On March 14, the Federal Communications Commission (“FCC”) is expected to approve a Report and Order (“R&O”) that would create a voluntary cybersecurity labeling program for Internet of Things (“IoT”) devices. As previewed in the Notice of Proposed Rulemaking (“NPRM”) released last August, which we covered here, this IoT Labeling Program would “provide consumers with an easy-to-understand and quickly recognizable FCC IoT Label that includes the U.S. government certification mark (referred to as the Cyber Trust Mark).”
The R&O explains that the IoT Labeling Program would “help consumers make informed purchasing decisions, differentiate trustworthy products in the marketplace, and create incentives for manufacturers to meet higher cybersecurity standards.” It provides details about the program and how manufacturers can seek authority to use the FCC IoT Label:
- Eligible Devices. The IoT Labeling Program would focus on wireless consumer IoT products, although the R&O notes that the FCC does not “foreclose the possibility of expanding the IoT Labeling Program in the future.” The program would exclude certain devices, including wired IoT devices, enterprise or industrial IoT products, medical devices, and communications equipment on the FCC’s Covered List maintained pursuant to the Secure and Trusted Communications Networks Act.
- Definition of “IoT Device.” The R&O would adopt a modified version of the National Institute of Standards and Technology’s (“NIST”) definition of “IoT device”: “(1) an Internet-connected device capable of intentionally emitting RF energy that has at least one transducer (sensor or actuator) for interacting directly with the physical world, coupled with (2) at least one network interface (e.g., Wi-Fi, Bluetooth) for interfacing with the digital world.” The R&O explains that it builds on NIST’s definition by adding “Internet-connected,” because “a key component of IoT is the usage of standard Internet protocols for functionality.”
- Program Management. The R&O states that the FCC would retain “ultimate control” of the IoT Labeling Program as the “program owner.” Cybersecurity Label Administrators (“CLAs”) would support the FCC by managing certain aspects of the program and authorizing use of the FCC IoT Label. One CLA would serve as the Lead Administrator, who would “identify or develop, and recommend to the Commission for approval, the IoT specific standards and testing procedures, as well as design and placement of the label” and develop a consumer education plan. Multiple CLAs would be authorized to evaluate and approve applications from manufacturers seeking to use the FCC IoT Label.
- Approval Process. To seek approval to use the FCC IoT Label, manufacturers must follow a two-step process: (1) complete product testing by an accredited and Lead Administrator-recognized lab and (2) obtain product label certification by a CLA. The FCC would recognize certain third parties with expertise in security and compliance testing as Cybersecurity Testing Laboratories (or “CyberLABs”) to test IoT products for compliance under the first step of the approval process. CLA-run labs and in-house testing labs may also perform the cybersecurity conformity testing for IoT products, provided that they meet the same accreditation and recognition requirements as CyberLABs. The FCC would task the Lead Administrator with providing recommendations on how often IoT products must renew their requests to bear the FCC IoT Label.