On March 15, 2024, the FCC released the Report and Order and Further Notice of Proposed Rulemaking (“R&O” and “FNPRM” respectively) adopting a voluntary cybersecurity labeling program for wireless IoT products. The item was adopted at the March Open Meeting.
Specifically, the Order adopts a framework that will permit manufacturers to apply for authority to utilize the FCC IoT Label for wireless consumer IoT products and devices that meet certain cybersecurity requirements. The FCC defines “an IoT device to include (1) an Internet-connected device capable of intentionally emitting RF energy that has at least one transducer (sensor or actuator) for interacting directly with the physical world, coupled with (2) at least one network interface (e.g., Wi-Fi, Bluetooth) for interfacing with the digital world.” It defines an IoT product as an “IoT device and any additional product components (such as backend, gateway, mobile app) that are necessary to use the IoT device beyond basic operational features.” The FCC IoT Label will be limited to wireless consumer IoT products and will exclude products that are primarily intended to be used in manufacturing, healthcare, industrial control, or other enterprise applications. In addition, any products on the Covered List or products manufactured by companies on the Covered List will be excluded.
Similar to the FCC’s equipment authorization process, the FCC will require applicants to submit their products to an FCC-accredited and authorized CyberLab (whether third-party, in-house, or Cyber Security Administrator-run), which will test the IoT product for compliance with FCC rules and generate a test report. Applicants will then be required to file an application with a Cybersecurity Label Administrator (“CLA”), a third-party administrator appointed by the FCC’s Public Safety and Homeland Security Bureau (“PSHSB”) to manage certain aspects of the labeling program and authorized to certify applications for authorization to use the FCC IoT Label. The FCC will also appoint a Lead Administrator from among the CLAs, which will be responsible for oversight and administrative duties, including reviewing and approving CyberLabs. To receive approval, manufacturers that seek to utilize the FCC IoT Label will be required to ensure that their devices comply with standards developed by an FCC-appointed third-party administrator, which will be based on the NIST recommended IoT criteria (“NIST Core Baseline”), discussed in detail in NISTIR 8425.
The FCC will also utilize a QR Code in conjunction with the FCC IoT Label. The QR Code will link to a registry with consumer-friendly information about the security of the product. The FCC will also conduct regular audits and post-market surveillance of products utilizing the mark to ensure that consumers can continue to receive the benefit of the mark.
The FNPRM seeks comment on whether to require manufacturers to disclose whether firmware and/or software were developed and manufactured in high-risk countries and whether data collected by the product is stored in or transits a high-risk country or countries.