FCC Kicks Off Voluntary IoT Security Label Program With Big NPRM
In a new Notice of Proposed Rulemaking (NPRM), the Federal Communications Commission (FCC) imposes a short comment deadline for a complex new cybersecurity labeling regime for Internet of Things (IoT) devices. The NPRM also reveals that the agency—which traditionally has not regulated in the area of cybersecurity—is taking a broad view of its authority to enact this program.
At a high level, the NPRM proposes that participating entities will be able to display a Commission-created “IoT cybersecurity label” on their connected devices (the U.S. Cyber Trust Mark), indicating conformance with “widely accepted cybersecurity standards.” Although other parts of the federal government have considered IoT security and labeling issues, this cybersecurity labeling program would be a first for the FCC. The complexity of the NPRM raises important issues for stakeholders to consider, on a compressed timeline: comments will be due 30 days after Federal Register publication of the NPRM (which has not yet occurred).
The FCC’s proposal is part of a White House initiative on IoT security, which kicked off last month. While the joint White House-FCC labeling initiative is new, it follows several years of work in this area, including guidance documents and pilot programs by the National Institute of Standards and Technology (NIST) pursuant to a 2021 Executive Order on Improving the Nation’s Cybersecurity (14028) and direction from Congress, as well as significant privacy and cybersecurity enforcement by the Federal Trade Commission (FTC) under Section 5 of the FTC Act.
The NPRM poses a multitude of open questions on all aspects of the labeling program—from standards development, compliance assessment, and label structure/components, to enforcement, liability protection, and international harmonization. Further, the NPRM suggests that the Commission is envisioning a potentially complex and onerous regime involving third party product testing and an IoT product registry to be updated in real time.
Together, the complexity of the NPRM and the speed at which the FCC is proposing to move means that a broad range of stakeholders’ interests will be at stake. Participation by these stakeholders will help ensure that the eventual labeling program provides valuable information to consumers and offers adequate incentives and protections for industry stakeholders to participate.
The NPRM
The NPRM seeks public comment on numerous issues related to implementation of the cybersecurity labeling program, including: (i) the scope of eligible devices or products; (ii) oversight and management; (iii) development of criteria and standards; and (iv) program administration. The NPRM also addresses and seeks input on: (v) the Commission’s legal authority to adopt the program; and (vi) promoting digital equity. Each of these areas is addressed in more detail below. Notably, while the FCC envisions that it will promulgate regulations to govern the program, and participants will be required to adhere to those regulations, the NPRM does not offer proposed rules.
Eligible Devices or Products
The Commission proposes to initially limit program eligibility to “IoT devices” that “intentionally emit radio frequency (RF) energy.” ¶ 11. The Commission builds off NIST’s definition of “IoT device,” defining the term as “(1) an Internet-connected device capable of intentionally emitting RF energy that has at least one transducer (sensor or actuator) for interacting directly with the physical world, coupled with (2) at least one network interface (e.g., Wi-Fi, Bluetooth) for interfacing with the digital world.” ¶ 11. The NPRM does not expressly discuss whether this definition includes phones, but the NIST definition upon which it builds “excludes common general purpose computing equipment (e.g., personal computers, smartphones).”[1]
The Commission seeks comment on the scope of products that are eligible for the program, including:
- Whether the labels should be for an entire product, rather than a device that may be a component within a product. ¶¶ 13–14.
- Whether the Commission should also include devices/products outside the proposed definition that connect to Wi-Fi via an intermediary (e.g., through a Wi-Fi gateway). ¶ 15.
- Whether the program should also include enterprise devices or products for industrial/business use. ¶ 16.
The Commission also proposes to exclude from the program any (1) previously authorized equipment that has been identified as “covered equipment” on the FCC’s Covered List (i.e., the list of equipment that the Commission has determined poses an unacceptable risk to the United States); (2) equipment that, now or in the future, has been placed on the Covered List; (3) any IoT device that is produced by an entity identified on the Covered List as producing “covered” equipment; and (4) any IoT device that is produced by an entity identified on the Department of Commerce’s Entity List, the Department of Defense’s List of Chinese Military Companies, or similar lists. ¶¶ 17–18.
Oversight and Management of the IoT Labeling Program
The NPRM envisions a program wherein the Commission—as the “labeling scheme owner”—would be responsible for oversight and management of the program, including by “creat[ing] and own[ing] a new distinctive trademark to be used in [the program]” and taking “appropriate steps to authorize [the label’s] overall use in a way that ensures the integrity of the mark and the label.” ¶ 21. It further proposes to “leverage the specialized expertise of third parties” by allowing entities to develop requirements or standards for the program and assess other parties’ compliance with the program’s standards. Id.
To demonstrate compliance with the IoT labeling program, the Commission proposes to create Cybersecurity Labeling Authorization Bodies (CyberLABs), which would be third-party entities with expertise in security and compliance testing and roughly analogous to the Commission’s existing Telecommunications Certification Bodies (TCB). ¶¶ 24–25. The Commission seeks comment on how to structure the application and qualification/accreditation processes for CyberLABs, ¶ 26, as well as whether to allow CyberLABs to establish and assess fees for processing accreditation requests, ¶ 50.
Development of IoT Cybersecurity Criteria and Standards
The Commission has not set out exact criteria for compliance beyond a general proposal to use NIST’s recommended IoT criteria from that agency’s 2022 white paper on cybersecurity labeling.[2] ¶ 27. The FCC notes that there are ten NIST criteria: (1) asset identification; (2) product configuration; (3) data protection; (4) interface access control; (5) software update; (6) cybersecurity state awareness; (7) documentation; (8) information and query reception; (9) information dissemination; and (10) product education and awareness. Id. The FCC seeks comment on how these criteria could be used to inform minimum IoT security requirements and standards for conformity assessments or for self-attestation. Id. The Commission seeks comment on whether other criteria should be considered and whether higher-risk devices should utilize separate criteria. Id.
The Commission proposes that standards would be developed jointly with industry and other stakeholders. ¶ 28. The Commission asks whether the FCC or an outside entity should convene stakeholders to develop standards. Id. The Commission proposes that the process would involve the following steps: (1) collecting information, (2) establishing requirements, (3) developing the standard, (4) reviewing and improving, and (5) implementation. ¶ 29. The Commission seeks comment on additional factors that should be considered in this process, as well as the length of time the process would take to complete. Id. The NPRM also seeks comment on whether the Commission should consider adopting existing IoT security standards, including standards for specific devices or classes of devices. Id.
While participation in the IoT labeling program would be voluntary, the Commission proposes to require participants to adhere to the standards it adopts. ¶ 30. Additionally, the NPRM seeks comment on the process for approval of standards including whether the Public Safety and Homeland Security Bureau (PSHSB) should approve standards after notice and comment in lieu of the full Commission. ¶ 31.
The Commission seeks comment on the process for conformity assessment. While the NPRM is focused on third-party assessment akin to TCB certification, it also asks whether other procedures, such as the Supplier’s Declaration of Conformity (SDoC) used in the equipment authorization regime, may also be appropriate. ¶ 32.
Administration of the IoT Labeling Program
The NPRM seeks comment on several issues related to program administration, including the components of the label itself, the creation of an IoT registry, updates to that registry and renewal requirements to allow ongoing use of the label, enforcement of the labeling rules, limitations on liability and preemption for program participants, consumer education, and ensuring international integrity of the label.
IoT Label. The Commission proposes to use a single binary label with layering that will utilize a QR code. ¶ 35. Products or devices will either qualify or not qualify for the label, and a scannable QR code will direct consumers to more detailed information. Id. The Commission seeks comment on how to display the label (e.g., affixed to the device or its packaging). ¶ 36. Regarding layered information, the NPRM seeks comment on use of a QR code or URL to allow consumers to access information about the device/product, “including specific security information, such as the device manufacturers’ level of support, software update history, privacy policy, and similar information.” ¶ 37. The FCC asks several questions about what the QR code should include, such as whether the QR code will provide information that will not need to be updated or whether the QR code should link to the IoT registry page (discussed in the next paragraph) for the product. ¶¶ 38–40. The Commission also seeks comment on ensuring the integrity of the label and what features it can provide to improve consumer awareness. ¶ 55. Additionally, the FCC seeks comment on how to ensure the accessibility of its label. ¶ 56.
IoT Registry. The Commission proposes to create an IoT registry where the public may access information about devices approved under the program. ¶ 41. The Commission seeks comment on whether there are similar registries and whether it should select and oversee a third-party registry administrator for the registry. Id. The NPRM asks what information should be included in the IoT registry and how the information should be organized. ¶¶ 42–43.
Updates and Renewal. The Commission seeks comment on how to keep the relevant security information up to date, noting that cybersecurity risks are constantly changing and require constant updating. ¶ 45. The Commission proposes that vulnerabilities and updates be provided through the IoT registry. Id. Notably, the Commission seeks comment on whether manufacturers or importers of the IoT devices and products should be required to “notify the IoT registry operator when they become aware of an unpatched vulnerability that poses security risks to their IoT devices and products.” Id. The NPRM also proposes an annual renewal requirement for label applicants. ¶ 47.
Enforcement. The NPRM asks several questions about how compliance with the strictures of the labeling program will be enforced, including which agencies or entities should enforce the labeling program requirements, the role of the Commission and other entities in audits and oversight, and whether the Commission should allow consumer or third-party complaints. ¶ 51.
Limitations on Liability. The Commission also seeks comment on whether authorization to use the label and compliance with the corresponding security measures may “represent an indicium of reasonableness that might serve as a defense or safe harbor against liability for damages resulting from a cyber incident, e.g., data breach, denial of service, malware.” ¶ 52. The Commission notes that it does not “intend at this time for the labeling program in and of itself to preempt otherwise existing law.” Id.
Consumer Education. The Commission notes that the program will utilize a consumer education campaign. ¶ 53. The NPRM seeks comment on whether the campaign should be comprised of recommended NIST materials, and how to fund any outreach campaign, including whether to use “public or private partnerships.” ¶ 54.
International Integrity. Finally, the NPRM seeks comment on how the Commission should “coordinate and engage with other international bodies maintaining labeling programs to develop recognition of the Commission’s IoT Label, and where appropriate, mutual recognition of those international labels.” ¶ 55. It also asks what steps the agency should take to “ensure the FCC label is not mistaken for compliance with IoT security or RF-emission standards in other countries.” Id.
Legal Authority to Promulgate the Proposed Rules
The Commission asserts broad legal authority over cybersecurity under Section 302(a)(1) of the Communications Act. Under that provision, the “Commission may, consistent with the public interest, convenience, and necessity, make reasonable regulations (1) governing the interference potential of devices which in their operation are capable of emitting radio frequency . . . in sufficient degree to cause harmful interference to radio communications.” The Commission reasons that its “proposed labeling program rules are intended to ensure that IoT devices have implemented certain minimum cybersecurity protocols to prevent their being hacked by bad actors who could cause the devices to cause harmful interference.” ¶ 59.
The Commission also seeks comment on whether it has authority under other provisions of the Communications Act, including:
- Section 302(a)(2), which allows the Commission to promulgate “reasonable regulations . . . establishing minimum performance standards for home electronic equipment and systems to reduce their susceptibility to interference from radio frequency energy.” ¶ 60.
- Section 333—which prohibits persons from “willfully or maliciously interfer[ing] with or caus[ing] interference to any radio communications of any station licensed or authorized by or under [the Communications Act] or operated by the United States Government”—in tandem with the FCC’s ancillary authority. ¶¶ 60, 64 & n.106.
- Section 301, which grants the FCC its general licensing authority. ¶ 63.
- Any other source of authority, “including [the Commission’s] authority pursuant to Titles II and III as well as its [ancillary] authority.” ¶ 64.
The Commission also seeks comment on its authority to enforce compliance with the labeling scheme by voluntary participants. ¶ 65. In particular, it asks, among other questions, whether “participants in the labeling program [would] already be holders of authorizations within the meaning of section 503(b)(5) of the Act,” such that the Commission could enforce the program rules against a participant without first issuing a citation. Id.
Digital Equity
Finally, the Commission notes its “continuing effort to advance digital equity for all” and invites comment on equity-related considerations associated with the issues raised by the NPRM and the labeling program. ¶ 66.
Next Steps
Comments on the labeling NPRM will be due 30 days from Federal Register publication of the item. Reply comments will be due 45 days following Federal Register publication.
* * *
For more information about the NPRM or IoT cybersecurity issues, or for assistance participating in the proceeding, please contact the authors.
[1] NIST, Recommended Criteria for Cybersecurity Labeling for Consumer IoT Products at 3 n.3 (Feb. 4, 2022),
https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.02042022-2.pdf.
[2] See NIST, Recommended Criteria for Cybersecurity Labeling for Consumer IoT Products (Feb. 4, 2022),
https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.02042022-2.pdf.