On July 30, 2024, the Federal Register published the Federal Communications Commission (the “FCC”) Report and Order (the “Order”) creating a voluntary cybersecurity labeling program for Internet of Things (“IoT”) devices.  As reported in our blog post issued shortly before the Order was approved on March 14, 2024, this program is intended to “provide consumers with an easy-to-understand and quickly recognizable FCC IoT Label that includes the U.S. Government certification mark (referred to as the U.S. Cyber Trust Mark).”  While there are several steps remaining to fully establish the program, this Order represents a significant milestone in policymakers’ efforts to launch a federal cybersecurity labeling program for internet connected devices.

The Order

The Order was approved unanimously, receiving enthusiastic bipartisan support.  In her statement, Chairwoman Jessica Rosenworcel said that the Cyber Trust Mark “has the power to become the worldwide standard for secure Internet of Things devices.”  Fellow Democratic Commissioner Geoffrey Starks wrote, “I strongly support the Order we adopt today.”  And Republican Commissioner Nathan Simington stated that he was “thrilled that [the FCC is] enacting this Order…it has the potential to be the beginning of a new era for American cybersecurity policy.”

Since our last blog post on March 5, the Order has been updated slightly.  The definition of “Consumer IoT Products,” which covers “IoT products intended primarily for consumer use, rather than enterprise or industrial use,” now excludes motor vehicles and motor vehicle equipment regulated by the National Highway Traffic Safety Administration.  The definition previously only excluded medical devices regulated by the Food and Drug Administration.  The final Order also includes additional direction regarding how the Cyber Security Label Administrators should engage stakeholders and updates on other administrative matters.

The Order was published in the Federal Register on July 30, 2024, and is effective August 29, 2024.  However, several of the Order’s amendments to FCC rules (those that involve new or modified information collection requirements) will not become effective until after OMB completes its review under the Paperwork Reduction Act.  These amendments relate to application requirements for the Cyber Security Label, the process for granting authorization to use the Cyber Security Label, requirements for grantees to retain records, and other items.

The Further Notice

When the FCC adopted the Order in March 2024, it also adopted a Further Notice of Proposed Rulemaking (the “Further Notice”) related to the program.  The Further Notice sought comment on requiring additional declarations from manufacturers to instill confidence that products bearing the Cyber Trust Mark are not vulnerable to attacks from “high-risk countries” as defined by the Department of Commerce in 15 CFR § 7.4.  The Further Notice sought comment on whether manufacturers should have to declare if software was developed in or deployed from within a high-risk country, if data collected by IoT products is stored in or passes through a high-risk country, and that the products cannot be remotely controlled from within a high-risk country.  The Further Notice also asked about the level of detail that should be required for information related to high-risk countries and whether a product’s connection to high-risk countries should make it ineligible for the label altogether.  Comments on the Further Notice closed on April 24, 2024, and reply comments were due on May 24, 2024.

Photo of Jennifer Johnson Jennifer Johnson

Jennifer Johnson is a partner specializing in communications, media and technology matters who serves as Co-Chair of Covington’s Technology Industry Group and its global and multi-disciplinary Artificial Intelligence (AI) and Internet of Things (IoT) Groups. She represents and advises technology companies, content distributors…

Jennifer Johnson is a partner specializing in communications, media and technology matters who serves as Co-Chair of Covington’s Technology Industry Group and its global and multi-disciplinary Artificial Intelligence (AI) and Internet of Things (IoT) Groups. She represents and advises technology companies, content distributors, television companies, trade associations, and other entities on a wide range of media and technology matters. Jennifer has almost three decades of experience advising clients in the communications, media and technology sectors, and has held leadership roles in these practices for almost twenty years. On technology issues, she collaborates with Covington’s global, multi-disciplinary team to assist companies navigating the complex statutory and regulatory constructs surrounding this evolving area, including product counseling and technology transactions related to connected and autonomous vehicles, internet connected devices, artificial intelligence, smart ecosystems, and other IoT products and services. Jennifer serves on the Board of Editors of The Journal of Robotics, Artificial Intelligence & Law.

Jennifer assists clients in developing and pursuing strategic business and policy objectives before the Federal Communications Commission (FCC) and Congress and through transactions and other business arrangements. She regularly advises clients on FCC regulatory matters and advocates frequently before the FCC. Jennifer has extensive experience negotiating content acquisition and distribution agreements for media and technology companies, including program distribution agreements, network affiliation and other program rights agreements, and agreements providing for the aggregation and distribution of content on over-the-top app-based platforms. She also assists investment clients in structuring, evaluating, and pursuing potential investments in media and technology companies.

Photo of Conor Kane Conor Kane

Conor Kane advises clients on a broad range of privacy, artificial intelligence, telecommunications, and emerging technology matters. He assists clients with complying with state privacy laws, developing AI governance structures, and engaging with the Federal Communications Commission.

Before joining Covington, Conor worked in…

Conor Kane advises clients on a broad range of privacy, artificial intelligence, telecommunications, and emerging technology matters. He assists clients with complying with state privacy laws, developing AI governance structures, and engaging with the Federal Communications Commission.

Before joining Covington, Conor worked in digital advertising helping teams develop large consumer data collection and analytics platforms. He uses this experience to advise clients on matters related to digital advertising and advertising technology.