FCC Announces Consumer IoT Cybersecurity Labeling Program

Pillsbury Winthrop Shaw Pittman LLP

TAKEAWAYS

  • The Federal Communications Commission (FCC) has created a baseline for wireless consumer IoT products to protect against cybersecurity threats.
  • The voluntary program uses criteria established by the National Institute of Standards and Technology (NIST).
  • The program also incorporates a private sector role for reviewing products before labeling is approved.

Reflecting the growing concern with cybersecurity threats associated with Internet of Things (IoT) products, the Federal Communications Commission (FCC) adopted rules at its March 2024 meeting to implement a new Voluntary Cybersecurity Labeling Program. The new label— “U.S. Cyber Trust Mark”—will be affixed on wireless consumer IoT products that go through the voluntary review program to ensure that the products comply with baseline cybersecurity criteria established in the September 2022 NIST Report 8425.

The initial focus of the Labeling Program will be on consumer IoT products, with certain exceptions discussed below. Accompanying the Cyber Trust Mark will be a QR code that will take interested consumers to a product registry with information about the device, including where to find software patches and security updates. Participating manufacturers will be required to submit their IoT products to accredited test labs to confirm compliance with the IoT Labeling Program technical standards. Subsequently, a Cybersecurity Label Administrator (CLA) will evaluate the manufacturer’s application and certify the use of the Cyber Trust Mark. The following describes the different elements of the IoT Labeling Program.

Eligible Products
Initially, the IoT Labeling Program will include wireless consumer IoT products, not those designed for use in enterprise or industrial settings. Further, while the FCC reserved the right to consider expanding the Program to include wired IoT products, it limited the Program to wireless IoT products in order to stay within the FCC’s clear statutory authority to regulate devices that emit radiofrequency (RF) energy.

The FCC excluded products manufactured by entities that are on the Covered List, or lists maintained by other federal agencies that require national security review such as the Department of Commerce’s Entity List. This exclusion extends to products which contain components manufactured by such entities. IoT Labeling Program applicants will be required to certify that their products comply with these restrictions. Finally, the IoT Labeling Program will exclude IoT products regulated by the Food and Drug Administration as medical devices, and motor vehicles and motor vehicle equipment regulated by the National Highway Traffic Safety Administration.

CLAs and Lead Administrator
Similar to the equipment authorization process, the FCC will not directly administer the IoT Labeling Program. Instead, test labs will apply to be designated a CLA, and a Lead Administrator will be designated by the FCC’s Public Safety and Homeland Security Bureau (PSHSB). The CLAs and Lead Administrator will be required to demonstrate expertise in cybersecurity and thorough knowledge of the FCC’s rules, and must not have any affiliation with entities on the Covered List or the Department of Commerce’s Entity List.

Technical Standard
Eligible products will be tested by CLAs to determine whether they comply with the technical criteria set forth in NIST Report 8425. The FCC noted that the criteria in the NIST Report were adopted after a multi-year deliberative process involving NIST and industry stakeholders, and that the criteria reflect the baseline capabilities that consumers would expect to be included in IoT products.

The FCC assigned the Lead Administrator the task of developing the specific technical standards and testing procedures to demonstrate compliance with the NIST Report criteria. This process—which may delay program implementation—must include an opportunity for public comment and must be submitted to the PSHSB for final approval.

Registry of Cyber Trust Marks
Those products that successfully traverse the IoT Labeling Program testing and certification process will be listed in a publicly available registry which will be linked to the product’s unique QR code. The FCC specified the baseline requirements for what the registry must include for each product, i.e., product and manufacturer names, dates of cybersecurity certification, CLA information, lab conducting the conformity testing, default password change instructions, software update information, minimum support period and disclosure of a software bill of materials. The FCC delegated authority to the PSHSB to consider whether any additional information should also be included.

Further Notice of Proposed Rulemaking
The FCC is seeking further comment on whether manufacturers participating in the IoT Labeling Program should make additional certifications that (i) the products to be registered do not contain hidden vulnerabilities from high-risk countries, (ii) the data collected by the products does not sit within, or transmit through, high-risk countries, (iii) the products cannot be remotely controlled by servers located in high-risk countries, and (iv) the products’ software and/or firmware were not developed or manufactured in a high-risk country. In this context, the FCC proposed to use the foreign adversary list maintained by the Department of Commerce to identify “high-risk” countries subject to these proposed rules, which currently lists the People’s Republic of China, including the Hong Kong Special Administrative Region, Cuba, Iran, North Korea, Russia and the Maduro Regime in Venezuela. Comments will be due 45 days after the Further Notice is published in the Federal Register.

* * *

The IoT Labeling Program represents the FCC’s initial effort to use its statutory authority over intentional RF emitting devices to prescribe a baseline of cybersecurity protections for IoT devices. Interested parties will need to monitor developments to ensure participation and compliance with the Program’s rules and policies.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Pillsbury Winthrop Shaw Pittman LLP | Attorney Advertising