Last month, the U.S. Federal Communications Commission (FCC) formally approved the "Cybersecurity Labeling for Internet of Things" rule by public vote. This voluntary cybersecurity labeling program for "wireless consumer IoT products", built around the U.S. Cyber Trust Mark, gives consumers an easy-to-understand and quickly recognizable FCC IoT label. The mark indicates that a product meets the program's requirements and the FCC's minimum cybersecurity standards. It is accompanied by a QR code that leads consumers to a registry holding specific information about the IoT product. The program aims to help consumers make better purchasing decisions, increase their confidence in the cybersecurity of the IoT products they buy for their homes and daily lives, and encourage IoT product manufacturers to build security design principles into product development.
In August 2023, the FCC adopted a Notice of Proposed Rulemaking (the IoT Labeling NPRM) that proposed this voluntary program and broadly solicited opinions from all parties.
In the "Cybersecurity Labeling for Internet of Things" approved by this vote, the FCC issued the Final Rule and preceded its text with a detailed Introduction. That Introduction responds to and discusses the comments submitted on the NPRM, which helps readers understand the reasoning behind the Final Rule and its specific implications.
Main Content of the "Cybersecurity Labeling for Internet of Things":
1. Nature of the Program
The program is a voluntary cybersecurity labeling program established by the FCC for wireless consumer IoT products. Although participation is voluntary, those who choose to participate must comply with the program's requirements to obtain permission to use the FCC IoT label with the Cyber Trust Mark.
2. Applicability of the Program
In the Introduction, it is stated that the program applies to "wireless consumer IoT products," with a detailed definition provided.
- Applicable to wireless IoT only: The FCC's initial IoT label program focuses on wireless consumer IoT devices and therefore excludes wired IoT devices. However, wired consumer IoT products may be included in the future.
- Applicable to consumer-centric IoT: The FCC supports adopting an IoT label program that covers consumer-centric IoT products, focusing on consumer IoT products rather than business or industrial IoT products. The following devices are excluded from the scope of the FCC's IoT label program:
  - Medical devices regulated by the U.S. Food and Drug Administration (FDA);
  - Motor vehicles and motor vehicle equipment regulated by the National Highway Traffic Safety Administration (NHTSA);
  - Devices/products produced by certain entities:
    - Any communications equipment on the controlled list maintained by the FCC under Section 2 of the Secure and Trusted Communications Networks Act (STCNA);
    - Any IoT device produced by entities on the controlled list and identified as producing "controlled" equipment (i.e., listed entities or any of their subsidiaries or affiliates); and
    - Any other product produced by entities on the controlled list identified as producing "controlled" equipment, or any product containing components of equipment or products produced by such entities.
  - IoT devices or IoT products produced by any entity, its affiliates, or subsidiaries on the Department of Commerce Entity List and/or the Department of Defense's list of Chinese military companies; and
  - Products produced by any entity or its affiliated entity owned or controlled by any individual or entity that has been suspended or debarred from receiving federal procurement or financial awards, including all entities and individuals deemed ineligible for awards in the General Services Administration award management system.
The FCC does not rule out extending the IoT labeling program to non-consumer IoT products in the future, but it believes that this initial scope will be most effective and convenient for providing value to consumers without adding complexity to the business environment.
- Applicable to IoT products, not limited to IoT devices:
  - IoT Products: The Final Rule adopts the National Institute of Standards and Technology (NIST) definition of "IoT Products": IoT devices plus any additional product components necessary beyond basic operational functionality (e.g., backend, gateway, mobile applications), including data communication links with components outside this scope, but excluding external components and any third-party components outside the manufacturer's control. The definition shows that IoT products have a broader scope than IoT devices. In the Introduction, the FCC states that the program must apply to IoT products, not just IoT devices, because most IoT devices sold to consumers would not function effectively without these additional components. The FCC notes in the Introduction, "We do not require manufacturers to be responsible for third-party products or devices (including applications) beyond their control. However, if a manufacturer allows third-party applications to connect and control its IoT products, the manufacturer is responsible for the security of that connection and the applications, if such applications are present on the IoT product." Additionally, "If product components support other IoT products through additional functions and interfaces, these alternative functions and interfaces can be considered separate from the IoT product through risk assessment and do not constitute part of the authorization."
  - IoT Devices: The definition of "IoT Devices" adopted in the Final Rule is a revised version of the NPRM's take on the NIST definition: (1) networked devices capable of intentionally emitting radiofrequency energy, equipped with at least one sensor or actuator for direct interaction with the physical world, and (2) having at least one network interface (such as Wi-Fi or Bluetooth) for connectivity with the digital world. This definition builds on NIST's by adding "internet connectivity" as a requirement, because "a key component of the Internet of Things is using standard internet protocols to function." Moreover, the FCC does not narrowly define "internet-connected devices" as those that could "disconnect from the internet and therefore no longer be 'IoT devices'"; if a device is capable of connecting to the internet, the fact that it may not be connected at any given moment does not disqualify it from the IoT labeling program. The FCC does not rule out extending the IoT labeling program to devices not connected to the internet in the future.
Note: The FCC directs the lead administrator to work with the CLAs and other stakeholders (e.g., cybersecurity experts from industry, government, and academia) at its discretion, and to suggest any appropriate modifications to the labeling program's standards and testing procedures to the FCC within 45 days after NIST publishes updates or changes, or adopts new guidelines, so that the program remains consistent with NIST guidance.
CLA (Cybersecurity Label Administrator): An accredited third-party entity recognized and authorized by the FCC to manage and execute the labeling program according to FCC regulations.
Lead Administrator: A CLA selected from among the CLAs, responsible for executing other administrative duties of the program.
3. Consumer-centric IoT Product Standards
The Final Rule does not specify the standards a product must meet to receive the label; this remains an open issue, so the specifics of product standards are not detailed in the Final Rule.
In the Introduction, the FCC states that standards are necessary to administer the IoT labeling program fairly and impartially and to ensure that every product bearing the FCC IoT label has undergone the same standardized testing, which builds consumer trust in the cybersecurity of labeled products.
The FCC bases this program on the IoT standards recommended by NIST (NIST Core Baseline), discussed in detail in NISTIR 8425. NIST standards include the following IoT product capabilities: (1) asset identification; (2) product configuration; (3) data protection; (4) interface access control; (5) software updates; and (6) cybersecurity status awareness. NIST standards also include the following activities for IoT product developers: (1) documentation; (2) information and inquiry reception; (3) information release; and (4) product education and awareness.
However, the NIST Core Baseline is a general guideline, and the FCC believes it must be further developed into a requirements document (i.e., standards) and corresponding testing procedures, demonstrating how products with the FCC IoT label comply with NIST standards and ensuring consistency in a product category.
The FCC does not anticipate establishing or determining a single standard applicable to all consumer IoT products. However, a set of standards can be established or determined for each product type or category. The FCC instructs the lead administrator to take on the preliminary development of the standards supporting the NIST Core Baseline, working with the CLA and stakeholders (such as industry, government, and academia cybersecurity experts) to submit recommendations for identifying and/or developing technical standards and testing procedures to the Public Safety and Homeland Security Bureau (PSHSB) for review and approval.
4. Label Application Process
The FCC adopts a two-step process that manufacturers must follow when seeking authorization to use the Cyber Trust Mark:
(1) Test the IoT product in a laboratory accredited and recognized by the lead administrator (CyberLAB, CLA laboratory, or internal laboratory) to verify compliance with FCC rules and generate a test report;
(2) Apply to the CLA to prove that the product fully complies with all relevant FCC IoT labeling program rules.
CyberLAB (Cybersecurity Testing Laboratory): An accredited third-party entity recognized and authorized by a CLA to evaluate whether consumer IoT products meet the labeling program requirements.
The FCC describes the above two steps at length in the Introduction, outlining the process for applying for the FCC IoT label as follows:
- The applicant must determine that the product is eligible under FCC rules;
- The applicant sends the product for testing to a CyberLAB, CLA laboratory, or manufacturer's internal laboratory accredited and recognized by the lead administrator;
- The applicant obtains a compliance and conformance report from the laboratory; and
- The applicant follows the procedure below to submit an application to the CLA for authorization to use the FCC IoT label:
  - Using the CLA's application process, the entity seeking authorization to use the FCC IoT label submits an application on the form developed by the PSHSB;
  - Each application must include a compliance report issued by an accredited CyberLAB, CLA laboratory, or internal laboratory whose testing and reporting rigor is equivalent to that of a CyberLAB;
  - The CLA reviews the application and supporting documents to ensure they are complete and comply with FCC rules, and approves or rejects the application;
  - If the application is approved, the CLA provides the applicant with an approval notice and authorizes the FCC IoT label to be affixed to the authorized product. If the application is rejected, the CLA issues a rejection notice to the applicant explaining the reasons for the rejection.
Reapplication after Rejection
The applicant can only resubmit an application for the rejected product after the defect identified by the CLA is corrected.
The applicant must indicate in its application:
- That it is resubmitting the application after rejection;
- The name of the CLA that rejected the application;
- The CLA's explanation of the reason for the rejection.
Failure to disclose a rejected application for the same or fundamentally similar product will result in the application being rejected, and the FCC will take other regulatory and/or legal actions it deems appropriate.
Application Outcome Review
- Anyone dissatisfied with the CLA's decision must first apply to the CLA for a review.
- After applying to the CLA for a review, one can apply to the FCC for a review if still dissatisfied with the CLA's decision.
The FCC also imposes specific requirements on applicants, notably that an applicant must provide a declaration at the time of application stating that all information required to be declared is true and correct, under penalty of perjury.
5. Labels
- Cyber Trust Mark: The FCC adopts a binary label for the IoT labeling program: a product is either eligible to carry the label or it is not, unlike Singapore's multi-tier label scheme. The reason is that the labeling program is designed to help ordinary consumers distinguish labeled products from unlabeled ones, since labeled products may offer better baseline security than those without a label.
- QR Code: The FCC requires products bearing the Cyber Trust Mark to also carry a corresponding QR code that leads consumers to a registry containing specific information about the IoT product.
To work out how the label and QR code will be presented to consumers in practice, the FCC instructs the lead administrator to work with stakeholders as needed and to submit proposals to the FCC clarifying the following details:
- How to design the FCC IoT label with the Cyber Trust Mark and QR code (e.g., size and spacing) and the placement of such labels (e.g., on product packaging);
- Whether to include the product support end date on the labels of certain products or product categories;
- Whether including other security and privacy information (e.g., sensor data collection) on the label is useful to consumers;
- The use of the FCC IoT label in store displays and advertising.
- Registry: The registry is the set of information about compliant consumer IoT products that is made available to consumers; it is accessed through the QR code displayed with the FCC IoT label on the compliant product.
The registry contains information supplied through an API by the entity authorized to use the FCC IoT label (e.g., the manufacturer). The FCC says this will be a common API that presents the information to consumers in a simple and uniform way. The information includes, among other items, the product name, the manufacturer name, the date the product obtained the label and the current status of the label (if applicable), instructions for changing the default password (with a specific explanation where the default password cannot be changed), whether software updates and patches are applied automatically, and how to obtain security updates/patches if they are not automatic, for a total of 11 items.
The FCC also emphasizes in the Introduction that the registry must be dynamic, so that consumers can learn whether a product has lost its authorization to use the FCC IoT label or whether the manufacturer no longer provides security updates.
6. Ongoing Obligations
The FCC emphasizes in the introduction that entities authorized to use the FCC IoT label must ensure that products with the FCC IoT label continue to comply with the FCC's program requirements.
The FCC recognizes that product types differ, and agrees that certain IoT products, depending on their lifespan and risk level, may require different renewal requirements to retain the FCC IoT label. The FCC requires the lead administrator to work with stakeholders and submit recommendations to the Public Safety and Homeland Security Bureau (PSHSB) on how often a given category of IoT products must reapply for authorization to use the FCC IoT label, depending on the product type; these recommendations should be submitted together with the standards recommendations for that IoT product or product category.
Analysis and Recommendations
One of the main reasons behind many of the FCC's final decisions discussed in the Introduction is to reduce obstacles to the labeling program and speed up its launch; examples include the program's voluntary nature and its limitation to wireless consumer IoT products. At the same time, the FCC's stringent stance in the corresponding clauses shows its commitment to the program: for example, it requires testing by accredited and recognized laboratories rather than simple self-certification or third-party certification, and the scope covers IoT products, not just IoT devices.
Although the FCC's IoT security labeling program is voluntary, many companies endorsed it during the comment phase. As the FCC notes in the Introduction, even though the program is voluntary, consumer demand will drive its widespread adoption (because consumers tend to choose labeled IoT products). We suggest that domestic enterprises treat this program as a strategic opportunity to improve product competitiveness by integrating its requirements into product security design early on, paying particular attention to the content of the NIST standards.
Additionally, although the Final Rule has been published and the FCC has used a detailed Introduction to explain the reasoning behind it, substantive issues that will guide corporate behavior, such as the specific standards for product testing and the specific use of the label, remain unresolved and await further study and concrete recommendations by the authorized bodies. We will continue to follow the conclusions reached on these substantive issues.