On July 30, 2024, the Federal Register published the Federal Communications Commission (the “FCC”) Report and Order (the “Order”) creating a voluntary cybersecurity labeling program for Internet of Things (“IoT”) devices. As reported in our blog post issued shortly before the Order was approved on March 14, 2024, this program is intended to “provide consumers with an easy-to-understand and quickly recognizable FCC IoT Label that includes the U.S. Government certification mark (referred to as the U.S. Cyber Trust Mark).” While there are several steps remaining to fully establish the program, this Order represents a significant milestone in policymakers’ efforts to launch a federal cybersecurity labeling program for internet-connected devices.
The Order
The Order was approved unanimously, receiving enthusiastic bipartisan support. In her statement, Chairwoman Jessica Rosenworcel said that the Cyber Trust Mark “has the power to become the worldwide standard for secure Internet of Things devices.” Fellow Democratic Commissioner Geoffrey Starks wrote, “I strongly support the Order we adopt today.” And Republican Commissioner Nathan Simington stated that he was “thrilled that [the FCC is] enacting this Order…it has the potential to be the beginning of a new era for American cybersecurity policy.”
Since our last blog post on March 5, the Order has been updated slightly. The definition of “Consumer IoT Products,” which covers “IoT products intended primarily for consumer use, rather than enterprise or industrial use,” now excludes motor vehicles and motor vehicle equipment regulated by the National Highway Traffic Safety Administration. The definition previously only excluded medical devices regulated by the Food and Drug Administration. The final Order also includes additional direction regarding how the Cyber Security Label Administrators should engage stakeholders and updates on other administrative matters.
The Order was published in the Federal Register on July 30, 2024, and is effective August 29, 2024. However, several of the Order’s amendments to FCC rules (those that involve new or modified information collection requirements) will not become effective until after OMB completes its review under the Paperwork Reduction Act. These amendments relate to application requirements for the Cyber Security Label, the process for granting authorization to use the Cyber Security Label, requirements for grantees to retain records, and other items.
The Further Notice
When the FCC adopted the Order in March 2024, it also adopted a Further Notice of Proposed Rulemaking (the “Further Notice”) related to the program. The Further Notice sought comment on requiring additional declarations from manufacturers to instill confidence that products bearing the Cyber Trust Mark are not vulnerable to attacks from “high-risk countries” as defined by the Department of Commerce in 15 CFR § 7.4. The Further Notice sought comment on whether manufacturers should have to declare whether software was developed in or deployed from within a high-risk country, whether data collected by IoT products is stored in or passes through a high-risk country, and that the products cannot be remotely controlled from within a high-risk country. The Further Notice also asked about the level of detail that should be required for information related to high-risk countries and whether a product’s connection to high-risk countries should make it ineligible for the label altogether. Comments on the Further Notice closed on April 24, 2024, and reply comments were due on May 24, 2024.