FCC Seeks Comments on Proposed Rules for its IoT Device Cybersecurity Labeling Program
On August 25, 2023, a summary of the Federal Communications Commission’s (“FCC” or “Commission”) recent Notice of Proposed Rulemaking (“NPRM”) – seeking comment on its proposed cybersecurity labeling program for Internet of Things (“IoT”) devices – was published in the Federal Register, setting the comment deadline of September 25, 2023, with reply comments due by October 10, 2023. The program’s purpose is to provide consumers with easily accessible information on the security of a given IoT device. While the proposed plan will be voluntary, the Commission expects that it will incentivize manufacturers to adhere to higher cybersecurity standards, encourage retailers to market more secure IoT devices, and drive consumers to purchase devices with greater security. The Commission avers that the “proposed IoT label would offer a government-backed symbol for devices that comply with IoT cybersecurity standards.”
The FCC is basing its labeling program on the Environmental Protection Agency’s (“EPA”) ENERGY STAR system. The ENERGY STAR label certifies that a product has met strict energy efficiency standards. The EPA lists ENERGY STAR-certified products on its website and provides information about government rebates for the purchase of merchandise that saves energy. Consequently, one substantial advantage of ENERGY STAR certification is government-sanctioned product promotion.
It is possible that the FCC may implement a similar type of “advertising” for IoT products that are labeled as meeting its cybersecurity standards. As delineated below, the FCC seeks comments on many different proposals for executing its IoT labeling process. If enough commenters advocate for a listing of labeled IoT devices, the FCC will be required to seriously consider and respond to those comments, perhaps favorably. For that and other reasons, it is important for IoT stakeholders to make their voices heard in this proceeding.
Commission proposals include:
- types of IoT products eligible for labeling;
- oversight and management of the labeling program;
- development of cybersecurity criteria and standards; and
- administration of the labeling program.
Eligible IoT Devices
The FCC proposes to allow only devices that meet the following definition of an IoT device to be eligible for the program: “(1) an Internet-connected device capable of intentionally emitting RF energy [i.e., intentional radiator] that has at least one transducer (sensor or actuator) for interacting directly with the physical world, coupled with (2) at least one network interface (e.g., Wi-Fi, Bluetooth) for interfacing with the digital world.” The FCC seeks comments on whether this proposed definition unduly limits devices that should be eligible for participation in the labeling program.
The Commission also proposes to exclude all devices that pose a risk to U.S. security because they are produced by certain entities included in the FCC’s Covered List and on similar lists released by other federal government agencies, such as the Department of Defense and the Department of Commerce. Comments are sought as to how such exclusion should be implemented (e.g., applicants attesting that the equipment submitted is not on any list of prohibited devices) and whether any other types of questionable IoT equipment should be excluded from the program.
Oversight and Management of the IoT Labeling Program
The FCC proposes “a public-private partnership in the oversight and administration of [the] labeling program, subject to ultimate Commission supervision.” This includes having third parties engage in the management and administration of the labeling program, under FCC supervision. The third parties would be authorized to develop requirements and standards for approval by the FCC and to assess IoT products for conformity with those requirements and standards. The proposed procedures, which include the creation of Cybersecurity Labeling Authorization Bodies (“CyberLABs”), would be similar to those of the Commission’s existing radiofrequency equipment certification process, wherein Telecommunications Certification Bodies (“TCBs”) test devices for compliance with the FCC’s technical rules and issue certifications for all approved equipment.
The Commission seeks comment on, among other things, how to structure the application and qualification/accreditation processes for CyberLABs, as well as whether to allow CyberLABs to establish and assess fees for processing accreditation requests.
Development of IoT Cybersecurity Criteria and Standards
The FCC proposes to use the National Institute of Standards and Technology’s (“NIST”) IoT criteria as the basis for the labeling program. The NIST criteria include: (1) asset identification; (2) product configuration; (3) data protection; (4) interface access control; (5) software update; (6) cybersecurity state awareness; (7) documentation; (8) information and query reception; (9) information dissemination; and (10) product education and awareness.
The FCC seeks comment on how these criteria could be used to inform minimum IoT security requirements and standards for conformity assessments or, in appropriate cases, for self-attestation. The Commission also seeks comment on whether other criteria should be considered and whether higher-risk devices should utilize separate criteria. The FCC further solicits comments on its proposal that standards should be developed jointly with industry and other stakeholders, and the process for developing such standards.
Administration of the Labeling Program
The Commission seeks comment on many issues pertaining to administration of the labeling program:
IoT Label
The FCC proposes to implement a single binary label with layering: products will either qualify to carry the label or not qualify, and the “layers” of the label would include the Commission’s IoT mark, representing that the product or device has met the Commission’s baseline consumer IoT cybersecurity standards, and a scannable code (e.g., a two-dimensional barcode (“QR code”)) directing the consumer to more detailed information about the IoT product.
The Commission seeks comment on matters such as:
- the use of the QR code and what type of information should be included;
- where the label should be displayed on the product;
- accessibility of the label; and
- whether the QR code should be linked to an IoT registry (discussed below).
IoT Registry
The FCC proposes to implement an IoT registry where the public may access a catalog of program-approved products. The Commission seeks comment on whether such a registry should be created, as well as what type of information should be included within the IoT registry and associated with the QR code.
Updates and Renewal
The Commission seeks comment on how to keep the relevant security information up to date, as well as whether manufacturers or importers of the IoT devices and products should be required to “notify the IoT registry operator when they become aware of an unpatched vulnerability that poses security risks to their IoT devices and products.” The FCC also proposes an annual renewal requirement for label applicants and seeks comment on same.
Enforcement
The FCC solicits comments about how compliance with the labeling program will be enforced, including which agencies or entities should enforce the labeling program requirements, the role of the Commission and other entities in audits and oversight, and whether the Commission should allow consumer or third-party complaints.
Limitations on Liability
The Commission seeks comment on whether authorization to use the label and compliance with the corresponding security measures may “represent an indicium of reasonableness that might serve as a defense or safe harbor against liability for damages resulting from a cyber incident, e.g., data breach, denial of service, malware.” The Commission does not, at present, intend for the labeling program to preempt existing law.
Consumer Education
The Commission proposes a consumer education campaign on the labeling program. The FCC invites comments on various matters pertaining to what type of information should be provided to the public, including the intent and scope of the program, product criteria, and responsibilities of consumers (e.g., not modifying a device in a manner that could compromise its cybersecurity).
International Integrity
The FCC seeks comment on how the Commission should “coordinate and engage with other international bodies maintaining labeling programs to develop recognition of the Commission’s IoT Label, and where appropriate, mutual recognition of those international labels.”
Michael Donahue – Tel: 703-714-1319 / E-mail: mpd@CommLawGroup.com
Rob Jackson – Tel: 703-714-1316 / E-mail: rhj@CommLawGroup.com
Ron Quirk – Tel: 703-714-1305 / E-mail: req@CommLawGroup.com