Background

Citing consumer reliance on the connected devices woven into our everyday lives, the FCC issued a Notice of Proposed Rulemaking on creating an IoT label that will “help consumers compare IoT devices and make informed purchasing decisions, drive consumers toward purchasing devices with greater security, incentivize manufacturers to meet higher cybersecurity standards to meet market demand, and encourage retailers to market secure devices.” NPRM ¶ 2. The White House applauded this effort for a new “U.S. Cyber Trust Mark,” calling it the latest in a series of actions by the Administration to protect hard-working families. The program is expected to launch in 2024.

Scope of Devices and Products

The new labeling program would encompass smart devices ranging from medical devices, fitness trackers, GPS trackers, Internet-connected appliances, personal digital assistants, Internet-connected home security cameras, voice-activated shopping devices, home office routers, garage door openers, and baby monitors stand to be included in this new program. The FCC proposes to define an eligible IoT device as: (1) an Internet-connected device capable of intentionally emitting RF energy that has at least one transducer (sensor or actuator)for interacting directly with the physical world, coupled with (2) at least one network interface (e.g., Wi-Fi, Bluetooth) for interfacing with the digital world. This definition would encompass the IoT device and any additional product components (backend, gateway, mobile app, etc.). The FCC seeks comment on whether the program should center on IoT products or devices for consumer use, or include “enterprise” devices or products intended for industrial or business use.  See NPRM ¶ ¶ 11-16. 

IoT Cybersecurity Criteria

The FCC discusses drawing from baseline cybersecurity criteria, specifically, the National Institute of Standards and Technology (NIST) Recommended Criteria for Cybersecurity Labeling for Consumer Internet of Things (IoT) Products, for the proposed labeling program. From there, the FCC proposes convening standards organizations, industry groups, and government agencies to develop the IoT security requirements and a conformity assessment program. See NPRM ¶ ¶ 28-29.  

The Label

The label would consist of a certification mark representing that the product or device has met the FCC’s baseline consumer IoT cybersecurity standards and a scannable code directing the consumer to more detailed product information.  The FCC seeks comment on where the label should be affixed and what information about the device should be linked to the QR code. The FCC proposes that the manufacturer disclose the guaranteed minimum support time for the device or product.  The FCC also proposes that the label link to a new IoT Registry, where the public can access a catalog of devices approved pursuant to the program and review searchable IoT security-related information. See NPRM ¶ ¶ 34-44.

Demonstrating Compliance

The NPRM contemplates creation of Cybersecurity Labeling Authorization Bodies, aka CyberLABs (modeled after Telecommunications Certification bodies) that would test and assess IoT devices and products. Such CyberLABs would be evaluated, accredited, and recognized by the FCC or another third party. See NPRM ¶ ¶ 25-26. Companies would need to apply annually for the mark to demonstrate continued compliance. NPRM ¶ 47.  The FCC seeks comment on enforcement of the labeling program requirements. NPRM ¶ 51. 

Key Questions

While many applaud the FCC for helping to make IoT devices more secure and empowering consumers with greater information, questions remain about the program.

First, some have raised concerns about the FCC applying this program to products already subject to other regimes. For example, medical devices are already regulated by other agencies such as the Food and Drug Administration (FDA) and are already required to meet certain cybersecurity standards.  While FDA will likely not object to the addition of the IoT label to a medical device’s label, provided it is not viewed as false or misleading, such labelling and the testing behind it to demonstrate compliance is unlikely to be sufficient to satisfy FDA’s cybersecurity requirements.  Attention to cybersecurity risks and controls in medical devices has been increasing and FDA has likewise increased its focus.  Last month, FDA finalized its guidance on “Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions” and indicated its intention to refuse to accept marketing submissions without the required cybersecurity information and data.  To extent that the data and testing that is required to support the IoT labeling is disparate, will medical device companies need to generate even more cybersecurity data to receive the IoT labeling or will the data that is generated for FDA be sufficient to satisfy both requirements?  Additionally, there are a great number of software products that are marketed under enforcement discretion granted by FDA and as such do not meet FDA standards.  Would the issuance of the IOT labelling run the risk of being viewed as some sort of government endorsement that could be seen by FDA as potentially misleading, thereby undercutting the Agency’s comfort level with not actively regulating these types of products?  It will be important for medical device manufacturers to have clarity about how the two regimes fit together when it comes to a single product.

Second, there are fears that this “voluntary” program could eventually become mandatory and overly prescriptive.

Third, some have pushed for safe harbors, meaning that obtaining the label would serve as a defense against liability for damages resulting from a cyber incident.

These and other issues will need to be raised on the record so that the FCC takes them into account in developing a final rule. 

Next Steps

Stakeholders including device manufacturers and suppliers should analyze this NPRM and consider providing the FCC with feedback on the proposal.  Initial comments on the NPRM were due October 9 and reply comments will be due November 10, 2023.  Once the comment period is over, interested parties may submit ex parte filings in the docket or request meetings with the FCC to discuss relevant issues. 

The Hogan Lovells team consisting of professionals from the Communications, Internet, and Media, Privacy and Cybersecurity, and Medical Device and Technology practice groups regularly collaborate to assist manufacturers and retailers with the full spectrum of regulatory matters. We are happy to answer questions about the NPRM and what it means for your company.

* As used by the FCC, the term “devices” includes all manner of technology including medical devices regulated by the US Food and Drug Administration.