On August 10, the Federal Communications Commission (“FCC”) released a Notice of Proposed Rulemaking (“NPRM”) concerning the creation of a “voluntary cybersecurity labeling program that would provide easily understood, accessible information to consumers on the relative security of an IoT device or product, and assure consumers that manufacturers of devices bearing the Commission’s IoT cybersecurity label adhere to widely accepted cybersecurity standards.” The NPRM reflects the proposal previewed in Chairwoman Jessica Rosenworcel’s announcement last month, which we covered here.
The accompanying Securing Smart Devices Fact Sheet states that proposed program would be based on the National Institute of Standards and Technology’s recommended Internet of Things criteria. The Fact Sheet also outlines a number of issues for which the FCC invites public comment, including:
- The scope of devices or products for sale in the U.S. that should be eligible for inclusion in the labeling program,
- Who should oversee and manage the program,
- How to develop the security standards that could apply to different types of devices or products,
- How to demonstrate compliance with those security standards,
- How to safeguard the cybersecurity label against unauthorized use, and
- How to educate consumers about the program.
The FCC estimates that the new program “could be up and running by late 2024” if the agency votes to establish the program after the public comment period.