•Subject to the same inspection and surveillance mechanisms as STAR-1
STAR-3 (Level 3) – Enhanced Requirements for Critical Systems
Scope: General security requirements specified in addition to STAR-1 and STAR-2 requirements for each product category. Intended for use in critical systems operated by government agencies, critical infrastructure providers, local governments, and large corporations.
Assessment Method: Third-party evaluation. An independent third-party Evaluation Body conducts the assessment.
Evaluation Process: IPA certifies and labels products based on the Evaluation/Assessment Technical Reports from independent third-party Evaluation Bodies.
Characteristics:
•Higher level of reliability compared to STAR-1 and STAR-2
•Requires independent third-party evaluation
•Longer timeframe and higher cost than lower levels
•Suitable for products with critical security requirements
STAR-4 (Level 4) – Maximum Security Requirements
Scope: The most stringent security requirements specified in addition to STAR-1, STAR-2, and STAR-3 requirements for each product category. Intended for use in the most critical systems operated by government agencies, critical infrastructure providers, and other high-security environments.
Assessment Method: Third-party evaluation. An independent third-party Evaluation Body conducts the assessment.
Evaluation Process: IPA certifies and labels products based on the Evaluation/Assessment Technical Reports from independent third-party Evaluation Bodies.
Characteristics:
•Highest level of security assurance and reliability
•Requires independent third-party evaluation
•Most stringent requirements and longest evaluation timeframe
•Reserved for products in the most critical security contexts
Application Process Overview
For New Applications (STAR-1 and STAR-2)
The application process for STAR-1 and STAR-2 levels follows a self-declaration model:
1.Preparation: Vendors prepare their IoT products in accordance with the defined conformance requirements and assessment procedures for their chosen level (STAR-1 or STAR-2).
2.Self-Assessment: Vendors conduct a comprehensive self-assessment of their products using the official assessment checklist, documenting how their products meet each requirement.
3.Application Submission: Vendors submit their application to IPA, including the completed assessment checklist and supporting documentation.
4.IPA Review: IPA reviews the submitted documentation to verify conformance with the requirements.
5.Label Issuance: Upon successful review, IPA issues a conformance label with a two-dimensional barcode to the vendor.
6.Post-Issuance Surveillance: IPA may conduct inspections and surveillance to verify ongoing conformance. Non-conformance may result in label revocation.
For New Applications (STAR-3 and STAR-4)
The application process for STAR-3 and STAR-4 levels involves third-party evaluation:
1.Preparation: Vendors prepare their IoT products in accordance with the defined conformance requirements for their chosen level (STAR-3 or STAR-4).
2.Evaluation Body Selection: Vendors select an IPA-approved independent third-party Evaluation Body to conduct the assessment.
3.Third-Party Evaluation: The Evaluation Body conducts a comprehensive technical assessment of the product, documenting conformance with all requirements.
4.Technical Report Submission: The Evaluation Body submits its Evaluation/Assessment Technical Report to IPA.
5.IPA Certification: IPA reviews the technical report and, if satisfied, certifies the product and issues a conformance label.
6.Post-Issuance Surveillance: IPA may conduct follow-up inspections to verify ongoing conformance.
Mutual Recognition Applications
JC-STAR has established mutual recognition agreements with other cybersecurity labeling schemes:
•UK PSTI Act Compliance: Vendors with products certified under the UK Product Security and Telecommunications Infrastructure (PSTI) Act can apply for JC-STAR recognition without undergoing a separate full evaluation. Application documents are available through IPA.
•Singapore Cybersecurity Labelling Scheme (CLS): Mutual recognition between JC-STAR and Singapore’s CLS began on June 1, 2026, allowing vendors to leverage compliance in one scheme toward the other.
Key Takeaways
•JC-STAR is Japan’s official IoT product security labeling scheme, designed to help procurers and consumers identify products with verified security functions.
•Four conformance levels (STAR-1 through STAR-4) cater to different security contexts, from baseline requirements for general IoT products to maximum requirements for critical infrastructure.
•Self-declaration methods (STAR-1 and STAR-2) offer low-cost, fast-track certification, while third-party evaluation methods (STAR-3 and STAR-4) provide higher assurance for critical systems.
•Mutual recognition agreements with the UK PSTI Act and Singapore CLS streamline compliance for vendors operating in multiple markets.
•Conformance labels enable transparent communication of security capabilities between vendors, procurers, and consumers, supporting informed procurement decisions.
For more information, vendors and procurers are encouraged to visit the official IPA JC-STAR website at https://www.ipa.go.jp/en/security/jc-star/index.html.
Not Sure Where to Start?
Request a free initial consultation or product assessment.
Our experts are here to help.
