Add a bookmark to get started

29 February 20243 minute read

FCC to consider implementing a voluntary cybersecurity labeling program for smart products

On March 14, 2024, the Federal Communications Commission (FCC) will consider a Report and Order to establish a voluntary cybersecurity labeling program for Internet of Things (IoT) devices to help consumers determine whether the products they purchase meet applicable cybersecurity standards and to encourage manufacturers to develop IoT products with security-by-design principles in mind.  

The FCC will initially focus its labeling program on consumer rather than enterprise or industrial IoT products, but it does not foreclose the possibility of expanding the program in the future.  While final rules are being adopted, the program may not be ready to begin processing application requests until late 2024, if not later.  

Below, we provide a brief summary of the FCC’s expected decision. 

FCC’s cybersecurity labeling program for Internet of Things

What is it? 
The FCC would establish a voluntary IoT cybersecurity labeling program based on criteria developed by NIST.  The FCC label would include the US Cyber Trust Mark and a QR Code linking to a product registry that would display information about the security of products bearing the Cyber Trust Mark.

What types of products are eligible to participate?  The program would initially focus on wireless (not wired) consumer IoT products.  A modified version of a NIST definition for IOT devices being adopted by FCC leadership suggests that eligible products would include home security cameras, voice-activated shopping devices, internet-connected appliances, fitness trackers, garage door openers, and baby monitors.

Who would manage the program?  The labeling program would be administered by the FCC.  Private-sector Cybersecurity Labeling Administrators (CLAs), including a Lead Administrator, would help the Commission stand up the program and be responsible for day-to-day program management.  The Lead Administrator would be responsible for carrying out administrative responsibilities, including reviewing applications, recognizing qualified and accredited Cybersecurity Testing Laboratories (CyberLABs), and engaging in a consumer education regarding the Cyber Trust Mark.  Multiple CLAs would be authorized to receive, review, and approve or deny applications from manufacturers seeking authorization to use the FCC label.  Each application must be supported by testing conducted by an accredited lab which demonstrates that the product complies with the program’s standards.  

How would manufacturers obtain authority to use the FCC IoT Label?  Manufacturers seeking authority to use the FCC IoT label would follow a two-step process: (1) complete product testing by an accredited and Lead Administrator-recognized lab (eg, CyberLAB, CLA lab, or an in-house lab) and (2) obtain product label certification by a CLA.  The FCC would task the Lead Administrator to provide recommendations on how often (eg, annually) a given IoT product must renew the request to bear the FCC IoT label.

Please contact the author for more information.