FCC Proposes Voluntary Cybersecurity Labeling Program for Internet of Things Devices
The Federal Communications Commission (FCC) has published its notice of proposed rulemaking (the NPRM) detailing the proposed creation of a voluntary cybersecurity labeling program for Internet of Things (IoT) or "smart" devices. The program would permit IoT devices or products that meet certain cybersecurity standards to use an FCC-endorsed label known as the "U.S. Cyber Trust Mark." Under the FCC's proposal those cybersecurity standards would be developed from baselines established by the National Institute of Standards and Technology (NIST) pursuant to a 2021 executive order on cybersecurity. Comments on the NPRM are due September 24, 2023, and reply comments are due October 9, 2023. According to press releases from the White House and FCC, the FCC could launch this labeling program in late 2024.
Overview of the Proposed Smart Device Labeling Program
In an August 8, 2023, press release, FCC Chairwoman Jessica Rosenworcel noted that the FCC's proposed cyber labeling program "would raise awareness of cybersecurity" and help consumers "make more informed purchasing decisions about device privacy and security." Chairman Rosenworcel likened U.S. Cyber Trust Mark to the Environmental Protection Agency's ENERGY STAR program that helps consumers identify energy-efficient appliances and encourages companies to produce them in the marketplace.
Key provisions of the U.S. Cyber Trust Mark program, as set forth in the NPRM, include the following:
- "Binary" label with "layering." The U.S. Cyber Trust Mark would be "binary," meaning that covered IoT devices or products either will or will not qualify to use the label (i.e., there would not be different levels of compliance within the required security standards). The mark would be "layered" such that consumers could easily view and understand the label on its own, but also could choose to view more detailed information via a scannable code (e.g., a QR code) or URL alongside the label linking to an IoT registry.[1] The FCC seeks comment on how participating devices or products should display the mark and code or link, and what detailed cybersecurity information should be provided via the code.
- Voluntary but Enforceable. Participation in the U.S. Cyber Trust Mark program would be entirely voluntary for IoT devices or products that comply with the established security standards. However, the NPRM makes clear that those devices or products that carry the mark would be required to comply with all program requirements. The FCC does not propose specific methods for enforcing the program's requirements but, rather, raises questions and seeks input on several possible approaches, including through civil penalties under the Communications Act, civil litigation for breach of contract or trademark infringement (i.e., using the U.S. Cyber Trust Mark without the FCC's permission), and disqualification from the program. The NPRM solicits comment on the FCC's role in audit and oversight and whether third-party or consumer complaints about allegedly non-compliant devices or products should be permitted. The NPRM likewise seeks comment on whether the program should provide some kind of defense or safe harbor for manufacturers[2] that comply with the program's requirements (while also noting that the FCC does not intend to preempt any existing laws).
- Standards Based on NIST Criteria. On May 12, 2021, President Biden issued Executive Order 14082, "Improving the Nation's Cybersecurity." Among other many other things, the President directed NIST and the Federal Trade Commission (FTC) to develop criteria for an IoT cybersecurity labeling program (DWT analyzed EO 14082 here). On February 4, 2022, NIST published its Recommended Criteria for Cybersecurity Labeling for Consumer IoT Products (the "NIST Criteria"). Those criteria define certain cybersecurity outcomes, rather than specific cybersecurity controls, in order to provide IoT manufacturers with flexibility to meet the criteria in a way that is most appropriate to their devices or products. The NIST Criteria include product configuration, interface access control, software updates, and documentation (among others). In the NPRM, the FCC proposes to develop security standards based on the NIST Criteria jointly with the industry and other stakeholders. The NPRM asks how the NIST Criteria can be leveraged to inform minimum cybersecurity standards (assessed by testing or self-attestation) and on the stakeholder process for developing those standards.
- Third-Party Assessment. Under the NRPM, the FCC or a third-party administrator of the labeling program would accredit or recognize third parties as Cybersecurity Labeling Authorization Bodies (CyberLABs). CyberLABs would be responsible for assessing whether an IoT device or product complies with the cybersecurity standards required to use the U.S. Cyber Trust Mark. The NPRM seeks comment on how CyberLABs should be accredited and overseen, as well as on what types of entities should be eligible to serve as CyberLABs.
- IoT Registry. The NPRM calls for the development of an online IoT registry, which would be linkable in any QR code or URL included with the U.S. Cyber Trust Mark and provide searchable details about devices or products approved to use the U.S. Cyber Trust Mark, including guidance on how to use the devices or products securely. The NRPM asks how the registry should be administered and what information it should contain.
- Disclosure of Support Period. Manufacturers would be required to publish in the IoT registry the minimum length of time for which they will provide support for an IoT device or product bearing the U.S. Cyber Trust Mark. During that period, the manufacturer must identify and remediate security vulnerabilities in those devices or products. The NRPM asks whether manufacturers should be required to notify consumers when support ends and solicits comment on how end-of-support information can be made useful for consumers. As proposed, the FCC program would not dictate any minimum support period; manufacturers could disclose that they offer no support whatsoever.
- Updates and Recertification. Manufacturers of IoT devices or products using the U.S. Cyber Trust Mark would be required to maintain up-to-date information about the devices' or products' cybersecurity practices in the IoT registry. For example, manufacturers would have to publish information about a newly discovered vulnerability in a participating IoT device. Manufacturers also would be required to renew their applications to use the mark annually and provide evidence that the devices or products still meet the requirements, as tested and administered by the CyberLABs or as self-attested. The NPRM seeks comment on whether manufacturers should be required to notify the registry operator of a vulnerability or other security risk so that the registry may be updated.
- Accessibility. The NPRM would require manufacturers to ensure the accessibility of printed and online information about participating devices or products and in accordance with the Americans with Disabilities Act and the guidance developed by the Web Accessibility Initiative. The FCC requests comment on whether this requirement will best ensure that consumers with disabilities will be able to access necessary cybersecurity information.
Proposed Definition of IoT Devices and Potential Inclusion of IoT Products
The NPRM proposes a definition of "IoT devices" that would be eligible for the program by modifying NIST's definition. NIST defines IoT devices as "[d]evices that have at least one transducer (sensor or actuator) for interacting directly with the physical world and at least one network interface (e.g., Ethernet, Wi-Fi, Bluetooth) for interfacing with the digital world. The NPRM proposes two modifications to that definition: first, by adding the term "Internet-connected" because Internet usage is a key element of the IoT in question; and second, by requiring that devices be capable of intentionally emitting radio frequency energy because this comports with the FCC's statutory jurisdiction. As to the second modification, the FCC seeks comment on whether the proposed definition unduly limits the scope of the program, and unintentional and incidental radiators should be also included. Alternatively, the FCC asks if unintentional and incidental radiators should be included at a later date and what authorities would support including additional IoT devices or products within the proposed IoT labeling Program.
The NPRM also asks whether the U.S. Cyber Trust Mark program should be limited to "IoT devices" or should apply to a broader set of "IoT products" that include "any additional product components (e.g., backend, gateway, mobile app, etc.) that are necessary to use the IoT device beyond basic operational features."
Additionally, the FCC proposes to exclude from the labeling program any equipment that is: (1) on the FCC's Covered List—i.e., equipment "deemed to pose an unacceptable risk to the national security of the United States or the security and safety of United States persons"; (2) developed by an entity that produces equipment on the Covered List; and (3) is on other prohibited lists such as those published by the Department of Commerce and Department of Defense.
Looking Ahead
Many important questions about the U.S. Cyber Trust Mark program remain unanswered. Among other things, the NPRM leaves open how the program will be administered (for example, by the FCC or a third party), how violations of the program will be enforced, which entities will be eligible to serve as CyberLABs, and what obligations participating manufacturers will have to report vulnerabilities and other security risks. DWT's Privacy and Security team will continue to follow the development of the U.S. Cyber Trust Mark program, including how the FCC addresses these and other critical questions.
[1] The FBI recently published a report indicating that QR codes come with their own set of security vulnerabilities, specifically noting that "cybercriminals are tampering with QR codes to redirect victims to malicious sites that steal login and financial information."
[2] The NPRM appears to use the term "manufacturer" broadly to refer to a variety of entities that may offer IoT devices, products and services—including, for example, software developers and sellers—and not exclusively to the entity that actually manufactured a particular device.