In this article, the authors discuss a recent Notice of Proposed Rulemaking issued by the Federal Communications Commission in which the agency takes a broad view of its authority to enact a cybersecurity labeling regime for Internet of Things devices.

In a new Notice of Proposed Rulemaking (NPRM),1 the Federal Communications Commission (FCC or Commission) imposes a short comment deadline for a complex new cybersecurity labeling regime for Internet of Things (IoT) devices. The NPRM also reveals that the agency – which traditionally has not regulated in the area of cybersecurity – is taking a broad view of its authority to enact this program.

At a high level, the NPRM proposes that participating entities will be able to display a Commission-created "IoT cybersecurity label" on their connected devices (the U.S. Cyber Trust Mark),2 indicating conformance with "widely accepted cybersecurity standards." Although other parts of the federal government have considered IoT security and labeling issues, this cybersecurity labeling program would be a first for the FCC. The complexity of the NPRM raises important issues for stakeholders to consider, on a compressed timeline: initial comments were due by October 9, 2023 and reply comments by November 10, 2023.

The FCC's proposal is part of a recently launched White House initiative on IoT security. While the joint White House-FCC labeling initiative is new, it follows several years of work in this area, including guidance documents and pilot programs3 by the National Institute of Standards and Technology (NIST) pursuant to the 2021 Executive Order on Improving the Nation's Cybersecurity (EO 14028)4 and direction from Congress,5 as well as significant privacy and cybersecurity enforcement6 by the Federal Trade Commission (FTC) under Section 5 of the FTC Act.

The NPRM poses a multitude of open questions on all aspects of the labeling program – from standards development, compliance assessment, and label structure/components, to enforcement, liability protection, and international harmonization. Further, the NPRM suggests that the Commission is envisioning a potentially complex and onerous regime involving third-party product testing and an IoT product registry to be updated in real time.

Together, the complexity of the NPRM and the speed at which the FCC is proposing to move mean that a broad range of stakeholders have interests at stake. Participation by these stakeholders will help ensure that the eventual labeling program provides valuable information to consumers and offers adequate incentives and protections for industry stakeholders to participate.

THE NPRM

The NPRM seeks public comment on numerous issues related to implementation of the cybersecurity labeling program, including:

  1. The scope of eligible devices or products;
  2. Oversight and management;
  3. Development of criteria and standards;
  4. Program administration;
  5. Legal authority; and
  6. Digital Equity.

Each of these areas is addressed in more detail below.

Notably, while the FCC envisions that it will promulgate regulations to govern the program, and participants will be required to adhere to those regulations, the NPRM does not offer proposed rules.

ELIGIBLE DEVICES OR PRODUCTS

The FCC proposes to initially limit program eligibility to "IoT devices" that "intentionally emit radio frequency (RF) energy."7 The Commission builds off NIST's definition of "IoT device," defining the term as "(1) an Internet-connected device capable of intentionally emitting RF energy that has at least one transducer (sensor or actuator) for interacting directly with the physical world, coupled with (2) at least one network interface (e.g., Wi-Fi, Bluetooth) for interfacing with the digital world."8 The NPRM does not expressly discuss whether this definition includes phones, but the NIST definition upon which it builds "excludes common general purpose computing equipment (e.g., personal computers, smartphones)."9

The Commission seeks comment on the scope of products that are eligible for the program, including:

  • Whether the labels should be for an entire product, rather than a device that may be a component within a product.10
  • Whether the Commission should also include devices/products outside the proposed definition that connect to Wi-Fi via an intermediary (e.g., through a Wi-Fi gateway).11
  • Whether the program should also include enterprise devices or products for industrial/business use.12

The Commission also proposes to exclude from the program:

  1. Previously authorized equipment that has been identified as "covered equipment" on the FCC's Covered List (i.e., the list of equipment that the Commission has determined poses an unacceptable risk to the United States);
  2. Equipment that, now or in the future, has been placed on the Covered List;
  3. Any IoT device that is produced by an entity identified on the Covered List as producing "covered" equipment; and
  4. Any IoT device that is produced by an entity identified on the Department of Commerce's Entity List, the Department of Defense's List of Chinese Military Companies, or similar lists.13

OVERSIGHT AND MANAGEMENT OF THE IOT LABELING PROGRAM

The NPRM envisions a program wherein the Commission – as the "labeling scheme owner" – would be responsible for oversight and management of the program, including by "creat[ing] and own[ing] a new distinctive trademark to be used in [the program]" and taking "appropriate steps to authorize [the label's] overall use in a way that ensures the integrity of the mark and the label."14 It further proposes to "leverage the specialized expertise of third parties" by allowing entities to develop requirements or standards for the program and assess other parties' compliance with the program's standards.15

To demonstrate compliance with the IoT labeling program, the Commission proposes to create Cybersecurity Labeling Authorization Bodies (CyberLABs), which would be third-party entities with expertise in security and compliance testing, roughly analogous to the Commission's existing Telecommunications Certification Bodies (TCBs).16 The Commission seeks comment on how to structure the application and qualification/accreditation processes for CyberLABs,17 as well as whether to allow CyberLABs to establish and assess fees for processing accreditation requests.18


Footnotes

1. https://docs.fcc.gov/public/attachments/FCC-23-65A1.pdf.

2. https://www.fcc.gov/cybersecurity-certification-mark.

3. https://www.nist.gov/itl/executive-order-14028-improving-nations-cybersecurity/cybersecurity-labeling-consumers-0.

4. https://www.whitehouse.gov/briefing-room/presidential-actions/2021/05/12/executive-order-on-improving-the-nations-cybersecurity/.

5. https://www.congress.gov/bill/116th-congress/house-bill/1668.

6. https://www.ftc.gov/news-events/topics/protecting-consumer-privacy-security/privacy-security-enforcement.

7. NPRM ¶ 11.

8. NPRM ¶ 11.

9. NIST, Recommended Criteria for Cybersecurity Labeling for Consumer IoT Products at 3 n.3 (Feb. 4, 2022), https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.02042022-2.pdf.

10. NPRM ¶¶ 13–14.

11. NPRM ¶ 15.

12. NPRM ¶ 16.

13. NPRM ¶¶ 17–18.

14. NPRM ¶ 21.

15. Id.

16. NPRM ¶¶ 24–25.

17. NPRM ¶ 26.

18. NPRM ¶ 50.

Originally published by Pratt's Privacy & Cybersecurity Law Report.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.