FCC Announces Consumer IoT Cybersecurity Labeling Program – Pillsbury Winthrop Shaw Pittman


The initial focus of the Labeling Program will be on consumer IoT products, with certain exceptions discussed below. Accompanying the Cyber Trust Mark will be a QR code that will take interested consumers to a product registry with information about the device, including where to find software patches and security updates. Participating manufacturers will be required to submit their IoT products to accredited test labs to confirm compliance with the IoT Labeling Program technical standards. Subsequently, a Cybersecurity Label Administrator (CLA) will evaluate the manufacturer’s application and certify the use of the Cyber Trust Mark. The following describes the different elements of the IoT Labeling Program.

Eligible Products
Initially, the IoT Labeling Program will include wireless consumer IoT products, not those designed for use in enterprise or industrial settings. Further, while the FCC reserved the right to consider expanding the Program to include wired IoT products, it limited the Program to wireless IoT products to conform with the FCC's clear statutory authority to regulate devices that emit radiofrequency (RF) energy.

The FCC excluded products manufactured by entities that are on the Covered List, or lists maintained by other federal agencies that require national security review such as the Department of Commerce’s Entity List. This exclusion extends to products which contain components manufactured by such entities. IoT Labeling Program applicants will be required to certify that their products comply with these restrictions. Finally, the IoT Labeling Program will exclude IoT products regulated by the Food and Drug Administration as medical devices, and motor vehicles and motor vehicle equipment regulated by the National Highway Traffic Safety Administration.

CLAs and Lead Administrator
Similar to the equipment authorization process, the FCC will not directly administer the IoT Labeling Program. Instead, test labs will apply to be designated a CLA, and a Lead Administrator will be designated by the FCC's Public Safety and Homeland Security Bureau (PSHSB). The CLAs and Lead Administrator will be required to demonstrate expertise in cybersecurity and thorough knowledge of the FCC's rules, and must have no affiliation with entities on the Covered List or the Department of Commerce's Entity List.

Technical Standard
Eligible products will be tested by CLAs to determine whether they comply with the technical criteria set forth in NIST Report 8425. The FCC noted that the criteria in the NIST Report were adopted after a multi-year deliberative process involving NIST and industry stakeholders, and that the criteria reflect the baseline capabilities that consumers would expect to be included in IoT products.

The FCC delegated to the Lead Administrator the task of developing the specific technical standards and testing procedures used to demonstrate compliance with the NIST Report criteria. This process, which may delay program implementation, must include an opportunity for public comment and must be submitted to the PSHSB for final approval.

Registry of Cyber Trust Marks
Products that successfully complete the IoT Labeling Program testing and certification process will be listed in a publicly available registry linked to the product's unique QR code. The FCC specified the baseline requirements for what the registry must include for each product, i.e., product and manufacturer names, dates of cybersecurity certification, CLA information, the lab that conducted the conformity testing, default password change instructions, software update information, minimum support period, and disclosure of a software bill of materials. The FCC delegated authority to the PSHSB to consider whether any additional information should also be included.

Further Notice of Proposed Rulemaking
The FCC is seeking further comment on whether manufacturers participating in the IoT Labeling Program should make additional certifications that (i) the products to be registered do not contain hidden vulnerabilities from high-risk countries, (ii) the data collected by the products does not sit within, or transmit through, high-risk countries, (iii) the products cannot be remotely controlled by servers located in high-risk countries, and (iv) the products' software and/or firmware were not developed or manufactured in a high-risk country. In this context, the FCC proposed to use the foreign adversary list maintained by the Department of Commerce to identify "high-risk" countries subject to these proposed rules; that list currently includes the People's Republic of China (including the Hong Kong Special Administrative Region), Cuba, Iran, North Korea, Russia, and the Maduro Regime in Venezuela. Comments will be due 45 days after the Further Notice is published in the Federal Register.

* * *

The IoT Labeling Program represents the FCC's initial effort to use its statutory authority over intentional RF emitting devices to prescribe a baseline of cybersecurity protections for IoT devices. Interested parties will need to monitor developments to ensure participation in, and compliance with, the Program's rules and policies. Please contact the authors, or your Pillsbury attorney, with any questions.
