April 19, 2026

DNS Africa Resource Center


FCC Proposes Voluntary Cybersecurity Labeling Program for Internet of Things Devices – JD Supra

Davis Wright Tremaine LLP
"U.S. Cyber Trust Mark" label would indicate an IoT device meets specified cybersecurity standards
The Federal Communications Commission (FCC) has published its notice of proposed rulemaking (the NPRM) detailing the proposed creation of a voluntary cybersecurity labeling program for Internet of Things (IoT) or "smart" devices. The program would permit IoT devices or products that meet certain cybersecurity standards to use an FCC-endorsed label known as the "U.S. Cyber Trust Mark." Under the FCC’s proposal, those cybersecurity standards would be developed from baselines established by the National Institute of Standards and Technology (NIST) pursuant to a 2021 executive order on cybersecurity. Comments on the NPRM are due September 24, 2023, and reply comments are due October 9, 2023. According to press releases from the White House and FCC, the FCC could launch this labeling program in late 2024.
In an August 8, 2023, press release, FCC Chairwoman Jessica Rosenworcel noted that the FCC’s proposed cyber labeling program "would raise awareness of cybersecurity" and help consumers "make more informed purchasing decisions about device privacy and security." Chairwoman Rosenworcel likened the U.S. Cyber Trust Mark to the Environmental Protection Agency’s ENERGY STAR program, which helps consumers identify energy-efficient appliances and encourages companies to produce them in the marketplace.
Key provisions of the U.S. Cyber Trust Mark program, as set forth in the NPRM, include the following:
Proposed Definition of IoT Devices and Potential Inclusion of IoT Products
The NPRM proposes a definition of "IoT devices" that would be eligible for the program by modifying NIST’s definition. NIST defines IoT devices as "[d]evices that have at least one transducer (sensor or actuator) for interacting directly with the physical world and at least one network interface (e.g., Ethernet, Wi-Fi, Bluetooth) for interfacing with the digital world." The NPRM proposes two modifications to that definition: first, adding the term "Internet-connected" because Internet usage is a key element of the IoT in question; and second, requiring that devices be capable of intentionally emitting radio frequency energy because this comports with the FCC’s statutory jurisdiction. As to the second modification, the FCC seeks comment on whether the proposed definition unduly limits the scope of the program, and whether unintentional and incidental radiators should also be included. Alternatively, the FCC asks if unintentional and incidental radiators should be included at a later date and what authorities would support including additional IoT devices or products within the proposed IoT labeling program.
The NPRM also asks whether the U.S. Cyber Trust Mark program should be limited to "IoT devices" or should apply to a broader set of "IoT products" that include "any additional product components (e.g., backend, gateway, mobile app, etc.) that are necessary to use the IoT device beyond basic operational features."
Additionally, the FCC proposes to exclude from the labeling program any equipment that is: (1) on the FCC’s Covered List—i.e., equipment "deemed to pose an unacceptable risk to the national security of the United States or the security and safety of United States persons"; (2) developed by an entity that produces equipment on the Covered List; and (3) on other prohibited lists such as those published by the Department of Commerce and Department of Defense.
Many important questions about the U.S. Cyber Trust Mark program remain unanswered. Among other things, the NPRM leaves open how the program will be administered (for example, by the FCC or a third party), how violations of the program will be enforced, which entities will be eligible to serve as CyberLABs, and what obligations participating manufacturers will have to report vulnerabilities and other security risks.
[1] The FBI recently published a report indicating that QR codes come with their own set of security vulnerabilities, specifically noting that "cybercriminals are tampering with QR codes to redirect victims to malicious sites that steal login and financial information."
[2] The NPRM appears to use the term "manufacturer" broadly to refer to a variety of entities that may offer IoT devices, products and services—including, for example, software developers and sellers—and not exclusively to the entity that actually manufactured a particular device.