Cybersecurity Labeling for Internet of Things, 20603-20605 [2024-06249]
Download as PDF
Federal Register / Vol. 89, No. 58 / Monday, March 25, 2024 / Proposed Rules
F. Federal Rules That May Duplicate,
Overlap, or Conflict With the Proposed
Rules
122. None.
Federal Communications Commission.
Marlene Dortch,
Secretary.
[FR Doc. 2024–05996 Filed 3–22–24; 8:45 am]
BILLING CODE 6712–01–P
FEDERAL COMMUNICATIONS
COMMISSION
47 CFR Part 8
[PS Docket Nos. 23–239; FR ID 210016]
Cybersecurity Labeling for Internet of
Things
Federal Communications
Commission.
ACTION: Proposed rule.
AGENCY:
In this document, the Federal
Communications Commission (FCC or
Commission) adopts a voluntary
cybersecurity labeling program for
wireless consumer Internet of Things, or
IoT, products. The final rule also
requires applicant manufacturers to
make certain disclosures related to their
product(s) for authorization to use the
FCC IoT Label. This is a summary of the
Further Notice of Proposed Rulemaking
(Further Notice), in which the
Commission proposes rules on
additional national security declarations
for the IoT labeling program. These
requirements would further help
consumers make safer purchasing
decisions, raise consumer confidence
regarding the cybersecurity of the IoT
products they buy, and encourage
manufacturers to develop IoT products
with security-by-design principles in
mind.
SUMMARY:
Comments are due on or before
April 24, 2024 and reply comments are
due on or before May 24, 2024. Written
comments on the Paperwork Reduction
Act proposed information collection
requirements must be submitted by the
public, Office of Management and
Budget (OMB), and other interested
parties on or before May 24, 2024.
ADDRESSES: You may submit comments,
identified by PS Docket No. 23–239, by
any of the following methods:
• Federal Communications
Commission’s Website: https://www.
apps.fcc.gov/ecfs/. Follow the
instructions for submitting comments.
• Mail: Parties who choose to file by
paper must file an original and one copy
of each filing. If more than one docket
or rulemaking number appears in the
khammond on DSKJM1Z7X2PROD with PROPOSALS
DATES:
VerDate Sep<11>2014
16:13 Mar 22, 2024
Jkt 262001
caption of this proceeding, filers must
submit two additional copies for each
additional docket or rulemaking
number. Filings can be sent by
commercial overnight courier, or by
first-class or overnight U.S. Postal
Service mail. All filings must be
addressed to the Commission’s
Secretary, Office of the Secretary,
Federal Communications Commission.
Commercial overnight mail (other than
U.S. Postal Service Express Mail and
Priority Mail) must be sent to 9050
Junction Drive, Annapolis Junction, MD
20701. U.S. Postal Service first-class,
Express, and Priority mail must be
addressed to 45 L Street NE,
Washington, DC 20554. Effective March
19, 2020, and until further notice, the
Commission no longer accepts any hand
or messenger delivered filings. This is a
temporary measure taken to help protect
the health and safety of individuals, and
to mitigate the transmission of COVID–
19. See FCC Announces Closure of FCC
Headquarters Open Window and
Change in Hand-Delivery Policy, Public
Notice, DA 20–304 (March 19, 2020).
https://www.fcc.gov/document/fcccloses-headquarters-open-window-andchanges-hand-delivery-policy.
• People with Disabilities. To request
materials in accessible formats for
people with disabilities (braille, large
print, electronic files, audio format),
send an email to fcc504@fcc.gov or call
the Consumer & Governmental Affairs
Bureau at 202–418–0530 (voice), 202–
418–0432 (TTY).
For
further information regarding these
proposed rules, please contact Zoe Li,
Attorney Advisor, Cybersecurity and
Communications Reliability Division,
Public Safety and Homeland Security
Bureau, (202) 418–2490, or by email to
Zoe.Li@fcc.gov.
For additional information concerning
the Paperwork Reduction Act
information collection requirements
contained in this document, send an
email to PRA@fcc.gov or contact Nicole
Ongele, Office of Managing Director,
Performance Evaluation and Records
Management, 202–418–2991, or by
email to PRA@fcc.gov.
FOR FURTHER INFORMATION CONTACT:
This is a
summary of the Commission’s Further
Notice of Proposed Rulemaking
(FNPRM), FCC 24–26, adopted March
14, 2024, and released March 15, 2024.
The full text of this document is
available by downloading the text from
the Commission’s website at: https://
docs.fcc.gov/public/attachments/FCC24-26A1.pdf.
SUPPLEMENTARY INFORMATION:
PO 00000
Frm 00053
Fmt 4702
Sfmt 4702
20603
Synopsis
Further Notice of Proposed Rulemaking
1. In this FNPRM, we seek comment
on additional declarations intended to
provide consumers with assurances that
the products bearing the FCC IoT Label
do not contain hidden vulnerabilities
from high-risk countries, that the data
collected by the products does not sit
within or transit high-risk countries,
and that the products cannot be
remotely controlled by servers located
within high-risk countries. Specifically,
we seek comment on whether we
should require manufacturers to
disclose to the Commission whether
firmware and/or software were
developed and manufactured in a ‘‘highrisk country,’’ as well as where firmware
and software updates will be developed
and deployed from. We also seek
comment on whether to require
manufacturers to disclose to consumers
in the registry whether firmware and/or
software were developed and
manufactured in a ‘‘high-risk country,’’
as well as where firmware and software
updates will be developed and deployed
from. We propose to include as highrisk countries those foreign adversary
countries defined by the Department of
Commerce in 15 CFR 7.4. Are there
other sources that the Commission
should consider for identifying high-risk
countries? Specifically, we seek
comment on whether to require the
applicant seeking to use the FCC IoT
Label to make one of the following
declarations under penalty of perjury to
accompany its application to use the
label:
a. No software or software update or
part of any software or software update
that runs on or controls the product was
or will be developed or deployed from
within a country on the Secretary of
Commerce’s list of high-risk countries,
except that this commitment does not
apply to the origin of open-source
contributions not paid for directly or
indirectly by us or our direct or indirect
partners in offering this product; or
b. This device runs, or due to future
software updates might run, software
developed within the Secretary of
Commerce’s list of high-risk country or
countries. Applicant is not aware of any
backdoors or other sabotage, or any
reason to believe that there is a
particular heightened risk for such
backdoors or sabotage relative other
software developed within such a
country, but we inform purchasers and
users that the Department of Commerce
has designated high-risk country or
countries as jurisdictions whose
conduct is significantly adverse to the
national security of the United States or
E:\FR\FM\25MRP1.SGM
25MRP1
khammond on DSKJM1Z7X2PROD with PROPOSALS
20604
Federal Register / Vol. 89, No. 58 / Monday, March 25, 2024 / Proposed Rules
security and safety of United States
persons.
2. We also seek comment on requiring
manufacturers to disclose to the
Commission whether the data collected
by the product is stored in or transits a
high-risk country or countries. We also
seek comment on whether to require
manufacturers to disclose to consumers
in the registry whether the data
collected by the product is stored in or
transits a country or countries that are
known to pose a national security risk
to the United States. Does the
manufacturer have sufficient knowledge
of the data collected by the device to
know where the servers hosting the
collected data are located or where the
servers remotely controlling the device
will be located? Is it possible for the
location of stored data to be changed
without the manufacturer’s knowledge?
Are there other factors that would
impact the manufacturer’s ability to
make these declarations. Specifically,
we seek comment on requiring the
applicant seeking to use the FCC IoT
Label to make one of the following
declarations under penalty of perjury to
accompany its application to use the
label:
a. No customer data collected by this
product will be sent to servers located
on the Department of Commerce’s list of
high-risk countries, defined at 15 CFR
7.4 or any successor regulation. No
servers that remotely control the device
will be located in such a country; or
b. Customer data collected by this
product will be sent to servers located
in a high-risk country or countries. We
inform purchasers and users that the
Secretary of Commerce has designated
high-risk country or countries as
jurisdictions whose conduct is
significantly adverse to the national
security of the United States or security
and safety of United States persons.
3. If a manufacturer must disclose one
of these exposures or potential
exposures to a high-risk country, should
it have to disclose additional
information as well? Should it have to
disclose the identity of the high-risk
country or countries? Should it have to
disclose the specific hardware or
software components or server activities
that did, will, or could originate from or
take place in those countries? How
could such disclosures help purchasers
make informed decisions about product
acquisitions? And what burdens would
such additional disclosures place on
manufacturers? Should we require
manufacturers to include this
information in the registry to inform
consumers of these issues?
4. Alternatively, should the fact that
software or firmware originates from
VerDate Sep<11>2014
16:13 Mar 22, 2024
Jkt 262001
such countries, that data will be stored
in such countries, or that products can
be remotely controlled by servers within
such countries, make products ineligible
for the label altogether? Are there
certain product components, such as
cellular interface modules, that pose
elevated risks for which such a
prohibition might specifically be
warranted?
5. With respect to these declarations
proposed to require the manufacturer to
inform the Commission, would such
information provide meaning to
consumers? Should we require
manufacturers to include this
information in the registry to inform
consumers of these issues? How would
manufacturers inform users who are not
purchasers? In addition, we seek
comment on the possible costs and
benefits of requiring any additional
language in the relevant product’s
registry page. Should they encompass
some or all of the same representations
made in an application for authorization
to use the FCC label, or should they be
different or additional? Can such
representations be made not just for the
benefit of the purchaser or user, but also
extend to any third parties who may be
impacted by a security vulnerability in
a labeled product attributable to a
failure of the manufacturer, and what
would the practical or legal implications
of that be? How might this influence
manufacturer participation in the
program? Could the federal MagnusonMoss Act be an additional legal overlay
here, as well? How should those state
and federal laws inform whether and
how the Commission requires
manufacturer or seller representations
in the product’s registry page?
Procedural Matters
6. Paperwork Reduction Act. This
document contains proposed new or
modified information collection
requirements. The Commission, as part
of its continuing effort to reduce
paperwork burdens, invites the general
public and the Office of Management
and Budget (OMB) to comment on the
information collection requirements
contained in this document, as required
by the Paperwork Reduction Act of
1995, Public Law 104–13. In addition,
pursuant to the Small Business
Paperwork Relief Act of 2002, Public
Law 107–198, see 44 U.S.C. 3506(c)(4),
we seek specific comment on how we
might further reduce the information
collection burden for small business
concerns with fewer than 25 employees.
The Bureau does not believe that the
new or modified information collection
requirements we adopt here will be
PO 00000
Frm 00054
Fmt 4702
Sfmt 4702
unduly burdensome on small
businesses.
7. In this present document, we have
assessed the effects of the operational
framework for a voluntary IoT
cybersecurity labeling program. Since
the IoT Labeling Program is voluntary,
small entities who do not participate in
the IoT Labeling Program will not be
subject to any new or modified
reporting, recordkeeping, or other
compliance obligations. Small entities
that choose to participate in the IoT
Labeling Program by seeking authority
to affix the Cyber Trust Mark on their
products will incur recordkeeping and
reporting as well as other obligations
that are necessary to test their IoT
products to demonstrate compliance
with the requirements we adopt today.
We find that, for the Cyber Trust Mark
to have meaning for consumers, the
requirements for an IoT product to
receive the Cyber Trust Mark must be
uniform for both small businesses and
other entities. Thus, the Commission
continues to maintain the view we
expressed in the IoT Labeling NPRM,
that the significance of mark integrity,
and building confidence among
consumers that devices and products
containing the Cyber Trust Mark label
can be trusted to be cyber secure,
necessitates adherence by all entities
participating in the IoT Labeling
Program to the same rules regardless of
size.
8. Regulatory Flexibility Act. The
Regulatory Flexibility Act of 1980, as
amended (RFA), requires that an agency
prepare a regulatory flexibility analysis
for notice and comment rulemakings,
unless the agency certifies that ‘‘the rule
will not, if promulgated, have a
significant economic impact on a
substantial number of small entities.’’
Accordingly, we have prepared a Final
Regulatory Flexibility Analysis (FRFA)
concerning the possible impact of the
rule changes contained in this Report
and Order on small entities. The FRFA
is set forth in Appendix B of the FCC’s
Report and Order and Further Notice of
Proposed Rulemaking, FCC 24–26,
adopted March 14, 2024, at this link:
https://docs.fcc.gov/public/
attachments/FCC-24-26A1.pdf.
9. We have also prepared an Initial
Regulatory Flexibility Analysis (IRFA)
concerning the potential impact of rule
and policy change proposals on small
entities in the FNPRM. The IRFA is set
forth in Appendix C of the FCC’s Report
and Order and Further Notice of
Proposed Rulemaking, FCC 24–26,
adopted March 14, 2024, at this link:
https://docs.fcc.gov/public/
attachments/FCC-24-26A1.pdf. The
Commission invites the general public,
E:\FR\FM\25MRP1.SGM
25MRP1
khammond on DSKJM1Z7X2PROD with PROPOSALS
Federal Register / Vol. 89, No. 58 / Monday, March 25, 2024 / Proposed Rules
in particular small businesses, to
comment on the IRFA. Comments must
be filed by the deadlines for comments
on the FNPRM indicated on the first
page of this document and must have a
separate and distinct heading
designating them as responses to the
IRFA.
10. OPEN Government Data Act. The
OPEN Government Data Act requires
agencies to make ‘‘public data assets’’
available under an open license and as
‘‘open Government data assets,’’ i.e., in
machine-readable, open format,
unencumbered by use restrictions other
than intellectual property rights, and
based on an open standard that is
maintained by a standards organization.
This requirement is to be implemented
‘‘in accordance with guidance by the
Director’’ of the OMB. The term ‘‘public
data asset’’ means ‘‘a data asset, or part
thereof, maintained by the Federal
Government that has been, or may be,
released to the public, including any
data asset, or part thereof, subject to
disclosure under the Freedom of
Information Act (FOIA).’’ A ‘‘data asset’’
is ‘‘a collection of data elements or data
sets that may be grouped together,’’ and
‘‘data’’ is ‘‘recorded information,
regardless of form or the media on
which the data is recorded.’’ We
delegate authority, including the
authority to adopt rules, to the Bureau,
in consultation with the agency’s Chief
Data Officer and after seeking public
comment to the extent it deems
appropriate, to determine whether to
make publicly available any data assets
maintained or created by the
Commission within the meaning of the
OPEN Government Act pursuant to the
rules adopted herein, and if so, to
determine when and to what extent
such information should be made
publicly available. Such data assets may
include assets maintained by a CLA or
other third-party, to the extent the
Commission’s control or direction over
those assets may bring them within the
scope of the OPEN Government Act, as
interpreted in the light of guidance to be
issued by OMB.1 In doing so, the Bureau
shall take into account the extent to
which such data assets are subject to
disclosure under the FOIA.
11. Ex Parte Rules—Permit-ButDisclose. The proceeding this Further
Notice of Proposed Rulemaking initiates
shall be treated as a ‘‘permit-butdisclose’’ proceeding in accordance
with the Commission’s ex parte rules.
Persons making ex parte presentations
must file a copy of any written
presentation or a memorandum
summarizing any oral presentation
1 OMB
has not yet issued final guidance.
VerDate Sep<11>2014
16:13 Mar 22, 2024
Jkt 262001
within two business days after the
presentation (unless a different deadline
applicable to the Sunshine period
applies). Persons making oral ex parte
presentations are reminded that
memoranda summarizing the
presentation must (1) list all persons
attending or otherwise participating in
the meeting at which the ex parte
presentation was made, and (2)
summarize all data presented and
arguments made during the
presentation. If the presentation
consisted in whole or in part of the
presentation of data or arguments
already reflected in the presenter’s
written comments, memoranda or other
filings in the proceeding, the presenter
may provide citations to such data or
arguments in his or her prior comments,
memoranda, or other filings (specifying
the relevant page and/or paragraph
numbers where such data or arguments
can be found) in lieu of summarizing
them in the memorandum. Documents
shown or given to Commission staff
during ex parte meetings are deemed to
be written ex parte presentations and
must be filed consistent with section
1.1206(b) of the Commission’s rules. In
proceedings governed by § 1.49(f) of the
Commission’s rules or for which the
Commission has made available a
method of electronic filing, written ex
parte presentations and memoranda
summarizing oral ex parte
presentations, and all attachments
thereto, must be filed through the
electronic comment filing system
available for that proceeding, and must
be filed in their native format (e.g., .doc,
.xml, .ppt, searchable .pdf). Participants
in this proceeding should familiarize
themselves with the Commission’s ex
parte rules.
12. Comment Filing Procedures.
Pursuant to §§ 1.415 and 1.419 of the
Commission’s rules, 47 CFR 1.415,
1.419, interested parties may file
comments and reply comments on or
before the dates indicated on the first
page of this document. Comments may
be filed using the Commission’s
Electronic Comment Filing System
(ECFS). See Electronic Filing of
Documents in Rulemaking Proceedings,
63 FR 24121 (1998).
13. Providing Accountability Through
Transparency Act. Consistent with the
Providing Accountability Through
Transparency Act, Public Law 118–9, a
summary of this document will be
available on https://www.fcc.gov/
proposed-rulemakings.
Legal Basis
14. The proposed action is authorized
pursuant to sections 1, 2, 4(i), 4(n), 302,
303(r), 312, 333, and 503, of the
PO 00000
Frm 00055
Fmt 4702
Sfmt 4702
20605
Communications Act of 1934, as
amended, 47 U.S.C. 151, 152, 154(i),
154(n), 302a, 303(r), 312, 333, 503; and
the IoT Cybersecurity Improvement Act
of 2020, 15 U.S.C. 278g–3a through
278g–3e.
Initial Regulatory Flexibility Analysis
15. An Initial Regulatory Flexibility
Act (IRFA) Analysis for the rules
proposed in the FNPRM was prepared
and can be found as Exhibit B of the
FCC’s Second Report and Order and
Further Notice of Proposed Rulemaking,
FCC 24–5, adopted January 26, 2024, at
this link: https://docs.fcc.gov/public/
attachments/FCC-24-26A1.pdf.
Federal Communications Commission.
Katura Jackson,
Federal Register Liaison Officer.
[FR Doc. 2024–06249 Filed 3–22–24; 8:45 am]
BILLING CODE 6712–01–P
DEPARTMENT OF TRANSPORTATION
Federal Transit Administration
49 CFR Part 671
[Docket No. FTA–2023–0024]
RIN 2132–AB41
Rail Transit Roadway Worker
Protection
Federal Transit Administration
(FTA), Department of Transportation
(DOT).
ACTION: Notice of proposed rulemaking
(NPRM).
AGENCY:
The Federal Transit
Administration (FTA) is proposing
minimum safety standards for rail
transit roadway worker protection
(RWP) to ensure the safe operation of
public transportation systems and to
prevent accidents, incidents, fatalities,
and injuries to transit workers who may
access the roadway in the performance
of work. This NPRM would apply to rail
transit agencies (RTAs) covered by the
State Safety Oversight (SSO) program,
SSO agencies (SSOAs), and rail transit
workers who access the roadway to
perform work. It would set minimum
standards for RWP program elements,
including an RWP manual and track
access guide; requirements for on-track
safety and supervision, job safety
briefings, good faith safety challenges,
and reporting unsafe acts and
conditions and near-misses;
development and implementation of
risk-based redundant protections for
workers; and establishment of RWP
training and qualification and RWP
compliance monitoring activities. RTAs
SUMMARY:
E:\FR\FM\25MRP1.SGM
25MRP1
Agencies
[Federal Register Volume 89, Number 58 (Monday, March 25, 2024)]
[Proposed Rules]
[Pages 20603-20605]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2024-06249]
-----------------------------------------------------------------------
FEDERAL COMMUNICATIONS COMMISSION
47 CFR Part 8
[PS Docket Nos. 23-239; FR ID 210016]
Cybersecurity Labeling for Internet of Things
AGENCY: Federal Communications Commission.
ACTION: Proposed rule.
-----------------------------------------------------------------------
SUMMARY: In this document, the Federal Communications Commission (FCC
or Commission) adopts a voluntary cybersecurity labeling program for
wireless consumer Internet of Things, or IoT, products. The final rule
also requires applicant manufacturers to make certain disclosures
related to their product(s) for authorization to use the FCC IoT Label.
This is a summary of the Further Notice of Proposed Rulemaking (Further
Notice), in which the Commission proposes rules on additional national
security declarations for the IoT labeling program. These requirements
would further help consumers make safer purchasing decisions, raise
consumer confidence regarding the cybersecurity of the IoT products
they buy, and encourage manufacturers to develop IoT products with
security-by-design principles in mind.
DATES: Comments are due on or before April 24, 2024 and reply comments
are due on or before May 24, 2024. Written comments on the Paperwork
Reduction Act proposed information collection requirements must be
submitted by the public, Office of Management and Budget (OMB), and
other interested parties on or before May 24, 2024.
ADDRESSES: You may submit comments, identified by PS Docket No. 23-239,
by any of the following methods:
Federal Communications Commission's Website: https://www.apps.fcc.gov/ecfs/. Follow the instructions for submitting
comments.
Mail: Parties who choose to file by paper must file an
original and one copy of each filing. If more than one docket or
rulemaking number appears in the caption of this proceeding, filers
must submit two additional copies for each additional docket or
rulemaking number. Filings can be sent by commercial overnight courier,
or by first-class or overnight U.S. Postal Service mail. All filings
must be addressed to the Commission's Secretary, Office of the
Secretary, Federal Communications Commission. Commercial overnight mail
(other than U.S. Postal Service Express Mail and Priority Mail) must be
sent to 9050 Junction Drive, Annapolis Junction, MD 20701. U.S. Postal
Service first-class, Express, and Priority mail must be addressed to 45
L Street NE, Washington, DC 20554. Effective March 19, 2020, and until
further notice, the Commission no longer accepts any hand or messenger
delivered filings. This is a temporary measure taken to help protect
the health and safety of individuals, and to mitigate the transmission
of COVID-19. See FCC Announces Closure of FCC Headquarters Open Window
and Change in Hand-Delivery Policy, Public Notice, DA 20-304 (March 19,
2020). https://www.fcc.gov/document/fcc-closes-headquarters-open-window-and-changes-hand-delivery-policy.
People with Disabilities. To request materials in
accessible formats for people with disabilities (braille, large print,
electronic files, audio format), send an email to [email protected] or
call the Consumer & Governmental Affairs Bureau at 202-418-0530
(voice), 202-418-0432 (TTY).
FOR FURTHER INFORMATION CONTACT: For further information regarding
these proposed rules, please contact Zoe Li, Attorney Advisor,
Cybersecurity and Communications Reliability Division, Public Safety
and Homeland Security Bureau, (202) 418-2490, or by email to
[email protected].
For additional information concerning the Paperwork Reduction Act
information collection requirements contained in this document, send an
email to [email protected] or contact Nicole Ongele, Office of Managing
Director, Performance Evaluation and Records Management, 202-418-2991,
or by email to [email protected].
SUPPLEMENTARY INFORMATION: This is a summary of the Commission's
Further Notice of Proposed Rulemaking (FNPRM), FCC 24-26, adopted March
14, 2024, and released March 15, 2024. The full text of this document
is available by downloading the text from the Commission's website at:
https://docs.fcc.gov/public/attachments/FCC-24-26A1.pdf.
Synopsis
Further Notice of Proposed Rulemaking
1. In this FNPRM, we seek comment on additional declarations
intended to provide consumers with assurances that the products bearing
the FCC IoT Label do not contain hidden vulnerabilities from high-risk
countries, that the data collected by the products does not sit within
or transit high-risk countries, and that the products cannot be
remotely controlled by servers located within high-risk countries.
Specifically, we seek comment on whether we should require
manufacturers to disclose to the Commission whether firmware and/or
software were developed and manufactured in a ``high-risk country,'' as
well as where firmware and software updates will be developed and
deployed from. We also seek comment on whether to require manufacturers
to disclose to consumers in the registry whether firmware and/or
software were developed and manufactured in a ``high-risk country,'' as
well as where firmware and software updates will be developed and
deployed from. We propose to include as high-risk countries those
foreign adversary countries defined by the Department of Commerce in 15
CFR 7.4. Are there other sources that the Commission should consider
for identifying high-risk countries? Specifically, we seek comment on
whether to require the applicant seeking to use the FCC IoT Label to
make one of the following declarations under penalty of perjury to
accompany its application to use the label:
a. No software or software update or part of any software or
software update that runs on or controls the product was or will be
developed or deployed from within a country on the Secretary of
Commerce's list of high-risk countries, except that this commitment
does not apply to the origin of open-source contributions not paid for
directly or indirectly by us or our direct or indirect partners in
offering this product; or
b. This device runs, or due to future software updates might run,
software developed within the Secretary of Commerce's list of high-risk
country or countries. Applicant is not aware of any backdoors or other
sabotage, or any reason to believe that there is a particular
heightened risk for such backdoors or sabotage relative other software
developed within such a country, but we inform purchasers and users
that the Department of Commerce has designated high-risk country or
countries as jurisdictions whose conduct is significantly adverse to
the national security of the United States or
[[Page 20604]]
security and safety of United States persons.
2. We also seek comment on requiring manufacturers to disclose to
the Commission whether the data collected by the product is stored in
or transits a high-risk country or countries. We also seek comment on
whether to require manufacturers to disclose to consumers in the
registry whether the data collected by the product is stored in or
transits a country or countries that are known to pose a national
security risk to the United States. Does the manufacturer have
sufficient knowledge of the data collected by the device to know where
the servers hosting the collected data are located or where the servers
remotely controlling the device will be located? Is it possible for the
location of stored data to be changed without the manufacturer's
knowledge? Are there other factors that would impact the manufacturer's
ability to make these declarations. Specifically, we seek comment on
requiring the applicant seeking to use the FCC IoT Label to make one of
the following declarations under penalty of perjury to accompany its
application to use the label:
a. No customer data collected by this product will be sent to
servers located on the Department of Commerce's list of high-risk
countries, defined at 15 CFR 7.4 or any successor regulation. No
servers that remotely control the device will be located in such a
country; or
b. Customer data collected by this product will be sent to servers
located in a high-risk country or countries. We inform purchasers and
users that the Secretary of Commerce has designated high-risk country
or countries as jurisdictions whose conduct is significantly adverse to
the national security of the United States or security and safety of
United States persons.
3. If a manufacturer must disclose one of these exposures or
potential exposures to a high-risk country, should it have to disclose
additional information as well? Should it have to disclose the identity
of the high-risk country or countries? Should it have to disclose the
specific hardware or software components or server activities that did,
will, or could originate from or take place in those countries? How
could such disclosures help purchasers make informed decisions about
product acquisitions? And what burdens would such additional
disclosures place on manufacturers? Should we require manufacturers to
include this information in the registry to inform consumers of these
issues?
4. Alternatively, should the fact that software or firmware
originates from such countries, that data will be stored in such
countries, or that products can be remotely controlled by servers
within such countries, make products ineligible for the label
altogether? Are there certain product components, such as cellular
interface modules, that pose elevated risks for which such a
prohibition might specifically be warranted?
5. With respect to these declarations proposed to require the
manufacturer to inform the Commission, would such information provide
meaning to consumers? Should we require manufacturers to include this
information in the registry to inform consumers of these issues? How
would manufacturers inform users who are not purchasers? In addition,
we seek comment on the possible costs and benefits of requiring any
additional language in the relevant product's registry page. Should
they encompass some or all of the same representations made in an
application for authorization to use the FCC label, or should they be
different or additional? Can such representations be made not just for
the benefit of the purchaser or user, but also extend to any third
parties who may be impacted by a security vulnerability in a labeled
product attributable to a failure of the manufacturer, and what would
the practical or legal implications of that be? How might this
influence manufacturer participation in the program? Could the federal
Magnuson-Moss Act be an additional legal overlay here, as well? How
should those state and federal laws inform whether and how the
Commission requires manufacturer or seller representations in the
product's registry page?
Procedural Matters
6. Paperwork Reduction Act. This document contains proposed new or
modified information collection requirements. The Commission, as part
of its continuing effort to reduce paperwork burdens, invites the
general public and the Office of Management and Budget (OMB) to comment
on the information collection requirements contained in this document,
as required by the Paperwork Reduction Act of 1995, Public Law 104-13.
In addition, pursuant to the Small Business Paperwork Relief Act of
2002, Public Law 107-198, see 44 U.S.C. 3506(c)(4), we seek specific
comment on how we might further reduce the information collection
burden for small business concerns with fewer than 25 employees. The
Bureau does not believe that the new or modified information collection
requirements we adopt here will be unduly burdensome on small
businesses.
7. In this present document, we have assessed the effects of the
operational framework for a voluntary IoT cybersecurity labeling
program. Since the IoT Labeling Program is voluntary, small entities
who do not participate in the IoT Labeling Program will not be subject
to any new or modified reporting, recordkeeping, or other compliance
obligations. Small entities that choose to participate in the IoT
Labeling Program by seeking authority to affix the Cyber Trust Mark on
their products will incur recordkeeping and reporting as well as other
obligations that are necessary to test their IoT products to
demonstrate compliance with the requirements we adopt today. We find
that, for the Cyber Trust Mark to have meaning for consumers, the
requirements for an IoT product to receive the Cyber Trust Mark must be
uniform for both small businesses and other entities. Thus, the
Commission continues to maintain the view we expressed in the IoT
Labeling NPRM, that the significance of mark integrity, and building
confidence among consumers that devices and products containing the
Cyber Trust Mark label can be trusted to be cyber secure, necessitates
adherence by all entities participating in the IoT Labeling Program to
the same rules regardless of size.
8. Regulatory Flexibility Act. The Regulatory Flexibility Act of
1980, as amended (RFA), requires that an agency prepare a regulatory
flexibility analysis for notice and comment rulemakings, unless the
agency certifies that ``the rule will not, if promulgated, have a
significant economic impact on a substantial number of small
entities.'' Accordingly, we have prepared a Final Regulatory
Flexibility Analysis (FRFA) concerning the possible impact of the rule
changes contained in this Report and Order on small entities. The FRFA
is set forth in Appendix B of the FCC's Report and Order and Further
Notice of Proposed Rulemaking, FCC 24-26, adopted March 14, 2024, at
this link: https://docs.fcc.gov/public/attachments/FCC-24-26A1.pdf.
9. We have also prepared an Initial Regulatory Flexibility Analysis
(IRFA) concerning the potential impact of rule and policy change
proposals on small entities in the FNPRM. The IRFA is set forth in
Appendix C of the FCC's Report and Order and Further Notice of Proposed
Rulemaking, FCC 24-26, adopted March 14, 2024, at this link: https://docs.fcc.gov/public/attachments/FCC-24-26A1.pdf. The Commission invites
the general public,
[[Page 20605]]
in particular small businesses, to comment on the IRFA. Comments must
be filed by the deadlines for comments on the FNPRM indicated on the
first page of this document and must have a separate and distinct
heading designating them as responses to the IRFA.
10. OPEN Government Data Act. The OPEN Government Data Act requires
agencies to make ``public data assets'' available under an open license
and as ``open Government data assets,'' i.e., in machine-readable, open
format, unencumbered by use restrictions other than intellectual
property rights, and based on an open standard that is maintained by a
standards organization. This requirement is to be implemented ``in
accordance with guidance by the Director'' of the OMB. The term
``public data asset'' means ``a data asset, or part thereof, maintained
by the Federal Government that has been, or may be, released to the
public, including any data asset, or part thereof, subject to
disclosure under the Freedom of Information Act (FOIA).'' A ``data
asset'' is ``a collection of data elements or data sets that may be
grouped together,'' and ``data'' is ``recorded information, regardless
of form or the media on which the data is recorded.'' We delegate
authority, including the authority to adopt rules, to the Bureau, in
consultation with the agency's Chief Data Officer and after seeking
public comment to the extent it deems appropriate, to determine whether
to make publicly available any data assets maintained or created by the
Commission within the meaning of the OPEN Government Act pursuant to
the rules adopted herein, and if so, to determine when and to what
extent such information should be made publicly available. Such data
assets may include assets maintained by a CLA or other third-party, to
the extent the Commission's control or direction over those assets may
bring them within the scope of the OPEN Government Act, as interpreted
in the light of guidance to be issued by OMB.\1\ In doing so, the
Bureau shall take into account the extent to which such data assets are
subject to disclosure under the FOIA.
---------------------------------------------------------------------------
\1\ OMB has not yet issued final guidance.
---------------------------------------------------------------------------
11. Ex Parte Rules--Permit-But-Disclose. The proceeding this
Further Notice of Proposed Rulemaking initiates shall be treated as a
``permit-but-disclose'' proceeding in accordance with the Commission's
ex parte rules. Persons making ex parte presentations must file a copy
of any written presentation or a memorandum summarizing any oral
presentation within two business days after the presentation (unless a
different deadline applicable to the Sunshine period applies). Persons
making oral ex parte presentations are reminded that memoranda
summarizing the presentation must (1) list all persons attending or
otherwise participating in the meeting at which the ex parte
presentation was made, and (2) summarize all data presented and
arguments made during the presentation. If the presentation consisted
in whole or in part of the presentation of data or arguments already
reflected in the presenter's written comments, memoranda or other
filings in the proceeding, the presenter may provide citations to such
data or arguments in his or her prior comments, memoranda, or other
filings (specifying the relevant page and/or paragraph numbers where
such data or arguments can be found) in lieu of summarizing them in the
memorandum. Documents shown or given to Commission staff during ex
parte meetings are deemed to be written ex parte presentations and must
be filed consistent with section 1.1206(b) of the Commission's rules.
In proceedings governed by Sec. 1.49(f) of the Commission's rules or
for which the Commission has made available a method of electronic
filing, written ex parte presentations and memoranda summarizing oral
ex parte presentations, and all attachments thereto, must be filed
through the electronic comment filing system available for that
proceeding, and must be filed in their native format (e.g., .doc, .xml,
.ppt, searchable .pdf). Participants in this proceeding should
familiarize themselves with the Commission's ex parte rules.
12. Comment Filing Procedures. Pursuant to Sec. Sec. 1.415 and
1.419 of the Commission's rules, 47 CFR 1.415, 1.419, interested
parties may file comments and reply comments on or before the dates
indicated on the first page of this document. Comments may be filed
using the Commission's Electronic Comment Filing System (ECFS). See
Electronic Filing of Documents in Rulemaking Proceedings, 63 FR 24121
(1998).
13. Providing Accountability Through Transparency Act. Consistent
with the Providing Accountability Through Transparency Act, Public Law
118-9, a summary of this document will be available on https://www.fcc.gov/proposed-rulemakings.
Legal Basis
14. The proposed action is authorized pursuant to sections 1, 2,
4(i), 4(n), 302, 303(r), 312, 333, and 503, of the Communications Act
of 1934, as amended, 47 U.S.C. 151, 152, 154(i), 154(n), 302a, 303(r),
312, 333, 503; and the IoT Cybersecurity Improvement Act of 2020, 15
U.S.C. 278g-3a through 278g-3e.
Initial Regulatory Flexibility Analysis
15. An Initial Regulatory Flexibility Act (IRFA) Analysis for the
rules proposed in the FNPRM was prepared and can be found as Exhibit B
of the FCC's Second Report and Order and Further Notice of Proposed
Rulemaking, FCC 24-5, adopted January 26, 2024, at this link: https://docs.fcc.gov/public/attachments/FCC-24-26A1.pdf.
Federal Communications Commission.
Katura Jackson,
Federal Register Liaison Officer.
[FR Doc. 2024-06249 Filed 3-22-24; 8:45 am]
BILLING CODE 6712-01-P