The Federal Communications Commission (FCC) recently approved a voluntary Internet of Things (IoT) labeling program. This allows manufacturers of IoT products to obtain FCC approval to display the U.S. Cyber Trust Mark on products that meet IoT cybersecurity standards. As mentioned in the August 2023 article "Privacy and security updates," the FCC's labeling program is part of the Biden administration's National Cyber Strategy and is based on recommendations made by the U.S. Cyberspace Solarium Commission in a March 2020 report.
Key Point
The labeling program is in line with trends in Europe and Asia, which are establishing or planning similar IoT programs. Initially, the program will target manufacturers of wireless consumer IoT products, meaning connected or "smart" devices such as refrigerators, microwaves, televisions, air conditioning systems, and fitness trackers, but it could expand in the future.
Although the program is voluntary, the FCC rejected industry efforts to include a liability safe harbor, so future program participants will be left with limited options and need to consider how their labels may be used in litigation in the event of an IoT security incident.
Even IoT manufacturers that decline to participate should consider evaluating whether their products meet the labeling program's requirements. This is because these requirements may be considered a potential benchmark for “reasonable security” in litigation and regulatory investigations.
What is the purpose of the labeling program?
The labeling program grew out of the FCC's recognition that IoT products are essential to everyday life and are susceptible to a wide range of common cybersecurity vulnerabilities. The FCC noted that approximately 1.5 billion cyberattacks were launched against IoT devices in the first six months of 2021, based on third-party estimates. The IoT Labeling Program is designed to provide consumers with assurance regarding the baseline cybersecurity of wireless IoT products, so that consumers can make informed decisions and manufacturers are encouraged to develop their IoT products based on security-by-design principles.
This type of voluntary cybersecurity labeling program is gaining momentum globally. Singapore has already introduced a cybersecurity labeling scheme, and Japan recently announced its intention to collaborate with the US on its own IoT labeling program. And in January this year, the European Union signed an IoT safety label plan in conjunction with the US.
What types of things can the Cyber Trust Mark be attached to?
This voluntary program will initially include wireless consumer IoT products, but may expand in the future.
An IoT product is an IoT device together with any additional product components (for example, backends, gateways, mobile apps, etc.) that are required to use the IoT device beyond basic operational functionality.
An IoT device is an Internet-connected device that can intentionally emit radio frequency energy, has at least one transducer (sensor or actuator) that can interact with the physical world, and has at least one network interface (for example, Wi-Fi, Bluetooth) used to interface with the digital world.
In less technical terms, IoT products are wireless smart devices that have permeated the daily lives of many consumers, such as home security cameras, internet-connected devices, baby monitors, garage door openers, fitness trackers, and voice-activated devices.
The following devices are not eligible for the labeling program:
- A medical device regulated by the U.S. Food and Drug Administration (FDA).
- Communications equipment on the list maintained by the FCC pursuant to Section 2 of the Secure and Trusted Communications Networks Act (STCNA). This list applies to telecommunications and surveillance equipment manufactured by certain foreign companies.
- Any IoT device manufactured by an entity identified on the target list (in other words, an entity designated as manufacturing "covered" equipment, or any of its subsidiaries or affiliates).
- Devices or products of companies whose names appear on certain lists maintained by other federal agencies that represent the results of national security reviews.
Who manages the labeling program?
Although the FCC oversees the labeling program, review of applications and approval of the Cyber Trust Mark is performed by the Cybersecurity Label Administrator (CLA). A lead administrator is appointed from within the CLA to act as an intermediary between the CLA and the FCC. The lead administrator will also be responsible for, among other things, stakeholder outreach, managing complaints regarding the labeling program, and approving laboratories authorized to perform conformance testing.
How should a manufacturer apply?
Manufacturers follow a two-step process to obtain authorization to use the FCC IoT label, which requires obtaining both:
- Product testing by a laboratory approved by a certified principal administrator (for example, a CyberLAB, CLA lab, or in-house lab).
- Product label certification by CLA.
For a wireless consumer IoT product to be labeled with the Cyber Trust Mark, the IoT product must meet technical requirements for product composition, data protection, interface access control, software updates, and cybersecurity state awareness. IoT products must also meet requirements that apply to IoT product developers, including documentation, receipt of information and inquiries, dissemination of information, and product education and awareness.
Ultimately, updates will be required to maintain the Cyber Trust Mark label on IoT products, but this will likely vary depending on the type of IoT product.
Are there liability concerns?
The FCC declined to include a safe harbor or preemption of state law that would protect manufacturers who voluntarily apply for a Cyber Trust Mark from liability. In the FCC's view, IoT products bearing the Cyber Trust Mark carry a stamp of validity, even if such products are infringing. However, IoT manufacturers should be aware that materials submitted to the labeling program may be subject to consumer protection actions if their products cause a security incident or cause injury.
IoT manufacturers should also anticipate that the FCC's cybersecurity standards may emerge as new de facto standards and benchmarks, very similar to the framework published by the National Institute of Standards and Technology. Therefore, it may be wise for IoT manufacturers to consider whether their products meet the labeling program's standards, even if they do not seek the Cyber Trust Mark.