On March 14, the Federal Communications Commission (“FCC”) is expected to approve a Report and Order (“R&O”) that would create a voluntary cybersecurity labeling program for Internet of Things (“IoT”) devices.  As previewed in the Notice of Proposed Rulemaking (“NPRM”) released last August, which we covered here, this IoT Labeling Program would “provide consumers with an easy-to-understand and quickly recognizable FCC IoT Label that includes the U.S. government certification mark (referred to as the Cyber Trust Mark).”  

The R&O explains that the IoT Labeling Program would “help consumers make informed purchasing decisions, differentiate trustworthy products in the marketplace, and create incentives for manufacturers to meet higher cybersecurity standards.”  It provides details about the program and how manufacturers can seek authority to use the FCC IoT Label:

  • Eligible Devices.  The IoT Labeling Program would focus on wireless consumer IoT products, although the R&O notes that the FCC does not “foreclose the possibility of expanding the IoT Labeling Program in the future.”  The program would exclude certain devices, including wired IoT devices, enterprise or industrial IoT products, medical devices, and communications equipment on the FCC’s Covered List maintained pursuant to the Secure and Trusted Communications Networks Act.
  • Definition of “IoT Device.”  The R&O would adopt a modified version of the National Institute of Standards and Technology’s (“NIST”) definition of “IoT device:” “(1) an Internet-connected device capable of intentionally emitting RF energy that has at least one transducer (sensor or actuator) for interacting directly with the physical world, coupled with (2) at least one network interface (e.g., Wi-Fi, Bluetooth) for interfacing with the digital world.”  The R&O explains that it builds off of NIST’s definition by adding “Internet-connected” as “a key component of IoT is the usage of standard Internet protocols for functionality.”
  • Program Management.  The R&O states that the FCC would retain “ultimate control” of the IoT Labeling Program as the “program owner.”  Cybersecurity Label Administrators (“CLAs”) would support the FCC by managing certain aspects of the program and authorizing use of the FCC IoT Label.  One CLA would serve as the Lead Administrator, who would “identify or develop, and recommend to the Commission for approval, the IoT specific standards and testing procedures, as well as design and placement of the label” and develop a consumer education plan.  Multiple CLAs would be authorized to evaluate and approve applications from manufacturers seeking to use the FCC IoT Label.
  • Approval Process.  To seek approval to use the FCC IoT Label, manufacturers must follow a two-step process:  (1) complete product testing by an accredited and Lead Administrator-recognized lab and (2) obtain product label certification by a CLA.  The FCC would recognize certain third parties with expertise in security and compliance testing as Cybersecurity Testing Laboratories (or “CyberLABs”) to test IoT products for compliance under the first step of the approval process.  CLA-run labs and in-house testing labs may also perform the cybersecurity conformity testing for IoT products, provided that they meet the same accreditation and recognition requirements as CyberLABs.  The FCC would task the Lead Administrator to provide recommendations on how often IoT products must renew their requests to bear the FCC IoT label.

Matthew DelNero

Matt DelNero provides expert regulatory counsel to companies of all sizes in the telecommunications, technology and media sectors. As a former senior official with the FCC and longtime private practitioner, Matt helps clients achieve their goals and navigate complex regulatory and public policy challenges.

Matt serves as co-chair of Covington’s Technology & Communications Regulation (“TechComm”) Practice Group and co-chair of the firm’s Diversity & Inclusion initiative.

Matt advises clients on the full range of issues impacting telecommunications, technology and media providers today, including:

  • Structuring and securing FCC and other regulatory approvals for media and telecommunications transactions.
  • Conducting regulatory due diligence for transactions in the telecommunications, media, and technology sectors.
  • Obtaining approval for foreign investment in broadcasters and telecommunications providers.
  • Universal Service Fund (USF) programs, including the FCC’s Rural Digital Opportunities Fund (RDOF).
  • FCC enforcement actions and inquiries.
  • Online video accessibility, including under the Communications and Video Accessibility Act (CVAA) and Americans with Disabilities Act (ADA).
  • Equipment authorizations for IoT and other devices.
  • Spectrum policy and auctions, including for 5G.
  • Privacy and data protection, with a focus on telecommunications and broadband providers.

Matt also maintains an active pro bono practice representing LGBTQ+ asylum seekers, as well as veterans petitioning for discharge upgrades—including discharges under ‘Don’t Ask, Don’t Tell’ and predecessor policies that targeted LGBTQ+ servicemembers.

Prior to rejoining Covington in January 2017, Matt served as Chief of the FCC’s Wireline Competition Bureau. He played a leading role in development of policies around net neutrality, broadband privacy, and broadband deployment and affordability under the federal Universal Service Fund (USF).

Chambers USA has recognized Matt as a “go-to attorney for complex matters before the FCC and other federal agencies, drawing on impressive former government experience.”

Jennifer Johnson

Jennifer Johnson is a partner specializing in communications, media and technology matters who serves as Co-Chair of Covington’s Technology Industry Group and its global and multi-disciplinary Artificial Intelligence (AI) and Internet of Things (IoT) Groups. She represents and advises technology companies, content distributors, television companies, trade associations, and other entities on a wide range of media and technology matters. Jennifer has almost three decades of experience advising clients in the communications, media and technology sectors, and has held leadership roles in these practices for almost twenty years. On technology issues, she collaborates with Covington’s global, multi-disciplinary team to assist companies navigating the complex statutory and regulatory constructs surrounding this evolving area, including product counseling and technology transactions related to connected and autonomous vehicles, internet connected devices, artificial intelligence, smart ecosystems, and other IoT products and services. Jennifer serves on the Board of Editors of The Journal of Robotics, Artificial Intelligence & Law.

Jennifer assists clients in developing and pursuing strategic business and policy objectives before the Federal Communications Commission (FCC) and Congress and through transactions and other business arrangements. She regularly advises clients on FCC regulatory matters and advocates frequently before the FCC. Jennifer has extensive experience negotiating content acquisition and distribution agreements for media and technology companies, including program distribution agreements, network affiliation and other program rights agreements, and agreements providing for the aggregation and distribution of content on over-the-top app-based platforms. She also assists investment clients in structuring, evaluating, and pursuing potential investments in media and technology companies.

Andrew Longhi

Andrew Longhi is an associate in the firm’s Washington, DC office and a member of the Data Privacy and Cybersecurity and Technology and Communications Regulation Practice Groups.

Andrew advises clients on a broad range of privacy and cybersecurity issues, including compliance obligations, commercial transactions involving personal information and cybersecurity risk, and responses to regulatory inquiries.

Andrew is Admitted to the Bar under DC App. R. 46-A (Emergency Examination Waiver); Practice Supervised by DC Bar members.