JC-STAR Framework Explained | Complete Evaluation Structure for Japan IoT

Editor: ESTL | Category: Technical information | Release time: 2026-04-29

If you have read our previous two articles about JC-STAR, you may feel this way: you roughly understand what JC-STAR is for, yet still feel confused about its specific evaluation rules.

This confusion is common. The most confusing part of JC-STAR lies in its overall structural logic. This article fully clarifies the complete framework of JC-STAR in one simple breakdown.

1. Overall Framework Overview

Simply put: JC-STAR = Star Rating System + Evaluation Scope + Core Security Dimensions

It is a three-dimensional evaluation system, not a simple scoring checklist. If you only regard JC-STAR as a score-based exam, you will struggle to understand its compliance logic.

2. Layer 1: Star Rating System

JC-STAR adopts tiered star labeling for IoT security grading, with two core rules:

  1. Star levels represent complete security capability sets, not fractional scores. There is no “60 points pass” or “80 points excellent”. To obtain a specific star grade, products must satisfy all mandatory requirements of that tier. Missing any single item will directly block star upgrading, instead of simple point deduction.

  2. Star levels are progressive and cumulative. Higher-star compliance must fully meet all requirements of lower tiers. Security controls are stacked layer by layer. This explains why many seemingly secure products remain stuck at medium or low star levels.

3. Layer 2: Full-Scope Evaluation Objects

Most manufacturers underestimate this core rule. JC-STAR never assesses hardware devices in isolation.

The full evaluation scope covers:

  • Physical smart devices
  • Supporting mobile APPs
  • Cloud platforms and backend services
  • End-to-end interaction between device, APP and cloud

Clear reminder: If your IoT product relies on cloud connection or mobile control, these components will definitely be included in the assessment. Independent hardware-only testing is almost impossible.

4. Layer 3: Core Security Assessment Dimensions

Beyond evaluated assets, JC-STAR focuses on systematic security capabilities rather than isolated technical points.

Key assessment categories:

  1. Identity & Authentication: Default password management, mandatory initialization, device pairing and binding logic. Core focus: Identity verification and trusted interaction mechanisms.

  2. Communication Security: Transmission encryption, complete certificate verification, anti-interception and anti-tampering design. Improper encryption without effective verification is a common failure point in lab tests.

  3. Credential & Key Management: Hard-coded keys, universal shared credentials, key update and rotation mechanisms. Key management must cover the full product lifecycle.

  4. Firmware & Lifecycle Security: Secure OTA updates, anti-rollback protection, long-term vulnerability response mechanisms. Lifecycle security carries high weight in Japanese market evaluation.

  5. User-Oriented Security Design: Out-of-box secure status, clear risk notification, and non-weakened security settings. This dimension is often ignored by R&D teams.

5. Visual Framework Logic

The easiest way to understand JC-STAR is with a structural diagram:

  • Horizontal axis: Device / APP / Cloud platform
  • Vertical axis: Authentication, communication, key management, firmware update, lifecycle management
  • Outer layer: Progressive star rating requirements

This framework directly exposes missing designs and unassigned security responsibilities.

6. What This Framework Means for Manufacturers

  1. JC-STAR cannot be fixed through temporary patch modification
  2. It is essentially a comprehensive security architecture review
  3. Early structural alignment greatly reduces subsequent rectification costs

Most compliance failures stem from unreasonable early-stage design frameworks, rather than technical difficulties.

7. Follow-up Content Preview

With this full JC-STAR panorama, we will further unpack detailed rules one by one:

  • Why default passwords are a red-line violation
  • Standard-compliant device pairing design
  • Key inspection items for communication security
  • High-risk failure points of firmware upgrade mechanisms
