by kube-system 531 days ago
> Those can be described as IoT devices. They're more appropriately categorized as "consumer electronics"

IoT devices are a subset of a much broader 'consumer electronics' category.

> and often have a firmware update right out of the box.

From major, established, mature companies, yes. Many device manufacturers in this category never issue firmware updates. Which is precisely why this is one of the requirements.

> This segment is not going to care.

Some may, some may not. The federal government will care, because they will be forced by law to comply.

> no third party testing can be exhaustive enough to prevent the obvious exploit from occurring.

Of course, no cybersecurity compliance plan can prevent exploits from occurring. If you try to address cybersecurity in that way, you will fail, anyway. The point is to place controls in place which are achievable, measurable, and help to mitigate risk.

> Even to the extent they can it then enforces a product design which cannot be upgraded or modified by the user under any circumstances.

NIST's requirements require the opposite of this.


> because they will be forced by law to comply.

Which means the program will have zero value outside of federal purchasing offices. They will not evaluate the criteria or care about the reality of the offering, they'll see the sticker, and know it's "default approved."

Is this a good outcome?

> mitigate risk

A sticker cannot do this.

> zero value outside of federal purchasing offices

I can’t guarantee much, but I can guarantee a non-zero number of non-federal purchasers will consider the sticker.

>> mitigate risk

> A sticker cannot do this.

Correct. The sticker itself doesn’t mitigate the risk. The adherence to the requirements necessary to qualify for the sticker does.