Public Safety and Homeland Security Bureau Requests Comment on Implementation of the Cybersecurity Labeling for Internet of Things Program, 58312-58323 [2024-15379]

58312 Federal Register / Vol. 89, No. 138 / Thursday, July 18, 2024 / Proposed Rules

FEDERAL COMMUNICATIONS COMMISSION

47 CFR Part 8

[PS Docket No. 23–239; DA 24–617; FR ID 229959]

Public Safety and Homeland Security Bureau Requests Comment on Implementation of the Cybersecurity Labeling for Internet of Things Program

AGENCY: Federal Communications Commission.

ACTION: Proposed rule.

SUMMARY: In this document, the Federal Communications Commission (Commission or FCC) seeks comment on additional items to further the efficient and timely rollout of the IoT Labeling program. These items include the format of Cybersecurity Label Administrator (CLA) and Lead Administrator applications; filing fees for CLA applications; criteria for selecting CLAs and the Lead Administrator; CLA sharing of Lead Administrator expenses; Lead Administrator neutrality; processes for withdrawal of CLA and Lead Administrator approvals; recognition of CyberLABs outside the United States; complaint processes; confidentiality and security requirements; and the IoT registry.

DATES: Comments are due on or before August 19, 2024; reply comments are due on or before September 3, 2024. Comments on section II.B are due on or before August 19, 2024.

ADDRESSES: Pursuant to §§ 1.415 and 1.419 of the Commission’s rules, 47 CFR 1.415, 1.419, interested parties may file comments and reply comments on or before the dates indicated on the first page of this document. Comments may be filed using the Commission’s Electronic Comment Filing System (ECFS). You may submit comments, identified by PS Docket No. 23–239, by any of the following methods:

• Electronic Filers: Comments may be filed electronically using the internet by accessing the ECFS: https://www.fcc.gov/ecfs/.

• Paper Filers: Parties who choose to file by paper must file an original and one copy of each filing.

• Filings can be sent by hand or messenger delivery, by commercial courier, or by the U.S. Postal Service. All filings must be addressed to the Secretary, Federal Communications Commission.

• Hand-delivered or messenger-delivered paper filings for the Commission’s Secretary are accepted between 8:00 a.m. and 4:00 p.m. by the FCC’s mailing contractor at 9050 Junction Drive, Annapolis Junction, MD 20701. All hand deliveries must be held together with rubber bands or fasteners. Any envelopes and boxes must be disposed of before entering the building.

• Commercial courier deliveries (any deliveries not by the U.S. Postal Service) must be sent to 9050 Junction Drive, Annapolis Junction, MD 20701. Filings sent by U.S. Postal Service First-Class Mail, Priority Mail, and Priority Mail Express must be sent to 45 L Street NE, Washington, DC 20554.

• People with Disabilities: To request materials in accessible formats for people with disabilities (braille, large print, electronic files, audio format), send an email to fcc504@fcc.gov or call the Consumer & Governmental Affairs Bureau at 202–418–0530.

FOR FURTHER INFORMATION CONTACT: Tara B. Shostek, Cybersecurity and Communications Reliability Division, Public Safety and Homeland Security Bureau, (202) 418–8130, or by email to Tara.Shostek@fcc.gov. For additional information concerning the Paperwork Reduction Act information collection requirements contained in this document, contact Nicole Ongele, Office of Managing Director, Performance and Program Management, 202–418–2991, or by email to PRA@fcc.gov.

SUPPLEMENTARY INFORMATION: This is a summary of the Commission’s document in PS Docket No. 23–239, DA 24–617; released on June 27, 2024. The full text of this document is available at https://docs.fcc.gov/public/attachments/DA-24-617A1.pdf.

Paperwork Reduction Act. The document may contain new or modified information collection(s) subject to the Paperwork Reduction Act of 1995.
All such new or modified information collection requirements will be submitted to OMB for review under section 3507(d) of the PRA. OMB, the general public, and other Federal agencies are invited to comment on any new or modified information collection requirements contained in this proceeding. In addition, pursuant to the Small Business Paperwork Relief Act of 2002, we seek specific comment on how we might “further reduce the information collection burden for small business concerns with fewer than 25 employees.”

Providing Accountability Through Transparency Act. Consistent with the Providing Accountability Through Transparency Act, Public Law 118–9, a summary of this document will be available on https://www.fcc.gov/proposed-rulemakings.

Ex Parte Rules—Permit but Disclose. This proceeding shall be treated as a “permit-but-disclose” proceeding in accordance with the Commission’s ex parte rules. Persons making ex parte presentations must file a copy of any written presentation or a memorandum summarizing any oral presentation within two business days after the presentation (unless a different deadline applicable to the Sunshine period applies). Persons making oral ex parte presentations are reminded that memoranda summarizing the presentation must (1) list all persons attending or otherwise participating in the meeting at which the ex parte presentation was made, and (2) summarize all data presented and arguments made during the presentation.
If the presentation consisted in whole or in part of the presentation of data or arguments already reflected in the presenter’s written comments, memoranda or other filings in the proceeding, the presenter may provide citations to such data or arguments in his or her prior comments, memoranda, or other filings (specifying the relevant page and/or paragraph numbers where such data or arguments can be found) in lieu of summarizing them in the memorandum. Documents shown or given to Commission staff during ex parte meetings are deemed to be written ex parte presentations and must be filed consistent with rule 1.1206(b). In proceedings governed by rule 1.49(f) or for which the Commission has made available a method of electronic filing, written ex parte presentations and memoranda summarizing oral ex parte presentations, and all attachments thereto, must be filed through the electronic comment filing system available for that proceeding, and must be filed in their native format (e.g., .doc, .xml, .ppt, searchable .pdf). Participants in this proceeding should familiarize themselves with the Commission’s ex parte rules.

Confidential Treatment. Parties wishing to file materials with a claim of confidentiality should follow the procedures set forth in § 0.459 of the Commission’s rules. Casual claims of confidentiality are not accepted. Confidential submissions may not be filed via ECFS but rather should be filed with the Secretary’s Office following the procedures set forth in 47 CFR 0.459. Redacted versions of confidential submissions may be filed via ECFS. Parties are advised that the FCC looks with disfavor on claims of confidentiality for entire documents. When a claim of confidentiality is made, a public, redacted version of the document should also be filed.

Digital Equity and Inclusion. The Commission, as part of its continuing effort to advance digital equity for all,1 including people of color, persons with disabilities, persons who live in rural or Tribal areas, and others who are or have been historically underserved, marginalized, or adversely affected by persistent poverty or inequality, invites comment on any equity-related considerations2 and benefits (if any) that may be associated with the proposals and issues discussed herein. Specifically, we seek comment on how our proposals may promote or inhibit advances in diversity, equity, inclusion, and accessibility, as well as the scope of the Commission’s relevant legal authority.

1 Section 1 of the Communications Act of 1934 as amended provides that the FCC “regulat[es] interstate and foreign commerce in communication by wire and radio so as to make [such service] available, so far as possible, to all the people of the United States, without discrimination on the basis of race, color, religion, national origin, or sex.” 47 U.S.C. 151.

2 The term “equity” is used here consistent with Executive Order 13985 as the consistent and systematic fair, just, and impartial treatment of all individuals, including individuals who belong to underserved communities that have been denied such treatment, such as Black, Latino, and Indigenous and Native American persons, Asian Americans and Pacific Islanders and other persons of color; members of religious minorities; lesbian, gay, bisexual, transgender, and queer (LGBTQ+) persons; persons with disabilities; persons who live in rural areas; and persons otherwise adversely affected by persistent poverty or inequality. See Exec. Order No. 13985, 86 FR 7009, Executive Order on Advancing Racial Equity and Support for Underserved Communities Through the Federal Government (January 20, 2021).

Synopsis

1. In March 2024, the Federal Communications Commission (FCC or Commission) adopted a Report and Order and Further Notice of Proposed Rulemaking (IoT Labeling Order) establishing the framework for the Commission’s voluntary cybersecurity labeling program for consumer wireless Internet of Things (IoT) products (IoT Labeling Program). Recognizing the additional work that would need to be done to implement the framework, the Commission delegated authority to the Public Safety and Homeland Security Bureau (PSHSB or Bureau), in coordination with the Office of the Managing Director (OMD), to seek comment on certain additional items to further the efficient and timely rollout of the program. Accordingly, with this document, the PSHSB and OMD request comment on: the format of Cybersecurity Label Administrator (CLA) and Lead Administrator applications; filing fees for CLA applications; criteria for selecting CLAs and the Lead Administrator; CLA sharing of Lead Administrator expenses; Lead Administrator neutrality; processes for withdrawal of CLA and Lead Administrator approvals; recognition of CyberLABs outside the United States; complaint processes; confidentiality and security requirements; and the IoT registry.3

3 We note that this document is not meant to address all outstanding implementation issues in connection with the IoT Labeling Program; there are additional implementation matters and specific delegations of authority from the IoT Labeling Order that the Bureau will be addressing in subsequent documents.

Discussion

A. Format of CLA and Lead Administrator Applications

2. The IoT Labeling Order provides that the Commission will accept applications for entities seeking to qualify as CLAs and those applicants seeking the position of Lead Administrator, but did not specify the format these applications should take. The Bureau believes that CLA/Lead Administrator applications should be submitted in narrative format via email and seeks comment on this tentative determination and any alternative methods or formats for submission. While the Bureau recognizes the organizational value of a fillable form, the information to be submitted by entities seeking to be a CLA/Lead Administrator seemingly lends itself to a narrative discussion of the qualifications and strengths the applicant possesses to support the FCC’s IoT Labeling Program. The Bureau still could re-evaluate the need for a fillable form after it has processed and reviewed the initial CLA/Lead Administrator applications and seek comment on a proposed format for such a form. We seek comment on these issues.

B. FCC Filing Fees for CLA and Lead Administrator Applications

3. The IoT Labeling Order directs the Bureau, in conjunction with OMD, to adopt procedures and take additional steps, including applicable fees (pursuant to any required public notice and comment), as necessary to ensure compliance with the Communications Act with respect to any rules adopted therein that contemplate the filing of applications directly with the Commission.4 Section 8 of the Communications Act requires the Commission to assess and collect application fees to cover the costs of the Commission to process applications.

4 The IoT Labeling Order directs manufacturers to file applications directly with CLAs to use the U.S. Cyber Trust Mark and, as such, those fees are not contemplated in this inquiry.
Although the Commission has assessed and collected application fees pursuant to section 8 of the Communications Act since 1986,5 in 2018, Congress modified section 8 of the Communications Act to change the application fee program from a statutory schedule of application fees to a requirement that the Commission update and amend the existing schedule of application fees by rule to recover the costs of the Commission to process applications.6 Section 8(c) of the Act also requires the Commission to, by rule, amend the application fee schedule if the Commission determines that the schedule requires amendment to ensure that: (1) such fees reflect increases or decreases in the costs of processing applications at the Commission or (2) such schedule reflects the consolidation or addition of new categories of applications.

5 While the 1986 schedule adopted by Congress was accurate at the time adopted because it was based on cost information provided by the Commission to Congress, the framework did not allow the fee schedule to change as a result of advancements in technology and corresponding changes in Commission procedures and rules. Notably, the Commission was constrained from adding, removing, or otherwise changing the structure or levels of application fees prior to the RAY BAUM’S Act, outside of a ministerial biannual order adopting without notice and comment changes to fees based on the Consumer Price Index.

6 The Repack Airwaves Yielding Better Access for Users of Modern Services Act of 2018, or the RAY BAUM’S Act of 2018, amended sections 8 and 9 and added section 9A to the Communications Act of 1934, as amended and provided that such provisions would become effective on October 1, 2018. Consolidated Appropriations Act, 2018, Public Law 115–141, 132 Stat. 1084, Division P—RAY BAUM’S Act of 2018, Title I, section 103 (2018). 47 U.S.C. 158. Congress provided, however, that application fees in effect prior to the effective date of the new section 8 would remain in effect until the Commission adjusts or amends such fee. RAY BAUM’S Act of 2018, Title I, section 103(d) (uncodified provisions entitled “Transitional Rules”).

4. In the 2020 Application Fee Order, the Commission explained that in accordance with the RAY BAUM’S Act, application fees are based on the “costs of the Commission to process applications.” Specifically, the Commission establishes an application fee based on direct labor costs of processing a particular application, which are calculated “by multiplying an estimate of the number of hours needed for each task, up through first-level supervisory tasks required to process the application, by an estimate of the labor cost per hour for the employee performing the task and by an estimate of the probability that the task needed to be performed.” In the 2020 Application Fee Order, the Commission adopted five functional categories of fees: Wireless Licensing Fees, Media Licensing Fees, Equipment Approval Fees, Domestic Service Fees, and International Service Fees.

5. The Bureau seeks comment on whether applications filed with the Commission by entities seeking qualification as a CLA or seeking the position of Lead Administrator constitute an application under section 8 of the Act. If so, is there an existing fee category that would cover such applications? If there are no existing fee categories that are applicable, should new application fee categories, “Cybersecurity Label Administrator” and “Lead Administrator,” be established? We seek comment on the legal and factual basis for assessing a fee pursuant to section 8 of the Communications Act on these applications.

6. If we conclude that a filing with the Commission seeking to be a CLA or to be the Lead Administrator constitutes an application under section 8 of the Act, then we must consider the cost of processing such a filing to inform what fee the Commission would charge in connection with such a filing. We note that the agency has narrowly construed the scope of what constitutes processing for applications subject to fees. Applying the Commission’s framework for the costs of processing applications adopted in the 2020 Application Fee Order, we believe that the processing of CLA applications, including the initial conditional approval and subsequent review required after the CLA notifies the Commission that it has obtained the International Organization for Standardization/International Electrotechnical Commission (ISO/IEC) 17065 accreditation, consists of engineer and engineer supervisory review, and attorney and attorney supervisory review.

7. As detailed below, the Bureau estimates that the time it will take to process each CLA application will be 15 hours and the time it will take to process each Lead Administrator application will be 8 hours. We estimate the labor cost per hour for the various 2024 general schedule pay grades of the employees that process applications based on the current pay table for Washington, DC, at the step 5 level; we estimate overhead costs as 20% of the salary level, also per that rule; and we estimate each employee works 2,087 hours in one year. We also round the fee to the nearest $5.00 increment as required by section 8 as amended. We seek comment on this approach.

8. The Bureau estimates that each CLA application will require 10 hours of engineering review at the GS–15 level, 2 hours of engineering supervisory review at the GS–15 level, 2 hours of attorney application review at the GS–12 level, and 1 hour of attorney supervisory review at the GS–15 level.
The estimated total labor costs (including 20% overhead) for the engineering review (GS–15, step 5) of each CLA application is $1,282.20 (12 engineering hours * 106.85 = 1,282.20).7 The estimated labor costs (including 20% overhead) for the attorney application review (GS–12, step 5) for each CLA application is $129.28 (2 hours * $64.64 = $129.28).8 The estimated total labor costs (including 20% overhead) for the attorney supervisory review (GS–15, step 5) for each CLA application is $106.85 (1 hour * 106.85 = 106.85).9 The total labor costs per CLA application is $1,518.33 (1,282.20 + 129.28 + 106.85). Based on these hourly rates and the estimated time for processing each CLA application, the Bureau proposes that the filing fee for a CLA application is $1,520 and we seek comment on this proposal.

7 The annual pay for a GS–15, step 5 in the Washington-Baltimore-Arlington, DC–MD–VA–WV–PA Locality Pay area is $185,824. Overhead costs are $37,164.80 (20% * 185,824 = 37,164.80). The hourly rate of a GS–15, step 5 including overhead costs based on 2,087 annual hours is $106.85 (185,824 + 37,164.80 = 222,988.80; 222,988.80/2,087 hours = 106.85). The Bureau estimates that each CLA application will require 12 hours of engineering review at the GS–15, step 5 level.

8 The annual pay for a GS–12, step 5 in the Washington-Baltimore-Arlington, DC–MD–VA–WV–PA Locality Pay area is $112,425. Overhead costs are $22,485.00 (20% * 112,425 = 22,485). The hourly rate of a GS–12, step 5 including overhead costs based on 2,087 annual hours is $64.64 (112,425 + 22,485 = 134,910; 134,910/2,087 = 64.64). The Bureau estimates that each CLA application will require 2 hours of attorney review at the GS–12, step 5 level.

9 The hourly rate of a GS–15, step 5 attorney is the same as the hourly rate of a GS–15, step 5 engineer, which is $106.85. The Bureau estimates that each CLA application will require 1 hour of attorney review at the GS–15, step 5 level.

9. Some entities seeking to qualify as a CLA may include additional information in their application seeking the position of Lead Administrator, which will similarly require additional engineering and engineering supervisory review, and attorney application and attorney supervisory review. The Bureau estimates that each Lead Administrator application, which occurs after the CLA application has already been reviewed, will require 4 hours of engineering review at the GS–15 level, 1 hour of supervisory engineering review at the GS–15 level, 2 hours of attorney application review at the GS–12 level, and 1 hour of attorney supervisory review at the GS–15 level.

10. We propose that applications for Lead Administrator must include an additional fee of $770 to cover the FCC’s costs of processing Lead Administrator applications. The Bureau seeks comment on this determination. The Bureau estimates that each Lead Administrator application will require 5 hours of engineering application review at the GS–15, step 5 level at an hourly rate of $106.85 (5 * 106.85 = 534.25), 2 hours of attorney application review at the GS–12, step 5 level at an hourly rate of $64.64 (2 * 64.64 = 129.28) and 1 hour of attorney supervisor review at the GS–15, step 5 level at an hourly rate of $106.85 (1 * 106.85 = 106.85) for a total of $770.38 (534.25 + 129.28 + 106.85). The Bureau seeks comment on the estimation of time to process the Lead Administrator applications and the proposed fee for processing the application. Our proposals for processing fees are based on averages. Given that these are new categories of applications, at this time, we do not believe we have a factual basis to assess fees for administrative updates, minor changes or updates to a CLA application, or for entities seeking to withdraw as a CLA.
We also do not believe we have a factual basis to assess fees for administrative updates, minor changes, or updates to a Lead Administrator application, or for an entity seeking to withdraw a Lead Administrator. Until we have experience with processing these new types of applications, it would be difficult to calculate identifiable direct costs beyond those included in the calculation of the initial application fee. For both the CLA and Lead Administrator applications, we seek comment on whether we have included in our estimates the appropriate steps under the Commission’s 2020 Application Fee Order framework to determine processing costs. If commenters view our estimates to be over or under inclusive, to the extent practicable, commenters should explain their views by including reference to any application fees adopted in the 2020 proceeding that the commenter considers analogous to the CLA and/or Lead Administrator application.

C. Bureau Selection of Cybersecurity Label Administrators and the Lead Administrator

11. The IoT Labeling Order provides that the Bureau will release a public notice opening a filing window for the acceptance of CLA applications, which will include an option for CLA applicants to indicate they also seek the role of Lead Administrator.10 The IoT Labeling Order specifies the expertise and qualifications each applicant for CLA and Lead Administrator must demonstrate and delegates to the Bureau the authority to adopt additional criteria and administrative procedures necessary to efficiently select one or more independent, non-governmental entities to act as CLA(s) and Lead Administrator. The Bureau seeks comment on whether there are additional areas of expertise or specific requirements a CLA applicant should be required to demonstrate in addition to those listed in the Order.11 The Bureau seeks comment on what additional criteria, if any, the Bureau should take into consideration during the Lead Administrator selection process. What additional criteria would help us ensure that CLA(s) and the Lead Administrator are able to advance the Commission’s policy objective to raise consumer confidence with regard to the cybersecurity of consumer wireless IoT products while strengthening the nation’s cybersecurity posture? How should the Bureau differentiate between Lead Administrator candidates for selection? Should all selection criteria be weighted the same? If not, which criteria should carry more weight?

10 The Bureau, in coordination with OMD and OGC will review these applications and determine which applications meet the CLA requirements and which CLA applicant best meets the requirements of Lead Administrator.

11 The IoT Labeling Order contemplates the acceptance of applications for CLAs located outside the United States after appropriate international agreements or other appropriate prerequisites are in place.

D. Lead Administrator Expenses Shared Among CLAs

12. The IoT Labeling Order “expect[ed]” that the Lead Administrator’s expenses “in performing its duties on behalf of the program as a whole” will be “shared among CLAs as a whole,” but does not provide a mechanism or details for such sharing. The Bureau seeks comment on the most effective mechanism for CLAs to share the Lead Administrator’s expenses, including whether and how to distinguish costs associated with identified Lead Administrator responsibilities, potential changes in the Lead Administrator, and the timing of reimbursement for such expenses. Commenters should also consider whether and how any cost sharing mechanism might change after the initial rollout of the program, including any rationale for doing so. Alternatively, we seek comment on whether the Lead Administrator is in the best position to propose how costs should be shared among CLAs. To the extent commenters have estimates of the Lead Administrator’s expenses, we invite them to share such estimates. In addition, we seek comment on the categories of expenses that should be attributable to the Lead Administrator’s responsibilities under this program. What auditing requirements should be required of the Lead Administrator? Are there financial controls, or other controls, the Commission has adopted in the case of other program administrators that it relies on that would be appropriate in this context? We note that the IoT Labeling Order does not contemplate other funding sources for the Lead Administrator’s expenses, beyond sharing “among CLAs as a whole.”

E. Lead Administrator Neutrality

13. The Commission recognized the competitive implications of an entity being both the Lead Administrator and a CLA and, as such, delegated authority to the Bureau to review, seek public comment on, and approve/disapprove the Lead Administrator recommendations. We seek comment on whether there are safeguards the Bureau might adopt to ensure the stakeholder process remains competitively neutral and the recommendations the Lead Administrator makes to the Commission (e.g., standards and testing criteria and label design) are stakeholder consensus-based and competitively neutral. For example, are there additional or different safeguards the Commission has adopted in the case of other program administrators that it relies on that would be appropriate in this context? We seek comment on whether the Bureau should adopt additional safeguards to ensure fulsome and broad stakeholder engagement in this process.
Are there other safeguards the Bureau should adopt to ensure the Lead Administrator, who is potentially a competitor of other CLAs, does not have an unfair economic, or other, competitive advantage?

F. Withdrawal of CLA and Lead Administrator Approval

14. The IoT Labeling Order provides that the Commission will withdraw its approval of a CLA if the CLA’s designation or accreditation is withdrawn, if there is just cause for withdrawing approval, or upon request of the CLA. The Commission will notify a CLA in writing of its intention to withdraw or limit the scope of the CLA’s approval and provide at least 60 days for the CLA to respond. The Bureau will announce the withdrawal of a CLA approval by public notice. The IoT Labeling Order also delegates authority to the Bureau to “manage changes in the Lead Administrator.” We believe the same processes should be applied to the withdrawal of the Lead Administrator. We seek comment on this tentative determination. The Bureau also seeks comment on steps that should be taken to replace the Lead Administrator. Should a replacement Lead Administrator be chosen by the Bureau from among the remaining accredited and recognized CLAs based on the same criteria and procedures used to select the original Lead Administrator? Should the Commission open a new filing window for CLAs seeking to be Lead Administrator? What other procedures, if any, should the Commission adopt to ensure the efficient replacement of a Lead Administrator? Should the Bureau set a term for the Lead Administrator and at the end of this term open the position up to new applications? If yes, what term is appropriate? Commenters may provide any other additional information that is pertinent to this inquiry.

G. Recognition of CyberLABs by Lead Administrator Located Outside the United States

15. The IoT Labeling Order provides that CyberLABs may be located outside the United States provided they are accredited to ISO/IEC 17025 and the FCC’s program scope and delegates authority to the Bureau to adopt any additional criteria or procedures necessary with respect to their use. We seek comment on whether there are additional procedures or criteria that should be considered when the Lead Administrator recognizes labs located outside the United States. Are there existing international frameworks in other areas that might provide an appropriate model to allow for recognition of a lab located outside of the United States?

H. Complaints

16. The Commission is the ultimate arbiter of complaints submitted, whether directly to the Commission, CLAs, the Lead Administrator, CyberLABs, or any other third-party entity, alleging improper, nonconforming, and/or unauthorized use of the U.S. Cyber Trust Mark. The Commission will actively and diligently enforce the IoT Labeling Program’s requirements to maintain the integrity of the FCC IoT Label, the U.S. Cyber Trust Mark, and the program. The IoT Labeling Order emphasized that deceptive or misleading use of the FCC IoT Label or U.S. Cyber Trust Mark is prohibited, and set out a 20-day cure period for grantees to investigate complaints of non-compliance and report the results to the Bureau. The IoT Labeling Order also determined that the Commission and CLAs will receive complaints of noncompliant displays of the Cyber Trust Mark and delegated authority to the Bureau, in coordination with the Consumer and Governmental Affairs Bureau, to determine the process for receiving and responding to complaints.
The Lead Administrator will receive complaints about the registry and coordinate with manufacturers to resolve any associated technical problems, and the Lead Administrator is also responsible for interfacing with the Commission on behalf of CLAs, including as it relates to complaints. We seek comment on the specific processes for receiving and responding to complaints associated with the IoT Labeling Program. Should entities file complaints with the Bureau, in addition to submitting them directly to a CLA, including the Lead Administrator? If complaints are filed with the Commission, should complaints associated with grantees that applied for authorization to use the FCC IoT Label be initially referred to the CLA that reviewed the original application for investigation and a determination of whether the application was approved or denied? Should these processes be different if the complaint involves a CyberLAB located outside of the United States? If so, what is the legal basis for these differences? In situations where there is no associated CLA, such as when a product displays the mark without permission, we believe that complaints of fraudulent or deceptive use of the Cyber Trust Mark by those entities that never applied for authorization (i.e., where there is no applicable CLA) should be filed directly with the Commission. We seek comment on this belief. The Commission determined in the IoT Labeling Order that a grant of authorization to use the FCC IoT Label is automatically terminated upon notice by the Bureau following submission of a complaint of non-compliance, if that non-compliance has not been adequately corrected or addressed in a report describing actions taken to correct the deficiencies within 20 days. We seek comment on what requirements should follow from such a termination of authority. 
Should the Commission adopt disqualification procedures similar to ENERGY STAR’s, which include ceasing shipments of units displaying the label, ceasing the labeling of associated units, removing references to the label from marketing materials, covering or removing labels on noncompliant units within the brand owner’s control, and conducting retail store level assessments to identify mislabeled products?

I. Confidentiality and Security Requirements

17. The Bureau anticipates that the manufacturer applications submitted to CLAs will contain commercially sensitive and proprietary information that the manufacturers customarily treat as confidential, including, but not limited to, test reports. The Bureau proposes that these applications should be treated as presumptively confidential and CLAs should be required to maintain this confidentiality. The Bureau seeks comment on this tentative determination. We also seek comment on whether CLA applications submitted to the Commission will likewise contain commercially sensitive and proprietary information that is routinely treated as confidential and thus should be treated as presumptively confidential.[12] Are certain aspects of either of these applications not appropriately treated as presumptively confidential? Are there public interest and/or transparency reasons to make CLA applications and/or Lead Administrator applications publicly available? Should only those CLA applications that are approved be publicly available, while CLA applications that are denied be kept confidential?

18.
Information submitted by manufacturers to CLAs, the Lead Administrator, or CyberLABs, in the course of seeking authority to use the FCC IoT Label, including but not limited to applications and test reports, and information submitted to the Lead Administrator by a lab seeking recognition as a CyberLAB (i.e., authorized to conduct conformance testing under the Commission’s IoT Labeling Program) are not agency records of the Commission. Only information submitted to the Commission, such as submissions in furtherance of applications by entities seeking authority from the Commission to be a CLA and/or Lead Administrator, are records of the Commission.

[12] The Bureau has an obligation to publish data maintained by the Commission that would be subject to disclosure under the Freedom of Information Act (FOIA).

19. The Federal Information Security Modernization Act of 2014 (FISMA) requires, among other things, that each Federal agency provide protections commensurate with the risk and magnitude of the harm resulting from the unauthorized access, use, disclosure, disruption, modification, or destruction of “information collected or maintained by or on behalf of the agency” and “information systems used or operated by an agency or by a contractor of an agency or other organization on behalf of an agency.” We tentatively conclude that these requirements attach to the Lead Administrator and CLAs, who both collect and maintain information and operate information systems on behalf of the FCC. We seek comment on this tentative conclusion.
We note that in the IoT Labeling Order, the Commission described that each entity seeking authority to act as a CLA should demonstrate expertise in, among other things, “[f]ederal law and guidance governing the security and privacy of agency information systems,” which we believe encompasses FISMA and related guidance from the Office of Management and Budget and publications from the National Institute of Standards and Technology (NIST). If these requirements are applicable to the Lead Administrator and CLAs, would they incur additional costs, and if so, what are they? What benefits would attach to FISMA compliance with respect to the confidentiality, integrity, and availability of information and information systems if FISMA and related requirements are applicable to the Lead Administrator and CLAs? Are there additional security requirements the Commission should require of the databases that are used in support of the IoT Labeling Program?

J. Registry

20. The Commission determined in the IoT Labeling Order that the FCC IoT Label must include the Cyber Trust Mark and a QR Code that links to a dynamic, decentralized, publicly available registry containing information supplied by entities authorized to use the FCC IoT Label (e.g., manufacturers) through a common Application Programming Interface (API).[13]

[13] The goal of the registry is to assist the public in understanding security-related information about the products that bear the Cyber Trust Mark.

The Commission agreed that it should use a third-party to host and manage the registry due to the resources required to establish the registry; determined that the Lead Administrator is in the best position to interface with manufacturers to ensure the smooth operation of the registry; and directed the Lead Administrator to receive and address any technical issues that arise in connection with the registry’s API
and displaying information from the registry to the consumer when they present the QR Code. Further, as detailed below, the IoT Labeling Order envisioned a registry that supports different presentation options.

21. We seek comment on what, if any, registry disclosure fields, in addition to those already required by the IoT Labeling Order, would be beneficial to consumers.[14] Should manufacturers be required to list the sensors contained in the complying product, such as cameras, microphones, and location tracking devices? Should manufacturers be required to disclose what data is collected by those sensors, and whether that data is shared with third parties?[15] The Commission also recognizes some products/product classes may benefit from additional data elements being disclosed in the registry. For example, the Commission observed that “the information contained in the registry for a particular IoT product or product class may also depend on the standards and testing procedures adopted for each particular IoT product.” The Commission also recognized “that some of the information recommended by NIST in its consumer education recommendations . . . may be valuable for consumers to see in the registry.” Other possible candidates for inclusion identified in the IoT Labeling Order included, “manufacturer’s access control protections (e.g., information about passwords, multi-factor authentication), whether or not the data is encrypted while in motion and at rest (including in the home, app, and cloud), patch policies, and security or privacy information.” Are there particular registry data elements that would support the product’s security features for those using assistive technologies?
Are there additional registry disclosure fields that are necessary for specific products/product classes, based on those or other considerations, and, if so, what should they be?

[14] The Commission delegated authority to the Bureau to seek comment on the need for additional data fields beyond the baseline of necessary information that must be displayed for an IoT product in the registry, which includes: disclosure of product name, manufacturer name, date of authorization, contact information for the CLA and CyberLAB, instructions on how to change the default password, information on how to configure the device securely, information as to whether software updates are automatic and how to access updates if not, the minimum support period, and whether the manufacturer maintains a Hardware Bill of Materials (HBOM) and/or a Software Bill of Materials (SBOM).

[15] Regarding whether to disclose whether data is shared with third parties, commenters should consider security/privacy issues, whether the data should be replicated in multiple repositories (by the relevant CLA(s) or vendors, for example), and whether it should be publicly accessible via a single query point.

22. The Commission also delegated authority to the Bureau to establish the structure of the registry; and identify the common API and how the API should be structured and used. To this end, we seek comment generally on the structure, format, and maintenance of the registry, and how the queried registry data will be displayed to the consumer. The Bureau believes that the manufacturer would be responsible for their own product data and keeping the data current. We also believe that the data would be hosted by the manufacturers or in partnership with their selected third party and made available through the common API that is secure by design, and we seek comment on these tentative determinations.
How should the API access be best secured to ensure its integrity and availability? What controls (e.g., rate limits for use of the API) should be required or allowed, and where would those controls best be implemented? How should manufacturers maintain and implement interactions with their product’s data in connection with the API? Should manufacturers be responsible for maintaining and implementing the API in connection with its interactions with the registry data, and if so, how? How should the Commission reduce burdens on manufacturers in supporting the decentralized registry? We seek comment on how often the registry data should be updated and on how costs involved in maintaining the registry should be handled. We invite commenters to provide any other technical information to be considered in establishing the registry.

23. The Bureau seeks comment on its tentative determination that at least three different registry display options may be supported:

• Product specific data hosted by the manufacturer or their selected third party;
• Vendor data provided for presentation by a commercial retailer; and
• Aggregated data provided for presentation of multiple products.

Are these presentation options consistent with the goals of the IoT Labeling Order that the registry should enable the display to the consumer of required information about individual products, while providing the flexibility to support the envisioned use cases? Are there other presentation options that we should consider for the display or consumption of registry information in determining the structure and technical details involved with the operation of the registry? Should the registry meet certain performance metrics so that poor user experience does not discourage use?
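The registry model discussed in paragraphs 22 and 23, as an added illustration that is not part of this document and not the Bureau's or any CLA's code: a small Python sketch of the decentralized registry, in which a manufacturer-hosted record is checked against the baseline disclosure fields, a QR Code link is resolved through the common API under a per-client rate limit, and the aggregated landing-page view is built from several manufacturer hosts. The key names, the URL layout, the hostnames and all product data are constructed assumptions.

```python
"""Toy model of the decentralized registry behind the FCC IoT Label QR Code.
Added example, not the Bureau's or any CLA's code.  Key names, the QR URL
layout, hostnames and all product data are constructed assumptions."""
import time
from urllib.parse import urlparse, parse_qs

# Baseline disclosure fields required by the IoT Labeling Order (footnote 14),
# under constructed JSON key names.
REQUIRED_FIELDS = (
    "product_name", "manufacturer_name", "date_of_authorization",
    "cla_contact", "cyberlab_contact", "default_password_instructions",
    "secure_configuration_info", "automatic_updates", "update_access_info",
    "minimum_support_period", "hbom_maintained", "sbom_maintained",
)

class RegistryError(Exception):
    pass

def validate_record(record: dict) -> list:
    """Return the baseline fields that are absent or empty in a record."""
    return [f for f in REQUIRED_FIELDS if record.get(f) in (None, "")]

class RateLimiter:
    """Fixed-window per-client limiter, one of the API controls the text asks about."""
    def __init__(self, limit: int, window_s: float, clock=time.monotonic):
        self.limit, self.window_s, self.clock = limit, window_s, clock
        self._hits = {}  # client id -> (window start, request count)

    def allow(self, client: str) -> bool:
        now = self.clock()
        start, count = self._hits.get(client, (now, 0))
        if now - start >= self.window_s:      # window expired: start a new one
            start, count = now, 0
        self._hits[client] = (start, count + 1)
        return count < self.limit

def constructed_record(**overrides) -> dict:
    """Build a complete sample record, then apply overrides (constructed data)."""
    rec = {
        "product_name": "Doorbell Camera 100", "manufacturer_name": "ExampleCam",
        "date_of_authorization": "2024-09-01", "cla_contact": "cla@example.invalid",
        "cyberlab_contact": "lab@example.invalid",
        "default_password_instructions": "Change it on first login in the app",
        "secure_configuration_info": "Enable MFA; disable remote viewing",
        "automatic_updates": True, "update_access_info": "Settings > Update",
        "minimum_support_period": "2028-09-01",
        "hbom_maintained": False, "sbom_maintained": True,
    }
    rec.update(overrides)
    return rec

# Stand-in for manufacturer-hosted API endpoints: host -> product id -> record.
# A real consumer app would fetch these over HTTPS through the common API.
MANUFACTURER_HOSTS = {
    "registry.example-cam.invalid": {"CAM-100": constructed_record()},
    "registry.example-plug.invalid": {
        # Deliberately incomplete: the manufacturer left two fields empty.
        "PLUG-7": constructed_record(product_name="Smart Plug 7",
                                     manufacturer_name="ExamplePlug",
                                     automatic_updates=False,
                                     update_access_info="",
                                     minimum_support_period=""),
    },
}

def fetch_record(host: str, product_id: str) -> dict:
    """Simulated common-API lookup against one manufacturer host."""
    try:
        return MANUFACTURER_HOSTS[host][product_id]
    except KeyError:
        raise RegistryError(f"no record for {product_id} at {host}") from None

def resolve_qr(qr_url: str, limiter: RateLimiter, client: str) -> dict:
    """Product-specific view: resolve a QR Code URL to a validated record.
    URL layout https://<manufacturer host>/label?id=<product id> is assumed."""
    if not limiter.allow(client):
        raise RegistryError("rate limit exceeded")
    url = urlparse(qr_url)
    if url.scheme != "https" or not url.hostname:
        raise RegistryError("registry links must be absolute https URLs")
    ids = parse_qs(url.query).get("id", [])
    if len(ids) != 1:
        raise RegistryError("QR URL must carry exactly one product id")
    record = fetch_record(url.hostname, ids[0])
    missing = validate_record(record)
    if missing:
        raise RegistryError("record incomplete: " + ", ".join(missing))
    return record

def aggregate_view(hosts=MANUFACTURER_HOSTS) -> list:
    """Landing-page view: every product from every host, with any gaps in the
    baseline fields flagged rather than silently dropped."""
    return [{"host": host, "id": pid, "product": rec.get("product_name"),
             "missing": validate_record(rec)}
            for host, products in sorted(hosts.items())
            for pid, rec in sorted(products.items())]
```

The incomplete "PLUG-7" record shows why the consumer-facing view should surface missing baseline fields rather than render a partial page as if it were complete.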
Who is in the best position to manage access to the distributed registry as well as access to the API and the level of access available?

24. The Bureau seeks comment on its tentative determination that there should be a specific aggregated data “landing page”[16] for the registry, which should be a “.gov” domain to bring the consumer additional trust and validity to the IoT Labeling Program. The Bureau also seeks comment on the party that should be responsible for hosting this landing page. Is the Lead Administrator in the best position to host the landing page? What additional costs are involved with this responsibility? What security procedures must be adopted by that third party? Should the landing page meet certain performance metrics so that poor user experience does not discourage use? Are there additional security or privacy requirements arising from Federal law that are applicable to the registry? Should the registry operator(s), as appropriate, be required to implement adequate security, privacy, and availability controls to meet FISMA low/moderate standards, or a commercial equivalent?

Procedural Matters

25. Regulatory Flexibility Act. The Regulatory Flexibility Act of 1980, as amended (RFA), requires that an agency prepare a regulatory flexibility analysis for notice and comment rulemakings, unless the agency certifies that “the rule will not, if promulgated, have a significant economic impact on a substantial number of small entities.” Accordingly, we have prepared a Supplemental Regulatory Flexibility Analysis (Supplemental IRFA) concerning the possible impact of the rulemaking and policy changes contained in this document. The Supplemental IRFA concerning the possible impact of the rulemaking and policy changes contained in this document can be found as Exhibit A of the Public Safety and Homeland Security Bureau’s Public Notice, DA 24–617, released June 27, 2024, at this link: https://docs.fcc.gov/public/attachments/DA-24-617A1.pdf.
Written public comments are requested on the Supplemental IRFA. Comments must have a separate and distinct heading designating them as responses to the Supplemental IRFA and must be filed by the deadlines for comments on the first page of this document.

[16] The “landing page” is envisioned to be a web page/site that provides search capabilities to aggregate data pulled from the distributed registry and presents data for individual products or multiple products in a common format as prescribed by the IoT Labeling Order.

26. Supplemental Regulatory Flexibility Analysis. As required by the Regulatory Flexibility Act of 1980, as amended (RFA), the Bureau has prepared this Supplemental Initial Regulatory Flexibility Analysis (Supplemental IRFA) of the possible significant economic impact on small entities of the policies and rules discussed in the document to supplement the Commission’s Initial and Final Regulatory Flexibility Analyses completed in the IoT Labeling NPRM released in August 2023, and the IoT Labeling Order released in March 2024. Written public comments are requested on this Supplemental IRFA. Comments must be identified as responses to the Supplemental IRFA and must be filed by the same deadline for comments specified in the DATES section of this document. The Bureau will send a copy of the document, including this Supplemental IRFA, to the Chief Counsel for Advocacy of the Small Business Administration (SBA). In addition, the document and Supplemental IRFA (or summaries thereof) will be published in the Federal Register.

27. Need for, and Objectives of, the Proposed Rules. The IoT Labeling Order adopted a voluntary cybersecurity labeling program for consumer Internet of Things (IoT) products that will provide consumers with an easy-to-understand indicator of a product’s relative cybersecurity and improve consumer confidence and understanding of IoT product cybersecurity.
The IoT Labeling Program will authorize qualifying IoT products to display the FCC IoT Label, which includes the U.S. Cyber Trust Mark and a QR Code that links to a registry with product-specific consumer-friendly information. The program will adopt standards and testing procedures based on the National Institute of Standards and Technology (NIST) Core Baseline for Consumer IoT Products, and it will be supported by Cybersecurity Label Administrators (CLAs) and recognized Cybersecurity Testing Laboratories (CyberLABs). A Lead Administrator will be chosen by the Commission from among the CLAs and will be responsible for collaborating with stakeholders to make recommendations including technical cybersecurity standards and testing procedures with which IoT products must comply to be authorized to use the FCC IoT Label, the label design, and a consumer education campaign, to be reviewed by the Commission.

28. In the IoT Labeling Order, the Commission delegated authority to the Public Safety and Homeland Security Bureau (Bureau) to seek comment on certain additional items to further the efficient and timely rollout of the program. This document seeks comment on a number of those items, including the format of CLA and Lead Administrator applications; filing fees for CLA applications; criteria for selecting CLAs and the Lead Administrator; CLA sharing of Lead Administrator expenses; extensions of time to become accredited; Lead Administrator neutrality; complaint processes; and the IoT registry. The proposals considered in this document will contribute to the voluntary IoT Labeling Program and further the Commission’s objective to provide better information to consumers about the cybersecurity of the IoT products they use, and bolster the cybersecurity of the nationwide IoT ecosystem.

29. Legal Basis.
The proposed action is authorized pursuant to sections 1, 2, 4(i), 4(n), 302, 303(r), 312, 333, and 503, of the Communications Act of 1934, as amended.

30. Description and Estimate of the Number of Small Entities to Which the Proposed Rules Will Apply. The RFA directs agencies to provide a description and, where feasible, an estimate of the number of small entities that may be affected by the proposed rules and policies, if adopted. The RFA generally defines the term “small entity” as having the same meaning as the terms “small business,” “small organization,” and “small governmental jurisdiction.” In addition, the term “small business” has the same meaning as the term “small business concern” under the Small Business Act.[17] A “small business concern” is one which: (1) is independently owned and operated; (2) is not dominant in its field of operation; and (3) satisfies any additional criteria established by the SBA.

31. As noted above, Regulatory Flexibility Analyses were incorporated into the IoT Labeling NPRM and the IoT Labeling Order. In those analyses, the Commission described in detail the small entities that might be significantly affected. Accordingly, in this document, for the Supplemental IRFA, we incorporate by reference the descriptions and estimates of the number of small entities from the previous Regulatory Flexibility Analyses in the IoT Labeling NPRM and the IoT Labeling Order.

[17] Pursuant to 5 U.S.C. 601(3), the statutory definition of a small business applies “unless an agency, after consultation with the Office of Advocacy of the Small Business Administration and after opportunity for public comment, establishes one or more definitions of such term which are appropriate to the activities of the agency and publishes such definition(s) in the Federal Register.”

32.
Description of Projected Reporting, Recordkeeping, and Other Compliance Requirements for Small Entities. The IoT Labeling Program will be voluntary, so small entities who do not participate in the program will not be subject to any new or modified reporting, recordkeeping, or other compliance obligations. Small entities that choose to participate in the program will incur recordkeeping, reporting, and other compliance obligations necessary to test their IoT products to demonstrate compliance with the program requirements. Small entities that choose to participate by applying to be a CLA or CyberLAB will also incur recordkeeping, reporting, and other compliance obligations. We note that obligations for small entities and other applicants were detailed and adopted by the Commission in the IoT Labeling Order. The proposals and discussions in this document seek comment on additional details to the program, including application, selection, and replacement for CLAs and the Lead Administrator as needed, the complaints process, and the registry.

33. Small entities will need to keep the records necessary to demonstrate initial and continued compliance with program requirements, as an IoT product manufacturer or a CLA, including test reports, records related to potential complaint investigations, and data disclosures for the registry, among others. More specifically, small and other grantees of authority to use the FCC IoT Label may also be subject to additional reporting, recordkeeping, and/or other compliance requirements related to the IoT registry in light of our inquiry and request for comments in the document on (1) what, if any, additional registry disclosure fields would benefit consumers, and (2) whether to require manufacturers to list the sensors contained in a complying product, identify what data is collected by those sensors, and disclose whether that data is shared with third parties.

34.
The document calculates and proposes that small and other CLA and Lead Administrator applicants be subject to an application filing fee of $1,520 for CLA Applicants and an additional $770 for CLA applicants that apply to be a Lead Administrator, to cover the Commission’s costs of processing these applications. With regard to other costs that could result from this proceeding, at this time the record does not include sufficient cost information to allow the Bureau to quantify the costs of compliance for small entities, including whether it will be necessary for small entities to hire professionals to comply with the proposals and other matters upon which we seek comment, if adopted. To help the Bureau more fully evaluate the cost of compliance for small entities should its proposals be adopted, in this document, we request comments on the implications of our proposals and whether there are more efficient and less burdensome alternatives (including cost estimates) for the Bureau to consider. We expect the information we receive in comments to help the Bureau identify and evaluate relevant matters for small entities, including compliance costs and other burdens that may result from the proposals and inquiries we make in the document.

35. Steps Taken to Minimize the Significant Economic Impact on Small Entities, and Significant Alternatives Considered.
The RFA requires an agency to describe any significant alternatives, specifically for small businesses, that it has considered in reaching its proposed approach, which may include the following four alternatives (among others): “(1) the establishment of differing compliance or reporting requirements or timetables that take into account the resources available to small entities; (2) the clarification, consolidation, or simplification of compliance and reporting requirements under the rule for such small entities; (3) the use of performance rather than design standards; and (4) an exemption from coverage of the rule, or any part thereof, for such small entities.”

36. For the IoT Labeling Program to be meaningful to consumers, the requirements for an IoT product to be granted authority to use the FCC IoT Label must be uniform for small businesses and other entities. The Bureau maintains the view expressed in the IoT Labeling Order that the significance of mark integrity, and building confidence among consumers that devices and products bearing the FCC IoT Label can be trusted to be cyber secure, necessitates adherence by all entities participating in the program to the same rules, regardless of size.

37. In the document, steps taken by the Bureau which should minimize the economic impact for small entities include our decision not to assess fees for administrative updates, minor changes or updates to a CLA application, or for entities seeking to withdraw as a CLA. The Bureau sought comment on the format of CLA and Lead Administrator applications, as well as the fees associated with those applications, and additional areas of expertise or specific requirements a CLA applicant should be required to demonstrate.
We also considered and sought comment on other aspects of the Lead Administrator’s roles and responsibilities, including the most effective mechanism for CLAs to share in funding the Lead Administrator’s expenses, safeguards the Bureau might adopt to ensure Lead Administrator neutrality, and steps to replace the Lead Administrator as needed. Following our conclusion that CLA and Lead Administrator applications are not covered by any existing Commission fee categories and therefore new categories should be established, we alternatively inquired and sought comment on whether CLA and Lead Administrator applications fall within any existing Commission fee category and, if so, which one. Additionally, the Bureau considered whether there are additional procedures or criteria that should be considered when recognizing CyberLABs located outside the United States. As stated in the IoT Labeling Order, declining to require CyberLABs to be physically located in the U.S. provides more testing lab options for small and other entities. In comments, small entities can identify other requirements or criteria that could minimize the economic impact as IoT product manufacturers submitting applications to a CLA or CyberLAB, or as a prospective CLA or CyberLAB themselves.

38. The Bureau also sought comment on the process for receiving and responding to complaints associated with the program, as well as what requirements should follow from a termination of authority to use the FCC IoT Label due to noncompliance. We asked whether complaints associated with grantees that applied for authorization to use the FCC IoT Label should be initially referred back to the CLA that reviewed the original application. We believe this would be less costly to small entities than going through a separate entity for investigation of complaints.
Small entities can also address in comments whether the termination requirements presented would create significant economic impacts and identify alternatives that may reduce those costs.

39. Additionally, the Bureau considered and sought comment in the document on details related to the publicly accessible IoT registry, including additional data disclosure fields, structure and format of the registry, and the Bureau’s determination that the registry landing page should be a “.gov” domain. We considered and asked what additional fields would be beneficial to consumers, such as information related to sensors contained in the product and elements that would support users of assistive technologies. We also considered and asked how the common application programming interface (API) that makes manufacturer data available to consumers should be funded and what responsibilities manufacturers should have for maintaining and implementing it. Small entities can specify in comments whether additional aspects of the registry would create significant economic impacts and identify alternatives that may reduce those costs. Regarding the landing page, we asked what additional costs would be associated with hosting such a page. While small entities choosing to participate in the program would have to make required registry data available through the common API, allowing grantees to report information through the API alleviates the need for additional notification requirements which would increase costs for small entities.

40. The Bureau also proposed in the document that manufacturer applications submitted to CLAs, including but not limited to test reports, are presumptively confidential, which should benefit small manufacturers, and sought comment on this approach.
We tentatively concluded the Lead Administrator and CLAs are required to comply with the Federal Information Security Management Act of 2002 (FISMA),[18] and we sought comment on whether there are additional costs associated with such compliance. In comments, small entities can identify which of these proposals raised in this document are particularly difficult or costly for them and how different, simplified, or consolidated requirements would address those burdens. They can also propose any modifications to the proposals that would minimize their anticipated economic impact. The Bureau expects to consider more fully the economic impact on small entities following its review of any comments filed in response to the document, including any costs and benefits information we receive. The Bureau’s evaluation of the comments filed in this proceeding will shape the final alternatives we consider, the final conclusions we reach, and any final actions we ultimately take in this proceeding to minimize any significant economic impact that may occur on small entities.

41. Federal Rules that May Duplicate, Overlap, or Conflict with the Proposed Rules. None.

Ordering Clauses

42. Accordingly, it is ordered, pursuant to sections 1, 2, 4(i), 4(n), 302, 303(r), 312, 333, and 503, of the Communications Act of 1934, as amended, that this document is hereby adopted.

43. It is further ordered that the Commission’s Office of the Secretary shall send a copy of this document, including the Supplemental Initial Regulatory Flexibility Analysis, to the Chief Counsel for Advocacy of the Small Business Administration.

APPLICATION FOR CYBERSECURITY LABELING ADMINISTRATOR AND LEAD ADMINISTRATOR

CYBERSECURITY LABEL ADMINISTRATOR (CLA)

1. Applicant Name; Address; Point of Contact (Name, Title, Street, City, Zip, Email, Phone Number).
2. Describe Applicant’s organization structure and how this structure supports the Commission’s CLA requirements.
3.
Describe the processes Applicant will use to review applications seeking authority to use the FCC IoT Label (based on type testing as identified in ISO/IEC 17065).
4. Describe the safeguards Applicant will implement (or already has in place) to avoid personal and organization conflict when processing applications.
5. Describe in detail Applicant’s expertise in all of the following areas:
(a) Cybersecurity expertise and capabilities. Include a description of Applicant’s knowledge of IoT and FCC IoT Labeling requirements.
(b) Expert knowledge of NIST’s cybersecurity guidance, including but not limited to NIST’s recommended criteria and labeling program approaches for cybersecurity labeling of consumer IoT products.
(c) Expert knowledge of FCC rules and procedures associated with product compliance testing and certification.
(d) Knowledge of Federal law and guidance governing the security and privacy of agency information systems.
(e) Explain how Applicant will securely handle large volumes of information and include Applicant’s related internal security practices.
(f) Explain how Applicant will securely handle large volumes of information and include Applicant’s related internal security practices.
(g) Status of accreditation pursuant to all the requirements associated with ISO/IEC 17065 and the FCC scope.

[18] 44 U.S.C. 3541, et seq.
khammond on DSKJM1Z7X2PROD with PROPOSALS (h) Describe the controls Applicant has implemented to eliminate actual or potential conflicts of interests (both personal and organizational), particularly with regard to commercially sensitive information, to include but not limited to, remaining impartial and unbiased and prevent them from giving preferential treatment to certain applications (e.g., application line jumping) and from implementing heightened scrutiny of applications from entities not members or otherwise aligned with the CLA. Check all that apply: 6. Applicant is not owned or controlled by or affiliated 19 with any entity identified on the Commission’s Covered List 7. Applicant is not owned or controlled by or affiliated with any listed sources of prohibition under 47 CFR 8.204 8. Applicant, its affiliate(s), or subsidiary(ies) are not owned or controlled by a foreign adversary country defined by the Department of Commerce in 15 CFR 7.4 9. Applicant is not owned or controlled by or affiliated with any person or entity that has been suspended or debarred form receiving federal procurements or financial awards 10. Applicant is not otherwise prohibited from participating in the IoT Labeling Program 19 For purposes of the Commission’s IoT labeling program an ‘‘affiliate’’ is defined as ‘‘a person that (directly or indirectly) owns or controls, is owned VerDate Sep<11>2014 15:57 Jul 17, 2024 Jkt 262001 or controlled by, or is under common ownership or control with, another person. For purposes of this PO 00000 Frm 00027 Fmt 4702 Sfmt 4702 b b b b b part the term ‘own’ means to own an equity interest (or the equivalent thereof) of more than 10 percent.’’ E:\FR\FM\18JYP1.SGM 18JYP1 58322 Federal Register / Vol. 89, No. 138 / Thursday, July 18, 2024 / Proposed Rules If any of the boxes in this section do not apply to Applicant, attach an exhibit explaining the circumstances and demonstrating why Applicant is qualified to be Lead Administrator. 
LEAD ADMINISTRATOR Applicants seeking the role of Lead Administrator must provide all of the information requested below. (Leave the following information blank if not applying for role of Lead Administrator.) In the following section, provide a detailed description of how Applicant will execute the duties of the Lead Administrator and include all of the following: 1. Describe Applicant’s previous experience in IoT cybersecurity. 2. Describe Applicant’s previous roles, if any, in IoT labeling. 3. Describe Applicant’s capacity to execute the Lead Administrator duties. 4. Describe Applicant’s plan/approach to interfacing with the Commission on the behalf of CLAs. 5. Describe in detail Applicant’s plan for engaging and collaborating with stakeholders (including other CLAs) to identify or develop FCC recommendations as required by 47 CFR 8.221. 6. Describe in detail Applicant’s proposed consumer education campaign. 7. Any additional information Applicant believes demonstrates why they should be on how the applicant’s qualifications align with the role of Lead Administrator. khammond on DSKJM1Z7X2PROD with PROPOSALS Information Current and Complete Information filed with the FCC must be kept current and complete. The Applicant must notify the FCC regarding any substantial and significant changes in the information furnished in the application(s). See 47 CFR 1.65. Certification Statements By signing this applicant, the Applicant certifies that all statements and information provided in this application and in any exhibits or attachments are part of this application and are true, complete, correct, and made in good faith. The Applicant certifies that neither the Applicant nor any other party to the application is subject to a denial of Federal benefits pursuant to section 5301 of the Anti-Drug Abuse Act of 1988, 21 U.S.C. 862, because of a conviction for possession or distribution of a controlled substance. 
This certification does not apply to applications filed in services exempted under § 1.2002(c) of the Commission’s rules, 47 CFR 1.2002(c). See 47 CFR 1.2002(b) for the definition of ‘‘party to the application’’ as used in this certification. The Applicant certifies that it is not in default on any payment for Commission licenses and that it is not delinquent on any non-tax debt owed to any federal agency. The Applicant certifies that the Applicant and all of the related individuals and entities required to be disclosed on this application are not person(s) who have been, for reasons of national security, barred by any agency of the Federal Government from federal procurement. VerDate Sep<11>2014 15:57 Jul 17, 2024 Jkt 262001 PO 00000 Frm 00028 Fmt 4702 Sfmt 4702 E:\FR\FM\18JYP1.SGM 18JYP1 Federal Register / Vol. 89, No. 138 / Thursday, July 18, 2024 / Proposed Rules 58323 Signature Typed or printed name of Party Authorized to Sign First Name: MI: Last Name Suffix Signature Title Date FAILURE TO SIGN THIS APPLICATION MAY RESULT IN DISMISSAL OF THE APPLICATION AND FORFEITURE OF ANY FEES PAID. Federal Communications Commission. David Furth, Deputy Bureau Chief, Public Safety and Homeland Security Bureau. [FR Doc. 2024–15379 Filed 7–17–24; 8:45 am] BILLING CODE 6712–01–P DEPARTMENT OF DEFENSE GENERAL SERVICES ADMINISTRATION NATIONAL AERONAUTICS AND SPACE ADMINISTRATION 48 CFR Parts 22 and 52 [FAR Case 2024–004, Docket No. FAR– 2024–0004, Sequence No. 1] RIN 9000–AO72 Federal Acquisition Regulation: Combating Trafficking in Persons— Definition and Agency Responsibilities Department of Defense (DoD), General Services Administration (GSA), and National Aeronautics and Space Administration (NASA). ACTION: Proposed rule. AGENCY: DoD, GSA, and NASA are proposing to amend the Federal Acquisition Regulation (FAR) to implement statutory updates to a definition and to agency responsibilities associated with combating trafficking in persons in Federal contracts. 
DATES: Interested parties should submit written comments to the Regulatory Secretariat Division at the address shown below on or before September 16, 2024 to be considered in the formation of the final rule. ADDRESSES: Submit comments in response to FAR Case 2024–004 to the Federal eRulemaking portal at https:// www.regulations.gov by searching for ‘‘FAR Case 2024–004’’. Select the link ‘‘Comment Now’’ that corresponds with ‘‘FAR Case 2024–004’’. Follow the instructions provided on the ‘‘Comment Now’’ screen. Please include your name, company name (if any), and ‘‘FAR Case 2024–004’’ on your attached document. If your comment cannot be submitted khammond on DSKJM1Z7X2PROD with PROPOSALS SUMMARY: VerDate Sep<11>2014 15:57 Jul 17, 2024 Jkt 262001 using https://www.regulations.gov, call or email the point of contact in the FOR FURTHER INFORMATION CONTACT section of this document for alternate instructions. Instructions: Please submit comments only and cite ‘‘FAR Case 2024–004’’ in all correspondence related to this case. Comments received generally will be posted without change to https:// www.regulations.gov, including any personal and/or business confidential information provided. Public comments may be submitted as an individual, as an organization, or anonymously (see frequently asked questions at https:// www.regulations.gov/faq). To confirm receipt of your comment(s), please check https://www.regulations.gov, approximately two to three days after submission to verify posting. FOR FURTHER INFORMATION CONTACT: For clarification of content, contact Ms. Jennifer Hawes, Procurement Analyst, at 202–969–7386 or by email at jennifer.hawes@gsa.gov. For information pertaining to status, publication schedules, or alternate instructions for submitting comments if https:// www.regulations.gov cannot be used, contact the Regulatory Secretariat Division at 202–501–4755 or GSARegSec@gsa.gov. Please cite FAR Case 2024–004. SUPPLEMENTARY INFORMATION: I. 
Background DoD, GSA, and NASA are proposing to revise the FAR to implement the following statutory amendments to a definition and to agency responsibilities associated with combating trafficking in persons in Federal contracts: • Section 108 of the Justice for Victims of Trafficking Act of 2015 (Pub. L. 114–22) amended the definition of ‘‘sex trafficking’’ at 22 U.S.C. 7102 to clarify the range of conduct considered sex trafficking. • Section 2 of the End Human Trafficking in Government Contracts Act of 2022 (Pub. L. 117–211) amended 22 U.S.C. 7104b(c)(1) to require that, upon receipt of an Inspector General’s report substantiating an allegation of violations by a contractor or subcontractor, the agency head refer the PO 00000 Frm 00029 Fmt 4702 Sfmt 4702 matter to the agency suspending and debarring official. II. Discussion and Analysis A. Definition DoD, GSA, and NASA are proposing amendments to FAR subpart 22.17, Combating Trafficking in Persons, and the clause at FAR 52.222–50, Combating Trafficking in Persons, to align the definition of ‘‘sex trafficking’’ with the statutory definition of this term at 22 U.S.C. 7102. This proposed rule would clarify the definition of ‘‘sex trafficking’’ at FAR 22.1702 and paragraph (a) of the clause at FAR 52.222–50 to also include ‘‘patronizing’’ or ‘‘soliciting’’ a person for the purpose of a commercial sex act, in accordance with Federal law. 
The term ‘‘sex trafficking’’ is used in the definition of ‘‘severe forms of trafficking in persons’’ in the same FAR section and clause; therefore, the proposed revisions to the definition of ‘‘sex trafficking’’ in the section and clause will affect the definition of ‘‘severe forms of trafficking in persons.’’ The proposed revisions have the effect of clarifying that patronizing or soliciting a person for the purpose of a commercial sex act, where the commercial sex act is induced by force, fraud, or coercion, or in which the person induced to perform such act has not attained 18 years of age, is a ‘‘severe form of trafficking in persons.’’ Conforming changes are also proposed to update the date of FAR clause 52.222–50 where it is referenced in the clauses at FAR 52.212–5, Contract Terms and Conditions Required To Implement Statutes or Executive Orders—Commercial Products and Commercial Services; FAR 52.213–4, Terms and Conditions—Simplified Acquisitions (Other Than Commercial Products and Commercial Services); and FAR 52.244–6, Subcontracts for Commercial Products and Commercial Services. B. Agency Responsibilities DoD, GSA, and NASA are also proposing to update agency responsibilities to align with the statutory requirements at 22 U.S.C. 7104b(c)(1). Currently, FAR E:\FR\FM\18JYP1.SGM 18JYP1

Agencies

[Federal Register Volume 89, Number 138 (Thursday, July 18, 2024)]
[Proposed Rules]
[Pages 58312-58323]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2024-15379]


=======================================================================
-----------------------------------------------------------------------

FEDERAL COMMUNICATIONS COMMISSION

47 CFR Part 8

[PS Docket No. 23-239; DA 24-617; FR ID 229959]


Public Safety and Homeland Security Bureau Requests Comment on 
Implementation of the Cybersecurity Labeling for Internet of Things 
Program

AGENCY: Federal Communications Commission.

ACTION: Proposed rule.

-----------------------------------------------------------------------

SUMMARY: In this document, the Federal Communications Commission 
(Commission or FCC) seeks comment on additional items to further the 
efficient and timely rollout of the IoT Labeling program. These items 
include the format of Cybersecurity Label Administrator (CLA) and Lead 
Administrator applications; filing fees for CLA applications; criteria 
for selecting CLAs and the Lead Administrator; CLA sharing of Lead 
Administrator expenses; Lead Administrator neutrality; processes for 
withdrawal of CLA and Lead Administrator approvals; recognition of 
CyberLABs outside the United States; complaint processes; 
confidentiality and security requirements; and the IoT registry.

DATES: Comments are due on or before August 19, 2024; reply comments 
are due on or before September 3, 2024. Comments on section II.B are 
due on or before August 19, 2024.

ADDRESSES: Pursuant to Sec. Sec.  1.415 and 1.419 of the Commission's 
rules, 47 CFR 1.415, 1.419, interested parties may file comments and 
reply comments on or before the dates indicated on the first page of 
this document. Comments may be filed using the Commission's Electronic 
Comment Filing System (ECFS). You may submit comments, identified by PS 
Docket No. 23-239, by any of the following methods:
     Electronic Filers: Comments may be filed electronically 
using the internet by accessing the ECFS: https://www.fcc.gov/ecfs/.
     Paper Filers: Parties who choose to file by paper must 
file an original and one copy of each filing.
     Filings can be sent by hand or messenger delivery, by 
commercial courier, or by the U.S. Postal Service. All filings must be 
addressed to the Secretary, Federal Communications Commission.
     Hand-delivered or messenger-delivered paper filings for 
the Commission's Secretary are accepted between 8:00 a.m. and 4:00 p.m. 
by the FCC's mailing contractor at 9050 Junction Drive, Annapolis 
Junction, MD 20701. All hand deliveries must be held together with 
rubber bands or fasteners. Any envelopes and boxes must be disposed of 
before entering the building.
     Commercial courier deliveries (any deliveries not by the 
U.S. Postal Service) must be sent to 9050 Junction Drive, Annapolis 
Junction, MD 20701. Filings sent by U.S. Postal Service First-Class 
Mail, Priority Mail, and Priority Mail Express must be sent to 45 L 
Street NE, Washington, DC 20554.
     People with Disabilities: To request materials in 
accessible formats for people with disabilities (braille, large print, 
electronic files, audio format), send an email to [email protected] or 
call the Consumer & Governmental Affairs Bureau at 202-418-0530.

FOR FURTHER INFORMATION CONTACT: Tara B. Shostek, Cybersecurity and 
Communications Reliability Division, Public Safety and Homeland 
Security Bureau, (202) 418-8130, or by email to [email protected]. 
For additional information concerning the Paperwork Reduction Act 
information collection requirements contained in this document, contact 
Nicole Ongele, Office of Managing Director, Performance and Program 
Management, 202-418-2991, or by email to [email protected].

SUPPLEMENTARY INFORMATION: This is a summary of the Commission's 
document in PS Docket No. 23-239, DA 24-617; released on June 27, 2024. 
The full text of this document is available at https://docs.fcc.gov/public/attachments/DA-24-617A1.pdf.
    Paperwork Reduction Act. The document may contain new or modified 
information collection(s) subject to the Paperwork Reduction Act of 
1995. All such new or modified information collection requirements will 
be submitted to OMB for review under section 3507(d) of the PRA. OMB, 
the general public, and other Federal agencies are invited to comment 
on any new or modified information collection requirements contained in 
this proceeding. In addition, pursuant to the Small Business Paperwork 
Relief Act of 2002, we seek specific comment on how we might ``further 
reduce the information collection burden for small business concerns 
with fewer than 25 employees.''
    Providing Accountability Through Transparency Act. Consistent with 
the Providing Accountability Through Transparency Act, Public Law 118-
9, a summary of this document will be available on https://www.fcc.gov/proposed-rulemakings.

[[Page 58313]]

    Ex Parte Rules--Permit but Disclose. This proceeding shall be 
treated as a ``permit-but-disclose'' proceeding in accordance with the 
Commission's ex parte rules. Persons making ex parte presentations must 
file a copy of any written presentation or a memorandum summarizing any 
oral presentation within two business days after the presentation 
(unless a different deadline applicable to the Sunshine period 
applies). Persons making oral ex parte presentations are reminded that 
memoranda summarizing the presentation must (1) list all persons 
attending or otherwise participating in the meeting at which the ex 
parte presentation was made, and (2) summarize all data presented and 
arguments made during the presentation. If the presentation consisted 
in whole or in part of the presentation of data or arguments already 
reflected in the presenter's written comments, memoranda or other 
filings in the proceeding, the presenter may provide citations to such 
data or arguments in his or her prior comments, memoranda, or other 
filings (specifying the relevant page and/or paragraph numbers where 
such data or arguments can be found) in lieu of summarizing them in the 
memorandum. Documents shown or given to Commission staff during ex 
parte meetings are deemed to be written ex parte presentations and must 
be filed consistent with rule 1.1206(b). In proceedings governed by 
rule 1.49(f) or for which the Commission has made available a method of 
electronic filing, written ex parte presentations and memoranda 
summarizing oral ex parte presentations, and all attachments thereto, 
must be filed through the electronic comment filing system available 
for that proceeding, and must be filed in their native format (e.g., 
.doc, .xml, .ppt, searchable .pdf). Participants in this proceeding 
should familiarize themselves with the Commission's ex parte rules.
    Confidential Treatment. Parties wishing to file materials with a 
claim of confidentiality should follow the procedures set forth in 
Sec.  0.459 of the Commission's rules. Casual claims of confidentiality 
are not accepted. Confidential submissions may not be filed via ECFS 
but rather should be filed with the Secretary's Office following the 
procedures set forth in 47 CFR 0.459. Redacted versions of confidential 
submissions may be filed via ECFS. Parties are advised that the FCC 
looks with disfavor on claims of confidentiality for entire documents. 
When a claim of confidentiality is made, a public, redacted version of 
the document should also be filed.
    Digital Equity and Inclusion. The Commission, as part of its 
continuing effort to advance digital equity for all,\1\ including 
people of color, persons with disabilities, persons who live in rural 
or Tribal areas, and others who are or have been historically 
underserved, marginalized, or adversely affected by persistent poverty 
or inequality, invites comment on any equity-related considerations \2\ 
and benefits (if any) that may be associated with the proposals and 
issues discussed herein. Specifically, we seek comment on how our 
proposals may promote or inhibit advances in diversity, equity, 
inclusion, and accessibility, as well as the scope of the Commission's 
relevant legal authority.
---------------------------------------------------------------------------

    \1\ Section 1 of the Communications Act of 1934 as amended 
provides that the FCC ``regulat[es] interstate and foreign commerce 
in communication by wire and radio so as to make [such service] 
available, so far as possible, to all the people of the United 
States, without discrimination on the basis of race, color, 
religion, national origin, or sex.'' 47 U.S.C. 151.
    \2\ The term ``equity'' is used here consistent with Executive 
Order 13985 as the consistent and systematic fair, just, and 
impartial treatment of all individuals, including individuals who 
belong to underserved communities that have been denied such 
treatment, such as Black, Latino, and Indigenous and Native American 
persons, Asian Americans and Pacific Islanders and other persons of 
color; members of religious minorities; lesbian, gay, bisexual, 
transgender, and queer (LGBTQ+) persons; persons with disabilities; 
persons who live in rural areas; and persons otherwise adversely 
affected by persistent poverty or inequality. See Exec. Order No. 
13985, 86 FR 7009, Executive Order on Advancing Racial Equity and 
Support for Underserved Communities Through the Federal Government 
(January 20, 2021).
---------------------------------------------------------------------------

Synopsis

    1. In March 2024, the Federal Communications Commission (FCC or 
Commission) adopted a Report and Order and Further Notice of Proposed 
Rulemaking (IoT Labeling Order) establishing the framework for the 
Commission's voluntary cybersecurity labeling program for consumer 
wireless Internet of Things (IoT) products (IoT Labeling Program). 
Recognizing the additional work that would need to be done to implement 
the framework, the Commission delegated authority to the Public Safety 
and Homeland Security Bureau (PSHSB or Bureau), in coordination with 
the Office of the Managing Director (OMD), to seek comment on certain 
additional items to further the efficient and timely rollout of the 
program. Accordingly, with this document, the PSHSB and OMD request 
comment on: the format of Cybersecurity Label Administrator (CLA) and 
Lead Administrator applications; filing fees for CLA applications; 
criteria for selecting CLAs and the Lead Administrator; CLA sharing of 
Lead Administrator expenses; Lead Administrator neutrality; processes 
for withdrawal of CLA and Lead Administrator approvals; recognition of 
CyberLABs outside the United States; complaint processes; 
confidentiality and security requirements; and the IoT registry.\3\
---------------------------------------------------------------------------

    \3\ We note that this document is not meant to address all 
outstanding implementation issues in connection with the IoT 
Labeling Program; there are additional implementation matters and 
specific delegations of authority from the IoT Labeling Order that 
the Bureau will be addressing in subsequent documents.
---------------------------------------------------------------------------

Discussion

A. Format of CLA and Lead Administrator Applications

    2. The IoT Labeling Order provides that the Commission will accept 
applications for entities seeking to qualify as CLAs and those 
applicants seeking the position of Lead Administrator, but did not 
specify the format these applications should take. The Bureau believes 
that CLA/Lead Administrator applications should be submitted in 
narrative format via email and seeks comment on this tentative 
determination and any alternative methods or formats for submission. 
While the Bureau recognizes the organizational value of a fillable 
form, the information to be submitted by entities seeking to be a CLA/
Lead Administrator seemingly lends itself to a narrative discussion of 
the qualifications and strengths the applicant possesses to support the 
FCC's IoT Labeling Program. The Bureau still could re-evaluate the need 
for a fillable form after it has processed and reviewed the initial 
CLA/Lead Administrator applications and seek comment on a proposed 
format for such a form. We seek comment on these issues.

B. FCC Filing Fees for CLA and Lead Administrator Applications

    3. The IoT Labeling Order directs the Bureau, in conjunction with 
OMD, to adopt procedures and take additional steps, including 
applicable fees (pursuant to any required public notice and comment), 
as necessary to ensure compliance with the Communications Act with 
respect to any rules adopted therein that contemplate the filing of 
applications directly with the Commission.\4\ Section 8 of the 
Communications Act requires the Commission to assess and collect

[[Page 58314]]

application fees to cover the costs of the Commission to process 
applications. Although the Commission has assessed and collected 
application fees pursuant to section 8 of the Communications Act since 
1986,\5\ in 2018, Congress modified section 8 of the Communications Act 
to change the application fee program from a statutory schedule of 
application fees to a requirement that the Commission update and amend 
the existing schedule of application fees by rule to recover the costs 
of the Commission to process applications.\6\ Section 8(c) of the Act 
also requires the Commission to, by rule, amend the application fee 
schedule if the Commission determines that the schedule requires 
amendment to ensure that: (1) such fees reflect increases or decreases 
in the costs of processing applications at the Commission or (2) such 
schedule reflects the consolidation or addition of new categories of 
applications.
---------------------------------------------------------------------------

    \4\ The IoT Labeling Order directs manufacturers to file 
applications directly with CLAs to use the U.S. Cyber Trust Mark 
and, as such, those fees are not contemplated in this inquiry.
    \5\ While the 1986 schedule adopted by Congress was accurate at 
the time adopted because it was based on cost information provided 
by the Commission to Congress, the framework did not allow the fee 
schedule to change as a result of advancements in technology and 
corresponding changes in Commission procedures and rules. Notably, 
the Commission was constrained from adding, removing, or otherwise 
changing the structure or levels of application fees prior to the 
RAY BAUM'S Act, outside of a ministerial biannual order adopting 
without notice and comment changes to fees based on the Consumer 
Price Index.
    \6\ The Repack Airwaves Yielding Better Access for Users of 
Modern Services Act of 2018, or the RAY BAUM'S Act of 2018, amended 
sections 8 and 9 and added section 9A to the Communications Act of 
1934, as amended and provided that such provisions would become 
effective on October 1, 2018. Consolidated Appropriations Act, 2018, 
Public Law 115-141, 132 Stat. 1084, Division P--RAY BAUM'S Act of 
2018, Title I, section 103 (2018). 47 U.S.C. 158. Congress provided, 
however, that application fees in effect prior to the effective date 
of the new section 8 would remain in effect until the Commission 
adjusts or amends such fee. RAY BAUM'S Act of 2018, Title I, section 
103(d) (uncodified provisions entitled ``Transitional Rules'').
---------------------------------------------------------------------------

    4. In the 2020 Application Fee Order, the Commission explained that 
in accordance with the RAY BAUM'S Act, application fees are based on 
the ``costs of the Commission to process applications.'' Specifically, 
the Commission establishes an application fee based on direct labor 
costs of processing a particular application, which are calculated ``by 
multiplying an estimate of the number of hours needed for each task, up 
through first-level supervisory tasks required to process the 
application, by an estimate of the labor cost per hour for the employee 
performing the task and by an estimate of the probability that the task 
needed to be performed.'' In the 2020 Application Fee Order, the 
Commission adopted five functional categories of fees: Wireless 
Licensing Fees, Media Licensing Fees, Equipment Approval Fees, Domestic 
Service Fees, and International Service Fees.
    5. The Bureau seeks comment on whether applications filed with the 
Commission by entities seeking qualification as a CLA or seeking the 
position of Lead Administrator constitute an application under section 
8 of the Act. If so, is there an existing fee category that would cover 
such applications? If there are no existing fee categories that are 
applicable, should new application fee categories, ``Cybersecurity 
Label Administrator'' and ``Lead Administrator,'' be established? We 
seek comment on the legal and factual basis for assessing a fee 
pursuant to section 8 of the Communications Act on these applications.
    6. If we conclude that a filing with the Commission seeking to be a 
CLA or to be the Lead Administrator constitutes an application under 
section 8 of the Act, then we must consider the cost of processing such 
a filing to inform what fee the Commission would charge in connection 
with such a filing. We note that the agency has narrowly construed the 
scope of what constitutes processing for applications subject to fees. 
Applying the Commission's framework for the costs of processing 
applications adopted in the 2020 Application Fee Order, we believe that 
the processing of CLA applications, including the initial conditional 
approval and subsequent review required after the CLA notifies the 
Commission that it has obtained the International Organization for 
Standardization/International Electrotechnical Commission (ISO/IEC) 
17065 accreditation, consists of engineer and engineer supervisory 
review, and attorney and attorney supervisory review.
    7. As detailed below, the Bureau estimates that the time it will 
take to process each CLA application will be 15 hours and the time it 
will take to process each Lead Administrator application will be 8 
hours. We estimate the labor cost per hour for the various 2024 general 
schedule pay grades of the employees that process applications based on 
the current pay table for Washington, DC, at the step 5 level, we 
estimate overhead costs as 20% of the salary level also per that rule, 
and we estimate each employee works 2,087 hours in one year. We also 
round the fee to the nearest $5.00 increment as required by section 8 
as amended. We seek comment on this approach.
    8. The Bureau estimates that each CLA application will require 10 
hours of engineering review at the GS-15 level, 2 hours of engineering 
supervisory review at the GS-15 level; 2 hours of attorney application 
review at the GS-12 level, and 1 hour of attorney supervisory review at 
the GS-15 level. The estimated total labor costs (including 20% 
overhead) for the engineering review (GS-15, step 5) of each CLA 
application is $1,282.20 (12 engineering hours * 106.85 = 1,282.20).\7\ 
The estimated labor costs (including 20% overhead) for the attorney 
application review (GS-12, step 5) for each CLA application is $129.28 
(2 hours * $64.64 = $129.28).\8\ The estimated total labor costs 
(including 20% overhead) for the attorney supervisory review (GS-15, 
step 5) for each CLA application is $106.85 (1 hour * 106.85 = 
106.85).\9\ The total labor costs per CLA application is $1,518.33 
(1,282.20 + 129.28 + 106.85). Based on these hourly rates and the 
estimated time for processing each CLA application, the Bureau proposes 
that the filing fee for a CLA application is $1,520 and we seek comment 
on this proposal.
---------------------------------------------------------------------------

    \7\ The annual pay for a GS-15, step 5 in the Washington-
Baltimore-Arlington, DC-MD-VA-WV-PA Locality Pay area is $185,824. 
Overhead costs are $37,164.80 (20% * 185,824 = 37,164.80). The 
hourly rate of a GS-15, Step 5 including overhead costs based on 
2,087 annual hours is $106.85 (185,824 + 37,164.80 = 222,988.80; 
222,988.80/2,087 hours = 106.85). The Bureau estimates that each CLA 
application will require 12 hours of engineering review at the GS-
15, step 5 level.
    \8\ The annual pay for a GS-12, step 5 in the Washington-
Baltimore-Arlington, DC-MD-VA-WV-PA Locality Pay area is $112,425. 
Overhead costs are $22,485.00 (20% * 112,425 = 22,485). The hourly 
rate of a GS-12, step 5 including overhead costs based on 2,087 
annual hours is $64.64 (112,425 + 22,485 = 134,910; 134,910/2,087 = 
64.64). The Bureau estimates that each CLA application will require 
2 hours of attorney review at the GS-12, step 5 level.
    \9\ The hourly rate of a GS-15, step 5 attorney is the same as 
the hourly rate of a GS-15, step 5 engineer, which is $106.85. The 
Bureau estimates that each CLA application will require 1 hour of 
attorney review at the GS-15, step 5 level.
---------------------------------------------------------------------------

    9. Some entities seeking to qualify as a CLA may include additional 
information in their application seeking the position of Lead 
Administrator, which will similarly require additional engineering and 
engineering supervisory review, and attorney application and attorney 
supervisory review. The Bureau estimates that each Lead Administrator 
application, which occurs after the CLA application has already been 
reviewed, will require 4 hours of engineering review at the GS-15 
level, 1 hour of supervisory engineering review at the GS-15 level, 2 
hours of attorney application review at the GS-12 level, and 1 hour of 
attorney supervisory review at the GS-15 level.

[[Page 58315]]

    10. We propose that applications for Lead Administrator must 
include an additional fee of $770 to cover the FCC's costs of 
processing Lead Administrator applications. The Bureau seeks comment on 
this determination. The Bureau estimates that each Lead Administrator 
application will require 5 hours of engineering application review at 
the GS-15, step 5 level at an hourly rate of $106.85 (5 * 106.85 = 
534.25), 2 hours of attorney application review at the GS-12, step 5 
level at an hourly rate of $64.64 (2 * 64.64 = 129.28) and 1 hour of 
attorney supervisor review at the GS-15, step 5 level at an hourly rate 
of $106.85 (1 * 106.85 = 106.85) for a total of $770.38 (534.25 + 
129.28 + 106.85). The Bureau seeks comment on the estimation of time to 
process the Lead Administrator applications and the proposed fee for 
processing the application. Our proposals for processing fees are based 
on averages. Given that these are new categories of applications, at 
this time, we do not believe we have a factual basis to assess fees for 
administrative updates, minor changes or updates to a CLA application, 
or for entities seeking to withdraw as a CLA. We also do not believe we 
have a factual basis to assess fees for administrative updates, minor 
changes, or updates to a Lead Administrator application, or for an 
entity seeking to withdraw a Lead Administrator. Until we have 
experience with processing these new types of applications, it would be 
difficult to calculate identifiable direct costs beyond those included 
in the calculation of the initial application fee. For both the CLA and 
Lead Administrator applications, we seek comment on whether we have 
included in our estimates the appropriate steps under the Commission's 
2020 Application Fee Order framework to determine processing costs. If 
commenters view our estimates to be over or under inclusive, to the 
extent practicable, commenters should explain their views by including 
reference to any application fees adopted in the 2020 proceeding that 
the commenter considers analogous to the CLA and/or Lead Administrator 
application.

C. Bureau Selection of Cybersecurity Label Administrators and the Lead 
Administrator

    11. The IoT Labeling Order provides that the Bureau will release a 
public notice opening a filing window for the acceptance of CLA 
applications, which will include an option for CLA applicants to 
indicate they also seek the role of Lead Administrator.\10\ The IoT 
Labeling Order specifies the expertise and qualifications each 
applicant for CLA and Lead Administrator must demonstrate and delegates 
to the Bureau the authority to adopt additional criteria and 
administrative procedures necessary to efficiently select one or more 
independent, non-governmental entities to act as CLA(s) and Lead 
Administrator. The Bureau seeks comment on whether there are additional 
areas of expertise or specific requirements a CLA applicant should be 
required to demonstrate in addition to those listed in the Order.\11\ 
The Bureau seeks comment on what additional criteria, if any, the 
Bureau should take into consideration during the Lead Administrator 
selection process. What additional criteria would help us ensure that 
CLA(s) and the Lead Administrator are able to advance the Commission's 
policy objective to raise consumer confidence with regard to the 
cybersecurity of consumer wireless IoT products while strengthening the 
nation's cybersecurity posture? How should the Bureau differentiate 
between Lead Administrator candidates for selection? Should all 
selection criteria be weighted the same? If not, which criteria should 
carry more?
---------------------------------------------------------------------------

    \10\ The Bureau, in coordination with OMD and OGC, will review 
these applications and determine which applications meet the CLA 
requirements and which CLA applicant best meets the requirements of 
Lead Administrator.
    \11\ The IoT Labeling Order contemplates the acceptance of 
applications for CLAs located outside the United States after 
appropriate international agreements or other appropriate 
prerequisites are in place.
---------------------------------------------------------------------------

D. Lead Administrator Expenses Shared Among CLAs

    12. The IoT Labeling Order ``expect[ed]'' that the Lead 
Administrator's expenses ``in performing its duties on behalf of the 
program as a whole'' will be ``shared among CLAs as a whole,'' but does 
not provide a mechanism or details for such sharing. The Bureau seeks 
comment on the most effective mechanism for CLAs to share the Lead 
Administrator's expenses, including whether and how to distinguish 
costs associated with identified Lead Administrator responsibilities, 
potential changes in the Lead Administrator, and the timing of 
reimbursement for such expenses. Commenters should also consider 
whether and how any cost sharing mechanism might change after the 
initial rollout of the program, including any rationale for doing so. 
Alternatively, we seek comment on whether the Lead Administrator is in 
the best position to propose how costs should be shared among CLAs. To 
the extent commenters have estimates of the Lead Administrator's 
expenses, we invite them to share such estimates. In addition, we seek 
comment on the categories of expenses that should be attributable to 
the Lead Administrator's responsibilities under this program. What 
auditing requirements should be required of the Lead Administrator? Are 
there financial controls, or other controls, the Commission has adopted 
in the case of other program administrators that it relies on that 
would be appropriate in this context? We note that the IoT Labeling 
Order does not contemplate other funding sources for the Lead 
Administrator's expenses, beyond sharing ``among CLAs as a whole.''

E. Lead Administrator Neutrality

    13. The Commission recognized the competitive implications of an 
entity being both the Lead Administrator and a CLA and, as such, 
delegated authority to the Bureau to review, seek public comment on, 
and approve/disapprove the Lead Administrator recommendations. We seek 
comment on whether there are safeguards the Bureau might adopt to 
ensure the stakeholder process remains competitively neutral and the 
recommendations the Lead Administrator makes to the Commission (e.g., 
standards and testing criteria and label design) are stakeholder 
consensus-based and competitively neutral. For example, are there 
additional or different safeguards the Commission has adopted in the 
case of other program administrators that it relies on that would be 
appropriate in this context? We seek comment on whether the Bureau 
should adopt additional safeguards to ensure fulsome and broad 
stakeholder engagement in this process. Are there other safeguards the 
Bureau should adopt to ensure the Lead Administrator, who is 
potentially a competitor of other CLAs, does not have an unfair 
economic, or other, competitive advantage?

F. Withdrawal of CLA and Lead Administrator Approval

    14. The IoT Labeling Order provides that the Commission will 
withdraw its approval of a CLA if the CLA's designation or 
accreditation is withdrawn, if there is just cause for withdrawing 
approval, or upon request of the CLA. The Commission will notify a CLA 
in writing of its intention to withdraw or limit the scope of the CLA's 
approval and provide at least 60 days for the CLA to respond. The 
Bureau will announce the withdrawal of


a CLA approval by public notice. The IoT Labeling Order also delegates 
authority to the Bureau to ``manage changes in the Lead 
Administrator.'' We believe the same processes should be applied to the 
withdrawal of the Lead Administrator. We seek comment on this tentative 
determination. The Bureau also seeks comment on steps that should be 
taken to replace the Lead Administrator. Should a replacement Lead 
Administrator be chosen by the Bureau from among the remaining 
accredited and recognized CLAs based on the same criteria and 
procedures used to select the original Lead Administrator? Should the 
Commission open a new filing window for CLAs seeking to be Lead 
Administrator? What other procedures, if any, should the Commission 
adopt to ensure the efficient replacement of a Lead Administrator? 
Should the Bureau set a term for the Lead Administrator and at the end 
of this term open the position up to new applications? If yes, what 
term is appropriate? Commenters may provide any other additional 
information that is pertinent to this inquiry.

G. Recognition by the Lead Administrator of CyberLABs Located Outside 
the United States

    15. The IoT Labeling Order provides that CyberLABs may be located 
outside the United States provided they are accredited to ISO/IEC 17025 
and the FCC's program scope and delegates authority to the Bureau to 
adopt any additional criteria or procedures necessary with respect to 
their use. We seek comment on whether there are additional procedures 
or criteria that should be considered when the Lead Administrator 
recognizes labs located outside the United States. Are there existing 
international frameworks in other areas that might provide an 
appropriate model to allow for recognition of a lab located outside of 
the United States?

H. Complaints

    16. The Commission is the ultimate arbiter of complaints submitted, 
whether directly to the Commission, CLAs, the Lead Administrator, 
CyberLABs, or any other third-party entity, alleging improper, 
nonconforming, and/or unauthorized use of the U.S. Cyber Trust Mark. 
The Commission will actively and diligently enforce the IoT Labeling 
Program's requirements to maintain the integrity of the FCC IoT Label, 
the U.S. Cyber Trust Mark, and the program. The IoT Labeling Order 
emphasized that deceptive or misleading use of the FCC IoT Label or 
U.S. Cyber Trust Mark is prohibited, and set out a 20-day cure period 
for grantees to investigate complaints of non-compliance and report the 
results to the Bureau. The IoT Labeling Order also determined that the 
Commission and CLAs will receive complaints of noncompliant displays of 
the Cyber Trust Mark and delegated authority to the Bureau, in 
coordination with the Consumer and Governmental Affairs Bureau, to 
determine the process for receiving and responding to complaints. The 
Lead Administrator will receive complaints about the registry and 
coordinate with manufacturers to resolve any associated technical 
problems, and the Lead Administrator is also responsible for 
interfacing with the Commission on behalf of CLAs, including as it 
relates to complaints. We seek comment on the specific processes for 
receiving and responding to complaints associated with the IoT Labeling 
Program. Should entities file complaints with the Bureau, in addition 
to submitting them directly to a CLA, including the Lead Administrator? 
If complaints are filed with the Commission, should complaints 
associated with grantees that applied for authorization to use the FCC 
IoT Label be initially referred to the CLA that reviewed the original 
application for investigation and a determination of whether the 
application was approved or denied? Should these processes be different 
if the complaint involves a CyberLAB located outside of the United 
States? If so, what is the legal basis for these differences? In 
situations where there is no associated CLA, such as when a product 
displays the mark without permission, we believe that complaints of 
fraudulent or deceptive use of the Cyber Trust Mark by those entities 
that never applied for authorization (i.e., where there is no 
applicable CLA) should be filed directly with the Commission. We seek 
comment on this belief. The Commission determined in the IoT Labeling 
Order that a grant of authorization to use the FCC IoT Label is 
automatically terminated upon notice by the Bureau following submission 
of a complaint of non-compliance, if that non-compliance has not been 
adequately corrected or addressed in a report describing actions taken 
to correct the deficiencies within 20 days. We seek comment on what 
requirements should follow from such a termination of authority. Should 
the Commission adopt disqualification procedures similar to ENERGY 
STAR's, which include ceasing shipments of units displaying the label, 
ceasing the labeling of associated units, removing references to the 
label from marketing materials, covering or removing labels on 
noncompliant units within the brand owner's control, and conducting 
retail store level assessments to identify mislabeled products?

I. Confidentiality and Security Requirements

    17. The Bureau anticipates that the manufacturer applications 
submitted to CLAs will contain commercially sensitive and proprietary 
information that the manufacturers customarily treat as confidential, 
including, but not limited to, test reports. The Bureau proposes that 
these applications should be treated as presumptively confidential and 
CLAs should be required to maintain this confidentiality. The Bureau 
seeks comment on this tentative determination. We also seek comment on 
whether CLA applications submitted to the Commission will likewise 
contain commercially sensitive and proprietary information that is 
routinely treated as confidential and thus should be treated as 
presumptively confidential.\12\ Are certain aspects of either of these 
applications not appropriately treated as presumptively confidential? 
Are there public interest and/or transparency reasons to make CLA 
applications and/or Lead Administrator applications publicly available? 
Should only those CLA applications that are approved be publicly 
available, while CLA applications that are denied be kept confidential?
---------------------------------------------------------------------------

    \12\ The Bureau has an obligation to publish data maintained by 
the Commission that would be subject to disclosure under the Freedom 
of Information Act (FOIA).
---------------------------------------------------------------------------

    18. Information submitted by manufacturers to CLAs, the Lead 
Administrator, or CyberLABs, in the course of seeking authority to use 
the FCC IoT Label, including but not limited to applications and test 
reports, and information submitted to the Lead Administrator by a lab 
seeking recognition as a CyberLAB (i.e., authorized to conduct 
conformance testing under the Commission's IoT Labeling Program) are 
not agency records of the Commission. Only information submitted to the 
Commission, such as submissions in furtherance of applications by 
entities seeking authority from the Commission to be a CLA and/or Lead 
Administrator, are records of the Commission.
    19. The Federal Information Security Modernization Act of 2014 
(FISMA) requires, among other things, that each Federal agency provide 
protections commensurate with the risk and


magnitude of the harm resulting from the unauthorized access, use, 
disclosure, disruption, modification, or destruction of ``information 
collected or maintained by or on behalf of the agency'' and 
``information systems used or operated by an agency or by a contractor 
of an agency or other organization on behalf of an agency.'' We 
tentatively conclude that these requirements attach to the Lead 
Administrator and CLAs, who both collect and maintain information and 
operate information systems on behalf of the FCC. We seek comment on 
this tentative conclusion. We note that in the IoT Labeling Order, the 
Commission described that each entity seeking authority to act as a CLA 
should demonstrate expertise in, among other things, ``[f]ederal law 
and guidance governing the security and privacy of agency information 
systems,'' which we believe encompasses FISMA and related guidance from 
the Office of Management and Budget and publications from the National 
Institute of Standards and Technology (NIST). If these requirements are 
applicable to the Lead Administrator and CLAs, would they incur 
additional costs, and if so, what are they? What benefits would attach 
to FISMA compliance with respect to the confidentiality, integrity, and 
availability of information and information systems if FISMA and 
related requirements are applicable to the Lead Administrator and CLAs? 
Are there additional security requirements the Commission should 
require of the databases that are used in support of the IoT Labeling 
Program?

J. Registry

    20. The Commission determined in the IoT Labeling Order that the 
FCC IoT Label must include the Cyber Trust Mark and a QR Code that 
links to a dynamic, decentralized, publicly available registry 
containing information supplied by entities authorized to use the FCC 
IoT Label (e.g., manufacturers) through a common Application 
Programming Interface (API).\13\ The Commission agreed that it should 
use a third-party to host and manage the registry due to the resources 
required to establish the registry; determined that the Lead 
Administrator is in the best position to interface with manufacturers 
to ensure the smooth operation of the registry; and directed the Lead 
Administrator to receive and address any technical issues that arise in 
connection with the registry's API and displaying information from the 
registry to the consumer when they present the QR Code. Further, as 
detailed below, the IoT Labeling Order envisioned a registry that 
supports different presentation options.
---------------------------------------------------------------------------

    \13\ The goal of the registry is to assist the public in 
understanding security-related information about the products that 
bear the Cyber Trust Mark.
---------------------------------------------------------------------------

    21. We seek comment on what, if any, registry disclosure fields, in 
addition to those already required by the IoT Labeling Order, would be 
beneficial to consumers.\14\ Should manufacturers be required to list 
the sensors contained in the complying product, such as cameras, 
microphones, and location tracking devices? Should manufacturers be 
required to disclose what data is collected by those sensors, and 
whether that data is shared with third parties? \15\ The Commission 
also recognizes some products/product classes may benefit from 
additional data elements being disclosed in the registry. For example, 
the Commission observed that ``the information contained in the 
registry for a particular IoT product or product class may also depend 
on the standards and testing procedures adopted for each particular IoT 
product.'' The Commission also recognized ``that some of the 
information recommended by NIST in its consumer education 
recommendations . . . may be valuable for consumers to see in the 
registry.'' Other possible candidates for inclusion identified in the 
IoT Labeling Order included, ``manufacturer's access control 
protections (e.g., information about passwords, multi-factor 
authentication), whether or not the data is encrypted while in motion 
and at rest (including in the home, app, and cloud), patch policies, 
and security or privacy information.'' Are there particular registry 
data elements that would support the product's security features for 
those using assistive technologies? Are there additional registry 
disclosure fields that are necessary for specific products/product 
classes, based on those or other considerations, and if so, what 
should they be?
---------------------------------------------------------------------------

    \14\ The Commission delegated authority to the Bureau to seek 
comment on the need for additional data fields beyond the baseline 
of necessary information that must be displayed for an IoT product 
in the registry which includes: disclosure of product name, 
manufacturer name, date of authorization, contact information for 
the CLA and CyberLAB, instructions on how to change the default 
password, information on how to configure the device securely, 
information as to whether software updates are automatic and how to 
access updates if not, the minimum support period, and whether the 
manufacturer maintains a Hardware Bill of Materials (HBOM) and/or a 
Software Bill of Materials (SBOM).
    \15\ Regarding whether to disclose whether data is shared with 
third parties, commenters should consider security/privacy issues, 
whether the data should be replicated, and, if so, whether it should 
be replicated in multiple repositories--by the relevant CLA(s) or 
vendors, for example--and made publicly accessible via a single 
query point.
---------------------------------------------------------------------------

    22. The Commission also delegated authority to the Bureau to 
establish the structure of the registry; and identify the common API 
and how the API should be structured and used. To this end, we seek 
comment generally on the structure, format, and maintenance of the 
registry, and how the queried registry data will be displayed to the 
consumer. The Bureau believes that manufacturers would be 
responsible for their own product data and for keeping the data current. We 
also believe that the data would be hosted by the manufacturers or in 
partnership with their selected third party and made available through 
the common API that is secure by design and seek comment on these 
tentative determinations. How should the API access be best secured to 
ensure its integrity and availability? What controls (e.g., rate limits 
for use of the API) should be required or allowed, and where would 
those controls best be implemented? How should manufacturers maintain 
and implement interactions with their product's data in connection with 
the API? Should manufacturers be responsible for maintaining and 
implementing the API in connection with their interactions with the 
registry data, and if so, how? How should the Commission reduce burdens 
on manufacturers in supporting the decentralized registry? We seek 
comment on how often the registry data should be updated and on how 
costs involved in maintaining the registry should be handled. We invite 
commenters to provide any other technical information to be considered 
in establishing the registry.
    23. The Bureau seeks comment on its tentative determination that at 
least three different registry display options may be supported:
    • Product specific data hosted by the manufacturer or their 
selected third party;
    • Vendor data provided for presentation by a commercial 
retailer; and
    • Aggregated data provided for presentation of multiple 
products.
    Are these presentation options consistent with the goals of the IoT 
Labeling Order that the registry should enable the display to the 
consumer of required information about individual products, while 
providing the flexibility to support the envisioned use cases? Are 
there other presentation options that we should consider for the 
display or consumption of registry information in determining the 
structure and technical details involved with the operation of the 
registry? Should the registry meet


certain performance metrics so that poor user experience does not 
discourage use? Who is in the best position to manage access to the 
distributed registry as well as access to the API and the level of 
access available?
    24. The Bureau seeks comment on its tentative determination that 
there should be a specific aggregated data ``landing page'' \16\ for 
the registry, which should be a ``.gov'' domain to bring the consumer 
additional trust and validity to the IoT Labeling Program. The Bureau 
also seeks comment on the party that should be responsible for hosting 
this landing page. Is the Lead Administrator in the best position to 
host the landing page? What additional costs are involved with this 
responsibility? What security procedures must be adopted by that third 
party? Should the landing page meet certain performance metrics so that 
poor user experience does not discourage use? Are there additional 
security or privacy requirements arising from Federal law that are 
applicable to the registry? Should the registry operator(s), as 
appropriate, be required to implement adequate security, privacy, and 
availability controls to meet FISMA low/moderate standards, or a 
commercial equivalent?
---------------------------------------------------------------------------

    \16\ The ``landing page'' is envisioned to be a web page/site 
that provides search capabilities to aggregate data pulled from the 
distributed registry and presents data for individual products or 
multiple products in a common format as prescribed by the IoT 
Labeling Order.
---------------------------------------------------------------------------

Procedural Matters

    25. Regulatory Flexibility Act. The Regulatory Flexibility Act of 
1980, as amended (RFA), requires that an agency prepare a regulatory 
flexibility analysis for notice and comment rulemakings, unless the 
agency certifies that ``the rule will not, if promulgated, have a 
significant economic impact on a substantial number of small 
entities.'' Accordingly, we have prepared a Supplemental Regulatory 
Flexibility Analysis (Supplemental IRFA) concerning the possible impact 
of the rulemaking and policy changes contained in this document. The 
Supplemental IRFA can be found as Exhibit A of the Public Safety and 
Homeland Security Bureau's Public Notice, DA 24-617, released June 27, 
2024, at this link: 
https://docs.fcc.gov/public/attachments/DA-24-617A1.pdf. Written 
public comments are requested on the Supplemental IRFA. Comments must 
have a separate and distinct heading designating them as responses to 
the Supplemental IRFA and must be filed by the deadlines for comments 
on the first page of this document.
    26. Supplemental Regulatory Flexibility Analysis. As required by 
the Regulatory Flexibility Act of 1980, as amended (RFA), the Bureau 
has prepared this Supplemental Initial Regulatory Flexibility Analysis 
(Supplemental IRFA) of the possible significant economic impact on 
small entities of the policies and rules discussed in the document to 
supplement the Commission's Initial and Final Regulatory Flexibility 
Analyses completed in the IoT Labeling NPRM released in August 2023, 
and the IoT Labeling Order released in March 2024. Written public 
comments are requested on this Supplemental IRFA. Comments must be 
identified as responses to the Supplemental IRFA and must be filed by 
the same deadline for comments specified in the DATES section of this 
document. The Bureau will send a copy of the document, including this 
Supplemental IRFA, to the Chief Counsel for Advocacy of the Small 
Business Administration (SBA). In addition, the document and 
Supplemental IRFA (or summaries thereof) will be published in the 
Federal Register.
    27. Need for, and Objectives of, the Proposed Rules. The IoT 
Labeling Order adopted a voluntary cybersecurity labeling program for 
consumer Internet of Things (IoT) products that will provide consumers 
with an easy-to-understand indicator of a product's relative 
cybersecurity and improve consumer confidence and understanding of IoT 
product cybersecurity. The IoT Labeling Program will authorize 
qualifying IoT products to display the FCC IoT Label, which includes 
the U.S. Cyber Trust Mark and a QR Code that links to a registry with 
product-specific consumer-friendly information. The program will adopt 
standards and testing procedures based on the National Institute of 
Standards and Technology (NIST) Core Baseline for Consumer IoT 
Products, and it will be supported by Cybersecurity Label 
Administrators (CLAs) and recognized Cybersecurity Testing Laboratories 
(CyberLABs). A Lead Administrator will be chosen by the Commission from 
among the CLAs and will be responsible for collaborating with 
stakeholders to make recommendations including technical cybersecurity 
standards and testing procedures with which IoT products must comply to 
be authorized to use the FCC IoT Label, the label design, and a 
consumer education campaign, to be reviewed by the Commission.
    28. In the IoT Labeling Order, the Commission delegated authority 
to the Public Safety and Homeland Security Bureau (Bureau) to seek 
comment on certain additional items to further the efficient and timely 
rollout of the program. This document seeks comment on a number of 
those items, including the format of CLA and Lead Administrator 
applications; filing fees for CLA applications; criteria for selecting 
CLAs and the Lead Administrator; CLA sharing of Lead Administrator 
expenses; extensions of time to become accredited; Lead Administrator 
neutrality; complaint processes; and the IoT registry. The proposals 
considered in this document will contribute to the voluntary IoT 
Labeling Program and further the Commission's objective to provide 
better information to consumers about the cybersecurity of the IoT 
products they use, and bolster the cybersecurity of the nationwide IoT 
ecosystem.
    29. Legal Basis. The proposed action is authorized pursuant to 
sections 1, 2, 4(i), 4(n), 302, 303(r), 312, 333, and 503, of the 
Communications Act of 1934, as amended.
    30. Description and Estimate of the Number of Small Entities to 
Which the Proposed Rules Will Apply. The RFA directs agencies to 
provide a description and, where feasible, an estimate of the number of 
small entities that may be affected by the proposed rules and policies 
adopted. The RFA generally defines the term ``small entity'' as having 
the same meaning as the terms ``small business,'' ``small 
organization,'' and ``small governmental jurisdiction.'' In addition, 
the term ``small business'' has the same meaning as the term ``small 
business concern'' under the Small Business Act.\17\ A ``small 
business concern'' is one which: (1) is independently owned and 
operated; (2) is not dominant in its field of operation; and (3) 
satisfies any additional criteria established by the SBA.
---------------------------------------------------------------------------

    \17\ Pursuant to 5 U.S.C. 601(3), the statutory definition of a 
small business applies ``unless an agency, after consultation with 
the Office of Advocacy of the Small Business Administration and 
after opportunity for public comment, establishes one or more 
definitions of such term which are appropriate to the activities of 
the agency and publishes such definition(s) in the Federal 
Register.''
---------------------------------------------------------------------------

    31. As noted above, Regulatory Flexibility Analyses were 
incorporated into the IoT Labeling NPRM and the IoT Labeling Order. In 
those analyses, the Commission described in detail the small entities 
that might be significantly affected. Accordingly, in this document, 
for the Supplemental IRFA, we incorporate by reference the


descriptions and estimates of the number of small entities from the 
previous Regulatory Flexibility Analyses in the IoT Labeling NPRM and 
the IoT Labeling Order.
    32. Description of Projected Reporting, Recordkeeping, and Other 
Compliance Requirements for Small Entities. The IoT Labeling Program 
will be voluntary, so small entities who do not participate in the 
program will not be subject to any new or modified reporting, 
recordkeeping, or other compliance obligations. Small entities that 
choose to participate in the program will incur recordkeeping, 
reporting, and other compliance obligations necessary to test their IoT 
products to demonstrate compliance with the program requirements. Small 
entities that choose to participate by applying to be a CLA or CyberLAB 
will also incur recordkeeping, reporting, and other compliance 
obligations. We note that obligations for small entities and other 
applicants were detailed and adopted by the Commission in the IoT 
Labeling Order. The proposals and discussions in this document seek 
comment on additional details of the program, including application, 
selection, and replacement of CLAs and the Lead Administrator as 
needed, the complaints process, and the registry.
    33. Small entities will need to keep the records necessary to 
demonstrate initial and continued compliance with program requirements, 
as an IoT product manufacturer or a CLA, including test reports, 
records related to potential complaint investigations, and data 
disclosures for the registry, among others. More specifically, small 
and other grantees of authority to use the FCC IoT Label may also be 
subject to additional reporting, recordkeeping, and/or other compliance 
requirements related to the IoT registry in light of our inquiry 
and request for comments in the document on (1) what, if any, additional 
registry disclosure fields would benefit consumers, and (2) whether to 
require manufacturers to list the sensors contained in a complying 
product, identify what data is collected by those sensors, and disclose 
whether that data is shared with third parties.
    34. The document calculates and proposes that small and other CLA 
and Lead Administrator applicants be subject to an application filing 
fee of $1,520 for CLA Applicants and an additional $770 for CLA 
applicants that apply to be a Lead Administrator, to cover the 
Commission's costs of processing these applications. With regard to 
other costs that could result from this proceeding, at this time the 
record does not include sufficient cost information to allow the Bureau 
to quantify the costs of compliance for small entities, including 
whether it will be necessary for small entities to hire professionals 
to comply with the proposals and other matters upon which we seek 
comment, if adopted. To help the Bureau more fully evaluate the cost of 
compliance for small entities should its proposals be adopted, in this 
document, we request comments on the implications of our proposals and 
whether there are more efficient and less burdensome alternatives 
(including cost estimates) for the Bureau to consider. We expect the 
information we receive in comments to help the Bureau identify and 
evaluate relevant matters for small entities, including compliance 
costs and other burdens that may result from the proposals and 
inquiries we make in the document.
    35. Steps Taken to Minimize the Significant Economic Impact on 
Small Entities, and Significant Alternatives Considered. The RFA 
requires an agency to describe any significant alternatives, 
specifically for small businesses, that it has considered in reaching 
its proposed approach, which may include the following four 
alternatives (among others): ``(1) the establishment of differing 
compliance or 
(among others): ``(1) the establishment of differing compliance or 
reporting requirements or timetables that take into account the 
resources available to small entities; (2) the clarification, 
consolidation, or simplification of compliance and reporting 
requirements under the rule for such small entities; (3) the use of 
performance rather than design standards; and (4) an exemption from 
coverage of the rule, or any part thereof, for such small entities.''
    36. For the IoT Labeling Program to be meaningful to consumers, the 
requirements for an IoT product to be granted authority to use the FCC 
IoT Label must be uniform for small businesses and other entities. The 
Bureau maintains the view expressed in the IoT Labeling Order that the 
significance of mark integrity, and building confidence among consumers 
that devices and products bearing the FCC IoT Label can be trusted to 
be cyber secure, necessitates adherence by all entities participating 
in the program to the same rules, regardless of size.
    37. In the document, steps taken by the Bureau which should 
minimize the economic impact for small entities include our decision 
not to assess fees for administrative updates, minor changes or updates 
to a CLA application, or for entities seeking to withdraw as a CLA. The 
Bureau sought comment on the format of CLA and Lead Administrator 
applications, as well as the fees associated with those applications, 
and additional areas of expertise or specific requirements a CLA 
applicant should be required to demonstrate. We also considered and 
sought comment on other aspects of the Lead Administrator's roles and 
responsibilities, including the most effective mechanism for CLAs to 
share in funding the Lead Administrator's expenses, safeguards the 
Bureau might adopt to ensure Lead Administrator neutrality, and steps 
to replace the Lead Administrator as needed. Following our conclusion 
that CLA and Lead Administrator applications are not covered by any 
existing Commission fee categories and therefore new categories should 
be established, we alternatively inquired and sought comment on 
whether, and if so which, existing Commission fee category CLA and 
Lead Administrator applications fall within. Additionally, the 
Bureau considered whether there are additional procedures or criteria 
that should be considered when recognizing CyberLABs located outside 
the United States. As stated in the IoT Labeling Order, declining to 
require CyberLABs to be physically located in the U.S. provides more 
testing lab options for small and other entities. In comments, small 
entities can identify other requirements or criteria that could 
minimize the economic impact as IoT product manufacturers submitting 
applications to a CLA or CyberLAB, or as a prospective CLA or CyberLAB 
themselves.
    38. The Bureau also sought comment on the process for receiving and 
responding to complaints associated with the program, as well as what 
requirements should follow from a termination of authority to use the 
FCC IoT Label due to noncompliance. We asked whether complaints 
associated with grantees that applied for authorization to use the FCC 
IoT Label should be initially referred back to the CLA that reviewed 
the original application. We believe this would be less costly to small 
entities than going through a separate entity for investigation of 
complaints. Small entities can also address in comments whether the 
termination requirements presented would create significant economic 
impacts and identify alternatives that may reduce those costs.
    39. Additionally, the Bureau considered and sought comment in the 
document on details related to the publicly accessible IoT registry, 
including additional data disclosure fields, structure and format of 
the registry, and the Bureau's determination that the registry landing 
page should be a ``.gov'' domain. We considered and asked what 
additional fields would 
be beneficial to consumers, such as information related to sensors 
contained in the product and elements that would support users of 
assistive technologies. We also considered and asked how the common 
application programming interface (API) that makes manufacturer data 
available to consumers should be funded and what responsibilities 
manufacturers should have for maintaining and implementing it. Small 
entities can specify in comments whether additional aspects of the 
registry would create significant economic impacts and identify 
alternatives that may reduce those costs. Regarding the landing page, 
we asked what additional costs would be associated with hosting such a 
page. While small entities choosing to participate in the program would 
have to make required registry data available through the common API, 
allowing grantees to report information through the API alleviates the 
need for additional notification requirements which would increase 
costs for small entities.
    40. The Bureau also proposed in the document that manufacturer 
applications submitted to CLAs, including but not limited to test 
reports, are presumptively confidential, which should benefit small 
manufacturers, and sought comment on this approach. We tentatively 
concluded the Lead Administrator and CLAs are required to comply with 
the Federal Information Security Management Act of 2002 (FISMA),\18\ 
and we sought comment on whether there are additional costs associated 
with such compliance. In comments, small entities can identify which of 
these proposals raised in this document are particularly difficult or 
costly for them and how different, simplified, or consolidated 
requirements would address those burdens. They can also propose any 
modifications to the proposals that would their minimize anticipated 
economic impact. The Bureau expects to consider more fully the economic 
impact on small entities following its review of any comments filed in 
response to the document, including any costs and benefits information 
we receive. The Bureau's evaluation of the comments filed in this 
proceeding will shape the final alternatives we consider, the final 
conclusions we reach, and any final actions we ultimately take in this 
proceeding to minimize any significant economic impact that may occur 
on small entities.
---------------------------------------------------------------------------

    \18\ 44 U.S.C. 3541, et seq.
---------------------------------------------------------------------------

    41. Federal Rules that May Duplicate, Overlap, or Conflict with the 
Proposed Rules. None.

Ordering Clauses

    42. Accordingly, it is ordered, pursuant to sections 1, 2, 4(i), 
4(n), 302, 303(r), 312, 333, and 503, of the Communications Act of 
1934, as amended that this document is hereby adopted.
    43. It is further ordered that the Commission's Office of the 
Secretary, shall send a copy of this document, including the 
Supplemental Initial Regulatory Flexibility Analysis, to the Chief 
Counsel for Advocacy of the Small Business Administration.

----------------------------------------------------------------------------------------------------------------
 
                   APPLICATION FOR CYBERSECURITY LABELING ADMINISTRATOR AND LEAD ADMINISTRATOR
                                     CYBERSECURITY LABEL ADMINISTRATOR (CLA)
 
1. Applicant
----------------------------------------------------------------------------------------------------------------
Name:                             Address
                                 -------------------------------------------------------------------------------
                                                      Street              City                Zip
                                 -------------------------------------------------------------------------------
 
----------------------------------------------------------------------------------------------------------------
Point of Contact:                 Name                Title               Email               Phone Number
----------------------------------------------------------------------------------------------------------------
 
----------------------------------------------------------------------------------------------------------------


 
 
 
2. Describe Applicant's organization structure and how this structure
 supports the Commission's CLA requirements.
 


------------------------------------------------------------------------
 
-------------------------------------------------------------------------
 
 
 
------------------------------------------------------------------------


 
 
 
3. Describe the processes Applicant will use to review applications
 seeking authority to use the FCC IoT Label (based on type testing as
 identified in ISO/IEC 17065).
 


------------------------------------------------------------------------
 
-------------------------------------------------------------------------
 
 
 
------------------------------------------------------------------------


 
 
 
4. Describe the safeguards Applicant will implement (or already has in
 place) to avoid personal and organizational conflicts of interest when
 processing applications.
 


------------------------------------------------------------------------
 
-------------------------------------------------------------------------
 
 
 
------------------------------------------------------------------------


 
 
 
5. Describe in detail Applicant's expertise in all of the following
 areas:
  (a) Cybersecurity expertise and capabilities. Include a description of
   Applicant's knowledge of IoT and FCC IoT Labeling requirements.
 




------------------------------------------------------------------------
 
-------------------------------------------------------------------------
 
 
 
------------------------------------------------------------------------


 
 
 
  (b) Expert knowledge of NIST's cybersecurity guidance, including but
   not limited to NIST's recommended criteria and labeling program
   approaches for cybersecurity labeling of consumer IoT products.
 


------------------------------------------------------------------------
 
-------------------------------------------------------------------------
 
 
 
------------------------------------------------------------------------


 
 
 
  (c) Expert knowledge of FCC rules and procedures associated with
   product compliance testing and certification.
 


------------------------------------------------------------------------
 
-------------------------------------------------------------------------
 
 
 
------------------------------------------------------------------------


 
 
 
  (d) Knowledge of Federal law and guidance governing the security and
   privacy of agency information systems.
 


------------------------------------------------------------------------
 
-------------------------------------------------------------------------
 
 
 
------------------------------------------------------------------------


 
 
 
  (e) Explain how Applicant will securely handle large volumes of
   information and include Applicant's related internal security
   practices.
 


------------------------------------------------------------------------
 
-------------------------------------------------------------------------
 
 
 
------------------------------------------------------------------------


 
 
 
  (f) Explain how Applicant will securely handle large volumes of
   information and include Applicant's related internal security
   practices.
 


------------------------------------------------------------------------
 
-------------------------------------------------------------------------
 
 
 
------------------------------------------------------------------------


 
 
 
  (g) Status of accreditation pursuant to all the requirements
   associated with ISO/IEC 17065 and the FCC scope.
 


------------------------------------------------------------------------
 
-------------------------------------------------------------------------
 
 
 
------------------------------------------------------------------------


 
 
 
  (h) Describe the controls Applicant has implemented to eliminate
   actual or potential conflicts of interest (both personal and
   organizational), particularly with regard to commercially sensitive
   information, including but not limited to controls for remaining
   impartial and unbiased, for preventing preferential treatment of
   certain applications (e.g., application line jumping), and for
   preventing heightened scrutiny of applications from entities that
   are not members of or otherwise aligned with the CLA.
 

     
---------------------------------------------------------------------------

    \19\ For purposes of the Commission's IoT labeling program an 
``affiliate'' is defined as ``a person that (directly or indirectly) 
owns or controls, is owned or controlled by, or is under common 
ownership or control with, another person. For purposes of this part 
the term `own' means to own an equity interest (or the equivalent 
thereof) of more than 10 percent.''

------------------------------------------------------------------------
 
-------------------------------------------------------------------------
 
 
 
------------------------------------------------------------------------


 
 
 
Check all that apply:
6. Applicant is not owned or controlled by or affiliated        [ballot]
 \19\ with any entity identified on the Commission's
 Covered List
7. Applicant is not owned or controlled by or affiliated        [ballot]
 with any listed sources of prohibition under 47 CFR 8.204
8. Applicant, its affiliate(s), or subsidiary(ies) are not      [ballot]
 owned or controlled by a foreign adversary country defined
 by the Department of Commerce in 15 CFR 7.4
9. Applicant is not owned or controlled by or affiliated        [ballot]
 with any person or entity that has been suspended or
 debarred from receiving federal procurements or financial
 awards
10. Applicant is not otherwise prohibited from                  [ballot]
 participating in the IoT Labeling Program
 


 
If any of the boxes in this section do not apply to Applicant, attach an
 exhibit explaining the circumstances and demonstrating why Applicant is
 qualified to be Lead Administrator.
 
                           LEAD ADMINISTRATOR
 
Applicants seeking the role of Lead Administrator must provide all of
 the information requested below.
(Leave the following information blank if not applying for role of Lead
 Administrator.)
In the following section, provide a detailed description of how
 Applicant will execute the duties of the Lead Administrator and include
 all of the following:
 


 
 
 
1. Describe Applicant's previous experience in IoT cybersecurity.
 


------------------------------------------------------------------------
 
-------------------------------------------------------------------------
 
 
 
------------------------------------------------------------------------


 
 
 
2. Describe Applicant's previous roles, if any, in IoT labeling.
 


------------------------------------------------------------------------
 
-------------------------------------------------------------------------
 
 
 
------------------------------------------------------------------------


 
 
 
3. Describe Applicant's capacity to execute the Lead Administrator
 duties.
 


------------------------------------------------------------------------
 
-------------------------------------------------------------------------
 
 
 
------------------------------------------------------------------------


 
 
 
4. Describe Applicant's plan/approach to interfacing with the Commission
 on the behalf of CLAs.
 


------------------------------------------------------------------------
 
-------------------------------------------------------------------------
 
 
 
------------------------------------------------------------------------


 
 
 
5. Describe in detail Applicant's plan for engaging and collaborating
 with stakeholders (including other CLAs) to identify or develop FCC
 recommendations as required by 47 CFR 8.221.
 


------------------------------------------------------------------------
 
-------------------------------------------------------------------------
 
 
 
------------------------------------------------------------------------


 
 
 
6. Describe in detail Applicant's proposed consumer education campaign.
 


------------------------------------------------------------------------
 
-------------------------------------------------------------------------
 
 
 
------------------------------------------------------------------------


 
 
 
7. Any additional information Applicant believes demonstrates how
 Applicant's qualifications align with the role of Lead Administrator.
 


------------------------------------------------------------------------
 
-------------------------------------------------------------------------
 
 
 
------------------------------------------------------------------------


 
 
 
Information Current and Complete
 
 Information filed with the FCC must be kept current and complete. The
 Applicant must notify the FCC regarding any substantial and significant
 changes in the information furnished in the application(s). See 47 CFR
 1.65.
 
Certification Statements
 
 By signing this application, the Applicant certifies that all statements
 and information provided in this application and in any exhibits or
 attachments are part of this application and are true, complete,
 correct, and made in good faith.
 The Applicant certifies that neither the Applicant nor any other party
 to the application is subject to a denial of Federal benefits pursuant
 to section 5301 of the Anti-Drug Abuse Act of 1988, 21 U.S.C. 862,
 because of a conviction for possession or distribution of a controlled
 substance. This certification does not apply to applications filed in
 services exempted under Sec. 1.2002(c) of the Commission's rules, 47
 CFR 1.2002(c). See 47 CFR 1.2002(b) for the definition of ``party to
 the application'' as used in this certification.
 The Applicant certifies that it is not in default on any payment for
 Commission licenses and that it is not delinquent on any non-tax debt
 owed to any federal agency.
 The Applicant certifies that the Applicant and all of the related
 individuals and entities required to be disclosed on this application
 are not person(s) who have been, for reasons of national security,
 barred by any agency of the Federal Government from federal
 procurement.
 


 
Signature
 
 Typed or printed name of Party Authorized to Sign
 


----------------------------------------------------------------------------------------------------------------
 
----------------------------------------------------------------------------------------------------------------
First Name:                       MI:                 Last Name           Suffix              Title
----------------------------------------------------------------------------------------------------------------
 
----------------------------------------------------------------------------------------------------------------
Signature                         Date
----------------------------------------------------------------------------------------------------------------
FAILURE TO SIGN THIS APPLICATION MAY RESULT IN DISMISSAL OF THE APPLICATION AND FORFEITURE OF ANY FEES PAID.
----------------------------------------------------------------------------------------------------------------


Federal Communications Commission.
David Furth,
Deputy Bureau Chief, Public Safety and Homeland Security Bureau.
[FR Doc. 2024-15379 Filed 7-17-24; 8:45 am]
BILLING CODE 6712-01-P

