On February 22, 2024, the Federal Communications Commission (FCC or “Commission”) released a Public Draft of a Report and Order that, if adopted, would establish a voluntary labeling program for Internet of Things (IoT) products, pursuant to which eligible products could be authorized to display the newly created U.S. Cyber Trust Mark to indicate conformance with baseline cybersecurity standards.
The FCC’s IoT labeling program is a landmark initiative that, if embraced by the private sector, could have a significant impact on the IoT ecosystem as well as the tech industry more broadly. While Congress has considered IoT security and has adopted mandates for federal agency IoT security, it has not directed the creation of a labeling program for the private sector; however, establishing a cybersecurity labeling effort has been a priority for the White House. Consistent with the White House’s goal of seeing products displaying the mark before 2024 is out, this FCC initiative has been rolled out on an accelerated timeline: the Public Draft – slated for consideration at the FCC’s March 14 Open Meeting – quickly follows the FCC’s original proposal for IoT labels.
While the Public Draft represents an important step for the program, there are many implementation, operational, and legal issues that will need to be rapidly worked through in order to meet this aggressive timetable. This will present numerous additional opportunities for manufacturers and others in the IoT space to participate. If stakeholders want to see a different approach or help refine the details of the program as set forth in the Public Draft, they have time to work with the Commission in ex parte filings or meetings. The item will come to a vote at the March Open Meeting.
Background
The White House announced the Cyber Trust Mark program in July 2023 with a kickoff event featuring FCC Chairwoman Rosenworcel and tech industry representatives, among others. Consistent with the White House’s expected timeline of getting the program up and running in 2024, the FCC followed in short order with an NPRM in August 2023. After receiving public comment, the agency has now released this Public Draft, which previews the Report and Order that will adopt rules to establish the program.
The FCC’s Notice of Proposed Rulemaking (NPRM) on an IoT labeling program was very broad and asked an array of questions. Overall, the Public Draft Report and Order would take the program in a direction that is consistent with industry feedback in several respects, such as keeping the program voluntary, leveraging the work of the National Institute of Standards and Technology (NIST) for cybersecurity standards and testing procedures, and promoting “close public-private collaboration,” such as relying on third-party certification bodies and program administrators. However, the Public Draft also would adopt measures that were more controversial in the record, including mandating the creation of an IoT product registry (albeit a “pare[d] back” version of what was proposed), requiring the mark to apply at the IoT product level (rather than at the IoT device level), and declining to afford any preemptive effect or meaningful safe harbor for program participants. The Public Draft also would make manufacturers responsible for apps that “reside on” their devices and can be used to “connect to and control” the product, as well as the “connection link” between the product and any controlling apps that do not reside on the device.
While the Public Draft addresses numerous questions posed by the NPRM, the item would leave much more work to do. Casting itself as “provid[ing] the high-level programmatic structure” for the program, the Public Draft would delegate to the Commission’s Public Safety and Homeland Security Bureau (PSHSB) and a yet-to-be-selected third-party administrator numerous implementation tasks, including the creation of standards and testing programs, the approval of testing bodies and additional third-party program administrators, details of label design and placement, the setup of the IoT registry, and a consumer education campaign – just to name a few.
If adopted at the FCC’s March 14 meeting, the new regulations or portions thereof will still need to go through review by the Office of Management and Budget (OMB) under the Paperwork Reduction Act before they can become effective, because they involve information collection by the government. It’s possible that this process can be completed in time for products to begin using the mark before the year is out, as the White House intends. But a larger question for the program is whether all of the additional implementation work can be completed in that timeframe.
Below, we provide key context for this latest FCC development, and dive into the details of the Public Draft.
Breaking Down the Public Draft
The Public Draft indicates that the Report and Order is intended to “provide the high-level programmatic structure that is reasonably necessary to establish the IoT Labeling Program and create the requirements necessary for oversight by the Commission,” but recognizes that “further development … by the private sector and other federal agencies” will be required for implementation. ¶ 13. The “high-level structure” set forth in the draft Report and Order includes the following key determinations and components:
Next Steps
The item – the substance of which is subject to updates or edits from the Commission – is scheduled for a full Commission vote at the agency’s March 14 meeting. Leading up to the meeting, stakeholders have an opportunity to raise issues or concerns about the Public Draft through meetings at the Commission or written filings. However, once the “sunshine period” commences, communications about the item will be prohibited. The sunshine period for the March 14 Commission meeting is expected to begin on March 8.
If the Report and Order is adopted, there will be numerous additional opportunities for stakeholder participation as the various directives in the item are implemented. These opportunities will include participation in the Lead Administrator’s multistakeholder process to determine recommended standards and testing procedures for the program as well as opportunities to comment on PSHSB public notices on various aspects of program implementation including standards and testing procedures, establishment of the IoT registry, and so forth.
Please contact the authors with questions about the Public Draft, the future program and its interaction with current equipment authorization regulations, or how to advocate for your company’s interests as the program is implemented.
Our Site uses cookies to improve your experience. Cookies may collect your personal information, such as IP address or device identifier, which we may disclose to our analytics partners. You may opt out of the cookies that are not strictly necessary if you wish. By using this site, you agree to our updated Privacy Policy, Terms & Conditions, and Cookies Policy.
Necessary cookies enable core functionality such as security, network management, and accessibility. You may disable these by changing your browser settings, but this may affect how the website functions.
Analytical cookies help us improve our website by collecting and reporting information on its usage. We access and process information from these cookies at an aggregate level.
About The Author
More Stories
From Commitments to Practice: Internet Society’s Priorities for WSIS+20 Implementation
Final Results of the 2026 Internet Society Board of Trustees Elections and IETF Selections
Community Snapshot—March