ARTICLE
21 November 2025

Understanding Compliance: FCC's Final Rule On IoT Cybersecurity Labeling And Executive Order 14306: A New Mandatory Regime For Connected Device Manufacturers

BakerHostetler

Contributor


On June 6, 2025, the regulatory landscape for manufacturers of connected devices changed significantly with the implementation of Executive Order 14306, which extends the reach of the Federal Communications Commission's (FCC) Final Rule on Cybersecurity Labeling for Internet of Things (IoT) Products (Final Rule) and makes the voluntary FCC regime compulsory for connected products sold to the federal government after Jan. 4, 2027. For legal and compliance teams advising manufacturers of connected devices, understanding the compliance obligations under these new frameworks is essential.

FCC's Final Rule: Cybersecurity Labeling for IoT Products

In 2024, the FCC finalized its rule authorizing the use of cybersecurity labeling (the U.S. Cyber Trust Mark) for a broad range of consumer IoT devices. The Final Rule mandates that manufacturers that use the labeling ensure their connected devices meet baseline cybersecurity standards, such as secure software updates, data protection measures and vulnerability reporting mechanisms. Devices that comply will bear a cybersecurity label, signaling to consumers that the product meets federal guidelines. The Final Rule points to NISTIR 8425 as the operative set of baseline cybersecurity standards.

For connected device manufacturers, compliance means:

  • Establishing robust cybersecurity protocols during the product design phase
  • Maintaining documentation demonstrating adherence to FCC standards
  • Participating in third-party assessments or self-attestation processes, as specified by the rule
  • Ensuring ongoing compliance, including timely software updates and incident response plans

Impact of Executive Order 14306

Executive Order 14306 reinforces and expands upon federal cybersecurity initiatives. While originally focused on promoting competition, the order now explicitly directs the Federal Acquisition Regulatory Council to require U.S. Cyber Trust Mark labeling on all federally procured connected devices after Jan. 4, 2027. This means manufacturers seeking to sell to the federal government – or whose products may be used in critical infrastructure – must adhere to the FCC's labeling requirements and may face additional scrutiny regarding supply chain security and data privacy. The timeline afforded the FAR Council to amend the Federal Acquisition Regulations to incorporate these requirements is notable as well. EO 14306 requires the agency members of the FAR Council to jointly take steps to amend the Federal Acquisition Regulations within one year of June 6, 2025. As a result, organizations may have as little as six months to assess the reach of the amended Federal Acquisition Regulations and bring products into compliance for procurement by the federal government in 2027.

Near-Term Compliance Steps

  1. Review product portfolios: Assess which devices fall under the scope of the FCC's rule, EO 14306 and the amended Federal Acquisition Regulations.
  2. Update compliance programs: Align internal policies and procedures with new labeling and security standards.
  3. Monitor regulatory guidance: Stay abreast of FCC updates and agency interpretations of EO 14306, as enforcement priorities may evolve.
  4. Engage stakeholders: Work with product development, IT and supply chain teams to ensure compliance at every stage of the life cycle of each device.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
