CSA Product Security 1.1 looks beyond the device

The Connectivity Standards Alliance released Product Security 1.1 on June 17, 2026, expanding its IoT security certification program from individual devices to larger connected systems. CSA says the new version can cover IoT devices, apps, remote processes, and gateways, with two assurance levels depending on how much independent testing is involved.

That makes this a useful standards update for Matter buyers, but it is not a new Matter feature. Product Security is a separate certification program from Matter, even though CSA runs both. Matter tells you something about a device's interoperability path. Product Security is meant to give manufacturers and regulators a common way to evaluate baseline security claims.

The buyer-level version is simple: a smart home product is rarely just the piece of hardware on the wall. A lock may depend on a phone app, cloud service, account system, firmware update path, and gateway. A certification program that can examine more of that system is more useful than one that only looks at the accessory in isolation.

What changed in version 1.1

CSA says Product Security 1.1 adds coverage for complete IoT systems and introduces two assurance levels. Level 1 uses a supplier self-assessment reviewed by an authorized test laboratory. Level 2 adds independent assessment and functional testing by an authorized test laboratory.

The second level matters because many smart home security claims sound similar on a product page. "Secure," "encrypted," and "privacy-focused" do not tell a buyer who checked the claim or whether the app, cloud path, and gateway were part of the review. A higher-assurance path gives manufacturers a clearer way to say more than "trust us," though buyers will still need to see which exact products earn which level.

CSA also says version 1.1 covers cybersecurity requirements for the European Union Radio Equipment Directive harmonized standards and Singapore's Cyber Security Labeling Scheme. That is mostly a manufacturer and regulator detail, but it could matter to buyers if it reduces the number of regional security labels and makes security certification easier to compare across markets.

Why Matter homes should care

Matter homes are mixed homes by design. A buyer might use an Apple TV as a Thread border router, Google Home for voice control, a manufacturer's app for firmware updates, and Home Assistant for automations. The device can be Matter-compatible and still rely on other software and services that deserve security scrutiny.

That is where system-level security review fits. Matter does not remove the need for vendor apps, accounts, update servers, bridge firmware, or cloud services in every product category. Some accessories work locally for basic control but still keep important features inside the brand app. Locks, cameras, robot vacuums, hubs, and bridges are the obvious places where the surrounding system can matter as much as the radio protocol.

A Product Security mark will not tell you whether a lock exposes all features in Apple Home, whether a Thread sensor has enough range, or whether a bridge maps every device cleanly into Matter. It can, however, become one more signal when choosing between products that otherwise look similar.

What buyers should not assume

Do not treat Product Security 1.1 as a replacement for Matter certification or ecosystem compatibility. A security certification can say something about baseline security practices. It does not mean the product supports Matter, uses Thread, avoids a brand hub, exposes every feature in your preferred app, or works well in a mixed-platform home.

The reverse is also true. A Matter logo does not automatically mean the full product system has gone through this Product Security path. Buyers should look for both kinds of evidence when the category is sensitive: locks, access devices, cameras, gateways, and anything tied to occupancy, routines, or remote access.

The practical move is to read certification language closely. Check whether a manufacturer names Product Security, which version or assurance level applies, and which product or system was certified. If the label only appears in a generic company sustainability or security page, treat it as background until it is tied to the exact product you are considering.

For now, Product Security 1.1 is most useful as a sign of where smart home certification is heading. Matter buyers still need the usual compatibility checklist, but the security checklist is becoming less device-only. That is the right direction for a home where the app, hub, cloud path, and hardware all shape the real risk.