Cybersecurity Labeling for Internet of Things, 58211-58229 [2023-18357]

Agencies

• FEDERAL COMMUNICATIONS COMMISSION

[Federal Register Volume 88, Number 164 (Friday, August 25, 2023)]
[Proposed Rules]
[Pages 58211-58229]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2023-18357]


-----------------------------------------------------------------------

FEDERAL COMMUNICATIONS COMMISSION

47 CFR Chapter I

[PSHSB: PS Docket No. 23-239; FCC 23-65 FR ID 166265]


Cybersecurity Labeling for Internet of Things

AGENCY: Federal Communications Commission.

ACTION: Proposed rule.

-----------------------------------------------------------------------

SUMMARY: In this document, the Federal Communications Commission 
(Commission) proposes measures to improve consumer confidence and 
understanding of the security of their connected devices--commonly 
known as Internet of Things (IoT) devices--that are woven into the 
fabric of their everyday lives. To provide consumers with the peace of 
mind that the technology being brought into their homes is reasonably 
secure, and to help guard against risks to communications, the 
Commission proposes a voluntary cybersecurity labeling program that 
would provide easily understood, accessible information to consumers on 
the relative security of an IoT device or product, and assure consumers 
that manufacturers of devices bearing the Commission's IoT 
cybersecurity label adhere to widely accepted cybersecurity standards. 
In this regard, the Commission's cybersecurity labeling program would 
help consumers compare IoT devices and make informed purchasing 
decisions, drive consumers toward purchasing devices with greater 
security, incentivize manufacturers to meet higher cybersecurity 
standards to meet market demand, and encourage retailers to market 
secure devices. The proposed IoT label would offer a trusted, 
government-backed symbol for devices that comply with IoT cybersecurity 
standards.

DATES: Comments are due on or before September 25, 2023 and reply 
comments are due on or before October 10, 2023. Written comments on the 
Paperwork Reduction Act proposed information collection requirements 
must be submitted by the public and other interested parties on or 
before October 24, 2023.

ADDRESSES: You may submit comments, identified by PS Docket No. 23-239, 
by any of the following methods:
     Federal Communications Commission's website: https://www.apps.fcc.gov/ecfs/. Follow the instructions for submitting 
comments.
     Mail: Parties who choose to file by paper must file an 
original and one copy of each filing. If more than one docket or 
rulemaking number appears in the caption of this proceeding, filers 
must submit two additional copies for each additional docket or 
rulemaking number. Filings can be sent by commercial overnight courier, 
or by first-class or overnight U.S. Postal Service mail. All filings 
must be addressed to the Commission's Secretary, Office of the 
Secretary, Federal Communications Commission. Commercial overnight mail 
(other than U.S. Postal Service Express Mail and Priority Mail) must be 
sent to 9050 Junction Drive, Annapolis Junction, MD 20701. U.S. Postal 
Service first-class, Express, and Priority mail must be addressed to 45 
L Street NE, Washington, DC 20554.
    Effective March 19, 2020, and until further notice, the Commission 
no longer accepts any hand or messenger delivered filings. This is a 
temporary measure taken to help protect the health and safety of 
individuals, and to mitigate the transmission of COVID-19. See FCC 
Announces Closure of FCC Headquarters Open Window and Change in Hand-
Delivery Policy, Public Notice, DA 20-304 (March 19, 2020). https://www.fcc.gov/document/fcc-closes-headquarters-open-window-and-changes-hand-delivery-policy.
    People with Disabilities. To request materials in accessible 
formats for people with disabilities (braille, large print, electronic 
files, audio format), send an email to [email protected] or call the 
Consumer & Governmental Affairs Bureau at 202-418-0530 (voice), 202-
418-0432 (TTY).

FOR FURTHER INFORMATION CONTACT: Erika Olsen, Acting Chief, 
Cybersecurity and Communications Reliability Division, Public Safety 
and Homeland Security Bureau, (202) 418-2868, or by email to 
[email protected]; or James Zigouris, Attorney-Advisor, Cybersecurity 
and Communications Reliability Division, Public Safety and Homeland 
Security Bureau, (202) 418-0697, or by email to [email protected]. 
For additional information concerning the Paperwork Reduction Act 
information collection requirements contained in this document, send an 
email to [email protected] or contact Nicole Ongele, Office of Managing 
Director, Performance Evaluation and Records Management, 202-418-2991, 
or by email to [email protected].

SUPPLEMENTARY INFORMATION: This is a summary of the Commission's Notice 
of Proposed Rulemaking (NPRM), FCC 23-65, adopted August 6, 2023, and 
released August 10, 2023. The full text of this document is available 
by

[[Page 58212]]

downloading the text from the Commission's website at: https://docs.fcc.gov/public/attachments/FCC-23-7A1.pdf. When the FCC 
Headquarters reopens to the public, the full text of this document will 
also be available for public inspection and copying during regular 
business hours in the FCC Reference Center, 45 L Street NE, Washington, 
DC 20554. To request materials in accessible formats for people with 
disabilities (Braille, large print, electronic files, audio format), 
send an email to [email protected] or call the Consumer & Governmental 
Affairs Bureau at 202-418-0530 (voice), 202-418-0432 (TTY).
    Regulatory Flexibility Act: The Regulatory Flexibility Act of 1980, 
as amended (RFA), requires an agency to prepare a regulatory 
flexibility analysis for notice-and-comment rulemakings, unless the 
agency certifies that ``the rule will not, if promulgated, have a 
significant economic impact on a substantial number of small 
entities.'' The Commission seeks comment on potential rule and policy 
changes contained in the document, and accordingly, has prepared an 
IRFA. The IRFA for this document in PS Docket No. 23-239 is set forth 
below in this document and written public comments are requested. 
Comments must be filed by the deadlines for comments on the document 
indicated under the DATES section of this document and must have a 
separate and distinct heading designating them as responses to the 
IRFA. The Commission reminds commenters to file in the appropriate 
docket: PS Docket No. 23-239.
    Paperwork Reduction Act: This document may contain proposed 
modified information collection requirements. Therefore, the Commission 
seeks comment on potential new or revised information collections 
subject to the Paperwork Reduction Act of 1995. If the Commission 
adopts any new or revised information collection requirements, the 
Commission will publish a notice in the Federal Register inviting the 
general public and the Office of Management and Budget to comment on 
the information collection requirements, as required by the Paperwork 
Reduction Act of 1995, Public Law 104-13. In addition, pursuant to the 
Small Business Paperwork Relief Act of 2002, Public Law 107-198, see 44 
U.S.C. 3506(c)(4), the Commission seeks specific comments on how it 
might further reduce the information collection burden for small 
business concerns with fewer than 25 employees.
    Ex Parte Rules--Permit-But-Disclose. This proceeding this document 
initiates shall be treated as a ``permit-but-disclose'' proceeding in 
accordance with the Commission's ex parte rules. Persons making ex 
parte presentations must file a copy of any written presentation or a 
memorandum summarizing any oral presentation within two business days 
after the presentation (unless a different deadline applicable to the 
Sunshine period applies). Persons making oral ex parte presentations 
are reminded that memoranda summarizing the presentation must (1) list 
all persons attending or otherwise participating in the meeting at 
which the ex parte presentation was made, and (2) summarize all data 
presented and arguments made during the presentation. If the 
presentation consisted in whole or in part of the presentation of data 
or arguments already reflected in the presenter's written comments, 
memoranda or other filings in the proceeding, the presenter may provide 
citations to such data or arguments in his or her prior comments, 
memoranda, or other filings (specifying the relevant page and/or 
paragraph numbers where such data or arguments can be found) in lieu of 
summarizing them in the memorandum. Documents shown or given to 
Commission staff during ex parte meetings are deemed to be written ex 
parte presentations and must be filed consistent with Rule 1.1206(b). 
In proceedings governed by Rule 1.49(f) or for which the Commission has 
made available a method of electronic filing, written ex parte 
presentations and memoranda summarizing oral ex parte presentations, 
and all attachments thereto, must be filed through the electronic 
comment filing system available for that proceeding, and must be filed 
in their native format (e.g., .doc, .xml, .ppt, searchable .pdf). 
Participants in this proceeding should familiarize themselves with the 
Commission's ex parte rules.

Synopsis

I. Notice of Proposed Rulemaking in PS Docket No. 23-239

A. The Internet of Things (IoT) Landscape

    1. As the world continues to become even more interconnected, 
malicious cyber campaigns become bolder and continue to threaten 
network security and privacy. Today, there are a wide range of consumer 
IoT products on the market that communicate over wired and wireless 
networks. These products are made up of various devices, and are based 
on many technologies, each of which presents a set of security 
challenges. Consumer IoT products and their component devices are 
susceptible to a wide range of relatively common security 
vulnerabilities including the continued use of default passwords, lack 
of regular security updates, and weak encryption and insecure 
authentication. Some IoT products and devices even lack any type of 
physical security. These vulnerabilities can be exploited by attackers 
to gain unauthorized access to the device or its data, launch denial of 
service (DoS) attacks, use the device as part of a larger botnet, or 
use the device as an interference generator. Compromised devices could 
also be forced to transmit at times and intervals selected by the 
attacker to interfere with other devices, either causing them to 
function improperly or causing a denial of service.
    2. The proliferation of consumer IoT devices has opened the door to 
cyberattacks on consumer products that can have serious privacy and 
national security consequences, ranging from theft of personal 
information to disruption of critical infrastructure. In just the first 
six months of 2021, for example, it was estimated ``that more than 1.5 
billion attacks have occurred against IoT devices.'' Cybersecurity 
vulnerabilities in IoT products and their devices also open a gateway 
to larger and more significant intrusions that may threaten national 
security.

B. Public and Private IoT Security Efforts

    3. Significant work has already been conducted in the realm of IoT 
cybersecurity. There are also ongoing efforts to address IoT security 
labeling across both private and public sectors. In the private sector, 
for example, the Consumer Technology Association (CTA) convened an IoT 
working group tasked with supporting the advancement of the consumer 
IoT industry, and produced a white paper addressing the current 
regulatory approach to IoT. CTA has also convened with various 
organizations to discuss IoT baseline security capabilities. In 
addition, researchers at Carnegie Mellon University (CMU) conducted 
significant research into consumer IoT purchasing and concluded there 
is a need to ``provide consumers with readily accessible information to 
help them make informed decisions about what they bring into their 
homes.'' International efforts have also advanced in the IoT labeling 
space.
    4. In May 2021, Executive Order No. 14028 also emphasized the 
importance of IoT cybersecurity, noting the ``persistent and 
increasingly

[[Page 58213]]

sophisticated malicious cyber campaigns that threaten the public 
sector, the private sector, and ultimately the American people's 
security and privacy.'' Indeed, securing the Internet of Things forms a 
significant pillar in the recently-released National Cybersecurity 
Strategy, which noted in particular the need to advance the goals of 
the E.O.'s IoT labeling efforts so that ``consumers will be able to 
compare the cybersecurity protections offered by different IoT 
products, thus creating a market incentive for greater security across 
the entire IoT ecosystem.''
    5. In this respect and pursuant to that E.O., in 2022 the National 
Institute of Standards and Technology (NIST) issued a White Paper that 
identified labeling criteria for cybersecurity capabilities of IoT 
consumer devices, informed by existing consumer product labeling 
programs and input provided by diverse stakeholders, and issued a 
summary report about creating a cybersecurity labeling program for 
consumer IoT products. Additionally, NIST produced a final report, 
Profile of the IoT Core Baseline for Consumer IoT Products (NISTIR 
8425), which identifies cybersecurity capabilities commonly needed for 
the consumer IoT sector, thereby providing a starting point for what 
consumers should consider when purchasing IoT products. From these 
efforts, NIST identified key elements of a labeling program, including 
encouraging innovation, and being practical and not burdensome, among 
other elements. In addition, NIST initiated a pilot IoT cybersecurity 
labeling program, in which it solicited contributions from stakeholders 
regarding how current and future-planned labeling efforts could align 
with the NIST recommendations. NIST describes a potential program that 
would educate the public on IoT cybersecurity capabilities, thereby 
allowing and enabling consumers in the marketplace to make informed 
choices about their IoT purchases.
    6. The foregoing priorities and efforts, Commission experience 
guiding compliance assessment programs, and prior Commission action in 
this space (including the recent Spectrum Requirements for Internet of 
Things Notice of Inquiry, ET Docket No. 21-353, Notice of Inquiry, 36 
FCC Rcd 14165 (2021), and efforts to address the potential for 
reprogrammed communications equipment to operate outside of authorized 
device parameters with the attendant risk of harmful interference) 
provide important building blocks for the Commission's analysis and 
inform its proposals today.

Discussion

C. Establishing a Voluntary Cybersecurity Labeling Program

    7. The Commission proposes to establish a voluntary cybersecurity 
labeling program. Given the nature of the IoT market, the Commission 
believes that the success of a cybersecurity labeling program will be 
dependent upon a willing, close partnership and collaboration between 
the federal government, industry, and other stakeholders. While this 
proposed program would be voluntary, entities that choose to 
participate in the Commission's program would be required to ensure 
their IoT devices and products comply with the Commission's program 
requirements the Commission proposes to codify in its rules. As 
described below, the Commission proposes the use of certain baseline 
cybersecurity criteria and the development of product standards 
informed by those criteria, as well as the parameters for labeling of 
IoT products that conform with those standards and associated 
informational requirements. IoT products qualifying for the program 
would be authorized to use the Commission's proposed new distinctive 
label signifying their participation in the program and adherence to 
the standards set. The Commission anticipates that devices or products 
bearing the Commission's cybersecurity label will be valued by 
consumers, particularly by those who may otherwise have difficulty 
determining whether a product they are thinking of buying meets basic 
security standards. The Commission seeks comment on this proposed 
approach.
    8. In adopting this document, the Commission concludes its 
consideration of IoT cybersecurity labeling issues related to the 
Notice of Inquiry in ET Docket No. 21-232 and EA Docket No. 21-233, and 
close that proceeding as to those issues. See Authorization Program; 
Protecting Against National Security Threats to the Communications 
Supply Chain through the Competitive Bidding Program, ET Docket No. 21-
232, EA Docket No. 21-233, Notice of Proposed Rulemaking and Notice of 
Inquiry, 36 FCC Rcd 10578, para. 104 (2021) (Supply Chain NOI). That 
NOI raised IoT cybersecurity labeling in the specific context of the 
Commission's existing equipment authorization program, and although the 
Commission does not formally rule out building on its equipment 
authorization program at this stage, the Commission believes that its 
proposals for a voluntary labeling program building on the efforts of 
NIST and others as reflected in this document represent the most 
appropriate, and targeted, approach to IoT cybersecurity labeling that 
the Commission wants to explore at this time. The Commission believes 
that closing the Supply Chain NOI with respect to IoT cybersecurity 
labeling issues will focus commenters on this proceeding and spur 
comments that better reflect that distinct focus. Thus, although the 
Commission hereby incorporates relevant comments in those dockets into 
this proceeding, PS Docket 23-239, the Commission also requests that, 
going forward, interested parties use PS Docket 23-239 for any filings. 
The Commission directs the Office of Engineering and Technology to 
provide public notice of the closed issues in ET Docket Nos. 21-232, 
21-233.

D. Eligible Devices or Products

    9. The Commission seeks comment on the scope of IoT devices or 
products for sale in the United States that should be eligible for 
inclusion in the Commission's labeling program. To help inform the 
program's scope, the Commission observes that the practical goal is to 
provide consumers with a clear, easily understood indicator that the 
IoT devices displaying the Commission's label satisfy certain baseline 
cybersecurity requirements and have specific cybersecurity 
capabilities. In assessing scope, the Commission seeks to ensure that 
its program would be sufficiently inclusive to be of value to consumers 
in this regard.
    10. The Commission seek comment on whether to focus the program 
initially on IoT ``devices'' (as defined in this document) and 
specifically those wireless devices that intentionally emit radio 
frequency (RF) energy. The Commission begins by considering NIST's 
definition of IoT devices. NIST defines IoT devices as those devices 
that have at least one transducer (sensor or actuator) for interacting 
directly with the physical world and at least one network interface 
(e.g., Ethernet, Wi-Fi, Bluetooth) for interfacing with the digital 
world. The Commission proposes two modifications to the NIST definition 
for purposes of its labeling program. First, the Commission proposes to 
add ``internet-connected'' to its definition because, as NIST observes, 
a key component of IoT is the usage of standard internet protocols for 
functionality, which expose IoT to related security threats and 
challenges caused by being internet-connected. Second, because the 
Commission's relevant statutory authorities recognize the more 
extensive risks of harmful interference associated with devices that 
intentionally emit RF energy, the Commission proposes to include the

[[Page 58214]]

premise that an IoT device must be capable of intentionally emitting RF 
energy. In this respect, the Commission is referring to an IoT device, 
with a wireless interface, that intentionally uses RF energy to 
communicate or interact with the physical world. Accordingly, 
incorporating the Commission's modifications, the Commission proposes, 
for purposes of the IoT labeling program, to define an IoT device as: 
(1) an internet-connected device capable of intentionally emitting RF 
energy that has at least one transducer (sensor or actuator) for 
interacting directly with the physical world, coupled with (2) at least 
one network interface (e.g., Wi-Fi, Bluetooth) for interfacing with the 
digital world. The Commission seeks comment on this proposed 
definition.
    11. The Commission proposes to focus the scope of its program on 
intentional radiators that generate and emit RF energy by radiation or 
induction. Such devices--if exploited by a vulnerability--could be 
manipulated to generate and emit RF energy to cause harmful 
interference. While the Commission observes that any IoT device may 
emit RF energy (whether intentionally, incidentally, or 
unintentionally), in the case of incidental and unintentional 
radiators, the RF energy emitted because of exploitation may not be 
enough to be likely to cause harmful interference to radio 
transmissions. The Commission seeks comment on this view. Does this 
proposed definition unduly limit the devices that should be eligible 
for participation in the cybersecurity labeling program? Are there 
specific unintentional radiators or incidental radiators that should be 
included in the program, or should they be included generally? 
Alternatively, should the Commission consider adding these devices to 
the program at a later date? The Commission also seeks comment on any 
other ways in which the Commission's proposal might be limiting or 
should otherwise be expanded. For example, would the exclusion of 
wired-only IoT devices impact the success, usefulness and effectiveness 
of this labeling program and confuse consumers, rather than adequately 
informing them on IoT devices with appropriate network security 
standards?
    12. To ensure that its program is able to be of greatest value to 
the consumer, the Commission also seeks comment on whether it should 
focus the cybersecurity labeling program on to IoT ``products,'' rather 
than IoT devices as defined above. For such purposes the Commission 
could define an IoT product consistent with the NIST definition as 
follows: An IoT device and any additional product components (e.g., 
backend, gateway, mobile app, etc.) that are necessary to use the IoT 
device beyond basic operational features. The Commission seeks comment 
on this proposed definition of an IoT product eligible for an IoT 
label.
    13. Further, the Commission seeks comment on whether a program that 
addresses products (as opposed to just devices) would be more consumer 
friendly, as the public may find it easier to understand that the 
product (as a whole) they are looking to purchase meets the IoT 
security standards, rather than trying to parse which devices (i.e., 
parts of the product) meet applicable standards. Likewise, would 
limiting the label to devices create confusion with consumers who may 
not fully understand the label does not apply to the entire product? If 
the program only encompasses devices, should the Commission 
differentiate the labeling in situations where a product contains 
multiple devices, and some devices are labeled and some are not? If so, 
how could the Commission make this differentiation without causing 
consumer confusion? How does the Commission mitigate consumer confusion 
if a device label is used in a common packaging environment? The 
Commission seeks comment on these issues.
    14. The Commission also seeks comment on whether either definition 
fully accounts not only for the IoT device or product itself, but also 
the other components that make the IoT device functional and may be 
vulnerable to attack. For example, there is a category of IoT devices 
that do not connect directly to the customer's home Wi-Fi network; 
instead, they connect to an intermediate communication device (i.e., 
Wi-Fi Gateway) which connects to the home Wi-Fi network. What are the 
risks and vulnerabilities inherent in the communication between these 
types of IoT devices or products and their environment? Are there other 
IoT devices or products that similarly have vulnerabilities that would 
be outside the scope of the Commission's proposed definition? Should 
such concerns be considered when adopting a definition for devices and/
or products that would be eligible for the labeling program? If so, 
how?
    15. Finally, the Commission recognizes that IoT devices and 
products have proliferated not only in the non-enterprise space, but 
also in the workplace from office settings to field settings, from 
medical settings to industrial settings. As such, the Commission seeks 
comment on whether to focus the IoT labeling program on consumer IoT 
devices or products intended for consumer use or include ``enterprise'' 
devices or products intended for industrial or business use, or to 
otherwise tailor the scope of devices and products covered by the 
labeling program based on their usage. If commenters propose that the 
program include a broader array of devices or products beyond the non-
enterprise setting, what additional considerations should the 
Commission take into account for these products or devices, including 
the relative sophistication and specific needs of the purchasers of 
these devices?
    16. IoT Products Excluded from the Commission's Labeling Program. 
Pursuant to the Secure and Trusted Communications Networks Act of 2019, 
and the Commission's rules, the Commission's Public Safety and Homeland 
Security Bureau (PSHSB) publishes and regularly updates a list of 
communications equipment and services produced or provided by specified 
entities (``Covered List''), which have been determined to pose an 
unacceptable risk to the national security of the United States or the 
security and safety of United States persons (``Covered List''). 
Beginning on February 6, 2023, the Commission no longer permits 
authorization of any applications for equipment certification of any 
equipment that has been identified as ``covered'' equipment on the 
Commission's Covered List. This decision did not, however, revoke any 
previously authorized equipment that now constitutes ``covered'' 
equipment, although it may do so in the future. In this proceeding, the 
Commission proposes to exclude from the labeling program any such 
previously authorized ``covered'' equipment. The Commission seeks 
comment on this proposal.
    17. In light of this prohibition, the Commission similarly proposes 
to exclude from the program any communications equipment that now, or 
in the future, has been placed on the Covered List. The Commission 
proposes to exclude any IoT device that is produced by an entity 
identified on the Covered List as producing ``covered'' equipment. 
Furthermore, the Commission proposes to exclude from the Commission's 
labeling program any device or product from a company named on the 
Department of Commerce's Entity List, the Department of Defense's List 
of Chinese Military Companies or similar lists. See, e.g., Bureau of 
Industry and Security, U.S. Department of Commerce, Supplement No. 4 to 
Part 744--Entity List, https://

[[Page 58215]]

www.bis.doc.gov/index.php/documents/regulations-docs/2326-supplement-
no-4-to-part-744-entity-list-4/file (May 19, 2023); Entities Identified 
as Chinese Military Companies Operating in the United States in 
Accordance with Section 1260H of the William M. (``Mac'') Thornberry 
National Defense Authorization Act for Fiscal Year 2021 (Pub. L. 116-
283), Tranche 2, U.S. Department of Defense, https://media.defense.gov/2022/Oct/05/2003091659/-1/-1/0/1260H%20COMPANIES.PDF (Oct. 5, 2022).
    18. The cybersecurity label has the potential to convey important 
information about a device or product's security. The Commission finds 
it could be harmful to consumers to portray such a message on devices 
or products made by companies that its sister agencies have identified 
publicly as part of their national security review. The Commission 
seeks comment on this proposal and on other government lists the 
Commission should consider. How can the Commission ensure any such 
proposed exclusion is implemented? Should applicants be required to 
include a written and signed attestation that the particular equipment 
for which they seek approval is not ``covered'' equipment (i.e., is not 
communications equipment that has been identified and placed on the 
Commission's Covered List)? Are there other products or categories of 
products that the Commission should explicitly exclude from the 
program?

E. Oversight and Management of the Proposed IoT Cybersecurity Labeling 
Program

    19. As discussed above, the Commission believes that close 
partnership and collaboration between the federal government, industry, 
and other stakeholders is vital to ensuring the success of the proposed 
voluntary IoT cybersecurity labeling program. Moreover, a collaborative 
environment that can leverage the expertise, incentives, and authority 
of various constituencies in this context would allow for the swift 
establishment and maturity of the program with broad industry and 
consumer acceptance that could adapt to a rapidly evolving threat 
landscape. As such, the Commission proposes a public-private 
partnership in the oversight and administration of this labeling 
program, subject to ultimate Commission supervision.
    20. In seeking comment on the proposed IoT labeling program, the 
Commission notes that NIST identified several key elements of a 
potential labeling program. These include the use of certain 
recommended baseline product criteria (including both technical product 
criteria that promotes cybersecurity-related capabilities and non-
technical criteria providing important product information), the use or 
development of requirements and/or standards that are informed by the 
recommended product criteria, the establishment of a conformity 
assessment program to assess whether particular products satisfy the 
developed requirements and/or standards, and the creation of labeling 
requirements for IoT products (a single label indicating that a product 
has met the baseline standard, as well as a means to access additional 
label information for the specific IoT product) that will aid in IoT 
purchasing decisions by enabling comparisons among products and 
providing important information about cybersecurity considerations. 
NIST also noted that ``one size does not fit all,'' and that multiple 
solutions might be offered.
    21. The Commission proposes to establish a program where the 
Commission would create and own a new distinctive trademark to be used 
in a voluntary program for IoT cybersecurity labeling and would take 
appropriate steps to authorize its overall use in a way that ensures 
the integrity of the mark and the label. The Commission also proposes 
to have third parties play integral roles in the management and 
administration of the labeling program. These entities would, for 
example, be authorized to conduct activities such as development of 
requirements or standards for consideration by the Commission, and 
assessment of IoT devices and products for conformity with those 
requirements or standards subject to supervision of the Commission. 
Subject to Commission oversight, third parties could evaluate and 
authorize the use of the Commission's trademark on an IoT device or 
product. In this regard, the Commission proposes to incorporate and 
leverage the specialized expertise of third parties, where appropriate, 
into its standards, application and review procedures.
    22. Oversight and Management of the Labeling Program. In NIST's 
White Paper on a cybersecurity labeling program for consumer IoT 
products, it discussed the need for management and oversight of the 
overall labeling program. Specifically, it contemplated that there 
would be one entity (the ``labeling scheme owner'') that would manage 
the labeling program, determine its structure and management, and 
perform oversight to ensure that the program is functioning 
consistently in keeping with overall objectives; further, this entity 
would be responsible for defining the conformity assessment 
requirements, developing the label and associated information, and 
conducting consumer outreach and education.'' The Commission seeks 
comment on the appropriate entity or entities to serve in the oversight 
and management of the labeling program. Should the Commission be the 
scheme owner to oversee as well as manage the labeling program? If the 
Commission takes on the role of overseeing the labeling program, should 
one or more third-party administrators, as detailed below, manage the 
tasks identified above or some portion of them? Or, should one or more 
third-party administrators be designated as the scheme owner(s), and if 
so, how should the Commission retain and exercise its oversight 
responsibilities?
    23. Use of Third-Party Administrator(s). The Commission seeks 
comment on how one or more third-party administrator(s) might be 
utilized to manage some or all of the functions outlined above as NIST 
ascribed to the labeling program scheme owner, or how such an entity, 
or entities, might otherwise manage all or some elements of the 
envisioned labeling program to ensure effectiveness, efficiency, 
consistency, and timely implementation, subject to ultimate Commission 
supervision. The Commission seeks comment on the best approach for 
utilizing the respective levels of expertise that reside in the 
Commission, other federal government entities, industry, and other 
stakeholders. In particular, the Commission seeks comment on whether 
there are existing stakeholders, public or private, who are well 
situated to convene and develop the IoT security standards among 
stakeholders as to a particular IoT device or product, or classes of 
IoT devices or products, to ensure the consistency and fair 
administration of the proposed labeling program. Further, could a 
third-party administrator approve, or submit to the Commission for 
approval, more specific standards for conformance assessment of the 
proposed criteria, or for otherwise evaluating program applicants? 
Could a third-party administrator set the requirements for testing 
laboratories? Should the Commission consider designating a third-party 
administrator or other outside entit(ies) to authorize the use of the 
envisioned cybersecurity label, and if so, what oversight should it 
exercise, for example, to ensure the integrity of the mark and label?
    24. If the Commission were to utilize one or more third-party 
administrator(s),

[[Page 58216]]

the Commission seeks comment on how it should select such 
administrator(s). What qualifications should a third-party 
administrator possess, and how should the Commission intake and 
evaluate applications? What national security considerations are 
relevant to such qualifications? Should a third-party administrator(s) 
be required to have previous experience administering an IoT product or 
similar conformity assessment program? Given the diversity in IoT 
devices and products, would it be preferable for third party 
administrators to have varying areas of expertise? What level of 
control or oversight should the Commission retain, and what level of 
guidance should be provided? Are there entities in this space that 
should be considered for this role and, if so, why? Are there benefits 
to utilizing multiple third-party administrators versus a single 
administrator? If there are multiple administrators, how could the 
Commission ensure standards are consistently applied across similar 
devices and avoid conflict among administrators? How could the 
Commission reconcile the functionalities of each administrator to avoid 
conflict? Are there other attributes or qualities that the Commission 
should require of an administrator? For example, should the 
administrator be required to be a non-profit entity? Should the 
administrator establish that it would be neutral and independent, with 
no conflicts of interest (financial or organizational) on the part of 
the organization or its officers, directors, employees, contractors, or 
significant subcontractors? Should the Commission direct PSHSB, 
coordinating with the Office of the Managing Director and the Office of 
Engineering and Technology, to develop and implement a selection or 
qualifications review process?
    25. Cybersecurity Labeling Authorization Bodies. The Commission 
seeks comment on how IoT devices or products can demonstrate compliance 
with the IoT security standards, once they are developed. In the 
context of the Commission's existing equipment authorization process, 
Telecommunications Certification Bodies (TCBs), which are accredited 
third parties recognized by the Commission, certify RF equipment based 
in part on testing for compliance with applicable technical RF 
requirements on behalf of the Commission and in accordance with the 
Commission's rules and standards. TCBs may then be subject to 
international Mutual Recognition Agreements which determine acceptance 
of their conformity assessment results by other countries. The 
Commission anticipates that it could draw from this type of program's 
organizational structure to assess IoT devices and products for 
compliance with the IoT cybersecurity standards, once they are 
developed. In the context of IoT labeling, instead of RF-based testing 
and certification, we envision that third parties with expertise in 
security and compliance testing, as described below, could fill this 
role. The Commission refers to these entities as Cybersecurity Labeling 
Authorization Bodies (CyberLABs) for purposes of this discussion. The 
Commission seeks comment on this proposal.
    26. CyberLABs Accreditation or Recognition. The Commission proposes 
that the Commission or one of its authorized third-party administrators 
would evaluate, accredit, or recognize the CyberLABs based on their 
qualifications, resources, and procedures. If the Commission were to 
authorize third party administrators to evaluate, accredit or recognize 
these entities, what oversight would the Commission exercise over these 
entities or over the process? The Commission seeks to ensure that 
CyberLABs have the necessary expertise and resources to properly test 
and assess IoT devices and products compliance with the IoT security 
standards. To become accredited or recognized for the proposed IoT 
labeling program, the Commission proposes that a CyberLAB submit an 
application demonstrating that it meets the following requirements:
     Qualifications: The CyberLAB has technical expertise in 
cybersecurity testing and conformity assessment of IoT devices and 
products.
     Resources: The CyberLAB has the necessary equipment, 
facilities, and personnel to conduct cybersecurity testing and 
conformity assessment of IoT devices and products.
     Procedures: The CyberLAB has documented procedures for 
conformity assessment.
     Continued competence: Once accredited or recognized, 
CyberLABs would be periodically audited and reviewed to ensure they 
continue to comply with the IoT security standards and testing 
procedures. In addition to periodic audits, the FCC or its third-party 
administrator would also conduct random inspections of CyberLABs to 
ensure that they are complying with the IoT security standards and 
testing and label authorization procedures. Additionally, existing 
standards, e.g., ISO/IEC 17025 could be leveraged for developing 
qualifications for a CyberLAB. See General requirements for the 
competence of testing and calibration laboratories, ISO/IEC 17025:2017 
(Nov. 2017) (available at https://www.iso.org/standard/66912.html).
    27. The Commission seeks comment on this proposed process and 
accompanying qualifications. Are they an appropriate fit for the 
Commission's objectives? Are there other options the Commission should 
consider? For example, could device manufacturers be allowed to perform 
testing and self-assessment subject to review by a third-party 
administrator or other entity? What additional qualifications, if any, 
should the Commission seek in a CyberLAB seeking to perform such as 
testing and conformity assessments? What additional controls might be 
necessary, if any, to ensure a CyberLAB remains impartial when testing 
and assessing IoT devices and products with relevant standards? Should 
the Commission take into account any national security considerations, 
or adopt Character Qualifications for CyberLABs? If so, what should 
these include? Would this accreditation or recognition process impact 
the Commission's existing, or future, Mutual Recognition Agreements 
and, if so, how might it be remedied to avoid such impact? Should 
CyberLABs be located only in the United States? If the Commission 
should consider CyberLABs located outside the United States, what 
additional scrutiny, if any, should these entities be given during the 
Commission's accreditation process? Given the sensitive information 
that will be shared with CyberLABs, should accreditation or recognition 
include reviewing CyberLABs internal security practices? If requested 
by participating firms, should CyberLABs be required to provide 
information on their own security or internal practices to firms?

F. Development of IoT Cybersecurity Criteria and Standards

    28. Applying the Baseline NIST Criteria. The Commission seeks 
comment on the adoption of the NIST's recommended IoT criteria as the 
basis for the proposed labeling program. The NIST IoT criteria are 
based on product-focused cybersecurity outcomes, rather than specific 
requirements. NIST contemplates that ``the outcome-based approach 
allows for the flexibility required by a diverse marketplace of IoT 
products'' and the ``role of the scheme owner is critical to ensure 
that supporting evidence demonstrates that the product meets the 
expected outcomes.'' The NIST criteria include: (1) asset 
identification; (2) product configuration; (3) data protection; (4)

[[Page 58217]]

interface access control; (5) software update; (6) cybersecurity state 
awareness; (7) documentation; (8) information and query reception; (9) 
information dissemination; and (10) product education and awareness. 
NIST has noted that while the first six of these criteria generally 
concern certain technical product criteria, the last four concern non-
technical product criteria. How could NIST's IoT criteria, such as 
product configuration, interface access control, product education and 
awareness, data production, asset identification, software updates, 
cybersecurity state awareness, documentation, information and query 
reception, etc., be leveraged to inform minimum IoT security 
requirements and standards in a manner that is suitable for conformity 
assessments (e.g., for technical-related testing and non-technical 
verification) in appropriate circumstances, or for self-attestation in 
others? Are there other criteria the Commission should consider? Are 
there separate criteria that should be considered for higher risk IoT 
devices or classes of devices?
    29. Standards Development Based on NIST Criteria. The Commission 
recognizes that this conformity assessment program must be based on IoT 
security standards and testing requirements that the IoT devices and 
product must satisfy to be eligible to receive and use the label. The 
Commission proposes that the IoT security standards be developed 
jointly with the industry and other stakeholders. In this regard, there 
may be a number of expert Standards Development Organizations (SDOs), 
industry groups and government agencies that have both the technical 
expertise and other requisite experience to contribute to this task. 
The Commission seeks comment on whether the Commission or an outside 
entity is in the best position to convene these stakeholders, and to 
timely develop the more specific detail that would allow the consistent 
and replicable testing necessary to ensure the outcome based NIST IoT 
labeling criteria are fulfilled. Would the Federal Advisory Committee 
Act (FACA) limit the Commission's ability to convene these 
stakeholders? The Commission seeks comment on this proposal.
    30. The Commission proposes that the IoT security requirements and 
standards would be developed and implemented through the following 
process:
     Collecting information: Conduct research, consult with 
experts, and review existing standards such as those developed and in 
use by international organizations.
     Establishing requirements: Informed by the new data, 
develop requirements that will help meet NIST core baseline criteria.
     Develop the standard: With the requirements established, 
the standard can be developed. This will involve creating a document 
that outlines the requirements in a clear and concise manner and a 
clear mapping between the standards and the device or product criteria.
     Reviewing and improving: Ensure that the standard is 
comprehensive, clear, and suitable for lab testing.
     Implementation: Conduct training, testing, and monitoring 
to ensure that the requirements are satisfied.
    31. The Commission seeks comment on the scope of this work and on 
this proposed process. What additional factors should be included or 
otherwise factored into this process? How can the Commission ensure 
that the views of small, women- and minority-owned businesses, 
including small IoT manufacturers, are considered in this process? 
Considering the amount of work that the industry, NIST, and 
international community have already completed in this area, how could 
this work be leveraged to promote the swift development of standards 
for IoT cybersecurity labeling? How long might this work take to 
complete? The Commission seeks comment on the shortest but most 
thorough path to accomplishing this work and the minimum amount of time 
it should take to develop the standards. The Commission recognizes 
there are other IoT security standards already available and seek 
comments on whether and why the Commission should consider their 
adoption. Are there standards for particular IoT devices or classes of 
IoT devices that are already sufficiently mature such that they could 
be readily--or more quickly--adopted? Should the program start with 
those devices or products?
    32. The Commission recognizes that while the IoT cybersecurity 
label would not constitute a guarantee that the participating IoT 
product can withstand every single cyberattack, it should provide 
meaningful assurance to consumers that the IoT devices and products 
that display the label satisfy certain minimum cybersecurity standards 
and have specific cyber capabilities that demonstrably reduce relevant 
vulnerabilities appropriate to the class of device. As such, while 
participation in the IoT labeling program would be voluntary, the 
Commission proposes to require those who choose to participate to 
adhere to the specific standards described above, and as recognized by 
the Commission.
    33. The Commission observes that in other contexts, it periodically 
incorporates by reference various standards established by standards-
setting bodies including, but not limited to, the American National 
Standards Institute (ANSI), Accredited Standards Committee C63 (ANSC 
C63), and the International Organization for Standardization; and the 
International Electrotechnical Commission. As the Commission has noted, 
use of industry-based standards in this context is intended to ensure 
the integrity of the measurement data associated with an equipment 
authorization. The Commission recognizes that, in addressing 
cybersecurity standards, timely adoption and speed are a prime benefit 
of a multi-stakeholder, industry-led approach, which militate in favor 
of a more streamlined process than the full Commission-level review 
described above. Accordingly, the Commission proposes if standards are 
developed by outside bod(ies), that they submit the IoT security 
standards for acceptance by the Commission prior to utilization for 
testing and other conformity evaluation. In this regard, the Commission 
proposes to direct PSHSB to place the standards on Public Notice for 
comment in accordance with the rulemaking requirements of the 
Administrative Procedure Act and, subsequent to reviewing any comments 
received, accept the standards as proposed or with amendments as 
warranted by the record. Is this sufficient, or do commenters believe a 
Commission-level rulemaking is needed? Alternatively, could an outside 
body adopt the standards and attest their conformity with the broader 
NIST criteria in a manner acceptable to the Commission, without the 
need for further action by the Commission? What other streamlined 
processes might be appropriate for prompt review and validation of IoT 
security standards?
    34. Conformity Assessments. The Commission seeks comment on the 
process for assessing conformity of consumer IoT products and devices 
under the Commission's IoT labeling program. While the Commission 
expects that third-party assessment (testing and other required 
assessment via CyberLAB, as discussed above) would provide an avenue 
for conformity assessment, the Commission proposes that other 
approaches also be considered. For example, NIST describes how 
different IoT conformity assessment activities could be leveraged to 
demonstrate that consumer IoT devices conform to technical

[[Page 58218]]

requirements, either exclusively or in combination. In addition to 
third-party testing, assessment activities could also include the 
supplier's declaration of conformity/self-attestation of the consumer 
IoT device where a statement is issued based on a comprehensive review 
that an IoT device or product comply with the IoT security standards. 
While the Commission's equipment authorization program has evolved over 
the years, as currently administered the program includes two 
procedures for equipment authorizations--certification and Supplier's 
Declaration of Conformity (SDoC). Relevant technical RF-based standards 
listed in section 2.910 of the Commission's rules are incorporated by 
reference in Part 2. The rules specify the obligations of the 
``responsible party'' (e.g., the manufacturer or importer), including 
warranting that each unit of equipment marketed under the grant of 
certification or SDoC is materially identical to the unit that was 
tested or measured. The Commission seeks comment on the extent to which 
any of these same procedures may be appropriate for the IoT labeling 
program. Are there other alternative procedures that are more suitable 
for the IoT labeling program context?
    35. Third-Party Compliance Testing and Assessment. The Commission 
proposes that conformity assessments for IoT devices and products be 
based on compliance assessment (any testing and other requisite 
assessment) that includes supporting documentation and data submitted 
by the manufacturer or importer of the IoT device or product in 
question to a third-party such as a CyberLAB, and that the third party 
administrator could authorize the use of the IoT security label only 
for devices that meet the established IoT security standards. Should 
all IoT devices or products be required to pursue third party 
compliance assessment, or are there classes of IoT devices or products 
that should allow for self-attestation?

G. Administering the IoT Labeling Program

    36. Commission to Obtain Trademark. The Commission proposes that 
the Commission utilize a certification mark to identify those products 
that meet the Commission's IoT labeling requirements. A certification 
mark is a type of trademark that is used to show consumers that 
particular goods and/or services, or their providers, have met certain 
requirements. Specifically, the mark indicates that: (1) the owner of 
the mark controls who may use the mark; (2) the owner of the mark has 
determined that the user complies with a specific standard described by 
the owner of the mark; and (3) the owner of the mark does not itself 
produce the goods or services covered by the mark. The Commission has 
applied for a mark with the United States Patent and Trademark Office 
(USPTO), and as the owner of the mark, should this proposal be adopted, 
will ensure that the IoT products and devices bearing the mark meet 
FCC-approved cybersecurity labeling program requirements. The 
Commission also seeks comment on whether the Commission should permit 
outside entities to authorize use of the mark where the terms of the 
program are met and what measures are necessary to ensure that the 
Commission is effectively controlling the use of the mark for purposes 
of trademark law.
    37. Commission IoT Label. The Commission proposes to implement a 
single binary label with layering. Under a binary label construct, 
products or devices will either qualify to carry the label or not 
qualify (i.e., not be able to carry the label) and ``layers'' of the 
label would include the Commission's IoT mark representing that the 
product or device has met the Commission's baseline consumer IoT 
cybersecurity standards and a scannable code (e.g., QR code) directing 
the consumer to more detailed information of the particular IoT 
product.
    38. The Commission seeks comment on where authorized program 
participants should affix the security IoT label. If the Commission's 
program addresses devices (rather than products), should it be affixed 
on each IoT device or on the product packaging? Should equipment that 
includes a user display screen be permitted to display the label on the 
user display screen rather than on the device itself? Should there be 
limitations or prescriptions on how companies and third-party resellers 
can use the mark in advertising or sales displays, products or 
websites? The Commission also seeks comment on other approaches with 
regard to what the label should display and where the label should be 
placed.
    39. Layered Information. The Commission seeks comment on the use of 
a QR code or URL to enable consumers to access more detailed 
information about the device or product, including specific security 
information, such as the device manufacturers' level of support, 
software update history, privacy policy, and similar information. To 
provide consumers with uniform information and minimize the potential 
for consumer confusion, the Commission proposes that there be a single 
IoT device or product registry associated with the Commission's IoT 
cybersecurity labeling program, and that any QR code or URL included 
with the FCC IoT mark provide a link to the IoT product's specific web 
page within this IoT registry. The Commission proposes to prohibit any 
additional QR codes or URLs be placed in connection with the 
Commission's IoT mark. The Commission believes that this would help 
ensure the integrity of the Commission's IoT label. If third parties 
are authorized by the Commission to grant use of the cybersecurity IoT 
label, should the Commission also permit them to generate and specify 
the QR code and the URL that can be placed next to the FCC IoT mark and 
require them to prevent the program participants from affixing other QR 
codes or URLs next to the FCC mark? Should the use of the IoT mark be 
prohibited without the associated QR code or URL? What information must 
a company include if they reference the IoT mark in product listings or 
descriptions? What alternative approaches should the Commission 
consider?
    40. QR Code. The Commission proposes that the FCC IoT label include 
a QR code that contains consumer-friendly information that is available 
without internet connection in addition to a URL to the device's or 
product's registry page, which is discussed below. (While the 
Commission thinks the use of a QR code is appropriate in conjunction 
with the layered labeling approach it is proposing here, the Commission 
acknowledges that it previously rejected its use in other contexts, 
such as the required labeling under its equipment authorization rules. 
The Commission is not proposing to revisit those decisions in the 
context of this proceeding. Similarly, the Commission intends its 
proposals to operate distinct and separate from the provisions for the 
electronic labeling of radiofrequency devices contained in its 
equipment authorization rules (47 CFR 2.935), and seeks comment on 
whether it needs to adopt or modify its rules accordingly.) In order to 
prevent consumer confusion and allow for easy comparison among devices 
or products, the Commission also proposes that the information 
contained within the QR code for each certified device or product be 
uniform and include information that is helpful to non-expert, home 
users of IoT devices and products. In this way, the label would be able 
to impact consumer purchasing decisions, which are oftentimes made 
under time pressure while the consumer is at the store choosing between 
products. The Commission proposes the QR code

[[Page 58219]]

include a description of the device's security (e.g., easy to 
understand explanation of what security standards the device meets, and 
how these standards protect the consumer). The Commission also proposes 
the QR code include a statement that while the label indicates the 
device or product meets certain cyber security criteria that reduce 
risk, it does not eliminate risk entirely and the label does not imply 
product endorsement by the label program and that the consumer is 
encouraged to visit the product registry linked by the URL provided 
therein to get the most up-to-date security and other information 
related to the IoT device or product. The Commission seeks comment on 
this proposal and what additional or other information should be 
embedded in the QR code to be of benefit to consumers.
    41. Given the static nature of the information stored in the QR 
code, the Commission urges commenters to consider the types of 
information that would be appropriate for consumer decision-making 
without needing to have the information stored in the QR code updated. 
Alternatively, the QR code could merely provide a link to the IoT 
registry page for the device or product in question, discussed below.
    42. The Commission proposes to require that the manufacturer 
disclose the guaranteed minimum support period for an IoT device or 
product, during which the manufacturer commits to identify and patch 
security vulnerabilities in the product. See NIST, Recommended Criteria 
for Cybersecurity Labeling for Consumer IoT Products, at 10 (Feb. 4, 
2022), https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.02042022-2.pdf. 
While the Commission recognizes the length of such a support period is 
at the discretion of the manufacturer, and may even be zero, the 
Commission seeks comment on the benefits and drawbacks of requiring a 
manufacturer to disclose, via the label or associated registry entry, 
the length of time that an IoT device or product would be supported, 
and the level of support provided. Should they also be required to 
disclose whether all or only critical patches will be supported, the 
regularity with which such patches are made available, whether they are 
automatically deployed, or what additional steps a consumer may need to 
take to remain secure when support ends? Should the Commission require 
the manufacturer to provide notice when that support ends? How can the 
Commission ensure this information is meaningful to consumers? The 
Commission seeks comment on these options and any alternatives to help 
provide consumers with necessary, accurate, and timely information.
    43. IoT Registry. The Commission proposes the use of an IoT 
registry where the public may access a catalog of devices or products 
that are approved pursuant to the Commission's IoT labeling program. 
This IoT registry would be accessible via the internet and serve as a 
one-stop reference for the public to understand which products in the 
market bear the IoT label (e.g., consumers could check the registry 
before they shop). The IoT registry could contain IoT security-related 
information that is sortable and searchable by manufacturer or brand, 
device or product vendor, device or product name, model number, 
firmware/software build version, and other identifying variables, such 
as a unique asset identification number. The Commission seeks comment 
on this approach. Are there any similar product registries that have 
already been established or that are being initiated, and that might be 
leveraged for these purposes? Should the Commission consider selecting 
and overseeing a third-party IoT registry administrator, and if so, how 
could such an administrator be funded? Should there be more than one 
administrator or more than one registry, and if so, how should the 
Commission ensure that accurate, up to date, and complete information 
is contained in each of them? Should it be the same third-party 
administrator contemplated to manage the other aspects of the labeling 
program as described herein?
    44. The QR code and/or the URL associated with the IoT label would 
include a link to the IoT registry, which would provide detailed 
information on the IoT product through the product's web page within 
the IoT registry. The Commission seeks comment on what information 
should be included within the IoT registry and associated with the QR 
codes. If the URL is the sole piece of information associated with the 
QR code, how should registry information be presented or organized to 
ensure consumer-friendliness?
    45. The Commission proposes that, among other information, the IoT 
registry might provide the following information for each approved 
device (or product): (1) how to operate the device securely (e.g., 
basic cyber hygiene to include changing default passwords) and, if 
applicable, what level of security the device or product has achieved; 
(2) whether the product's security settings are protected against 
unauthorized changes, including disabling its security; (3) where the 
device was manufactured; and (4) when the registry information for the 
device was last updated. What other information should be included? 
Would the information included in the CMU IoT Security and Privacy 
Label (CMU Label) be an appropriate model for each IoT product's 
listing provided within the IoT registry? CMU Labels are divided into 
three major sections: (1) security mechanisms, (2) data practices, and 
(3) more information, with various data fields under these sections 
(e.g., security updates, access control, sensor type, privacy policy, 
manufacturer contact information, and platform compatibility). CMU 
Labels often link to external sites, such as manufacturers' websites, 
to provide more detailed information. Would linking to external 
websites, over which the Commission would have no oversight or control, 
be appropriate for the Commission's IoT labeling program and the IoT 
registry? How could the Commission ensure the content of the 
information provided in the external links is accurate and up-to-date? 
Are there additional exemplary labels that the Commission should 
consider? What other additional details should be disclosed to inform 
consumers of cybersecurity risks underlying the IoT product? What 
details can potentially be omitted? How can the Commission otherwise 
ensure the information provided in the IoT registry is meaningful and 
understandable by consumers?
    46. The Commission further asks whether such IoT registry might 
also be used by retailers to assist them with choosing products that 
carry the IoT label for sale in their stores and whether retailers may 
use the registry to confirm that the products that they market 
legitimately bear the FCC's IoT label. If so, should the registry 
maintain different sets of information for general consumers and 
retailers? What additional information would retailers want to see but 
is not relevant to general consumers?
    47. Updating Information. The Commission seeks comment on how to 
ensure consumers are not misled by the meaning of the IoT label and can 
obtain up-to-date information about their device or product. Unlike 
other labeling programs, such as the Commission's Broadband Consumer 
Label, or the ENERGY STAR label, the Commission's labeling program 
addresses cybersecurity risk, which is constantly changing and requires 
constant updating. For example, if a new vulnerability is discovered, 
the product would remain unsecure until that newly discovered 
vulnerability is patched. The Commission proposes that consumers

[[Page 58220]]

be made aware of any vulnerabilities or updated product information 
through the IoT registry. That way, once the product's web page within 
the IoT product registry is updated to indicate that the authorization 
to use the mark is outdated, and/or the device is no longer maintained/
updated, the consumer can understand this information by accessing the 
web page using the QR code and/or the URL provided next to the FCC IoT 
label. Should the Commission impose a duty on manufacturers or 
importers of the IoT devices and products to notify the IoT registry 
operator when they become aware of an unpatched vulnerability that 
poses security risks to their IoT devices and products? Are there other 
events that should trigger IoT product manufacturers or importers to 
notify the registry operator that their IoT registry device or product 
page should be updated?
    48. The Commission seeks comment on these proposals, and on any 
other ways to ensure consumers have up-to-date information regarding 
IoT devices or products labeled under the program, as well as have an 
understanding that the FCC cybersecurity label is not a guarantee 
against all cybersecurity threats. What additional information might be 
warranted to help minimize the potential for customer confusion?
    49. Application/Renewal. The Commission proposes that IoT label 
applicants file for renewal each year, together with supporting 
evidence that the products still meet the FCC's IoT requirements, as 
tested and administered by the CyberLABs or as self-attested. In this 
regard, the Commission seeks to ensure consumers have up-to-date 
information regarding the participating device or product, and to 
address end-of-life issues for devices previously approved, but that no 
longer warrant continued authorization to use the label. Should the 
label include the specific date, or the year, the label was awarded to 
help notify consumers how fresh the authorization is? Should the FCC 
IoT labels on the device or product have an expiration date? How does 
the Commission ensure consumers are aware of when a device with an FCC 
IoT label is no longer maintained and/or updated by manufacturers, and 
may no longer meet up-to-date cybersecurity requirements?
    50. The Commission seeks comment on this proposal to employ a 
renewal process. Should the Commission consider other timeframes on a 
shorter or longer basis? Should there be an event in the product's 
life-cycle or a security event that should trigger the applicant to 
file for an early renewal? When would such an event trigger early 
renewal, versus filing updated information with the program 
administrator and updating the IoT registry? Similarly, are there 
incidents or developments that might warrant the removal of the IoT 
cybersecurity label, and what might those circumstances be? After the 
IoT device or product is authorized for the first time, what supporting 
documents should the program participants provide to validate and renew 
their authorization to use the label? Must it be retested annually? How 
should the IoT registry reflect that an authorization to use the label 
is out of date?
    51. The Commission also seeks comment on the interplay between the 
proposed IoT cybersecurity labeling program and its current equipment 
authorization rules. Given that the review process for the proposed 
program will likely not be administered in the same manner, and by the 
same entities, as are involved in its equipment authorization program, 
the Commission proposes that they generally operate in a distinct 
manner. However, given that equipment subject to the requirements of 
the Commission's equipment authorization rules must satisfy those rules 
before they can be manufactured and sold in the United States, the 
Commission proposes that approval be granted under the cybersecurity 
labeling program only after any applicable requirements of the 
equipment authorization rules have been satisfied for the relevant 
device or product. The Commission seeks comment on these proposals and 
on any other ways in which it should address the potential interplay 
between the proposed IoT cybersecurity labeling program and its current 
equipment authorization rules.
    52. Costs. The Commission permits TCBs to establish and assess fees 
for processing equipment authorization applications and conducting 
other Commission-required tasks. The Commission anticipates that 
similarly situated third parties in this program may wish to charge for 
their services and seek comment on whether there is any oversight the 
Commission needs to exercise over such charges. Further, the Commission 
proposes, that when a proposed grant of labeling authority is submitted 
to the Commission for action it should be accompanied by an application 
fee pursuant to its authority under section 8 of the Communications 
Act. The Commission proposes to follow the fee calculation methodology 
adopted by the Commission in the 2020 Application Fee Report and Order. 
The Commission seeks comment on this proposal and any changes or 
modifications the Commission should consider here.
    53. Investigation, Disqualification, and Enforcement. Ensuring that 
the label remains a trusted and valuable resource to purchasers 
requires that the integrity of the devices and products bearing the 
label is maintained. As such, the Commission seeks comment on how to 
enforce the labeling program requirements. To the extent that non-
Commission entities are better situated to perform, and receive 
approval to perform, certain functions, should they also be required to 
conduct a certain number of random audits of the certified IoT devices 
and products to confirm that they are in compliance? Are there types of 
market surveillance that should be conducted, and by whom? Should the 
Commission allow consumer or third-party complaints? Should the 
Commission or other entities accept and process such complaints? What 
should the Commission's role be in audit and oversight? For any non-
compliance, the Commission could rely on a combination of enforcement 
procedures such as administrative remedies under the Communications Act 
(e.g., show cause orders, revocation proceedings, forfeitures, consent 
decrees, cease and desist orders, and penalties) or civil litigation 
for breach of contract or trademark infringement, in which the 
Department of Justice (DOJ) would participate. As noted above, the 
Commission also seeks comment on what, if any, additional measures are 
necessary to ensure that the Commission is effectively controlling use 
of the certification mark for purposes of trademark law. What 
enforcement measures would be appropriate for firms that falsely put 
the IoT certification mark or label on their products? How would it be 
enforced if firms are outside of the United States? In the more 
contractual context of the ENERGY STAR program, EPA has set out certain 
Disqualification Procedures that it would apply if a product fails 
third-party verification testing, or if it fails subsequent Department 
of Energy (DOE) appliance testing or in the event of product 
nonconformity. In particular, this process gives the ENERGY STAR 
Partner notice and an opportunity to dispute the assessment with EPA 
before a formal disqualification decision is made. The Disqualification 
Procedures specify certain steps that ENERGY STAR Partners must take in 
the event of a disqualification (e.g., removing references to ENERGY 
STAR in the product labeling, marketing, etc.). Should the Commission 
adopt a similar

[[Page 58221]]

disqualification procedure under its rules? What enforcement measures 
would be appropriate in addition to revoking authorization to use the 
IoT label? What procedures or consequences should apply where a device 
or product was certified under one set of standards but is not capable 
of meeting a new or updated standard adopted later? How should the 
participants address the products that have the IoT security labels 
affixed to their products when their products become non-compliant? If 
an applicant is denied authority to use the Commission's IoT label, 
should they be able to appeal that decision? The Commission also seeks 
comment on any recordkeeping and audit requirements for compliance 
review purposes.
    54. Conversely, where a program participant has received 
authorization to utilize the Commission's IoT Label and has 
appropriately maintained the device's security measures, does this 
represent an indicium of reasonableness that might serve as a defense 
or safe harbor against liability for damages resulting from a cyber 
incident, e.g., data breach, denial of service, malware? While the 
Commission clarifies that it does not intend at this time for the 
labeling program in and of itself to preempt otherwise existing law, 
are there other affirmative measures that the Commission should 
consider adopting that should be afforded to devices that have achieved 
and maintained a Commission IoT security label?
    55. Consumer Education. The Commission expects that the success of 
this program will rely upon a robust education campaign with shared 
responsibilities among the scheme owner, manufacturers, retailers, 
industry, and non-profit security groups to promote label recognition, 
brand trust, and transparency of what the Commission's IoT 
cybersecurity label means. The Commission seeks comment on whether the 
education campaign used should be comprised of the consumer education 
materials recommended by NIST, which include providing consumers online 
access to information addressing:
     Intent and Scope: What the label does and does not mean, 
including addressing potential misinterpretations (e.g., stating that 
meeting the label security criteria reduces risk but does not eliminate 
it entirely, and that labeled products are not necessary more secure 
than unlabeled products); and a statement that the label does not imply 
product endorsement by the Commission;
     Product Criteria: The cybersecurity properties that must 
be met for a device to have the Commission label and how and why these 
properties were selected; including information on how the criteria 
address security risks both to the consumer and to others for common 
intended uses of the products;
     A glossary of applicable technical terms written in plain 
English;
     General information about conformity assessment and how 
cybersecurity properties are evaluated;
     Declaration of Conformity: The device's specific 
declaration of conformity to the IoT security standards, including the 
date the label was last awarded;
     Scope: The kinds of devices eligible for the label and an 
easy way for consumers to identify labeled devices;
     Changing Applicability: The current state of device 
labeling as new cybersecurity threats and vulnerabilities emerge;
     Security considerations for end-of-life IoT devices and 
implications for functionality if the device is no longer connected;
     Expectations for Consumers: The responsibility consumers 
share in securing the device software and how their actions (or 
inactions) can impact the device's software cybersecurity; and
     Contact information for the labeling program and 
information on how consumers can lodge a complaint regarding a product 
label.
    56. The Commission seeks comment on anticipated costs of such a 
consumer education campaign particularly with regard to upfront costs 
that will be incurred to start the program. The Commission also seeks 
comment on mechanisms for conducting the outreach consistent with the 
constraints on federal outreach and the possibility of public or 
private partnerships that may facilitate a consumer education campaign.
    57. Integrity of the National Government-based IoT Cybersecurity 
Label. The Commission seeks comment on ways to avoid consumer confusion 
between the government-based IoT cybersecurity label and existing and 
future IoT cybersecurity labeling schemes such as UL and IoT Security 
Trust Mark. What features and assurances can the Commission's label 
provide to improve customer awareness of the security of a given IoT 
device? Alternatively, should the FCC label act as an aggregator for 
other labeling programs ensuring that these programs meet the IoT 
security standards in addition to any wider or sector specific security 
needs the scheme owners feel necessary. What about other labeling 
programs in other countries? How should the Commission coordinate and 
engage with other international bodies maintaining labeling programs to 
develop recognition of the Commission's IoT Label, and where 
appropriate, mutual recognition of those international labels? The 
Commission's proposal seeks to implement this program for devices or 
products for sale in the United States. What steps, if any, should the 
Commission take to ensure the FCC label is not mistaken for compliance 
with IoT security or RF-emission standards in other countries?
    58. Accessibility. The Commission emphasizes its continued 
commitment to ensuring that the labeling program is accessible and 
usable by individuals with disabilities. With respect to the 
Commission's Broadband Consumer Label, in 2022, the Commission noted 
that the Consumer Advisory Committee (CAC) determined that 
participating providers can best ensure accessibility to printed and 
online information by relying on well-established legal requirements 
included in the Americans with Disabilities Act and by following the 
guidance developed by the Web Accessibility Initiative. The Commission 
seeks comment on whether relying on these guidelines provides the best 
likelihood of ensuring that consumers with disabilities will be able to 
access necessary information about their IoT devices or products. The 
Commission seeks comment on how best to ensure that any adopted IoT 
cybersecurity label is accessible to persons with disabilities.

Legal Authority

    59. The Commission tentatively concludes that it has authority to 
adopt the proposed IoT labeling program. In particular, section 302(a) 
of the Communications Act authorizes the FCC ``consistent with the 
public interest, convenience, and necessity, [to] make reasonable 
regulations (1) governing the interference potential of devices which 
in their operation are capable of emitting radio frequency energy by 
radiation, conduction, or other means in sufficient degree to cause 
harmful interference to radio communications; . . .'' While this 
program would be voluntary, entities that elect to participate would 
need to do so in accordance with the regulations the Commission adopts 
in this proceeding, including but not limited to the IoT security 
standards, compliance requirements, and the labeling program's 
operating framework. The Commission tentatively concludes that the 
standards the Commission proposes to apply when administering the 
proposed labeling program fall within the scope of ``reasonable 
regulations . . . governing the interference potential

[[Page 58222]]

of devices. . . .'' The Commission seeks comment on this reasoning.
    60. The Commission has exercised authority in other contexts to 
secure both software and firmware to prevent unauthorized modification 
that would compromise a device or the data it transmits. For example, 
in adopting technical rules for the Citizens Broadband Radio Service 
(CBRS), the Commission required end user devices to ``contain security 
features sufficient to protect against modification of software and 
firmware by any unauthorized parties'' and required that such devices 
``be able to protect the communication data that are exchanged between 
these elements.'' The Commission adopted a further obligation for 
identified security vulnerabilities to be resolved on a going-forward 
basis, and encouraged industry to develop best practices for end-to-end 
security that can be validated through the certification process. By 
way of further example, in the 5 GHz band, the Commission, noting the 
potential for reprogramming of unlicensed national information 
infrastructure (U-NII) devices to operate outside of authorized device 
parameters, similarly adopted security measures requiring manufacturers 
to prevent software changes that would result in this outcome. 
Declining to mandate specific software security measures, the 
Commission required manufacturers instead to document their methods. In 
addition, the Commission's rules require security protocols and 
procedures to ensure the integrity of transmission related between and 
among white space devices and databases.
    61. The Commission's proposed labeling program rules are intended 
to ensure that IoT devices have implemented certain minimum 
cybersecurity protocols to prevent their being hacked by bad actors who 
could cause the devices to cause harmful interference to radio 
communications. As noted above, in the 5 GHz context, the Commission 
identified concerns about security vulnerabilities that could, if 
exploited, lead equipment to operate outside established parameters, 
with the associated risk that doing so could cause harmful 
interference. As also noted above, interference issues also could arise 
if security vulnerabilities were exploited to use a device as an 
interference generator, or to transmit at times and intervals selected 
by the attacker to interfere with other devices. The Commission 
anticipates that this could be a more pervasive risk, and the 
Commission seeks comment on that predictive judgment. Furthermore, 
under the Act, the Commission's other obligations in this regard can 
encompass not only the prevention of interference to other devices, but 
the need to mitigate against the risk of interference to covered 
equipment. In this regard, and in considering the potential need to 
encompass not only devices but, ultimately, products in order to 
adequately secure the IoT ecosystem and empower consumer choices, the 
Commission believes such an approach is reasonable under sections 333 
and 302(a) of the Act.
    62. In particular, the Commission also seeks comment on the 
authorities that would support including additional IoT products and 
devices within the proposed IoT labeling Program. For example, section 
302(a)(2) of the Act provides the Commission with the authority to 
adopt reasonable regulations ``establishing minimum performance 
standards for home electronic equipment and systems to reduce their 
susceptibility to interference from radio frequency energy.'' Does this 
authority support reasonable regulations that may include the 
regulations proposed herein? Section 333 states: ``No person shall 
willfully or maliciously interfere with or cause interference to any 
radio communications of any station licensed or authorized by or under 
this chapter or operated by the United States Government.'' Does this 
authority, possibly coupled with other provisions, provide a basis for 
the Commission's proposed action? Is the Commission's proposal 
necessary or reasonably ancillary to the execution of its 
implementation of any or all of these statutory responsibilities?
    63. Is it reasonable for the Commission's labeling program to not 
only guard against the risk that covered devices and products cause 
harmful interference, but also to guard against other risks, including 
the risk of interference to those covered devices and products 
consistent with policy goals underlying sections 302(a)(2) and 333 of 
the Act? For example, the Commission tentatively concludes that its 
authority to adopt ``reasonable regulations'' to guard against harmful 
interference under section 302 of the Act authorizes a labeling program 
that applies a set of criteria or standards that address not only risks 
of harmful interference from the products or devices subject to 
labeling but also other harms, such as the risk of harmful interference 
to such products or devices--particularly where the relevant criteria 
or standards were designed or intended to be applied as a package or 
collectively.
    64. The Commission also tentatively concludes that its authority 
under section 302(a)(1) of the Act to adopt reasonable regulations 
consistent with the public interest to guard against interference 
provides the Commission flexibility to tailor the proposed labeling 
program in other ways. For example, the Commission believes that, in 
adopting reasonable regulations consistent with the public interest 
under section 302, the Commission has authority to exclude equipment 
from the Covered List from participating in the voluntary labeling 
program, consistent with the objectives of sections 2(a) and (d) of the 
Secure and Trusted Communications Networks Act of 2019. The Commission 
further tentatively concludes that its section 302 authority likewise 
enables it to rely on third parties in carrying out the implementation 
details of the proposed labeling program. In particular, section 302(e) 
of the Act authorizes the Commission to delegate equipment testing and 
certification to private laboratories, and the Commission notes in that 
regard that it already has relied in part on third parties in carrying 
out its equipment authorization rules. The Commission also seeks 
comment on whether its authority to adopt reasonable regulations in the 
public interest to carry out the objectives of section 302 authorizes 
the Commission to rely on a third party IoT registry administrator as 
well as rely on third parties to perform some of the functions 
described above.
    65. The Commission also seeks comment on whether section 301 of the 
Act also provides the Commission with authority to include in its 
labeling program IoT products and devices that might receive harmful 
interference from an unauthorized cyber event. The Commission also 
recognizes, for example, that cyberattacks utilizing IoT 
vulnerabilities may not only give rise to harmful interference 
concerns, but can also effectuate physical threats to the world around 
us--degrading wireless networks, for example, changing service settings 
on smart appliances, or--more catastrophically--shutting down an 
industrial control system. Are there additional authorities that 
support the inclusion of additional IoT products and devices that do 
not emit RF externally for purposes of communications, such as 
unintentional or incidental radiators, or wired-only IoT?
    66. The Commission seeks comment broadly its legal authority under 
the Communications Act, or any other source, to implement the proposed 
voluntary IoT labeling program, including its authority pursuant to 
Titles II and III as well as its authority

[[Page 58223]]

under section 4(i) of the Communications Act, as amended, to ``perform 
any and all acts, make such rules and regulations, and issue such 
orders, not inconsistent with this chapter, as may be necessary in the 
execution of its functions'' which includes ``the purpose of promoting 
safety of life and property.''
    67. The Commission further seeks comment on how it may utilize 
enforcement authorities under the Act, including the potential 
imposition of penalties under section 503 and cease and desist orders 
under section 312 for those entities that voluntarily participate in 
the labeling program, but fail to continue to comply with the 
Commission's regulations. Would participants in the labeling program 
already be holders of authorizations within the meaning of section 
503(b)(5) of the Act, or are there steps the Commission should take to 
structure the labeling program so that participation would itself 
satisfy that provision? Are there any additional avenues for 
enforcement or oversight of the program's participants or of a third-
party security certifying body? What trademark remedies are available 
to the Commission? Are there other agencies that might contribute to 
program enforcement?

Promoting Digital Equity

    68. The Commission, as part of its continuing effort to advance 
digital equity for all,\84\ including people of color, persons with 
disabilities, persons who live in rural or Tribal areas, and others who 
are or have been historically underserved, marginalized, or adversely 
affected by persistent poverty or inequality, invites comment on any 
equity-related considerations \85\ and benefits (if any) that may be 
associated with the proposals and issues discussed herein. 
Specifically, the Commission seeks comment on how its proposals may 
promote or inhibit advances in diversity, equity, inclusion, and 
accessibility, as well as the scope of the Commission's relevant legal 
authority.

Appendix A

    69. Within the scope of a consumer IoT product, the following 
baseline product criteria are recommended by NIST to define the 
cybersecurity outcomes expected of IoT products and IoT product 
developers as part of a consumer IoT product labeling program. Most 
criteria concern the IoT product directly and are expected to be 
satisfied by software and/or hardware means implemented in the IoT 
product. Some criteria apply to the IoT product developer rather than 
to the IoT product directly. These criteria are expected to be 
satisfied through actions and supported by assertions and evidence from 
the developer rather than from the IoT product itself.
    70. Product criteria are recommended to apply to the IoT product 
overall, as well as to each individual IoT product component (e.g., IoT 
device, backend, companion app), as appropriate. (Given the nature of 
consumer IoT product, it is expected that all IoT products should 
satisfy all technical product criteria since they will, in most cases, 
be finished products intended for direct plug-and-play use. Individual 
IoT product components, though, may be more likely to not require 
certain criteria (e.g., based on lack of applicability). A scheme owner 
has the flexibility to adapt the product criteria and determine 
appropriate supporting evidence. Though NIST recommends that all 
criteria apply to every IoT product, some components may not be able or 
need to support all criteria. That might be the case due to product 
risk considerations, product development (e.g., cybersecurity tasks 
delegated via contracts and supply chain), nature of the components to 
form the product (e.g., backends may be highly distributed), or 
limitations of IoT components (e.g., devices may be constrained, 
companion software apps may have limited access and functionality).
    Asset Identification: The IoT product is uniquely identifiable and 
inventories all of the IoT product's components.
     The IoT product can be uniquely identified by the customer 
and other authorized entities (e.g., the IoT product developer).
     The IoT product uniquely identifies each IoT product 
component and maintains an up-to-date inventory of connected product 
components.
    Cybersecurity utility: The ability to identify IoT products and 
their components is necessary to support asset management for updates, 
data protection, and digital forensics capabilities for incident 
response.
    Product Configuration: The configuration of the IoT product is 
changeable, there is the ability to restore a secure default setting, 
and any and all changes can only be performed by authorized 
individuals, services, and other IoT product components.
     The customer can change the configuration settings of the 
IoT product via one or more IoT product components.
     The IoT product applies configuration settings to 
applicable IoT components.
    Cybersecurity utility: The ability to change aspects of how the IoT 
product functions can help customers tailor the IoT product's 
functionality to their needs and goals. Customers can configure their 
IoT products to avoid specific threats and risk they know about based 
on their risk appetite.
    Data Protection: The IoT product and its components protect data 
stored (across all IoT product components) and transmitted (both 
between IoT product components and outside the IoT product) from 
unauthorized access, disclosure, and modification.
     Each IoT product component protects data it stores via 
secure means, including the ability to delete or render inaccessible 
data stored that is either collected from or about the customer, home, 
family, etc.
     When data is sent between IoT product components or 
outside the product, protections are used for the data transmission.
    Cybersecurity utility: Maintaining confidentiality, integrity, and 
availability of data is foundational to cybersecurity for IoT products. 
Customers will expect that data is protected and that protection of 
data helps to ensure safe and intended functionality of the IoT 
product.
    Interface Access Control: The IoT product and its components 
restrict logical access to local and network interfaces--and to 
protocols and services used by those interfaces--to only authorized 
individuals, services, and IoT product components.
     Each IoT product component controls access (to and from) 
all interfaces (e.g., local interfaces, network interfaces, protocols, 
and services) in order to limit access to only authorized entities. At 
a minimum, the IoT product and its components shall:
    a. Use and have access only to interfaces necessary for the IoT 
product's operation. All other channels and access to channels are 
removed or secured.
    b. For all interfaces necessary for the IoT product's use, access 
control measures are in place (e.g., unique password-based multifactor 
authentication).
    c. For all interfaces, access and modification privileges are 
limited.
     The IoT product executes means via some, but not 
necessarily all, components to protect and maintain interface access 
control. At a minimum, the IoT product shall:
    a. Validate that data sent to other product components matches 
specified definitions of format and content.
    b. Prevent unauthorized transmissions or access to other product 
components.

[[Page 58224]]

    c. Maintain appropriate access control during initial connection 
(i.e., on-boarding) and when reestablishing connectivity after 
disconnection or outage.
    Cybersecurity utility: Inventorying and controlling access to all 
internal and external interfaces to the IoT product will help preserve 
the confidentiality, integrity, and availability of the IoT product, 
its components, and data by helping prevent unauthorized access and 
modification.
    Software Update: The software of all IoT product components can be 
updated by authorized individuals, services, and other IoT product 
components only by using a secure and configurable mechanism, as 
appropriate for each IoT product component.
     Each IoT product component can receive, verify, and apply 
verified software updates.
     The IoT product implements measures to keep software on 
IoT product components up to date (i.e., automatic application of 
updates or consistent customer notification of available updates via 
the IoT product).
    Cybersecurity utility: Software may have vulnerabilities discovered 
after the IoT product has been deployed; software update capabilities 
can ensure secure delivery of security patches.
    Cybersecurity State Awareness: The IoT product supports detection 
of cybersecurity incidents affecting or affected by IoT product 
components and the data they store and transmit.
     The IoT product captures and records information about the 
state of IoT components that can be used to detect cybersecurity 
incidents affecting or affected by IoT product components and the data 
they store and transmit.
    Cybersecurity utility: Protection of data and ensuring proper 
functionality can be supported by the ability to alert the customer 
when the device starts operating in unexpected ways, which could mean 
that unauthorized access is being attempted, malware has been loaded, 
botnets have been created, device software errors have happened, or 
other types of actions have occurred that was not initiated by the IoT 
product user or intended by the developer.
    Documentation: The IoT product developer creates, gathers, and 
stores information relevant to cybersecurity of the IoT product and its 
product components prior to customer purchase, and throughout the 
development of a product and its subsequent lifecycle.
     Throughout the development lifecycle, the IoT product 
developer creates or gathers and stores information relevant to the 
cybersecurity of the IoT product and its product components, including:
    a. Assumptions made during the development process and other 
expectations related to the IoT product, including:
    i. Expected customers and use cases.
    ii. Physical use, including security of the location of the IoT 
product and its product components (e.g., a camera for use inside the 
home that has an off switch on the device vs. a security camera for use 
outside the home that does not have an off switch on the device), and 
characteristics.
    iii. Network access and requirements (e.g., bandwidth 
requirements).
    iv. Data created and handled by the IoT product.
    v. Any expected data inputs and outputs (including error codes, 
frequency, type/form, range of acceptable values, etc.).
    vi. The IoT product developer's assumed cybersecurity requirements 
for the IoT product.
    vii. Any laws and regulations with which the IoT product and 
related support activities comply.
    viii. Expected lifespan and anticipated cybersecurity costs related 
to the IoT product (e.g., price of maintenance), and length and terms 
of support.
    b. All IoT components, including but not limited to the IoT device, 
that are part of the IoT product.
    c. How the baseline product criteria are met by the IoT product 
across its product components, including which baseline product 
criteria are not met by IoT product components and why (e.g., the 
capability is not needed based on risk assessment).
    d. Product design and support considerations related to the IoT 
product, for example:
    i. All hardware and software components, from all sources (e.g., 
open source, propriety third-party, internally developed) used to 
create the IoT product (i.e., used to create each product component).
    ii. IoT platform used in the development and operation of the IoT 
product, its product components, including related documentation.
    iii. Protection of software and hardware elements implemented to 
create the IoT product and its product components (e.g., secure boot, 
hardware root of trust, and secure enclave).
    iv. Consideration of the known risks related to the IoT product and 
known potential misuses.
    v. Secure software development and supply chain practices used.
    vi. Accreditation, certification, and/or evaluation results for 
cybersecurity- related practices.
    vii. The ease of installation and maintenance of the IoT product by 
a customer (i.e., the usability of the product).
    e. Maintenance requirements for the IoT product, for example:
    i. Cybersecurity maintenance expectations and associated 
instructions or procedures (e.g., vulnerability/patch management plan).
    ii. How the IoT product developer identifies authorized supporting 
parties who can perform maintenance activities (e.g., authorized repair 
centers).
    iii. Cybersecurity considerations of the maintenance process (e.g., 
how customer data unrelated to the maintenance process remains 
confidential even from maintainers).
    f. The secure system lifecycle policies and processes associated 
with the IoT product, including:
    i. Steps taken during development to ensure the IoT product and its 
product components are free of any known, exploitable vulnerabilities.
    ii. The process of working with component suppliers and third-party 
vendors to ensure the security of the IoT product and its product 
components is maintained for the duration of its supported lifecycle.
    iii. Any post end-of-support considerations, such as the discovery 
of a vulnerability which would significantly impact the security, 
privacy, or safety of customers who continue to use the IoT product and 
its product components.
    g. The vulnerability management policies and processes associated 
with the IoT product, including:
    i. Methods of receiving reports of vulnerabilities (see Information 
and Query Reception below).
    ii. Processes for recording reported vulnerabilities.
    iii. Policy for responding to reported vulnerabilities, including 
the process of coordinating vulnerability response activities among 
component suppliers and third-party vendors.
    iv. Policy for disclosing reported vulnerabilities.
    v. Processes for receiving notification from component suppliers 
and third- party vendors about any change in the status of their 
supplied components, such as end of production, end of support, 
deprecated status (e.g., the product is no longer recommended for use), 
or known insecurities.
    Cybersecurity utility: Generating, capturing, and storing important 
information about the IoT product and its development (e.g., assessment 
of the IoT product and development practices used to create and 
maintain it) can help inform the IoT product developer

[[Page 58225]]

regarding the product's actual cybersecurity posture.
    Information and Query Reception: The ability of the IoT product 
developer to receive information relevant to cybersecurity and respond 
to queries from the customer and others about information relevant to 
cybersecurity.
     The IoT product developer can receive information related 
to the cybersecurity of the IoT product and its product components and 
can respond to queries related to cybersecurity of the IoT product and 
its product components from customers and others, including:
    a. The ability of the IoT product developer to identify a point of 
contact to receive maintenance and vulnerability information (e.g., bug 
reporting capabilities and bug bounty programs) from customers and 
others in the IoT product ecosystem (e.g., repair technician acting on 
behalf of the customer).
    b. The ability of the IoT product developer to receive queries from 
and respond to customers and others in the IoT product ecosystem about 
the cybersecurity of the IoT product and its components.
    Cybersecurity utility: As IoT products are used by customers, those 
customers may have questions or reports of issues that can help improve 
the cybersecurity of the IoT product over time.
    Information Dissemination: The IoT product developer broadcasts 
(e.g., to the public) and distributes (e.g., to the customer or others 
in the IoT product ecosystem) information relevant to cybersecurity.
     The IoT product developer can broadcast to many/all 
entities via a channel (e.g., a post on a public channel) to alert the 
public and customers of the IoT product about cybersecurity relevant 
information and events throughout the support lifecycle. At a minimum, 
this information shall include:
    a. Updated terms of support (e.g., frequency of updates and 
mechanism(s) of application) and notice of availability and/or 
application of software updates.
    b. End of term of support or functionality for the IoT product.
    c. Needed maintenance operations.
    d. New IoT device vulnerabilities, associated details, and 
mitigation actions needed from the customer.
    e. Breach discovery related to an IoT product and its product 
components used by the customers, associated details, and mitigation 
actions needed from the customer (if any).
     The IoT product developer can distribute information 
relevant to cybersecurity of the IoT product and its product components 
to alert appropriate ecosystem entities (e.g., common vulnerability 
tracking authorities, accreditors and certifiers, third-party support 
and maintenance organizations) about cybersecurity relevant 
information, for example:
    a. Applicable documentation captured during the design and 
development of the IoT product and its product components.
    b. Cybersecurity and vulnerability alerts and information about 
resolution of any vulnerability.
    c. An overview of the information security practices and safeguards 
used by the IoT product developer.
    d. Accreditation, certification, and/or evaluation results for the 
IoT product developer's cybersecurity-related practices.
    e. A risk assessment report or summary for the IoT product 
developer's business environment risk posture.
    Cybersecurity utility: As the IoT product, its components, threats, 
and mitigations change, customers will need to be informed about how to 
securely use the IoT product.
    Product Education and Awareness: The IoT product developer creates 
awareness of and educates customers and others in the IoT product 
ecosystem about cybersecurity-related information (e.g., 
considerations, features) related to the IoT product and its product 
components.
     The IoT product developer creates awareness and provides 
education targeted at customers about information relevant to 
cybersecurity of the IoT product and its product components, including:
    a. The presence and use of IoT product cybersecurity capabilities, 
including at a minimum:
    i. How to change configuration settings and the cybersecurity 
implications of changing settings, if any.
    ii. How to configure and use access control functionality (e.g., 
set and change passwords).
    iii. How software updates are applied and any instructions 
necessary for the customer on how to use software update functionality.
    iv. How to manage device data including creation, update, and 
deletion of data on the IoT product.
    b. How to maintain the IoT product and its product components 
during its lifetime, including after the period of security support 
(e.g., delivery of software updates and patches) from the IoT product 
developer.
    c. How an IoT product and its product components can be securely 
re-provisioned or disposed of.
    d. Vulnerability management options (e.g., configuration and patch 
management and anti-malware) available for the IoT product or its 
product components that could be used by customers.
    e. Additional information customers can use to make informed 
purchasing decisions about the security of the IoT product (e.g., the 
duration and scope of product support via software upgrades and 
patches).
    Cybersecurity utility: Customers will need to be informed about how 
to securely use the device to lead to the best cybersecurity outcomes 
for the customers and the consumer IoT product marketplace.

Procedural Matters

Initial Paperwork Reduction Act of 1995 Analysis

    This document seeks comment on potential new or revised proposed 
information collection requirements. Therefore, the Commission seeks 
comment on potential new or revised collections subject to the 
Paperwork Reduction Act of 1995. If the Commission adopts any new or 
revised final information collection requirements when the final rules 
are adopted, the Commission will publish a notice in the Federal 
Register inviting further comments from the public on the final 
information collection requirements, as required by the Paperwork 
Reduction Act of 1995, Public Law 104-13 (44 U.S.C. 3501-3520). The 
Commission, as part of its continuing effort to reduce paperwork 
burdens, invites the general public to comment on the information 
collection requirements contained in this document, as required by the 
PRA. Public and agency comments on the PRA proposed information 
collection requirements are due October 24, 2023. Comments should 
address: (a) whether the proposed collection of information is 
necessary for the proper performance of the functions of the 
Commission, including whether the information shall have practical 
utility; (b) the accuracy of the Commission's burden estimates; (c) 
ways to enhance the quality, utility, and clarity of the information 
collected; (d) ways to minimize the burden of the collection of 
information on the respondents, including the use of automated 
collection techniques or other forms of information technology; and (e) 
way to further reduce the information collection burden on small 
business concerns with fewer than 25 employees. In addition, pursuant 
to the Small Business Paperwork Relief Act of 2002, Public Law 107-198, 
see 44 U.S.C. 3506(c)(4), the Commission seeks specific comment on how 
it might

[[Page 58226]]

``further reduce the information collection burden for small business 
concerns with fewer than 25 employees.''

Initial Regulatory Flexibility Analysis

    71. As required by the Regulatory Flexibility Act of 1980, as 
amended (RFA), the Commission has prepared an Initial Regulatory 
Flexibility Analysis (IRFA) of the possible significant economic impact 
on a substantial number of small entities by the policies and rules 
proposed in the document. The IRFA is set forth in Appendix B of the 
document. Written public comments are requested on this IRFA. Comments 
must be identified as responses to the IRFA and must be filed by the 
deadlines for comments on the document, including this IRFA, to the 
Chief Counsel for Advocacy of the Small Business Administration (SBA). 
In addition, the document and IRFA (or summaries thereof) will be 
published in the Federal Register.

A. Need for, and Objectives of, the Proposed Rules

    72. The document proposes a voluntary cybersecurity labeling 
program for the Internet of Things (IoT) to improve consumer confidence 
and understanding of security for IoT devices and/or products. Such IoT 
devices and products are susceptible to a wide range of security 
vulnerabilities, which can be exploited by attackers to gain 
unauthorized access to an IoT device or IoT product and its data. 
Accordingly, providing consumers with a label certifying that an IoT 
device and/or product satisfies certain baseline cybersecurity 
standards and has specific cybersecurity capabilities allows a consumer 
to understand the relative security risk that an IoT device and/or 
product may pose when making a purchase. The document seeks comments on 
the scope of the proposed cybersecurity labeling program, including 
comments on proposed definitions of an IoT device and an IoT product. 
It also seeks comments on specific technical criteria for the 
cybersecurity labeling program, including whether other criteria in 
addition to the IoT Criteria developed by the National Institute of 
Standards and Technology (NIST), should be considered, and whether and 
how to develop administrable standards. Finally, the document invites 
comments on how to administer the cybersecurity labeling program, the 
appropriate means to fund the costs of running the program, and what 
program auditing, enforcement, disqualification and certification 
revocation processes and procedures should be put in place to ensure 
that the labeling program is a trusted and valuable resource that 
consumers can reply upon to assess the security of the IoT devices and/
or products that exhibit the label.

B. Description and Estimate of the Number of Small Entities to Which 
the Proposed Rules Will Apply

    73. The RFA directs agencies to provide a description of, and where 
feasible, an estimate of the number of small entities that may be 
affected by the proposed rules and policies, if adopted. The RFA 
generally defines the term ``small entity'' as having the same meaning 
as the terms ``small business,'' ``small organization,'' and ``small 
governmental jurisdiction.'' In addition, the term ``small business'' 
has the same meaning has the term ``small business concern'' under the 
Small Business Act. A ``small business concern'' is one which: (1) is 
independently owned and operated; (2) is not dominant in its field of 
operation; and (3) satisfies any additional criteria established by the 
SBA.
    74. Small Businesses, Small Organizations, and Small Governmental 
Jurisdictions. The Commission's actions, over time, may affect small 
entities that are not easily categorized at present. The Commission 
therefore describes here, at the outset, three broad groups of small 
entities that could be directly affected herein. First, while there are 
industry specific size standards for small businesses that are used in 
the regulatory flexibility analysis, according to data from the Small 
Business Administration's (SBA) Office of Advocacy, in general a small 
business is an independent business having fewer than 500 employees. 
These types of small businesses represent 99.9% of all businesses in 
the United States, which translates to 30.7 million businesses.
    75. Next, the type of small entity described as a ``small 
organization'' is generally ``any not-for-profit enterprise which is 
independently owned and operated and is not dominant in its field.'' 
The Internal Revenue Service (IRS) uses a revenue benchmark of $50,000 
or less to delineate its annual electronic filing requirements for 
small exempt organizations. Nationwide, for tax year 2020, there were 
approximately 447,689 small exempt organizations in the U.S. reporting 
revenues of $50,000 or less according to the registration and tax data 
for exempt organizations available from the IRS.
    76. Finally, the small entity described as a ``small governmental 
jurisdiction'' is defined generally as ``governments of cities, 
counties, towns, townships, villages, school districts, or special 
districts, with a population of less than fifty thousand.'' U.S. Census 
Bureau data from the 2017 Census of Governments indicate that there 
were 90,075 local governmental jurisdictions consisting of general 
purpose governments and special purpose governments in the United 
States. Of this number there were 36,931 general purpose governments 
(county, municipal and town or township) with populations of less than 
50,000 and 12,040 special purpose governments--independent school 
districts with enrollment populations of less than 50,000. Accordingly, 
based on the 2017 U.S. Census of Governments data, the Commission 
estimates that at least 48,971 entities fall into the category of 
``small governmental jurisdictions.''
    77. Radio Frequency Equipment Manufacturers (RF Manufacturers). 
There are several analogous industries with an SBA small business size 
standard that are applicable to RF Manufacturers. These industries are 
Fixed Microwave Services, Other Communications Equipment Manufacturing, 
Radio and Television Broadcasting and Wireless Communications Equipment 
Manufacturing. A description of these industries and the SBA small 
business size standards are detailed below.
    78. Fixed Microwave Services. Fixed microwave services include 
common carrier, private-operational fixed, and broadcast auxiliary 
radio services. They also include the Upper Microwave Flexible Use 
Service (UMFUS), Millimeter Wave Service (70/80/90 GHz), Local 
Multipoint Distribution Service (LMDS), the Digital Electronic Message 
Service (DEMS), 24 GHz Service, Multiple Address Systems (MAS), and 
Multichannel Video Distribution and Data Service (MVDDS), where in some 
bands licensees can choose between common carrier and non-common 
carrier status. Wireless Telecommunications Carriers (except Satellite) 
is the closest industry with an SBA small business size standard 
applicable to these services. The SBA small size standard for this 
industry classifies a business as small if it has 1,500 or fewer 
employees. U.S. Census Bureau data for 2017 show that there were 2,893 
firms that operated in this industry for the entire year. Of this 
number, 2,837 firms employed fewer than 250 employees. Thus, under the 
SBA size standard, the Commission estimates that a majority of fixed 
microwave service licensees can be considered small.
    79. The Commission's small business size standards with respect to 
fixed

[[Page 58227]]

microwave services involve eligibility for bidding credits and 
installment payments in the auction of licenses for the various 
frequency bands included in fixed microwave services. When bidding 
credits are adopted for the auction of licenses in fixed microwave 
services frequency bands, such credits may be available to several 
types of small businesses based average gross revenues (small, very 
small and entrepreneur) pursuant to the competitive bidding rules 
adopted in conjunction with the requirements for the auction and/or as 
identified in Part 101 of the Commission's rules for the specific fixed 
microwave services frequency bands.
    80. In frequency bands where licenses were subject to auction, the 
Commission notes that as a general matter, the number of winning 
bidders that qualify as small businesses at the close of an auction 
does not necessarily represent the number of small businesses currently 
in service. Further, the Commission does not generally track subsequent 
business size unless, in the context of assignments or transfers, 
unjust enrichment issues are implicated. Additionally, since the 
Commission does not collect data on the number of employees for 
licensees providing these services, at this time the Commission is not 
able to estimate the number of licensees with active licenses that 
would qualify as small under the SBA's small business size standard.
    81. Other Communications Equipment Manufacturing. This industry 
comprises establishments primarily engaged in manufacturing 
communications equipment (except telephone apparatus, and radio and 
television broadcast, and wireless communications equipment). Examples 
of such manufacturing include fire detection and alarm systems 
manufacturing, Intercom systems and equipment manufacturing, and 
signals (e.g., highway, pedestrian, railway, traffic) manufacturing. 
The SBA small business size standard for this industry classifies firms 
having 750 or fewer employees as small. For this industry, U.S. Census 
Bureau data for 2017 shows that 321 firms operated for the entire year. 
Of that number, 310 firms operated with fewer than 250 employees. Based 
on this data, the Commission concludes that the majority of Other 
Communications Equipment Manufacturers are small.
    82. Radio and Television Broadcasting and Wireless Communications 
Equipment Manufacturing. This industry comprises establishments 
primarily engaged in manufacturing radio and television broadcast and 
wireless communications equipment. Examples of products made by these 
establishments are: transmitting and receiving antennas, cable 
television equipment, GPS equipment, pagers, cellular phones, mobile 
communications equipment, and radio and television studio and 
broadcasting equipment. This industry comprises establishments 
primarily engaged in manufacturing communications equipment (except 
telephone apparatus, and radio and television broadcast, and wireless 
communications equipment). Examples of such manufacturing include fire 
detection and alarm systems manufacturing, Intercom systems and 
equipment manufacturing, and signals (e.g., highway, pedestrian, 
railway, traffic) manufacturing. The SBA small business size standard 
for this industry classifies firms having 750 or fewer employees as 
small. For this industry, U.S. Census Bureau data for 2017 shows that 
321 firms operated for the entire year. Of that number, 310 firms 
operated with fewer than 250 employees. Based on this data, the 
Commission concludes that the majority of Other Communications 
Equipment Manufacturers are small.

C. Description of Projected Reporting, Recordkeeping, and Other 
Compliance Requirements for Small Entities

    83. The voluntary cybersecurity labeling program for IoT devices 
and/or products to provide consumers with accessible information on the 
relative security of these IoT devices and/or products that the 
Commission proposes in the document may impose new reporting, 
recordkeeping, notice or other compliance requirements on small 
entities that choose to participate in the program. The requirements 
may include application or other conformance reporting, licensing, 
certification and/or other reporting obligations.
    84. The proposals in the document build upon other actions the 
Commission has taken to protect and secure public safety. Accordingly, 
the proposals being made in this document may require additional 
analysis and mitigation activities by small and other IoT manufacturers 
in order to satisfy certain technical criteria or standards for the 
ability to display an IoT cybersecurity label. At this time, the 
Commission is not in a position to determine whether the requirements 
that may be adopted for participants in the proposed cybersecurity 
labeling program will require small entities to hire professionals in 
order to comply and cannot quantify the cost of compliance with the 
potential requirements and obligations that may result in this 
proceeding. Among other things considered, the Commission inquires 
about the options for it to address the costs of running and 
administering the labeling program including whether there may be 
application fees charged by third-parties administering the program and 
whether there is oversight the Commission should exercise over such 
charges. The Commission seeks comment on these issues and anticipate 
that the information it receives in comments will address these matters 
and any broader cost issues for small entities that may choose to 
participate in the proposed labeling program.
    85. In light of the importance of mark integrity and the need to 
build consumer confidence and trust in the security of IoT devices and 
products that will display the Commission's IoT label, regardless of 
the size of the entity seeking to participate in the proposed 
cybersecurity labeling program, adherence by all participants to the 
same Commission rules is necessary. However, the Commission expects 
that the comments it receives will help it identify and evaluate 
relevant matters for small entities before adopting final rules for the 
labeling program, including any compliance costs and burdens that may 
result from the proposals and other matters discussed in the document.

D. Steps Taken To Minimize the Significant Economic Impact on Small 
Entities, and Significant Alternatives Considered

    86. The RFA requires an agency to describe any significant, 
specifically small business, alternatives that it has considered in 
reaching its proposed approach, which may include the following four 
alternatives (among others): ``(1) the establishment of differing 
compliance or reporting requirements or timetables that take into 
account the resources available to small entities; (2) the 
clarification, consolidation, or simplification of compliance or 
reporting requirements under the rule for such small entities; (3) the 
use of performance rather than design standards; and (4) an exemption 
from coverage of the rule, or any part thereof, for such small 
entities.''
    87. The Commission's development of a voluntarily cybersecurity 
labeling program for the IoT products and devices builds on the work of 
the National Institute of Standards and Technology (NIST) which 
produced labeling criteria for cybersecurity capabilities of IoT 
consumer devices. Using the work of NIST as a foundation has the 
potential to minimize the

[[Page 58228]]

economic impact on small entities for several reasons. First, NIST took 
into account existing consumer product labeling programs and 
information provided by diverse stakeholders. Next, two of the key 
elements NIST identified for labeling were encouraging innovation, and 
being practical and not burdensome. Further, the Commission believes 
building on the approach NIST developed for IoT cybersecurity labeling 
will provide a level of consistency with the requirements it 
establishes for the entities subject to Commission regulation that 
choose to participate in the Commission's cybersecurity IoT labeling 
program.
    88. In the document, the Commission considers and seeks comment on 
various compliance requirements that it could consider in advancing a 
voluntary cybersecurity labeling program. More specifically, the 
Commission considered the NIST definition for IoT devices which defines 
IoT devices as devices that have at least one transducer (sensor or 
actuator) for interacting directly with the physical world and at least 
one network interface (e.g., Ethernet, Wi-Fi, Bluetooth) for 
interfacing with the digital world, and determined that it should 
propose an alternative definition. The Commission's proposed definition 
modifies the NIST definition to add ``internet-connected'' because a 
key element of the IoT is the usage of standard internet protocols for 
functionality, which exposes IoT devices to the security threats and 
challenges related to being connected to the internet. The Commission's 
proposed definition also includes the requirement that devices must be 
capable of intentionally emitting radio frequency energy because the 
relevant scope of Commission's statutory authorities focus on devices 
that intentionally emit radio frequency energy.
    89. Although the Commission includes in its definition devices that 
intentionally emit radio frequency energy, it considered whether there 
are unintentional radiators or incidental radiators that should be 
included in the program, and if so whether the Commission should revise 
the definition to omit the word ``intentional.'' Alternatively, the 
Commission inquires if it should consider adding unintentional or 
incidental radiating devices to the program at a later date. In 
addition, while the Commission refers to devices and products in the 
document, it inquires whether it should expand the proposed scope of 
the cybersecurity labeling program and definition of devices beyond IoT 
devices to apply to IoT products. Under this expanded alternative the 
Commission could define an IoT product as an IoT device and any 
additional product components (e.g., backend, gateway, mobile App) that 
are necessary to use the IoT device. A further alternative the 
Commission considered, is whether to limit the IoT labeling program to 
consumer IoT devices or products intended for personal use, or to 
include ``enterprise'' devices or products intended for industrial or 
business uses and any additional considerations that would need to be 
accounted for with such devices or products. The Commission seeks 
comment on these inquiries and alternatives in the document, in 
addition to comments on the proposed definition.
    90. Regarding the content and updating of the IoT label on the 
physical device, product, or packaging, the Commission believes the 
simple approach proposed in the document will result in cost savings 
which could minimize the impact of these requirements for small 
entities. The Commission's proposal is to have the physical device, 
product, or packaging simply indicate that the manufacturer 
participates in the FCC's labeling program by having the FCC mark along 
with the related QR Code and/or the URL to the IoT registry. The 
detailed information on the IoT device or product will be made 
available on the device or product's web page within the IoT registry 
using an QR Code and/or a URL. When the device or product's web page 
within the IoT registry is updated to indicate for example, that the 
device or product's authorization is outdated, and/or the device or 
product is no longer maintained or updated, using the QR Code and/or 
the URL provided next to the FCC mark the information can be accessed 
on the device or product's web page within the IoT registry. Updating 
requirements for the device or product's web page within the IoT 
registry could alleviate the need for the Commission to adopt 
additional notification requirements which would increase costs for 
small entities.
    91. The Commission also considered and seeks comment on 
alternatives on how to address the end-of-life issues for devices 
previously receiving authorization under the program. For example, the 
Commission considered whether the label should include the specific 
date, or the year the authorization was awarded, or an expiration date. 
Further, the Commission considered whether it would be sufficient to 
provide consumers with additional information via the QR Code regarding 
the current security status of a device, and whether the QR Code-linked 
website should indicate when the label was issued by the Commission, 
and when the information on the web page last updated.
    92. In the area of accessibility, to ensure that any IoT 
cybersecurity label information the Commission adopts is accessible to 
persons with disabilities, the Commission considered an alternative 
that would alleviate the need for the Commission to establish and 
impose new accessibility requirements on small entities and other 
participants in the labeling program. Consistent with its approach with 
broadband consumer labels in 2022, in the document the Commission 
considered and seeks comment on relying on the existing legal 
requirements in the Americans with Disabilities Act (ADA) and following 
the guidance developed by the Web Accessibility Initiative, which the 
Consumer Advisory Committee (CAC) determined is the best method to 
ensure accessibility to printed and online information is made 
available by providers.
    93. Further, rather than proposing rules at this juncture, in the 
document the Commission seeks comment on costs associated with the 
proposed cybersecurity IoT labeling program, and on investigation, 
disqualification and enforcement processes to maintain the integrity of 
the devices or products that will be labeled under the program. The 
Commission's actions on all of these matters have the potential to 
minimize the impact of the cybersecurity IoT labeling program the 
Commission adopts on small entities.
    94. Regarding investigation, disqualification and enforcement, as 
discussed in the document, the Commission considered and seeks comment 
on whether to have random audits of IoT devices or products to confirm 
continued compliance; whether the Commission should adopt 
disqualifications procedures similar to those adopted for the ENERGY 
STAR program by the Environmental Protection Agency (EPA); what 
additional non-compliance or disqualification measures would be 
appropriate in addition to authorization revocation, and whether there 
should be an appeal process available to applicants that are denied 
authority to use the IoT label. Additionally, the Commission seeks 
comment on what recordkeeping and audit requirements could be adopted 
for purposes of compliance review.
    95. The Commission expects to more fully consider the economic 
impact and alternatives for small entities following

[[Page 58229]]

the review of comments filed in response to the document. Having input 
from interested parties will allow the Commission to better evaluate 
options and alternatives to minimize any significant economic impact on 
small entities that may result from the proposed cybersecurity IoT 
labeling program and the inquiries and alternatives discussed in the 
document. The Commission's evaluation of this information will shape 
the final alternatives it considers to minimize any significant 
economic impact that may occur on small entities, the final conclusions 
it reaches and any final rules it promulgates in this proceeding.

E. Legal Basis

    96. The proposed action is taken under authority found in sections 
1, 2, 4(i), 4(n), 301, 302, 303(b), 312, 333, and 503 of the 
Communications Act of 1934, as amended, 47 U.S.C. 151, 152, 154(i), 
154(n), 301, 302a, 303(b), 312, 333, 503; and the IoT Cybersecurity 
Improvement Act of 2020, 15 U.S.C. 278g-3a to 278g-3e.

F. Federal Rules That May Duplicate, Overlap, or Conflict With the 
Proposed Rules

    97. None.

Federal Communications Commission.
Katura Jackson,
Federal Register Liaison Officer.
[FR Doc. 2023-18357 Filed 8-24-23; 8:45 am]
BILLING CODE 6712-01-P