March 21, 2024

More Cyber Protections for Internet of Things Consumer Devices? FCC to Use Labels

The Federal Communications Commission (FCC) is providing a new level of protection for consumers who are worried about potential cybersecurity risks to connected consumer devices. Last week, the agency adopted a voluntary labeling program that manufacturers of "smart" wireless, internet-connected consumer devices can follow to indicate to consumers that the device meets certain cybersecurity protections.

The FCC has set out the framework for an Internet of Things (IoT) labeling program by which a manufacturer of eligible products may mark a product with an FCC IoT Label that incorporates the federal government's Cyber Trust Mark. The goal, according to the agency, is to "help consumers make better purchasing decisions, raise consumer confidence with regard to the cybersecurity of the IoT products they buy to use in their homes and their lives, and encourage manufacturers of IoT products to develop products with security-by-design principles in mind."

Eligible devices will need to demonstrate compliance with cybersecurity criteria that follow those developed by the National Institute of Standards and Technology (NIST), the federal agency within the Department of Commerce that leads the research and design of cybersecurity standards for government and industry. The FCC will select at least one third-party administrator to act in its stead. This lead administrator will be responsible for:

  • Determining the precise standards and testing that eligible devices must meet
  • Creating and overseeing a process that will ensure that the label is appropriately used
  • Collaborating with stakeholders and reporting to the FCC changes in NIST cybersecurity standards that may impact the FCC program

To place an FCC IoT Label on a device, a manufacturer must certify that it complies with the appropriate standards. Devices also must have a QR code that will allow consumers to scan for additional information regarding the product's security.

As with the FCC's equipment certification program, manufacturers will need to put a device through a two-step process in which it is first tested by a test lab and then approved by a Cybersecurity Label Administrator (CLA). Test labs accredited according to certain standards (i.e., ISO/IEC 17025) may test devices for compliance before the label is granted. CLAs may charge manufacturers a fee for review of an application for use of the FCC IoT Label.

Certain devices are specifically excluded from the program. These include medical devices, motor vehicles, and "motor vehicle equipment" (defined by the U.S. Code). Also excluded are external components, including external third-party components that are outside a manufacturer's control. And devices on the FCC's Covered List, which have been determined to be a threat to national security, cannot obtain a label.

The FCC also issued a Further Notice of Proposed Rulemaking (FNPRM) that considers imposing other national security requirements on manufacturers, suggesting the agency may add to these rules. One set of questions asks whether the FCC should require that participating manufacturers disclose whether firmware and/or software was developed and manufactured in "high-risk" countries and disclose the countries in which firmware and software updates will be developed and deployed.

Another proposal would be to require manufacturers to reveal whether the data collected by the product is stored in or transits a "high-risk" country or countries. And the FCC asks whether it should bar from participating in the program products that can be remotely controlled by servers located in "high-risk" countries, defined as those on the Department of Commerce's list of foreign adversaries.

The FCC's actions here are just the first step in what is likely to be at least a year-long process of assigning outside administrator duties and developing all the many details underlying the requirements. Comments on the FNPRM proposals will be due 30 days after the item is published in the Federal Register.

Contact Laura Stefani to discuss the FCC's new Internet of Things cybersecurity labeling program.