Cybersecurity Labeling for Internet of Things, 61242-61279 [2024-14148]

Download as PDF 61242 Federal Register / Vol. 89, No. 146 / Tuesday, July 30, 2024 / Rules and Regulations FEDERAL COMMUNICATIONS COMMISSION 47 CFR Subchapter A [PSHSB: PS Docket No. 23–239; FR ID 210726] Cybersecurity Labeling for Internet of Things Federal Communications Commission. ACTION: Final rule. AGENCY: In this document, the Federal Communications Commission (Commission or FCC) establishes a voluntary cybersecurity labeling program for wireless consumer Internet of Things, or IoT, products. The program will provide consumers with an easy-to-understand and quickly recognizable FCC IoT Label that includes the U.S. Cyber Trust Mark and a QR code linked to a dynamic, decentralized, publicly available registry of more detailed cybersecurity information. This program will help consumers make safer purchasing decisions, raise consumer confidence regarding the cybersecurity of the IoT products they buy, and encourage manufacturers to develop IoT products with security-by-design principles in mind. SUMMARY: DATES: Effective date: This rule is effective August 29, 2024. Incorporation by reference: The incorporation by reference of certain material listed in the rule is approved by the Director of the Federal Register as of August 29, 2024. Compliance date: Compliance with 47 CFR 8.208, 8.209, 8.212, 8.214, 8.215, 8.217, 8.218, 8.219, 8.220, 8.221, and 8.222 will not be required until the Office of Management and Budget has completed review under the Paperwork Reduction Act. The Commission will publish a document in the Federal Register announcing that compliance date. Zoe Li, Cybersecurity and Communications Reliability Division, Public Safety and Homeland Security Bureau, (202) 418– 2490, or by email to Zoe.Li@fcc.gov. For additional information concerning the Paperwork Reduction Act information collection requirements contained in this document, contact Nicole Ongele, Office of Managing Director, Performance and Program Management, 202–418–2991, or by email to PRA@fcc.gov. SUPPLEMENTARY INFORMATION: This is a summary of the Commission’s Report khammond on DSKJM1Z7X2PROD with RULES2 FOR FURTHER INFORMATION CONTACT: VerDate Sep<11>2014 16:59 Jul 29, 2024 Jkt 262001 and Order, PS Docket No. 23–239, adopted March 14, 2024, and released March 15, 2024. The full text of this document is available by downloading the text from the Commission’s website at: https://docs.fcc.gov/public/ attachments/FCC-24-26A1.pdf. When the FCC Headquarters reopens to the public, the full text of this document will also be available for public inspection and copying during regular business hours in the FCC Reference Center, 45 L Street NE, Washington, DC 20554. To request this document in accessible formats for people with disabilities (e.g., Braille, large print, electronica files, audio format, etc.) or to request reasonable accommodations (e.g., accessible format documents, sign language interpreters, CART, etc.), send an email to FCC504@fcc.gov or call the FCC’s Consumer and Government Affairs Bureau at (202) 418–0530 (voice), (202) 418–0432 (TTY). Congressional Review Act: The Commission has determined, and the Administrator of the Office of Information and Regulatory Affairs, Office of Management and Budget, concurs, that this rule is non-major under the Congressional Review Act, 5 U.S.C. 804(2). The Commission will send a copy of the Order to Congress and the Government Accountability Office pursuant to 5 U.S.C. 801(a)(1)(A). Synopsis 1. With the Report and Order (Order), the Commission takes prompt and decisive measures to strengthen the nation’s cybersecurity posture by adopting a voluntary cybersecurity labeling program for wireless IoT products. The Commission’s IoT Labeling Program will provide consumers with an easy-to-understand and quickly recognizable FCC IoT Label that includes the U.S. Government certification mark (referred to as the U.S. Cyber Trust Mark) that provides assurances regarding the baseline cybersecurity of an IoT product, together with a QR code that directs consumers to a registry with specific information about the product. Consumers who purchase an IoT product that bears the FCC IoT Label can be assured that their product meets the minimum cybersecurity standards of the IoT Labeling Program, which in turn will strengthen the chain of connected IoT products in their own homes and as part of a larger national IoT ecosystem. The Order will help consumers make better purchasing decisions, raise consumer confidence with regard to the cybersecurity of the IoT products they buy to use in their homes and their lives, and encourage manufacturers of PO 00000 Frm 00002 Fmt 4701 Sfmt 4700 IoT products to develop products with security-by-design principles in mind. 2. In the Order, we set forth the framework by which the IoT Labeling Program will operate. We focus the IoT Labeling Program initially on IoT ‘‘products,’’ which we define to include one or more IoT devices and additional product components necessary to use the IoT device beyond basic operational features. Recognizing that a successful voluntary IoT Labeling Program will require close partnership and collaboration between industry, the Federal Government, and other stakeholders, we adopt an administrative framework for the IoT Labeling Program that capitalizes on the existing public, private, and academic sector work in this space, while ensuring the integrity of the IoT Labeling Program through oversight by the Commission. 3. Voluntary IoT Labeling Program. We establish a voluntary IoT Labeling Program for wireless consumer IoT products. While participation is voluntary, those that choose to participate must comply with the requirements of the IoT Labeling Program to receive authority to utilize the FCC IoT Label bearing the Cyber Trust Mark. The IoT Labeling Notice of Proposed Rulemaking (NPRM), 88 FR 58211 (August 25, 2023), sought comment on whether the proposed IoT Labeling Program should be voluntary, reasoning that ‘‘success of a cybersecurity labeling program will be dependent upon a willing, close partnership and collaboration between the federal government, industry, and other stakeholders.’’ The record shows substantial support for a voluntary approach. The Custom Electronic Design & Installation Association (CEDIA) suggests that IoT Labeling Program must be voluntary ‘‘for the program to gain momentum in the marketplace.’’ AIM, Inc. (AIM) suggests that the voluntary aspect of the IoT Labeling Program ‘‘will help drive adoption of the label by device producers.’’ Further, commenters suggest that a voluntary program will ensure the broadest reach, most efficiency, and widest access to a diversity of IoT technologies. We agree that a voluntary program will help drive adoption of the IoT Labeling Program, so that a willing, close partnership can be achieved. We also agree with the record that flexible, voluntary, riskbased best practices are the hallmarks of IoT security as it exists today and as it is being developed around the world. Additionally, we acknowledge the view that ‘‘consumer labeling is a difficult undertaking in any context,’’ especially E:\FR\FM\30JYR2.SGM 30JYR2 khammond on DSKJM1Z7X2PROD with RULES2 Federal Register / Vol. 89, No. 146 / Tuesday, July 30, 2024 / Rules and Regulations in the evolving area of cybersecurity, and that the ‘‘best approach is to start the Program with something achievable and effective.’’ We concur that willing participation will allow the IoT Labeling Program to be more easily achievable than requiring participation in a novel program. With the added imprimatur of a U.S. Government certification mark, the IoT Labeling Program will help distinguish products in the marketplace that meet minimum requirements and provide options to consumers. 4. We reject arguments that mandating participation in the IoT Labeling Program is necessary. While we recognize that a voluntary IoT Labeling Program may cause concern that smaller businesses with limited resources may choose not to participate, we believe the strong stakeholder engagement and collaboration that we expect to result from willing participation, and which is vital to establishing this new program, outweighs these risks. Further, while we acknowledge that, at least in the near term, allowing the IoT Labeling Program to be voluntary ‘‘could limit its adoption and impact,’’ we believe this risk is outweighed by the benefits that a voluntary program will garner, such as speed to market to hasten impact, efficiency of resources, and the likelihood that consumer demand will drive widespread adoption over time. 5. In adopting the IoT Labeling Program with the parameters discussed in the Order, we are establishing a collaborative effort between the Federal Government and relevant stakeholders in industry and the private sector. We emphasize that the Order is intended to provide the high-level programmatic structure that is reasonably necessary to establish the IoT Labeling Program and create the requirements necessary for oversight by the Commission, while leveraging the extensive work, labeling schemes, processes and relationships that have already been developed in the private sector. We also note that there is further development to be done by the private sector and other Federal agencies to implement the IoT Labeling Program and, as discussed below, expects many of the details not expressly addressed in the Order will be resolved through these separate efforts and by the authorities the Commission delegates to the Public Safety and Homeland Security Bureau (PSHSB or the Bureau). A. Eligible Devices or Products 6. The Order initially establishes the IoT Labeling Program for wireless consumer IoT products. We do not, however, foreclose the possibility of VerDate Sep<11>2014 16:59 Jul 29, 2024 Jkt 262001 expanding the IoT Labeling Program in the future. 7. The record supports adopting an IoT Labeling Program that encompasses consumer-focused IoT products. We focus our IoT Labeling Program initially on consumer IoT products, rather than enterprise or industrial IoT products. Because medical devices regulated by the U.S. Food and Drug Administration (FDA) already are subject to statutory and regulatory cybersecurity requirements under other Federal laws more specifically focused on such devices, we do not include such devices in our IoT Labeling Program. In addition, we exclude from this program motor vehicles 1 and motor vehicle equipment (as defined in 49 U.S.C. 30102(8) given that the National Highway Traffic Safety Administration (NHTSA) ‘‘has the authority to promulgate motor vehicle safety regulations on cybersecurity and has enforcement authority to secure recalls of motor vehicles and motor vehicle equipment with a safety-related defect, including one involving cybersecurity flaws.’’ We also exclude from our IoT Labeling program any communications equipment on the Covered List that the Commission maintains pursuant to the Secure and Trusted Communications Networks Act and equipment produced by certain other entities as discussed below. Finally, our initial IoT Labeling Program will focus on wireless consumer IoT devices consistent with the core of our section 302 authority governing the interference potential of devices that emit radio frequency energy—and thus we exclude wired IoT devices at this time. 8. Definition of IoT Devices. Although we focus our IoT Labeling program on IoT ‘‘products,’’ to lay a foundation we must first address the definition of IoT ‘‘devices’’ because this definition is a building block of the IoT ‘‘product’’ definition. In this respect, we adopt the modified version of the National Institute of Standards and Technology (NIST) definition of ‘‘IoT device’’ that the Commission proposed in the IoT Labeling NPRM. Specifically, the IoT Labeling NPRM proposed defining an IoT device to include (1) an internetconnected device capable of intentionally emitting radio frequency (RF) energy that has at least one transducer (sensor or actuator) for interacting directly with the physical world, coupled with (2) at least one network interface (e.g., Wi-Fi, 1 Motor Vehicle ‘‘means a vehicle driven or drawn by mechanical power and manufactured primarily for use on public streets, roads, and highways, but does not include a vehicle operated only on a rail line.’’ 49 U.S.C. 30102(7). PO 00000 Frm 00003 Fmt 4701 Sfmt 4700 61243 Bluetooth) for interfacing with the digital world. This definition builds on NIST’s definition by adding ‘‘internetconnected’’ as a requirement, because ‘‘a key component of IoT is the usage of standard internet protocols for functionality.’’ The modified definition adopted in the Order also adds that a device must be ‘‘capable of intentionally emitting RF energy,’’ because aspects of the Commission’s authority recognizes the particular risks of harmful interference associated with such devices. It should be noted that we direct the Label Administrator to collaborate with Cybersecurity Label Administrators (CLAs) and other stakeholders (e.g., cyber experts from industry, government, and academia) as appropriate and recommend within 45 days of publication of updates or changes to NIST guidelines, or adoption by NIST of new guidelines, to the FCC any appropriate modifications to the Labeling Program standards and testing procedures to stay aligned with the NIST guidelines. 9. The record supports this reasoning. For example, Consumer Reports states that ‘‘[i]f you’re going to sell a device where some of the benefits come from having a cloud connection, an app, and connectivity, then those must also be secured.’’ Consumer Reports provides further support for the Commission’s reasoning by noting that ‘‘connectivity may be so central to the functionality of the device that it may no longer be able to operate safely [without it].’’ TIC Council Americas similarly ‘‘agrees that ‘internet-connected’ should be included in the definition of IoT devices.’’ We agree with these arguments and adopt the modified IoT device definition requiring ‘‘internet-connected’’ device element to assure consumers that the functionality of the IoT device or product displaying the Cyber Trust Mark is reasonably secure as well. As noted by ioXt Alliance, including ‘‘internet-connected’’ in the definition of IoT makes ‘‘sense if the program focuses on IoT products instead of devices because not all IoT devices are ‘internet-connected.’ ’’ Because the IoT Labeling Program will be focused on the broader category of IoT consumer products and not devices, including ‘‘internet-connected’’ in the definition of IoT device is further justified. 10. We disagree with commenters who argue the Commission should adopt the NIST definition of a device without change. We acknowledge that the record indicates some concern regarding the internet-connected element of the Commission’s proposed definition; however, we find these concerns to be misplaced. TIC Council E:\FR\FM\30JYR2.SGM 30JYR2 khammond on DSKJM1Z7X2PROD with RULES2 61244 Federal Register / Vol. 89, No. 146 / Tuesday, July 30, 2024 / Rules and Regulations Americas, for example, supports adding ‘‘internet-connected’’ to the definition, but argues that ‘‘there are devices that are able to connect to non-internet connected networks, and that those devices should not be excluded from the program.’’ While we do not foreclose the possibility of expanding the IoT Labeling Program to devices on noninternet connected networks in the future, we focus initially on the more common category of internet-connected consumer IoT products. Others argue that ‘‘internet-connected’’ is too ‘‘situational,’’ with a concern that the device might become ‘‘disconnected from the internet and, therefore, no longer be an ‘IoT device.’ ’’ We do not agree that ‘‘internet-connected device’’ must be interpreted so narrowly as to exclude from the IoT Labeling Program devices that may become disconnected from the internet. ‘‘internet-connected,’’ in terms of the IoT Labeling Program, applies to the functional capability of the device; if the device is capable of being connected to the internet, the fact that it may not be connected at any given point in time does not exclude its eligibility for participation in the IoT Labeling Program. Further, any potential concerns arising from requiring an IoT device be ‘‘internet-connected’’ for inclusion in the IoT Labeling Program are outweighed by the benefit of giving consumers further assurance that the security of their IoT device or product extends to the connected functionality that a consumer expects when making such a purchase. In this respect, including ‘‘internet-connected’’ in the definition of IoT device also recognizes the highest risk functional component of an IoT device that distinguishes ‘‘smart’’ devices from other devices a consumer may use, and allows the Cyber Trust Mark to more effectively support consumer expectations. 11. The record also supports adding an RF energy-emitting element to the IoT device definition, acknowledging the Commission’s authority under section 302 governing the interference potential of devices that emit RF energy and can cause harmful interference to radio communications. We reject the argument that limiting the definition to RF-emitting devices may lead to marketplace confusion if a product does not bear the Cyber Trust Mark due solely to its lack of RF energy emissions. In the first instance, we note the need to launch an achievable IoT Labeling Program consistent with the Commission’s core authority. We also note that the benefits that a focus on wireless products will have in elevating the overall cybersecurity posture of the VerDate Sep<11>2014 16:59 Jul 29, 2024 Jkt 262001 IoT ecosystem, especially in view of the record indicating that the majority of IoT devices are wireless, outweigh the risks associated with concerns regarding marketplace confusion. In any case, there will be a number of products— both wired and wireless—that do not bear the Cyber Trust Mark while uptake occurs. We also anticipate that consumer education in this space will help alleviate these concerns. 12. We further disagree with the view that the capability of a device to emit RF radiation is ‘‘unrelated to the general, far-ranging cybersecurity concerns the Commission is confronting in this proceeding.’’ Instead, we agree with Comcast that interference caused by a [distributed denial of service] attack raises ‘‘the same policy concerns and has the same practical effect as interference caused by traditional means.’’ The Electronic Privacy Information Center (EPIC) explains how hackers exploit unpatched vulnerabilities to attack a large number of wireless devices, and turning them into signal jammers to take down mobile networks. The record thus bears out our view that cybersecurity vulnerabilities in wireless IoT devices could cause harmful interference to radio communications. Given Congress’ direction to the Commission in section 302 of the Act to guard against the interference potential of wireless devices, requiring the element of ‘‘emitting RF energy interference’’ in the IoT device definition for the initial iteration of the IoT Labeling Program focuses on that core Commission authority without ruling out future action regarding wired IoT devices. Further, while we acknowledge that devices that unintentionally or incidentally emit RF radiation may also pose interference potential, we find that a focus initially on ‘‘intentional’’ radiators provides the ability of a nascent program to target products with the highest risk profile from among those that emit RF energy. 13. Definition of IoT Products. We adopt the NIST definition of an ‘‘IoT product.’’ Specifically, the IoT Labeling NPRM’s proposed definition of IoT product is an ‘‘IoT device and any additional product components (e.g., backend, gateway, mobile app) that are necessary to use the IoT device beyond basic operational features.’’ The record supports adopting the IoT product definition developed by NIST, with Garmin International, Inc. (Garmin) noting that a fundamental purpose of the IoT Labeling Program ‘‘is to inform consumers regarding device security as they evaluate potential IoT purchases. . . . [T]his purpose is best PO 00000 Frm 00004 Fmt 4701 Sfmt 4700 achieved by focusing on ‘consumer IoT products’ as defined by NIST in NISTIR 8425.’’ Additionally, Kaiser Permanente states that adopting the NIST definition of IoT products will ‘‘promote consistency across federal agency programs and related industry norms and requirements.’’ Further, the Information Technology Industry Council (ITI) explained that the ‘‘Commission’s implementation of the program will be more successful if it aligns as closely as possible to the definitions, processes and procedures already outlined by NIST.’’ We agree with these commenters, in that adopting NIST’s IoT product definition will allow for consistency in the treatment of programmatic elements across the Federal Government, and allow the Commission to appropriately leverage the work existing in this space to promote the IoT Labeling Program’s success. We also note that no commenters opposed the NIST definition of IoT products. For purposes of the IoT Labeling Program, when discussing IoT products and their ‘‘components’’ in the Order, we are using the NISTIR 8425 scoping definition of ‘‘components.’’ We believe that this definition allows the IoT Labeling Program to address the most relevant ‘‘package’’ components expected by consumers to be securable when making purchasing decisions, and encompasses the appropriate level of ‘‘component’’ pieces to address the functionalities that generate the most salient cybersecurity risks.2 This view is supported by the record, with Consumer Technology Association (CTA) providing a proposed testing framework where ‘‘all individual components provided by the manufacturer should be in scope for testing,’’ including all components of the IoT product ‘‘that are necessary for the device to function in a normal use case scenario.’’ 14. IoT Devices vs. IoT Products. We find that the IoT Labeling Program should apply to ‘‘IoT products’’ as defined above, rather than being limited only to ‘‘IoT devices.’’ In the IoT Labeling NPRM, the Commission noted 2 For purposes of the IoT Labeling Program, the NISTIR 8425 scoping definition of ‘‘components’’ falls into three main types: Specialty networking/ gateway hardware (e.g., a hub within the system where the IoT device is used); Companion application software (e.g., a mobile app for communicating with the IoT device); and Backends (e.g., a cloud service, or multiple services, that may store and/or process data from the IoT device). See NISTIR 8425 at 2. Our use of this scoping definition of ‘‘components’’ is intended only to apply to the IoT Labeling program. We note that Commission rules use the term ‘‘components’’ in a variety or contexts and different rule provisions, and we are not intending to affect the use of that term in those other contexts. E:\FR\FM\30JYR2.SGM 30JYR2 khammond on DSKJM1Z7X2PROD with RULES2 Federal Register / Vol. 89, No. 146 / Tuesday, July 30, 2024 / Rules and Regulations that it was important to ensure that the IoT Labeling Program ‘‘would be sufficiently inclusive to be of value to consumers.’’ Since the Commission’s adoption of the IoT Labeling NPRM, NIST has provided clarity in this realm by stating ‘‘the cybersecurity technical and non-technical outcomes defined in the NISTIR 8425 consumer profile apply to IoT products and not just IoT devices.’’ In addition, in reviewing the record, we believe applying the IoT Labeling Program to IoT products instead of IoT devices alone achieves these priorities because only by addressing the full functionality of a consumer product (i.e., one or more IoT devices and any additional product components (e.g., backend, gateway, mobile app) that are necessary to use the IoT device, beyond basic operational features) ‘‘including data communications links to components outside this scope but excluding those external components and any external third-party components that are outside the manufacturer’s control’’ will provide consumers the necessary scope to satisfy the basic security expectation of the consumer and effectuate a discernable increase in the cybersecurity posture of the IoT ecosystem at large. 15. There is significant support in the record for an IoT product focus for the IoT Labeling Program. As explained by UL Solutions, applying the IoT Labeling Program to IoT products is necessary since ‘‘most IoT devices sold to consumers cannot be meaningfully used without additional components.’’ The Cybersecurity Coalition further supports this position by saying ‘‘IoT devices are typically part of a broader ecosystem of components that can have their own security issues, requiring ‘IoT cybersecurity’ to extend beyond individual devices to be effective.’’ ITI notes an IoT product focus benefits consumers because it ‘‘will appropriately capture the relevant devices/components of the product that could be vulnerable to attack (and are always included in an IoT product, as NIST points out).’’ Applying the IoT Labeling Program to IoT products further benefits consumers by promoting consumer safety because it ‘‘encourages manufacturers to prioritize security across all components, ultimately leading to safer and more reliable IoT experiences for consumers.’’ Additionally, the record indicates that ‘‘the entire service which includes cloud infrastructure as well as apps or other ways to control or manage the device by the user, and not simply the physical device itself, is critical for an assessment of safety and security.’’ VerDate Sep<11>2014 16:59 Jul 29, 2024 Jkt 262001 Further, focusing on IoT products aligns not only with the technical requirements of NISTIR 8425, but also ‘‘emerging requirements in Europe and the UK [United Kingdom], such as the EU [European Union] [Cyber Resilience Act], and EU Directives on consumer protections EU 2019/770, 771.’’ We agree and will apply the IoT Labeling Program to consumer IoT products, which provides for the greatest level of consumer benefit by prioritizing cybersecurity across the entirety of the consumer product, as compared to just the device, which is able to perform its full functionality only when working in conjunction with other product components. 16. We disagree with Samsung, CTIA—The Wireless Association (CTIA), LG Electronics, and CTA, who advocate focusing on IoT devices instead of IoT products. Samsung and CTIA argue that cybersecurity standards for devices are more mature than standards for products, and CTA argues that applying the FCC IoT Label to products would be more complex than devices. LG Electronics expresses concern that expanding to products ‘‘would require device manufacturers to attest to the security of product components that are outside of their control.’’ We do not agree that these rationales support limiting application of the IoT Labeling Program only to devices, rather than products. First, applying the IoT Labeling Program narrowly to IoT devices would run counter to NIST’s guidance and considerable work in this space, upon which the Commission has relied for the basis for the IoT Labeling Program proposal. NIST’s Profile of the IoT Core Baseline for Consumer IoT Products (NISTIR 8425), discussed above, provides fundamental IoT guidelines and applies to the broader product category, and the more recent NIST IoT Product Component Requirements Essay clearly states that the outcomes listed in NISTIR 8425 apply to consumer IoT products and not just IoT devices. 17. Further, regarding the notion that the IoT Labeling Program should be focused on IoT devices because existing standards for IoT devices are more readily available or achievable in the near term, we counter that the record shows existing IoT device standards can be leveraged to support assessing IoT products as well. As noted by commenter ITI, existing IoT industry standards ‘‘capture similar baseline themes’’ to the NIST criteria. In view of these similarities, the IoT Labeling Program can leverage these existing standards for IoT devices as building blocks, and tailor them in view of the PO 00000 Frm 00005 Fmt 4701 Sfmt 4700 61245 IoT products being assessed. Accordingly, the need to realize the benefits of a product-level label weigh in favor of taking a small amount of time to get to product-based standards by leveraging existing device standards. 18. We also reject the argument that because ‘‘cybersecurity frameworks and testing programs have been developed to focus on device-level—rather than product-level—assessment’’ that a device-level IoT Labeling Program is the appropriate outcome. We note, for example, that ITI recommends recognizing IoT security assessments from our international partners, such as IoT assessments under the Cybersecurity Labelling Scheme (CLS) by Singapore’s Cyber Security Agency, which assesses the overall IoT product, and not just a single device included in the IoT product. In this regard, the ability to recognize international efficiencies for IoT Labeling Program participants would be hindered by limiting the Cyber Trust Mark to the device level, as Singapore’s CLS (and other evolving international standards) focus on product-level assessments. 19. Finally, applying the IoT Labeling Program to products enhances value to consumers without requiring manufacturers to be responsible for products or devices that are outside of their control. The record shows that a consumer’s expectation of security extends to the entire IoT product they purchase. This consumer expectation is evidenced in the record by ITI, clarifying that ‘‘because consumers purchase, interact with, and view IoT merchandise not as component parts but as complete physical product . . . Consumers are primarily concerned with the entire physical product they are purchasing.’’ Additionally, as noted by UL Solutions, ‘‘most IoT devices sold to consumers cannot be meaningfully used without additional components.’’ In view of this need, a manufacturer seeking authority to affix the FCC IoT Label is expected to secure the whole IoT product, including the product’s internal communication links connecting the different parts of the product to each other as well as the product’s communication links that connect the IoT product to the outside world. We do not require manufacturers to be responsible for third-party products or devices (including apps) that are outside of their control; 2 2 To further clarify, nothing in this item prohibits manufacturers from allowing product owners from installing the software of their choice, from disabling security features, or from replacing or modifying components of a product, including the firmware and software. An IoT manufacturer cannot E:\FR\FM\30JYR2.SGM Continued 30JYR2 khammond on DSKJM1Z7X2PROD with RULES2 61246 Federal Register / Vol. 89, No. 146 / Tuesday, July 30, 2024 / Rules and Regulations however, where a manufacturer allows third-party apps, for example, to connect to and they allow that application to control their IoT product, such manufacturer is responsible for the security of that connection link and the app if such app resides on the IoT product. Further, we agree with CTIA that if ‘‘a [p]roduct [c]omponent also support[s] other IoT Products through alternative features and interfaces, these alternative features and interfaces may, through risk-assessment, be considered as separate from and not part of the IoT Product for purposes of authorization.’’ Moreover, NIST enumerates the dangers of an IoT device-only focus, establishing that the ‘‘additional product components have access to the IoT device and the data it creates and usesmaking them potential attack vectors that could impact the IoT device, customer, and others,’’ and that ‘‘these additional components can introduce new or unique risks to the IoT product.’’ Consumer expectations that the FCC IoT Label would apply to the entirety of the product purchased is further highlighted by Consumer Reports, explaining that ‘‘If everything is sold within a box, then everything in the box should be approved to use the mark.’’ Consumer Reports also notes that ‘‘[i]f the labeling programs were only to address the physical device and not other system components, consumers would likely be deceived as to the scope and efficacy of the program.’’ The record is adamant that the ‘‘Cyber Trust Mark must be trusted by consumers to be successful.’’ In view of the record, securing only a portion of an IoT product by just assessing a single IoT device included in the IoT product, instead of assessing the devices and components that comprise the IoT product holistically, could deceive consumers and go against consumer expectation that the technology being brought into their homes is reasonably secure. We weigh heavily the likelihood for consumer confusion should the device-only approach be taken, and accordingly we apply this consumer IoT Labeling Program to IoT products and not just IoT devices. 20. In sum, although there are relative advantages and disadvantages with either a narrow focus on IoT devices or a broader focus on IoT products, on balance we are persuaded to focus our be held responsible for the owner’s decision to make such changes, just as a traditional product manufacturer cannot be responsible for the actions of a consumer who modifies the core mechanisms of a product and thereby risks rendering it unsafe. However, we reiterate that in order to be authorized to use the FCC IoT Label, manufacturers must meet the requirements of the program. VerDate Sep<11>2014 16:59 Jul 29, 2024 Jkt 262001 initial IoT Labeling Program on IoT products. As explained above, we find commenters’ concerns about encompassing full IoT products in our IoT Labeling Program to be overstated. At the same time, we see significant shortcomings with a narrower focus just on IoT devices. Weighing the totality of these considerations, we are persuaded that targeting the IoT Labeling Program on IoT products is the best approach at this time. 21. Consumer IoT Products vs. Enterprise IoT Products. The IoT Labeling Program applies to the labeling of consumer IoT products that are intended for consumer use, and does not include products that are primarily intended to be used in manufacturing, healthcare, industrial control, or other enterprise applications. While we do not foreclose expansion of the IoT Labeling Program at a later date, this initial scope will provide value to consumers most efficiently and expediently, without added complexity from the enterprise environment. 22. The record supports the IoT Labeling Program having a consumer IoT focus, with support provided by UL Solutions, the Cybersecurity Coalition, and the Connectivity Standards Alliance (CSA), among others. The FDA also suggests that IoT outside of the consumer scope may need ‘‘[g]reater and more tailored controls,’’ suggesting that different considerations might attend IoT with a purpose outside of that in the routine consumer realm. Additionally, commenters highlight the differing security needs of consumer and enterprise products. For example, UL Solutions notes that ‘‘IoT products intended for commercial or industrial settings are exposed to different types of threats than consumer products and often carry higher risk if breach, which necessitates different requirements.’’ CSA also highlights that ‘‘[e]nterprise device security approaches are often customized and vary based on the specific needs of the business.’’ We agree that applying the IoT Labeling Program to consumer IoT products will reduce complexity, which will bolster the likelihood of success when starting the new IoT Labeling Program. 23. The International Speech and Communication Association (ISCA) supports including enterprise IoT, stating that a broader scope will ensure the IoT Labeling Program remains flexible to the extent that the boundary between consumer and enterprise IoT is blurring. Further, ISCA and Abhishek Bhattacharyya note that attackers have more to gain from targeting enterprise settings. While there are considerable threat vectors and vulnerabilities PO 00000 Frm 00006 Fmt 4701 Sfmt 4700 associated with all classes of IoT products,3 we agree with Everything Set, Inc., that focusing the IoT Labeling Program on household use of IoT products will be more useful and have greater impact, given that enterprises tend to have more time, resources, and expertise to devote to network security. They note further that many small- and medium-sized businesses also buy consumer devices, so a consumerfocused Cyber Trust Mark would be of utility to them, as well. We believe in the near term that a consumer focus will provide the most initial impact, and create a level of recognition and trust in the Cyber Trust Mark itself as the IoT Labeling Program progresses that could be leveraged to enterprise IoT at a later time, and we therefore defer consideration of the IoT Labeling Program’s expansion. 24. Exclusion of Certain Devices/ Products. As an initial matter, we exclude from the IoT Labeling Program medical devices regulated by the U.S. Food and Drug Administration (FDA). The Center for Devices and Radiological Health (within the FDA) expresses concern that the Commission’s labeling IoT Labeling Program may lack controls and minimum criteria that it believes are necessary for IoT medical devices. In addition, the FDA is concerned that including medical devices in the IoT Labeling Program may cause consumer confusion and ‘‘potentially creates conflict where product manufacturers attempt to both qualify for the Cyber Trust Mark and comply with existing statutory and regulatory cybersecurity requirements under other federal laws, such as the Federal Food, Drug, and Cosmetic Act (FD&C Act).’’ These considerations persuade us to exclude FDA-regulated medical devices from our IoT Labeling Program, consistent with commenters’ recommendations. In 3 There are many types IoT devices and products, which may be divided into various categories or classes based on their purpose, application, and functionality. These classes of IoT devices and products include smart home (e.g., smart thermostats, smart lights, smart locks, smart cameras), wearables (e.g., fitness trackers, smart watches), and Healthcare (e.g., remote patient monitoring devices, smart medical equipment). It is worth noting that not all IoT devices or products are created equal, in terms of features, security and the level of risk they present. Additionally, from security standpoint, an IoT product that is appropriate for consumer or home use may not be suitable for industrial or enterprise environment. These differences suggest the need for different security standards that distinguish between lowrisk, medium-risk and high-risk applications. Our approach to identifying the specific cybersecurity standards to apply enables us to appropriately account for that in the case of particular wireless consumer products (or categories of such products) in our initial implementation of the IoT Labeling Program. E:\FR\FM\30JYR2.SGM 30JYR2 khammond on DSKJM1Z7X2PROD with RULES2 Federal Register / Vol. 89, No. 146 / Tuesday, July 30, 2024 / Rules and Regulations addition, we exclude from this program motor vehicles and motor vehicle equipment given that the National Highway Traffic Safety Administration (NHTSA) ‘‘has the authority to promulgate motor vehicle safety regulations on cybersecurity and has enforcement authority to secure recalls of motor vehicles and motor vehicle equipment with a safety-related defect, including one involving cybersecurity flaws.’’ 25. Exclusion of Devices/Products Produced by Certain Entities. We adopt the following measures to promote national security in connection with the IoT Labeling Program. The IoT Labeling NPRM proposed to exclude from the IoT Labeling Program (1) any communications equipment on the Covered List maintained by the Commission pursuant to section 2 of the Secure and Trusted Communications Networks Act (STCNA); (2) any IoT device produced by an entity identified on the Covered List (i.e., an entity named or any of its subsidiaries or affiliates) as producing ‘‘covered’’ equipment; and (3) any device or product from a company named on certain other lists maintained by other Federal agencies that represent the findings of a national security review. We now adopt all of these prohibitions as they relate to our decision to focus the IoT Labeling Program on consumer IoT products. Thus, any communications equipment identified on the Covered List, now or in the future, will be ineligible for the IoT Labeling Program, and any such product will be denied approval to use the Cyber Trust Mark. Furthermore, any additional products produced by an entity identified on the Covered List as producing ‘‘covered’’ equipment, or any product containing devices or product components produced by such an entity, will be ineligible for the IoT Labeling Program; this would include products that may not fit within the definition of ‘‘communications equipment’’ under STCNA. Only entities identified on the Covered List as producers of ‘‘covered’’ equipment—not those on the Covered List only because of their ‘‘covered’’ services—are subject to this prohibition. In addition, we adopt the proposal that IoT devices or products containing devices manufactured by companies named on the Department of Commerce’s Entity List, named on the Department of Defense’s List of Chinese Military Companies, or suspended or debarred from receiving Federal procurements or financial awards, including those published as ineligible for award on the VerDate Sep<11>2014 16:59 Jul 29, 2024 Jkt 262001 General Service Administration’s System for Award Management, will not be authorized to display the FCC IoT Label or participate in the IoT Labeling Program. Further, we exclude from the IoT Labeling Program any products containing devices produced or manufactured by these entities. We conclude that inclusion on these lists represents a determination by an agency charged with making national security determinations that a company’s products lack the indicia of trustworthiness that the Cyber Trust Mark is intended to represent. Our action here thus supports and reinforces the steps we have taken in other proceedings to safeguard consumers and communications networks from equipment that poses an unacceptable risk to national security and that other Federal agencies have taken to identify potential concerns that could seriously jeopardize the national security and law enforcement interests of the United States. 26. With the exception of China’s comments raising the same World Trade Organization (WTO) issue we rejected in the Report and Order applying the Covered List to the FCC equipment authorization program, the record overwhelmingly supports excluding from the IoT Labeling Program these products and devices produced by companies identified on the Covered List. Additionally, USTelecom, CTIA, CTA, Cybersecurity Coalition and Consumer Reports specifically support excluding from the IoT Labeling Program IoT devices that are manufactured by companies on the Covered List, but also urge the Commission to restrict any equipment manufactured by companies on additional Federal restricted lists, including those otherwise banned from Federal procurement. Consumer Reports agrees with excluding systems that include components included on the Covered List or similar lists from the IoT Labeling Program. Each of these lists represent the determination by relevant Federal agencies that the entities on the list may pose a national security threat within their respective areas, and as such we find that we cannot separately sanction their products as trustworthy via the IoT Labeling Program. While each list is designed to support specific prohibitions, their use here only excludes their contents from a voluntary program representing U.S. Government assessment of their security and does not prohibit any other use. Insofar as the FCC IoT Label reflects the FCC’s signal to consumers about cybersecurity, it is reasonable for the FCC to take a cautious PO 00000 Frm 00007 Fmt 4701 Sfmt 4700 61247 approach especially for those products for which relevant Federal agencies have expressed other security concerns. 27. Applicant Declaration Under Penalty of Perjury. To implement the Commission’s goal of ensuring the Cyber Trust Mark is not affixed to products that pose a risk to national security or a risk to public safety, we require applicants seeking authorization to use the FCC IoT Label to provide a declaration under penalty of perjury that all of the following are true and correct: (i) The product for which the applicant seeks to use the FCC IoT Label through cybersecurity certification meets all the requirements of the IoT Labeling Program. (ii) The applicant is not identified as an entity producing covered communications equipment on the Covered List, established pursuant to § 1.50002 of the Commission’s rules. (iii) The product is not comprised of ‘‘covered’’ equipment on the Covered List. (iv) The product is not produced by any entity, its affiliates, or subsidiaries identified on the Department of Commerce’s Entity List, or the Department of Defense’s List of Chinese Military Companies. (v) The product is not owned or controlled by or affiliated with any person or entity that has been suspended or debarred from receiving Federal procurements or financial awards, to include all entities and individuals published as ineligible for award on the General Service Administration’s System for Award Management. (vi) The applicant has taken every reasonable measure to create a securable product. (vii) The applicant will, until the support period end date disclosed in the registry, diligently identify critical vulnerabilities in our products and promptly issue software updates correcting them, unless such updates are not reasonably needed to protect against security failures. (viii) The applicant will not elsewhere disclaim or otherwise attempt to limit the substantive or procedural enforceability of this declaration or of any other representations and commitments made on the FCC IoT Label or made for purposes of acquiring or maintaining authorization to use it. 28. If any applicant fails to make any of the above disclosures within 20 days after being notified of its noncompliance, such failure would result in termination of any improperly granted authorization to use the Label, and/or subject the applicant to other E:\FR\FM\30JYR2.SGM 30JYR2 khammond on DSKJM1Z7X2PROD with RULES2 61248 Federal Register / Vol. 89, No. 146 / Tuesday, July 30, 2024 / Rules and Regulations enforcement measures. The applicant is required to update its declaration, or withdraw a not-yet granted application, if any of the applicant’s circumstances impacting the declarations materially change while the application is pending. 29. Wireless Consumer IoT Devices vs. Wired Consumer IoT Devices. The Order adopts the IoT Labeling NPRM’s proposal that the IoT Labeling Program apply initially to wireless consumer IoT devices. This is consistent with the IoT Labeling NPRM proposal to focus the scope of the IoT Labeling Program on intentional radiators that generate and emit RF energy by radiation or induction and exclude wired-only IoT devices, noting such devices are encompassed by the Commission’s section 302 authority governing the interference potential of devices that emit RF energy and can cause harmful interference. We find that this distinction is appropriate, both because of the Commission’s interest in keeping the scope of the IoT Labeling Program clear and manageable during its debut and because there is support in the record for wireless intentional radiators as most prevalent types of consumer IoT devices contemplated in the IoT Labeling NPRM. While we recognize that there are other types of RF devices—both unintentional and incidental radiators—that are subject to our jurisdiction, we are not including them in our IoT Labeling Program at this time. 30. We acknowledge there is substantial support in the record for including wired IoT consumer products within the scope of the IoT Labeling Program. Consumer Reports recommends including both wired and wireless IoT within the scope of the IoT Labeling Program, pointing out that wired IoT devices or products are vulnerable to cybersecurity threats just as wireless IoT devices or products are. Consumer Reports also points out that ‘‘while wireless devices are the majority of IoT devices, there are still almost 700 million wired IoT devices globally, and they are expected to grow by a 10% [compound annual growth rate] through 2027 according to IoT Analytics ‘State of IoT—Spring 2023 Report.’ ’’ TÜV SÜD also encourages the Commission to cover both wired and wireless devices within the scope of the IoT Labeling Program, and AIM emphasizes the importance of the security of both wired and wireless IoT to the cybersecurity ecosystem. CTA further states that the Commission should not define the scope of the IoT Labeling Program in such a way as to exclude wired IoT products. The Association of Home VerDate Sep<11>2014 16:59 Jul 29, 2024 Jkt 262001 Appliance Manufacturers (AHAM) points out that both wired and wireless IoT are included in the NIST definition. 31. While we agree that wired IoT products are susceptible to cyberattacks and similarly pose security risks to consumers and others, we find it to be in the public interest for the IoT Labeling Program to start with wireless consumer IoT products in view of the record indicating that ‘‘wireless devices are the majority of IoT devices,’’ which would indicate that a focus on this product segment will have a substantial impact on the overall IoT market. The record also supports this approach, with Keysight Technologies, Inc. concurring that ‘‘the program should include consumer RF IoT products initially.’’ Further, we do not agree with arguments that there may be an unintended perception that ‘‘[c]reating a program that would only certify wireless IoT devices would send an improper message that only wireless IoT devices are secure.’’ Instead, we believe that beginning with wireless IoT products is both feasible and can be adopted with more speed, providing more prompt benefit in the marketplace. Further, a more limited scope will streamline the initial rollout of the IoT Labeling Program, provide focus to the additional tasks necessary to stand up the program, and lay the groundwork for expansion, and we do not foreclose consideration including wired IoT products in the future. As such and as discussed below, we also defer consideration of our legal authority to consider wired products at this time. B. Oversight and Management of the IoT Labeling Program 32. Based on the comments filed regarding oversight and management of the IoT Labeling Program, the Commission finds it is in the public interest to continue to foster publicprivate collaboration, including with regard to the management and administration of the IoT Labeling Program, while ensuring the Commission retains ultimate control and oversight of the IoT Labeling Program. In this respect, providing a broad, unifying government oversight framework for existing private labeling schemes and other private efforts in this context will allow current participants in this ecosystem to capitalize on their existing investments and relationships in a way that not only promotes the overall effectiveness of the FCC’s IoT Labeling Program and increases the security of the IoT ecosystem. 33. The Commission adopts the IoT Labeling NPRM proposal that the IoT Labeling Program be comprised of a PO 00000 Frm 00008 Fmt 4701 Sfmt 4700 single ‘‘program owner’’ responsible for the overall management and oversight of the IoT Labeling Program, with administrative support from one or more third-party administrators. NIST’s white paper recommends one ‘‘scheme owner’’ responsible for managing the labeling program, determining its structure and management, and performing oversight to ensure the program is functioning consistently in keeping with overall objectives. We agree that it is appropriate for a single entity to perform these functions and find that the Commission will be the program owner of the IoT Labeling Program, and as such retains ultimate control over the program, and determines the program’s structure. CSA highlights support in the record for having the Commission as the program owner, arguing that ‘‘[p]lacing the regulatory authority in the hands of the Commission and providing governmentbacked endorsement may strengthen trust with Consumers.’’ However, the NIST Cybersecurity White Paper also recommends the ‘‘scheme owner’’ be responsible for defining the conformity assessment requirements, developing the label and associated information, and conducting consumer outreach and education. 34. While the Commission as program owner will oversee the elements of the program, the program will be supported by Cybersecurity Label Administrators (Label Administrators or CLAs) who will manage certain aspects of the program and authorize use the FCC IoT Label as well as a Lead Administrator selected by the Bureau from among the CLAs, which will undertake additional duties including acting as the point of contact between the CLAs and the Commission. In addition, the Commission believes it is appropriate for a Lead Administrator, in collaboration with the CLAs and other stakeholders, to identify or develop, and recommend to the Commission for approval, the IoT specific standards and testing procedures, procedures for postmarket surveillance, as well as design and placement of the label. The Lead Administrator will also be responsible for developing, in coordination with stakeholders, a consumer education plan and submitting the plan to the Bureau and engaging in consumer education. Each of these duties are discussed in depth below. The Cybersecurity Coalition recommends the Commission utilize a single administrator, rather than multiple administrators ‘‘to reduce the likelihood of conflict among administrators and simplify engagement with E:\FR\FM\30JYR2.SGM 30JYR2 khammond on DSKJM1Z7X2PROD with RULES2 Federal Register / Vol. 89, No. 146 / Tuesday, July 30, 2024 / Rules and Regulations manufacturers, consumers, and government agencies.’’ CTA, on the other hand, contemplates multiple administrators, suggesting that the Commission may consider leveraging ‘‘a consortium of scheme owners[ ] to ensure that the IoT Labeling Program is administered and issues are adjudicated in an effective, objective, and timely fashion.’’ We agree with CTA’s reasoning, while also acknowledging the Cybersecurity Coalition’s concern regarding potential conflict. Accordingly, the Bureau will select a Lead Administrator from among the CLA applicants to address conflicts. 35. As an initial matter, we have looked to the structure of, and experiences with, the Commission’s equipment authorization program and rules in developing the IoT Labeling Program, as proposed and discussed in the IoT Labeling NPRM. We emphasize, however, that the IoT Labeling Program is new and distinct, and it will operate under its own rules and with new authorities specifically delegated to PSHSB. This is consistent with the record developed in the proceeding, in which many commenters urged the Commission to keep the equipment authorization and IoT Labeling programs separate. In addition, several commenters addressed whether obtaining a valid equipment authorization should be a pre-requisite for obtaining the Cyber Trust Mark, or whether obtaining approval to use the Cyber Trust Mark would be required as a condition for applying for an equipment authorization. We emphasize that our IoT Labeling Program is voluntary, and parties are required to follow the Commission’s equipment authorization program regardless of whether or not they choose to participate in the IoT Labeling Program. We also clarify that there is no requirement to complete the equipment authorization process before qualifying for the Cyber Trust Mark; however, our existing part 2 rules will continue to prohibit the marketing of a device that does not have a valid equipment authorization. 36. We conclude that it is in the public interest and supported in the record to adopt the IoT Labeling Program structure recommended by NIST, with the modifications discussed above regarding third-party administrators that are overseen by the Commission as the program owner. This and the following paragraph preview the remaining roles and responsibilities for the IoT Labeling Program, which will be developed in depth in the remaining sections of the Order. The Commission also will be responsible for VerDate Sep<11>2014 16:59 Jul 29, 2024 Jkt 262001 coordinating mutual recognition of the Cyber Trust Mark with international partners, coordinating with the Lead Administrator, Federal partners, industry, and other stakeholders on consumer education programs, and performing oversight to ensure the IoT Labeling Program is functioning properly. In addition, the Commission will specify the data to be included in a consumer-friendly registry that provides additional information about the security of the products approved to use the Cyber Trust Mark and is accessible through the QR Code that is required to accompany the Cyber Trust Mark. Further, the Commission will own and maintain the registration for the Cyber Trust Mark, which may only be used when the product has been appropriately tested and complies with the Commission’s IoT Labeling Program requirements. 37. The Commission will approve qualified Cybersecurity Label Administrators (Label Administrators or CLAs) to manage certain aspects of the labeling program and be authorized by the Commission to license the Cyber Trust Mark to manufacturers whose products are in compliance with the Commission’s IoT cybersecurity labeling rules. The Commission will also select a Lead Administrator, which will be responsible for carrying out additional administrative responsibilities, including but not limited to reviewing applications and recognizing qualified and accredited Cybersecurity Testing Laboratories (CyberLABs) and engaging in consumer education regarding the Cyber Trust Mark. The Lead Administrator will also collaborate with cyber experts from industry, government, academia, and other relevant sectors if needed to identify, develop, and maintain consumer IoT cybersecurity technical and conformity assessment standards that are based on NIST standards and guidance, that will be submitted to PSHSB for consideration and approval, and, subject to any required public notice and comment, adopted into the Commission’s rules. The standards and testing procedures developed or identified in collaboration with CLAs and other stakeholders and submitted by the Lead Administrator for consideration by the Commission will, in turn, be used by accredited 4 testing 4 The organization(s) accrediting the prospective Label Administrators and testing labs must meet the requirements and conditions in ISO/IEC 17011. See 47 CFR 8.910(b)(1) ISO/IEC 17011:2004(E), ‘‘Conformity assessment—General requirements for accreditation bodies accrediting conformity assessment bodies,’’ First Edition, 2004–09–01, IBR approved for §§ 8.217(e) and 8.218(b). PO 00000 Frm 00009 Fmt 4701 Sfmt 4700 61249 labs recognized by the Lead Administrator—whether CyberLABs,5 a CLA-run lab, or a testing lab internal to a company (in-house testing lab) for product testing. 38. Retaining key overarching functions within the Commission as discussed above will ensure the effective administration and oversight of this government program and protect the integrity of the FCC-owned Cyber Trust Mark, while perpetuating, where appropriate, the relevant efforts of the private sector that meet the goals and requirements of the program. We also agree with CSA that program ownership by the Commission will increase consumer confidence in the Cyber Trust Mark. In addition, the clear high-level oversight functions retained for the Commission ensures the Commission has meaningful decision-making control. Here, while the CLA(s) will recommend standards and testing procedures to be approved by the Commission as well as manage the dayto-day administrative functions assigned, the Commission will ultimately review, consider, and exercise judgment on whether the requirements are appropriate to support the Commission’s program, and on how the program is ultimately administered. 39. We adopt the IoT Labeling NPRM’s proposal that one or more qualified third-party administrators (Cybersecurity Labeling Administrators or CLAs) be designated by the Commission to manage certain aspects of the labeling program and be authorized to certify the application of the FCC IoT Label by manufacturers whose products are found to be in compliance with the Commission’s IoT cybersecurity labeling rules and regulations. The record supports the Commission’s adoption of a labeling program that is supported by CLAs. 5 There appeared to be some confusion in the record with the Commission’s use of the term Cybersecurity Labeling Authorization Bodies. Specifically, the ANSI National Accreditation Board (ANAB) recommended the Commission reconsider the use of the term ‘‘CyberLAB’’ as the ‘‘implication that such organizations are laboratories could create market confusion.’’ ANAB Reply at 2. We disagree that the term CyberLAB may be confusing because these organizations are, in fact, laboratories/testing bodies that will be testing products to determine compliance with applicable standards. The CyberLABs, however, are not ‘‘certification bodies.’’ Rather, the entity that will be authorizing an applicant to use the Cyber Trust Mark on their product is the CLA, as described below. To ensure there is no confusion, the Commission has changed the term from Cybersecurity Labeling ‘‘Authorization Bodies’’ as these terms are reserved for accreditation bodies, to Cybersecurity Testing Laboratories, reflecting that the function of these labs is for testing and generating reports, and not certifying or issuing a label. We continue to use the short-form term ‘‘CyberLAB’’ to refer to these testing labs. E:\FR\FM\30JYR2.SGM 30JYR2 khammond on DSKJM1Z7X2PROD with RULES2 61250 Federal Register / Vol. 89, No. 146 / Tuesday, July 30, 2024 / Rules and Regulations According to TIC Council Americas, involving independent third-party administrators who verify that labeled products meet the program requirements will bring trust, consistency, and an impartial level playing field to the Cyber Trust Mark. The Cybersecurity Coalition, Widelity, and CSA highlight that utilizing experienced third-party administrators will allow the program to run more efficiently and will provide ‘‘the required expertise for the administration of the program.’’ CTA and other commenters also assert that the IoT Labeling Program will be best served if the Commission ‘‘leverage[s] the unique expertise and existing certification infrastructure offered by well-regarded industry organizations.’’ AHAM says that ‘‘[g]iven the volume and increasing numbers of IoT products on the market, [the] FCC needs to give manufacturers as many options as possible as far as obtaining the Cyber Trust mark’’ and that ‘‘third parties will play an important role in any successful program.’’ 40. CTA supports assigning certain responsibilities to one or more independent, (i.e., neutral) third-party administrators which it refers to as ‘‘Authorized Scheme Owners.’’ However, the Commission disagrees with this descriptor insofar as some commenters are confused as to whether the ‘‘scheme owner’’ is the entity ultimately responsible for the program, or a third-party entity responsible for certain program administration functions or specified tasks under the ultimate direction of the Commission. To avoid confusion, the Commission refers to these third-party administrators as CLAs. These CLAs are neutral third parties independent of the applicant and within the context of a program overseen by the Commission. 41. We believe that authorizing one or more CLAs to handle the routine administration of the program will help to ensure a timely and consistent rollout of the program. In particular, several private entities have already implemented robust IoT cybersecurity labeling programs with established business processes in place to receive applications from IoT manufacturers and conduct conformity/standards testing against widely accepted cybersecurity guidelines (e.g., NIST guidelines) or proprietary product profiles based on the NIST criteria. We anticipate a large number of entities will seek grants of authorization to use the FCC IoT Label and we are concerned that if we were to adopt a program limited to a single administrator, there may be bottlenecking delays in the VerDate Sep<11>2014 16:59 Jul 29, 2024 Jkt 262001 processing of applications and a single administrator could result in a single point of failure in the program. Allowing multiple CLAs to execute the role of day-to-day administration of the program will provide for the simultaneous processing of a significant number of applications, provide redundancy of structure, and potentially foster competition in this space to better serve those seeking access to the label. In addition, leveraging the expertise of multiple existing program managers and using pre-existing systems and processes that meet our program specifications will minimize administrative delay, while promoting an efficient and timely rollout of the Cyber Trust Mark. This will also ensure that the Commission effectively utilizes the expertise of those entities who have made investments in their own cybersecurity labeling programs and have experience working with manufacturers and IoT conformity and standards testing, expediting the ability to provide consumers with a simple way to understand the relative security of the products and devices they purchase under a government-backed standard. 42. We recognize, however, that there is a need for a common interface between the CLAs and the Commission to facilitate ease of engagement and to conduct other initial tasks associated with the launch of the program. We delegate authority to PSHSB to review CLA applications, review CLA applications that also request consideration for Lead Administrator, select the Lead Administrator and manage changes in the Lead Administrator. 43. Lead Administrator Duties. The Lead Administrator will undertake the following duties in addition to the CLA duties outlined below: a. interface with the Commission on behalf of the CLAs, including but not limited to submitting to the Bureau all complaints alleging a product bearing the FCC IoT Label does not meet the requirements of the Commission’s labeling program; b. conduct stakeholder outreach as appropriate; c. accept, review, and approve or deny applications from labs seeking recognition as a lab authorized to perform the conformity testing necessary to support an application for authority to affix the FCC IoT Label,6 6 If the Lead Administrator, in addition to its administrative duties, intends to offer lab testing service (CLA-run lab), it must submit an application with PSHSB seeking FCC recognition as a lab authorized to perform conformity testing to support an application for authority to affix the FCC IoT Label. The Lead Administrator is not authorized to PO 00000 Frm 00010 Fmt 4701 Sfmt 4700 and maintain a publicly available list of Lead Administrator-recognized labs and a list of labs that have lost their recognition; d. within 90 days of release of the Public Notice announcing the Lead Administrator selection, the Lead Administrator shall, in collaboration with stakeholders (e.g., cyber experts from industry, government, and academia) as appropriate: i. submit to the Bureau recommendations identifying and/or developing the technical standards and testing procedures for the Commission to consider with regard to at least one class of IoT products eligible for the IoT Labeling Program. The Bureau will evaluate the recommendations, and if the Bureau approves of the recommendations, subject to any required public notice and comment, incorporate them by reference into the Commission’s rules; ii. submit to the Bureau a recommendation on how often a given class of IoT products must renew their request for authority to bear the FCC IoT Label, which may be dependent on the type of product, and that such a recommendation be submitted in connection with the relevant standards recommendations for an IoT product or class of IoT products; The Bureau will evaluate the recommendations, and if the Bureau approves of the recommendations, subject to any required public notice and comment, incorporate them by reference into the Commission’s rules; iii. submit to the Bureau recommendations on the design of the FCC IoT Label, including but not limited to labeling design and placement (e.g., size and white spaces, product packaging.) The Bureau will evaluate the recommendations, and if the Bureau approves of the recommendations, subject to any required public notice and comment, incorporate them by reference into the Commission’s rules; and iv. submit to the Bureau recommendations with regard to updates to the registry including whether the registry should be in additional languages, and if so, to recommend specific languages for inclusion; v. submit to the Bureau recommendations on the design of the FCC IoT Label, including but not limited to labeling design and placement (e.g., size and white spaces, product packaging, whether to include recognize its own cybersecurity testing lab. If approved by PSHSB, the Lead Administrator will add the name of its lab to the list of recognized labs. E:\FR\FM\30JYR2.SGM 30JYR2 khammond on DSKJM1Z7X2PROD with RULES2 Federal Register / Vol. 89, No. 146 / Tuesday, July 30, 2024 / Rules and Regulations the product support end date and other security and privacy information on the label.) The Bureau will evaluate the recommendations, and if the Bureau approves of the recommendations, subject to any required public notice and comment, incorporate them by reference into the Commission’s rules. e. The Lead Administrator shall, in collaboration with CLAs and other stakeholders (e.g., cyber experts from industry, government, and academia) as appropriate recommend within 45 days of publication of updates or changes to NIST guidelines, or adoption by NIST of new guidelines, to the FCC any appropriate modifications to the Labeling Program standards and testing procedures to stay aligned with the NIST guidelines; f. submit to the Commission reports on CLAs’ post-market surveillance activities and findings in the format and by the date specified by PSHSB; g. develop in collaboration with stakeholders a consumer education campaign, submit the plan to the PSHSB, and participate in consumer education; h. receive complaints about the Labeling Program, including but not limited to consumer complaints about the registry and coordinate with manufacturers to resolve any technical problems associated with consumers accessing the information in the registry; i. facilitate coordination between CLAs; and j. submit to the Commission any other reports upon request of the Commission or as required by Commission rule. 44. Cybersecurity Label Administrator Duties. CLA(s) are responsible for various administrative duties, including: a. receive and evaluate applications and supporting data requesting authority to use the FCC IoT Label on the product subject to the application; b. grant an application only if it meets all of the Commission’s requirements to use the FCC IoT Label and authorize (i.e., certify) the applicant to use the FCC IoT Label on the product subject to the application; c. ensure that manufacturers make all required information accessible by the IoT registry; d. participate in consumer education campaign in coordination with the Lead Administrator; e. perform post-market surveillance activities, such as audits, in accordance with ISO/IEC 17065 and submit periodic reports to the Lead Administrator of their post-market surveillance activities and findings in VerDate Sep<11>2014 16:59 Jul 29, 2024 Jkt 262001 the format and by the date specified by PSHSB; and f. receive complaints alleging an IoT product does not support the cybersecurity criteria conveyed by the Cyber Trust Mark and refer these complaints to the Lead Administrator which will notify PSHSB.7 45. The record supports the use of CLAs to support a variety of tasks within the program’s construct. ioXt Alliance supports utilizing CLAs for evaluating and certifying products for the Cyber Trust Mark. CTA supports utilizing CLAs to conduct program operations. The Cybersecurity Coalition and Kaiser Permanente also support utilizing CLAs for managing the day-today operations of the IoT Labeling Program. CSA argues that, ‘‘the day-today administration of the Cyber Trust Mark Program should be managed by a Third-Party Administrator, serving as the entity that grants permission to use the Program trademark to applicants.’’ In addition, ITI recommends that it should be the responsibility of the CLA to review or audit self-attestations and that ‘‘third-party administrators can and should play a key role in administering conformity assessment schemes.’’ CSA and CTIA further recommend adopting the IoT Labeling NPRM’s proposal that a third-party administrator evaluate, accredit, or recognize the CyberLABs, and CSA also ‘‘recommends that the Commission hire a third-party administrator to operate the IoT Registry.’’ Finally, ioXt Alliance recommends that third-party administrators should also ‘‘vet companies and products during the certification process’’ to determine which products pose a threat to national security, based on Commission guidance. ioXt Alliance also notes in its comments that the ‘‘label design and associated information should be informed by the expertise of manufacturers and third-party administrators.’’ 46. Subject to Commission oversight, and consistent with recommendations in the record, the CLAs will evaluate and grant or deny requests for authority to use the FCC IoT Label on consumer IoT products in accordance with the IoT Labeling Program. Each administrator will be responsible for certifying that the consumer IoT products for which it authorizes a manufacturer to apply the 7 This process does not foreclose the ability of consumers to file an informal complaint in accordance with the Commission’s rules. See 47 CFR 1.716 through 1.719. In the event an informal complaint is filed with the Commission, the complaint will be forwarded to the Lead Administrator for investigation and/or referral to the issuing CLA. PO 00000 Frm 00011 Fmt 4701 Sfmt 4700 61251 FCC IoT Label are tested by an accredited testing lab, which as discussed further below may be a CyberLAB, the applicant’s own in-house lab, or a CLA-run lab, and that the testing report demonstrates the product conforms to all Commission IoT labeling rules. The CLA will track each application it receives requesting authority to use the FCC IoT Label, and the disposition of all applications, including date of filing, date of acceptance as complete, the date and reason application is returned to applicant, and date of grant or denial. The CLAs will review each application they receive to ensure the application and supporting documents are provided and are sufficient to show the product conforms to all Commission rules and that it includes a compliance test report generated by an accredited and Lead Administrator-recognized testing lab (e.g., third-party lab (CyberLAB), applicant’s in-house testing lab, or CLArun lab). If the application is deficient, it will not be granted until all necessary conditions are satisfied. If the application is complete and meets all of the Commission’s requirements, the CLA will issue a cybersecurity labeling authorization (i.e., cybersecurity certification) approving the applicant to affix the FCC IoT Label to the identified product. 47. In addition to its role as a CLA, the Lead Administrator must collaborate with CLAs and other stakeholders (e.g., cyber experts from industry, government, and academia) as appropriate to develop or identify, and maintain, consumer IoT cybersecurity technical and conformity assessment standards to be met for each class of IoT product seeking authority to affix the FCC IoT Label on their product, which the Lead Administrator will submit to PSHSB for consideration and approval and, subject to any required public notice and comment, adoption into its rules. Adopting standards through consensus is supported by the record in this proceeding.8 The Information Technology Industry Counsel (ITI) supports the Commission retaining ownership of the IoT Labeling Program and authorizing the ‘‘various industryled, consensus standards, which can be used to gain approval for the Cyber Trust Mark.’’ ITI also notes that using industry-led, consensus standards will also limit the likelihood of legal challenges. UL Standards & Engagement 8 As below, we emphasize the importance of leveraging existing expertise in this space, and as such adopt as a criterion for consideration in selecting the lead administrator the ability to convene and develop consensus among stakeholders. E:\FR\FM\30JYR2.SGM 30JYR2 khammond on DSKJM1Z7X2PROD with RULES2 61252 Federal Register / Vol. 89, No. 146 / Tuesday, July 30, 2024 / Rules and Regulations agrees that the FCC should use a ‘‘voluntary consensus-based standards development process’’ to create and update standards for the IoT Labeling Program. The U.S. Chamber of Commerce also supports a consensusbased approach urging the Commission ‘‘to track closely with public-private developments in IoT cybersecurity as well as industry-driven initiatives, such as the C2 Consensus on IoT Device Security Baseline Capabilities (C2 Consensus) and CTIA’s cybersecurity certification program for IoT devices.’’ The Council to Secure the Digital Economy (CSDE), which is ‘‘composed of USTelecom, the Consumer Technology Association (CTA), and 13 global information and communications technology (ICT) companies—has also already convened technical experts from 19 leading organizations throughout the ICT sector to develop and advance industry consensus on baseline security capabilities for new devices,’’ including the C2 Consensus document, which provides guidance to the public and private sectors on IoT devices security. We agree with these recommendations that the Commission adopt standards following recommendations based on an industry-led consensus process, leveraging standards work already in process or completed, which will provide for the swift development and implementation of the IoT Labeling Program. 48. The Lead Administrator is to base the recommended technical standards and testing procedures on the NISTIR 8425, Profile of the IoT Core Baseline for Consumer IoT Products. As noted by ITI, there is ‘‘a suite of existing standards that might be leveraged to ensure that the outcomes NIST outlines can be met.’’ In addition, NIST’s IoT Product Component Requirements Essay provides a summary of standards and guidance that NIST has initially identified as applicable to IoT devices and IoT product components, that the Lead Administrator may determine are applicable to the IoT Labeling Program. The Lead Administrator should evaluate and leverage existing work for efficiency and speed to market where appropriate in making its recommendations to the Commission. 49. The Lead Administrator in collaboration with stakeholders as appropriate will identify or develop IoT cybersecurity standards (or packages of standards) and testing procedures that they determine can be used to test that a product meets the NISTIR 8425 criteria for each class of products identified by the working group. The Lead Administrator will submit to the Bureau recommendations on a rolling VerDate Sep<11>2014 16:59 Jul 29, 2024 Jkt 262001 basis as they are identified, but shall submit the initial set of recommendations no later than 90-days after release of the Public Notice selecting the Lead Administrator. We specify a timeframe here to ensure timeliness of initial standards and prompt launch of the program. Noting the work already ongoing on these issues, we also find such a timeframe to be reasonably achievable. The proposed standards (or packages of standards) and testing procedures must be approved by the Commission prior to implementation. The Commission delegates authority to PSHSB to evaluate and (after any required public notice and comment) approve (or not approve) the technical standards and testing procedures proposed by the Lead Administrator for use in the IoT Labeling Program and incorporate the approved standards and testing procedures by reference into the Commission’s rules. The Commission further directs the Bureau to ensure the standards and testing procedures are relevant and appropriate to support the Commission’s IoT Labeling Program. 50. Selecting CLAs. Each entity seeking authority to act as a CLA must file an application with the Commission for consideration by PSHSB,9 which includes a description of its organization structure, an explanation of how it will avoid personal and organizational conflict when processing applications, a description of its processes for evaluating applications seeking authority to use the FCC IoT Label, and a demonstration of expertise that will be necessary to effectively serve as a CLA including, but not limited to: 1. Cybersecurity expertise and capabilities in addition to industry knowledge of IoT and IoT labeling requirements. 2. Expert knowledge of NIST’s cybersecurity guidance, including but not limited to NIST’s recommended criteria and labeling program approaches for cybersecurity labeling of consumer IoT products. 9 This approach necessitates a mechanism for the Commission to recognize administrators, and we accordingly adopt a rule doing so. See 47 CFR 8.219. We model our approach on analogous elements of our equipment authorization rules, with which the Commission and industry have substantial experience, and which have proven workable in practice. See 47 CFR 2.949. We delegate to PSHSB and OMD authority to take any necessary steps, including adoption of additional procedures and any applicable fees (pursuant to any required public notice and comment), as necessary to ensure compliance with the Communications Act with respect to any rules adopted here that contemplate the filing of applications directly with the Commission. 47 U.S.C. 158(c). PO 00000 Frm 00012 Fmt 4701 Sfmt 4700 3. Expert knowledge of FCC rules and procedures associated with product compliance testing and certification. 4. Knowledge of Federal law and guidance governing the security and privacy of agency information systems. 5. Demonstration of ability to securely handle large volumes of information and demonstration of internal security practices. 6. Accreditation pursuant to all the requirements associated with ISO/IEC 17065 with the appropriate scope.10 We recognize that CLAs cannot obtain accreditation to the FCC scope until after the Commission adopts standards and testing procedures. As such, the Commission will accept and conditionally approve CLA applications from entities that meet the other FCC program requirements and commit to obtain ISO/IEC 17065 accreditation with the appropriate scope within six (6) months of the effective date by the adopted standards and testing procedures. CLA approval to authorize use of the FCC IoT Label will be finalized upon receipt and demonstration to the Commission of ISO/IEC 17065 accreditation with the appropriate scope.11 7. Demonstrate implementation of controls to eliminate actual or potential conflicts of interests (including both personal and organizational), particularly with regard to commercially sensitive information, to include but not limited to, remaining impartial and unbiased and prevent them from giving preferential treatment to certain applications (e.g., application line jumping) and from implementing heightened scrutiny of applications from entities not members or otherwise aligned with the CLA. 8. That the applicant is not owned or controlled by or affiliated with any entity identified on the Commission’s Covered List or is otherwise prohibited from participating in the IoT Labeling Program. We will dismiss all CLA applications from an entity (company) identified on the Commission’s Covered List, the Department of Commerce’s Entity List, and the Department of Defense’s List of Chinese Military Companies. 9. That the applicant is not owned or controlled by or affiliated with any person or entity that has been suspended or debarred from receiving 10 The scope of CLA’s ISO/IEC 17065 certification includes certifying IoT products and devices for compliance with FCC cybersecurity standards. 11 Consistent with standard practice for accreditation, the organization accrediting the CLAs must be recognized by the Bureau to perform such accreditation based on International Standard ISO/ IEC 17011. E:\FR\FM\30JYR2.SGM 30JYR2 khammond on DSKJM1Z7X2PROD with RULES2 Federal Register / Vol. 89, No. 146 / Tuesday, July 30, 2024 / Rules and Regulations Federal procurements or financial awards, to include all entities and individuals published as ineligible for award on the General Service Administration’s System for Award Management. 10. In addition to completing the CLA application information, entities seeking to be the Lead Administrator will submit a description of how they will execute the duties of the Lead Administrator, including: a. their previous experience in IoT cybersecurity; b. what role, if any, they have played in IoT labeling; c. their capacity to execute the Lead Administrator duties outlined in the Order; d. how they would engage and collaborate with stakeholders to identify or develop the Bureau recommendations discussed in the Order; e. a proposed consumer education campaign; and f. additional information the applicant believes demonstrates why they should be the Lead Administrator. 51. For items #7 and #8, we note that the record raises national security considerations when selecting a Label Administrator. For example, CTIA urges that the Commission ‘‘exclude all entities on the Covered List (not just those included on the list for producing equipment), all entities on the other lists identified in the IoT Labeling NPRM, as well as entities that are otherwise banned from federal procurement.’’ CTIA explains that these broad exclusions for program participation are necessary because of ‘‘the unique nature of the proposed labeling program— namely that it is both governmentadministered and voluntary—counsels in favor of painting with a broad brush on national security-based exclusions.’’ We agree with the commenters in the record, and consistent with our reasoning herein addressing the exclusion of certain products that would raise potential national security concerns, we also prohibit entities owned or controlled by or affiliated with entities that produce equipment found on the Covered List, as well as entities specified on the other lists referenced above or those suspended or debarred from receiving Federal procurements or financial awards from being a CLA in view of national security considerations and to insure the integrity of the IoT Labeling Program. Each of these lists represent the determination of relevant Federal agencies that the entities on the list may pose a national security threat within their respective areas, and as such we find that it is not in the public interest VerDate Sep<11>2014 16:59 Jul 29, 2024 Jkt 262001 to permit these entities to provide assurances to the American public that products meet minimum cybersecurity standards. Importantly, we are only excluding the entities of the lists from a voluntary program under which the FCC approves their capability to oversee cybersecurity certification testing for purposes of the IoT Label. Insofar as the FCC IoT Label reflects the FCC’s signal to consumers about cybersecurity, it is reasonable for us to take a cautious approach when approving entities to conduct the underlying product evaluations when relevant Federal agencies have expressed security concerns with the entity. 52. NCTA—The Internet & Television Association (NCTA) also suggests that ‘‘any ‘foreign entity of concern’ as defined by the CHIPS Act should be ineligible for certification or recognition as a CyberLAB.’’ Further, ioXt Alliance recommends that the Commission ‘‘establish rules to ensure CyberLABs are not subject to undue influence by foreign adversaries.’’ We agree that it would be problematic for the U.S. to rely on the determination of entities controlled or affiliated with ‘‘foreign adversaries’’ as to the security of products approved to use the Cyber Trust Mark, and therefore the FCC will not recognize for purposes of the IoT Labeling Program any applicant that is an entity, its affiliate, or subsidiary owned or controlled by a ‘‘foreign adversary’’ country. A ‘‘foreign adversary’’ country is defined in the Department of Commerce’s rule, 15 CFR 7.4, and includes China (including Hong Kong), Cuba, Iran, North Korea, Russia, and Maduro Regime. We do not otherwise see a basis to preclude other foreign entities from serving as CLAs, but at this preliminary stage of establishing the IoT Labeling Program— where no international agreements are yet in place in this regard, and oversight details continue to be effectuated—we defer action in this regard. We delegate authority to PSHSB, in consultation with the Office of International Affairs (OIA), to evaluate and (after any appropriate public notice and comment) establish qualification criteria for any entity outside the United States to be approved to act as a CLA once any appropriate international agreements or other appropriate prerequisites are in place. 53. We decline to require that a CLA be a non-profit. The Cybersecurity Coalition recommends that the CLA be a non-profit entity, but did not elaborate on why, focusing their comments on having a neutral, independent thirdparty that followed consistent pricing guidelines and had industry experience PO 00000 Frm 00013 Fmt 4701 Sfmt 4700 61253 and strong security practices. Researchers from the Northeastern University’s College of Engineering similarly agreed that the Label Administrator should be a non-profit while emphasizing that the CLA should not have conflicts of interest. We decline, however, to require that the CLA be a non-profit organization, recognizing that there may be wellqualified companies that may be forprofit organizations or non-profit organizations that possess the other relevant qualifications. We agree with what appear to be the underlying concerns of the record, that the CLA be neutral, have the knowledge outlined above (e.g., knowledge regarding FCC rules, IoT cybersecurity standards and testing procedures), and be free of conflicts. However, we believe that a company that satisfies the above requirements could carry out the CLA duties without being a non-profit organization. Moreover, expanding the pool of potential participants should increase the likelihood that a reasonable number of qualified entities apply to fulfill the specified roles. In addition, the record did not highlight reasons why a for-profit company would be incapable of fulfilling the role of label administrator. 54. Termination of CLA Authority. To address national security concerns, the authority of CLAs to grant applications to use the FCC IoT Label under the IoT Labeling Program will automatically terminate if the CLA subsequently becomes owned or controlled by or affiliated with an entity that produces equipment found on the Covered List, or otherwise added to any exclusionary list identified in this item as precluding authorization as a CLA. In addition, a CLA’s authority may also be terminated for failure to uphold the required competencies or accreditations enumerated above. We delegate authority to PSHSB, to determine if a CLA’s authority is to be terminated in the latter circumstance, and to terminate such authorization.12 PSHSB, may identify such CLA deficiencies itself or receive notice from other entities, including other agencies, consumers, 12 Because of the public safety importance of a CLA having the requisite qualifications and adhering to our rules when evaluating requests to use the FCC IoT Label, this process should proceed appropriately expeditiously to minimize any periods of time where a CLA continues to operate in that capacity once concerns have come to PSHSB’s attention. In particular, PSHSB shall provide notice to the CLA that the Bureau proposes to terminate the CLA’s authority and provide the CLA a reasonable opportunity to respond (not more than 20 days) before reaching a decision on possible termination. PSHSB may suspend the CLA’s ability to issues labeling authorizations during the pendency of such consideration if appropriate. E:\FR\FM\30JYR2.SGM 30JYR2 khammond on DSKJM1Z7X2PROD with RULES2 61254 Federal Register / Vol. 89, No. 146 / Tuesday, July 30, 2024 / Rules and Regulations and industry, that products granted authorization by a CLA do not accurately reflect the security posture of the product. Products authorized to use the FCC IoT Label by a disqualified CLA will be subject to the disqualification procedures described further below. 55. CLA Application Filing Window. We delegate authority to the Bureau to issue a Public Notice opening the initial filing window to receive applications from entities seeking authority to be recognized as a CLA (and Lead Administrator) under the IoT Labeling Program with instructions on how to apply and further details on the qualifications required of CLA applicants as well as the decision criteria used to select applicants. We also delegate to the Bureau authority to open additional filing windows or otherwise accept additional applications for authority to be recognized by the Bureau as a CLA when and as the Bureau determines it is necessary. Interested parties must establish they meet the requirements established in the Order. The Commission notes that it may refer applications to the U.S. Committee for the Assessment of Foreign Participation in the U.S. Telecommunications Sector (Team Telecom) for their review and consideration of national security and law-enforcement risks. We further delegate authority to PSHSB in coordination with the Office of the Managing Director (OMD) (specifically Office of the Chief Information Officer) and, to the extent necessary, the Office of General Counsel (OGC) (specifically the Senior Agency Official for Privacy), to receive and review each application for compliance with the criteria established in the Order. We also delegate to PSHSB authority to adopt additional criteria and administrative procedures necessary to efficiently select one or more independent, nongovernmental entities, to act as CLA(s) and Lead Administrator. The Lead Administrator must provide equitable recommendations to the Commission to encourage the broadest possible participation of CLAs within the parameters of the FCC’s rules.13 We also delegate to PSHSB authority to adopt additional criteria and procedures in the event the Lead Administrator must be replaced or chooses to withdraw from its responsibilities.14 We delegate 13 We also agree with CTA in highlighting the importance of PSHSB’s involvement in matters where the Lead Administrator and CLAs may share vested interests. 14 We recognize the potential raised by ioXt Alliance for anticompetitive preferences in recommendations made to the Bureau if a CLA is chosen as Lead Administrator. VerDate Sep<11>2014 16:59 Jul 29, 2024 Jkt 262001 authority to PSHSB to release a Public Notice announcing the CLA(s) selected by the Bureau and next steps for each entity, including but not limited the execution of appropriate documentation governing the details of the CLA’s responsibilities. Moreover, we delegate to PSHSB and OMD authority to take any necessary steps, including adoption of additional procedures and any applicable fees after selection of the CLAs, if necessary to ensure compliance with the Communications Act or applicable government-wide statutes that are implicated by the IoT Labeling Program. Finally, we also delegate authority to PSHSB and OMD, in consultation with OGC, to take any additional actions necessary to preserve the Commission’s rights to the Cyber Trust Mark under trademark and other applicable laws. Only entities who have followed the procedures required by PSHSB and OMD and executed relevant required documentation will be authorized by the Commission to accept and grant applications authorizing the use of the FCC IoT Label, which includes the Cyber Trust Mark and QR Code. C. CyberLABs, CLA-Run Labs, and InHouse Testing Labs 56. The Commission envisioned the role of CyberLABs as assessing IoT devices or products for compliance against IoT security standards, once developed. The Commission sought comment on whether the Commission or one of the authorized label administrators would evaluate, accredit, or recognize the CyberLABs, noting that it was seeking to ensure that CyberLABs have the necessary expertise and resources to properly test and assess whether IoT devices and products are in compliance with the IoT security standards. To become accredited and FCC-recognized for the proposed IoT Labeling Program, the Commission proposed the submission of applications demonstrating the applicant CyberLAB met the following requirements: • Qualifications: The CyberLAB has technical expertise in cybersecurity testing and conformity assessment of IoT devices and products. • Resources: The CyberLAB has the necessary equipment, facilities, and personnel to conduct cybersecurity testing and conformity assessment of IoT devices and products. • Procedures: The CyberLAB has documented procedures for conformity assessment. • Continued competence: Once accredited and recognized, CyberLABs would be periodically audited and reviewed to ensure they continue to PO 00000 Frm 00014 Fmt 4701 Sfmt 4700 comply with the IoT security standards and testing procedures. 57. We adopt our proposal to accept CyberLABs, in-house labs, and CLA-run labs, to test and assess IoT products for compliance with the consumer IoT standards that are established pursuant to the process described above to actualize the outcome of the NIST criteria. Rather than having the Commission or CLA evaluate or accredit a lab, however, we are persuaded that it is appropriate to recognize testing labs that have been accredited to ISO/IEC 17025 standards to conduct compliance testing that would support an application for authority to affix the FCC IoT Label. Consistent with standard practice for accreditation, the organization accrediting the testing labs must be recognized by the Bureau to perform such accreditation based on International Standard ISO/IEC 17011. We recognize that labs cannot be accredited or recognized in the context of this IoT Labeling Program until after the IoT cybersecurity standards have been approved by the Commission and incorporated into the Commission’s rules. We delegate authority to PSHSB to publish a Public Notice, subject to any required notice and comment, outlining the specific standards CyberLABs, in-house labs, and CLA-run labs must meet to be recognized as qualified to conduct conformity testing to support applications seeking authority to use the FCC IoT Label. We also find it to be in the public interest for the Lead Administrator to review and recognize labs that meet these accreditation requirements and make a list of recognized labs publicly available.15 58. The Order agrees with CTIA that entities specializing in testing and certification will be valuable to program participants, and that such entities are likely to have the resources and expertise to evaluate IoT products in accordance with a standard. CTIA also notes, ‘‘a third-party certification model will help to lend credibility to the program’’ because CyberLABs can focus on the assessment aspects of the program in a way that helps ensure the 15 To enable the Lead Administrator to compile a reliable and verifiable list, we require accredited CyberLABs to submit certain information to the Lead Administrator: (1) Laboratory name, location of test site(s), mailing address and contact information; (2) Name of accrediting organization; (3) Scope of laboratory accreditation; (4) Date of expiration of accreditation; (5) Designation number; (6) FCC Registration Number (FRN); (7) A statement as to whether or not the laboratory performs testing on a contract basis; (8) For laboratories outside the United States, details of the arrangement under which the accreditation of the laboratory is recognized; and (9) Other information as requested by the Commission. E:\FR\FM\30JYR2.SGM 30JYR2 khammond on DSKJM1Z7X2PROD with RULES2 Federal Register / Vol. 89, No. 146 / Tuesday, July 30, 2024 / Rules and Regulations integrity of the IoT Labeling Program. The Order also agrees with CTA that leveraging accredited industry bodies to perform conformity assessments will ‘‘speed the establishment of the program and increase the program’s ultimate quality.’’ 59. We agree with CSA’s argument that the Commission should adopt a model where CyberLABs must be ISO/ IEC 17025 accredited. CSA notes its confusion as to whether CyberLABs were intended to be ‘‘certification bodies’’ as defined by ISO/IEC 17065 or ‘‘evaluation laboratories’’ as defined by ISO/IEC 17025. We clarify that the proposal as envisioned by the IoT Labeling NPRM and adopted here is for CyberLABs, in-house labs, and CLA-run labs to function as a body responsible for assessing the security of IoT products (i.e., testing lab). CSA proposes that such bodies hold ISO/IEC 17025 accreditations, as this model has been the basis for mutual recognition agreements in the cybersecurity industry, and we agree. 60. We note the objection of LG Electronics, which asserts that ‘‘[t]he CyberLAB concept described in the NPRM would almost certainly create a testing bottleneck’’ that would slow the process, and deter participation in the IoT Labeling Program. Instead, LG Electronics argues, self-certification is required to avoid these problems, although LG Electronics concedes that some compliance certification is required to participate in the IoT Labeling Program. As a nascent program, and as discussed above in connection with the envisioned process, we do not find it appropriate to adopt at this time a labeling path that does not include some level of laboratory testing in combination with an application to a CLA to ensure the product bearing the FCC IoT Label complies with the IoT Labeling Program’s requirements. However, we recognize the benefits of time, efficiency and cost-savings associated with in-house testing and will allow the option for applicants to use an in-house testing labs, provided the lab is ISO/IEC 17025 accredited. 61. CyberLABs’ Programmatic Role. CyberLABs will receive requests for conformance testing from manufacturers seeking to use the FCC IoT Label and will assess and test the products using the cybersecurity standards developed by industry and approved by the Commission and provide the applicant with a report of their findings. There was confusion in the record with how the term CyberLAB is to be applied. The Commission clarifies that the CyberLABs are laboratories whose role is limited to conducting compliance VerDate Sep<11>2014 16:59 Jul 29, 2024 Jkt 262001 tests and generating reports. CyberLABs are not, in the organizational structure adopted in the Order, either certifying products or issuing authorization to use the FCC IoT Label. While the IoT Labeling NPRM defined a CyberLAB as an ‘‘authorization body’’ we remove that reference here as the term ‘‘authorization body’’ might be seen as referring to certification bodies, not laboratories. The role of CyberLABs is to conduct the required tests and generate test reports for use by the applicant in seeking CLA authorization to use the FCC IoT Label. 62. In-House Testing Lab. We also adopt an option for manufacturers to use an accredited and Lead Administrator-recognized in-house testing lab to perform the cybersecurity conformity testing for their IoT products, provided the in-house lab meets the same vigorous standards as the CyberLABs. In the IoT Labeling NPRM, the Commission sought comment on whether there is an avenue for ‘‘a comprehensive review that an IoT device or product compl[ies] with the IoT security standards.’’ We received significant support in the record for an in-house testing option. Samsung argues that, to encourage widespread adoption, the Commission must allow manufacturers an option to perform inhouse testing to receive the label. The Cybersecurity Coalition urges the Commission to allow for in-house testing. We agree that an in-house testing option, for some manufacturers, will be more cost-effective, encourage participation in the IoT Labeling Program, and when combined with the filing of an application with a CLA can assure quality and trust in the IoT Labeling Program. However, we do require that in-house labs meet the same accreditation and recognition requirements as CyberLABs. In this respect, consumers may be assured that the label achieved on an in-house basis meets the same standards as those tested elsewhere, promoting consistency and reliance on the IoT Labeling Program generally. We also expect that ensuring a common baseline testing standard will ultimately aid in the ability to gain international recognition of the Cyber Trust Mark. 63. CLA-Run Testing Lab. We also recognize that CLAs may also have, or seek to have, their own in-house labs conduct conformity testing for applicants seeking certification to use the Mark. The Commission finds no need to limit the number of potential testing facilities by prohibiting CLA-run labs from also being considered recognized labs. Applicants who wish to do so, may file an application with an PO 00000 Frm 00015 Fmt 4701 Sfmt 4700 61255 authorized CLA and request the services of the CLA’s accredited and Lead Administrator-recognized lab. Again, the Commission requires CLA labs to meet the same accreditation and recognition requirements as CyberLABs. Only after a lab has been accredited by a recognized accreditation body may the lab file an application with the Lead Administrator seeking to be recognized as an approved cybersecurity testing lab.16 As explained by the American Association for Laboratory Accreditation (A2LA), ‘‘[a]ccreditation is a means of determining the technical competence of conformity assessment organizations such as laboratories using qualified, third-party accreditation bodies. It assures federal government agencies as well as private sector organizations that assessments conducted by accreditation bodies are objective and reliable and that one can have confidence in the data generated by the accredited testing laboratory.’’ Recognizing that, whether an IoT product is evaluated by a CyberLAB, CLA-run lab, or an in-house lab there is a need to ensure equal rigor in the process, this requirement applies to inhouse testing labs and third-party testing labs (CyberLABs and CLA-run labs). For ease of understanding, when we refer to CyberLABs below, we are including CyberLABs, in-house testing labs, and CLA-run labs. 64. In order to achieve recognition by the Lead Administrator, all labs seeking recognition under the Commission’s IoT Labeling Program must submit evidence of accreditation in the form of an attestation from an accreditation body that the prospective lab has demonstrated: 1. Technical expertise in cybersecurity testing and conformity assessment of IoT devices and products. Compliance with all requirements associated with ISO/IEC 17025. If we determine that other ISO standards or other relevant requirements are missing, the Commission will provide guidance to industry on how they may be addressed. 16 This approach necessitates a mechanism for the Commission to recognize lab accreditation bodies, and we accordingly adopt a rule doing so. See 47 CFR 8.218. We model our approach on analogous elements of our equipment authorization rules, with which the Commission and industry have substantial experience, and which have proven workable in practice. See 47 CFR 2.949. We delegate to PSHSB and OMD authority to take any necessary steps, including adoption of additional procedures and any applicable fees (pursuant to any required public notice and comment), as necessary to ensure compliance with the Communications Act with respect to any rules adopted here that contemplate the filing of applications directly with the Commission. 47 U.S.C 158(c). E:\FR\FM\30JYR2.SGM 30JYR2 khammond on DSKJM1Z7X2PROD with RULES2 61256 Federal Register / Vol. 89, No. 146 / Tuesday, July 30, 2024 / Rules and Regulations 2. Knowledge of FCC rules and procedures associated with IoT cybersecurity compliance testing and certification. 3. Necessary equipment, facilities, and personnel to conduct cybersecurity testing and conformity assessment of IoT devices and products. 4. Documented procedures for IoT cybersecurity conformity assessment. 5. Demonstrated implementation of controls to eliminate actual or potential conflicts of interests (including both personal and organizational), particularly with regard to commercially sensitive information. 6. That the applicant is not owned or controlled by or affiliated with any entity that produces equipment on the FCC Covered List or is otherwise prohibited from participating in the IoT Labeling Program. We will dismiss all applications from a company named on the Department of Commerce’s Entity List, the Department of Defense’s List of Chinese Military Companies. 7. That the applicant is not owned or controlled by or affiliated with any person or entity that has been suspended or debarred from receiving Federal procurements or financial awards, to include all entities and individuals published as ineligible for award on the General Service Administration’s System for Award Management. 65. Once accredited and recognized, the lab will be periodically audited and reviewed by the Lead Administrator to ensure they continue to comply with the IoT security standards and testing procedures. 66. Concerning items #6 and #7, national security considerations must be considered when allowing testing labs to participate because of ‘‘the unique nature of the proposed labeling program.’’ As recommended in the record and consistent with our exclusions as to eligible products and eligibility to serve as a third-party administrator, all entities owned or controlled by or affiliated with entities that produce equipment found on the Covered List, as well as entities specified on the other U.S. Government exclusionary lists referenced above are prohibited from serving as a CyberLAB. Each of these lists represent the determination of relevant Federal agencies that the entities on the list may pose a national security threat within their respective areas, and as such we find that we cannot give U.S. Government endorsement to their security testing while claiming they pose such a threat. Insofar as the label reflects the FCC’s signal to consumers about cybersecurity, it is reasonable for VerDate Sep<11>2014 16:59 Jul 29, 2024 Jkt 262001 the FCC to take a cautious approach especially for those products for which relevant Federal agencies have expressed other security concerns with the testing lab. 67. NCTA also suggests also suggests that ‘‘any ‘foreign entity of concern’ as defined by the CHIPS Act should be ineligible for certification or recognition as a CyberLAB.’’ Further, ioXt Alliance recommends that the Commission ‘‘establish rules to ensure CyberLABs are not subject to undue influence by foreign adversaries.’’ We agree that it would be problematic for the U.S. to rely on the determination of entities controlled or affiliated with ‘‘foreign adversaries’’ as to the security of products approved to use the Cyber Trust Mark, and therefore the Lead Administrator will not recognize for purposes of the IoT Labeling Program any testing lab that is an entity, its affiliate, or subsidiary owned or controlled by a ‘‘foreign adversary’’ country. A ‘‘foreign adversary’’ country is defined in the Department of Commerce’s rule, 15 CFR 7.4, and includes China (including Hong Kong), Cuba, Iran, North Korea, Russia, and Maduro Regime. Because of the role CLAs will play in the labeling program, we find that the concerns related to entities identified as ‘‘foreign adversaries’’ are equally applicable to entities acting as CLAs as they are testing labs. To avoid these issues, the record suggests requiring testing labs certify compliance with the Commission’s rules, including the rules pertaining to the Covered List. Accordingly, we find it appropriate that each testing lab must certify to the truth and accuracy of all information included in its recognition application and immediately update the information if the information changes. 68. The Order notes that Garmin advocates even stricter measures on the testing labs, suggesting that the labs be ‘‘located in the U.S.’’ We decline to require physical location within the U.S. to avoid ‘‘unnecessarily limiting the pool of legitimate CyberLABs approved to conduct testing and conformity assessment for the Mark.’’ Further, the record indicates that this stricter approach ‘‘would vastly diminish manufacturers’ abilities to select and access evaluation labs, conduct proper risk management and promote competition and diversity in the lab market.’’ Such a restriction might also unduly limit the ability of legitimate foreign corporations that do not raise national security concerns to participate in the IoT Labeling Program to the detriment of the goal of elevating the cybersecurity posture of those IoT PO 00000 Frm 00016 Fmt 4701 Sfmt 4700 devices sold in the U.S. and to promote international recognition of the Cyber Trust Mark. We delegate authority to the Bureau to adopt any additional criteria or procedures necessary with respect to labs located outside of the United States. 69. Terminating CyberLAB Testing Authority. To address national security concerns, the CyberLAB recognition afforded to entities under this IoT Labeling Program will be automatically terminated for entities that subsequently become affiliated with an entity that is owned or controlled by or affiliated with entities that produce equipment placed on the Covered List, or that are otherwise added to any exclusionary list identified in this item as precluding authorization as a CyberLAB. CyberLAB testing authority may also be terminated for failure to uphold the required competencies or accreditations enumerated above. We delegate authority to the Bureau to determine when a CyberLAB’s authority is to be terminated, and to terminate such authorization.17 The Bureau may identify such deficiencies itself or receive notice from other entities, including other agencies, consumers, and industry, that products tested by a CyberLAB do not accurately reflect the security posture of the product. Products authorized to use the FCC IoT Label by a disqualified CyberLAB will be subject to the disqualification procedures described further below. 70. Fees. To fulfill their role, as envisioned by the IoT Labeling NPRM, we authorize CyberLABs to charge reasonable fees to conduct the tasks adopted in the Order. The IoT Labeling NPRM proposed a fee calculation methodology adopted by the Commission in the 2020 Application Fee Report and Order, 86 FR 15026 (March 19, 2021), and sought comment on whether any oversight is needed by the Commission over such charges. We did not receive any comments on the suitability of the approach proposed in the IoT Labeling NPRM or detailed comments about the degree of oversight the Commission should conduct over 17 Because of the public safety importance of a CyberLAB having the requisite qualifications and adhering to our rules when evaluating requests to use the FCC IoT Label, this process should proceed appropriately expeditiously to minimize any periods of time where a CyberLAB continues to operate in that capacity once concerns have come to PSHSB’s attention. In particular, PSHSB shall provide notice to the CyberLAB that the Bureau proposes to terminate the CyberLAB’s authority and provide the CyberLAB a reasonable opportunity to respond (not more than 20 days) before reaching a decision on possible termination. PSHSB may suspend the CLA’s ability conduct product testing during the pendency of such consideration if appropriate. E:\FR\FM\30JYR2.SGM 30JYR2 Federal Register / Vol. 89, No. 146 / Tuesday, July 30, 2024 / Rules and Regulations khammond on DSKJM1Z7X2PROD with RULES2 the charges. We recognize the Cybersecurity Coalition’s comments that high fees would deter participation in the IoT Labeling Program. We anticipate that there will be multiple CyberLABs authorized through the approach adopted in the Order, and we believe that market competition will ensure fees are reasonable, competitive, and accessible while covering the costs incurred by the CyberLABs in performing their designated tasks. We believe this addresses the concerns raised by the Cybersecurity Coalition and renders the approach proposed in the IoT Labeling NPRM unnecessary. The National Association of Manufacturers (NAM) rightly indicates, however, that the fee structure for CyberLABs will necessitate ‘‘robust protections to ensure that CyberLABs focus on the underlying mission of protecting the public rather than boosting their revenues.’’ We delegate to the Bureau, in connection with OMD, to review and reconsider if necessary whether the level and structure of the fees should be regulated by the Commission. D. Two-Step Process for Obtaining Authority To Use the FCC IoT Label 71. The Commission adopts a twostep process for a manufacturer seeking authority to use the FCC IoT Label, which includes (1) product testing by an accredited and Lead Administratorrecognized lab (e.g., CyberLAB, CLA lab, or an in-house lab) and (2) product label certification by a CLA. In the context of this IoT Labeling Program and as discussed in detail below, we find that in order to ensure the integrity of this nascent program, that the FCC IoT Label certification process will include a twostep process involving (1) the use of an accredited and Lead Administratorrecognized laboratory (CyberLAB, CLA lab, or in-house lab) to test the IoT product for compliance to FCC rules and generate a test report; and (2) an application to an FCC-recognized CLA (i.e., an accredited certification body) to certify the product as fully compliant with all relevant FCC IoT Labeling Program rules. 72. The record is split on the processes the Commission should adopt for manufacturers to follow when seeking to use the FCC IoT Label, specifically with regard to whether it is necessary for a third-party to review and verify the product meets all of the IoT Labeling Program requirements, including product testing, or if the manufacturer should be afforded the opportunity to ‘‘self-declare’’ compliance and affix the FCC IoT Label without third-party verification. VerDate Sep<11>2014 16:59 Jul 29, 2024 Jkt 262001 73. UL Solutions, TÜV SÜD, and TIC Council Americas recommend that the Commission require all applications to be supported by conformity testing conducted by an accredited lab (e.g., ISO/IEC 17025 accredited), and submitted to a third-party for verification of compliance with the Commission’s program requirements. Others argue the Commission should accept a declaration of conformity or self-certification, while others recommend the Commission enter into agreements with each manufacturer to allow the manufacturer to conduct internal conformity testing of its products and self-certify compliance with the Commission’s program requirements resulting in approval to use the Cyber Trust Mark without thirdparty involvement. CTA, for example, contemplates a ‘‘Manufacturer SelfAttestation Process’’ where manufacturers apply to the Commission for access to a ‘‘Mark Self-Attestation License Agreement’’ between the manufacturer and the FCC. Under this process, the manufacturer provides documentation showing how it complies with the NIST Criteria and if the Commission agrees with the documentation, the parties execute the agreement. The license agreement will identify the limits of the manufacturer’s license authority, which may be corporate-wide, on a divisional basis, or for a specific product line. 74. To ensure the Cyber Trust Mark retains the highest level of integrity and consumer trust, we agree with commenters who caution against allowing testing by entities that are not accredited and recognized. We also agree with Garmin and AHAM, who recommend third-party verification of the information contained in a manufacturer’s application to use the Cyber Trust Mark. UL Solutions notes that while the Commission’s equipment authorization process allows some products that pose a low risk of RF interference to be approved via a Supplier’s Declaration of Conformity (SDoC), there is no clear line to be drawn between low risk and high risk connected products when ‘‘IoT devices are significant targets for an evergrowing number of cybersecurity attacks.’’ In addition, UL Solutions points to the investigation conducted by the Government Accountability Office (GAO) into the ENERGY STAR program’s initial reliance a supplier’s declaration of conformity, which GAO found to be unreliable because GAO was able to obtain UL certification with blatantly non-conforming products. 75. The Commission disagrees with commenters who believe the IoT PO 00000 Frm 00017 Fmt 4701 Sfmt 4700 61257 Labeling Program should offer different methods of conformity assessment based on varying levels of risk and potential impact on consumers because doing so adds an unnecessary and significant layer of complexity to the process. The Commission recognizes the view of Keysight, the National Electronic Manufacturers Association (NEMA), AIM, Whirlpool, AHAM, Consumer Reports, Garmin, NAM, ITI, and TIC Council Americas, who support self-attestation as an efficient and cost effective methodology for applicants to conduct conformity assessments. However, the Commission agrees with A2LA, which urges caution with selfattestations of conformity ‘‘due to the bias inherent in self-declaration.’’ We also take into serious consideration the 2010 GAO Report that found the ENERGY STAR program in effect at that time, which was ‘‘primarily a selfcertification program relying on corporate honesty and industry selfpolicing to protect the integrity of the Energy Star label,’’ failed to require upfront third-party validation of manufacturers’ self-reported claims of compliance with the program requirements, which resulted in the certification of bogus products as ENERGY STAR compliant. ENERGY STAR has since changed the manner in which it certifies products as ENERGY STAR compliant, stating that in order ‘‘[t]o ensure consumer confidence in the ENERGY STAR label and to protect the investment of ENERGY STAR partners, the U.S. Environmental Protection Agency (EPA) requires all ENERGY STAR products to be third-party certified. Products are tested in an EPArecognized laboratory and reviewed by an EPA-recognized certification body before they can carry the label.’’ 76. As such, in light of the nascent nature of the IoT Labeling Program, lessons learned in the ENERGY STAR context, and the need to ensure that the Cyber Trust Mark garners sufficient trust by consumers to be viewed as providing accurate information and manufacturer participation, we find that allowing a path to ‘‘self-attestation’’ is not appropriate at this time. While such a path may provide for prompt time to market for the Cyber Trust Mark itself, the concerns regarding the Mark’s integrity at this initial stage counsel against ‘‘self attestation.’’ Moreover, we anticipate that the benefits and level of efficiency afforded manufacturers by the ability to use in-house labs will mitigate the additional process associated with certification by a CLA, as discussed below. 77. We intend for the Cyber Trust Mark to serve as a reliable and trusted E:\FR\FM\30JYR2.SGM 30JYR2 61258 Federal Register / Vol. 89, No. 146 / Tuesday, July 30, 2024 / Rules and Regulations khammond on DSKJM1Z7X2PROD with RULES2 way for consumers to quickly identify those products that meet the Commission’s program requirements. To achieve this, the Commission must adopt sufficient controls over the IoT Labeling Program to ensure only those products that meet the Commission’s requirements bear the Cyber Trust Mark. The Commission’s second step of requiring an application be submitted to a CLA is a significant and important control to ensure that an independent disinterested third-party outside the manufacturer’s control has reviewed the manufacturer’s product application and supporting test report and verified that the product complies with the Commission’s program requirements. 78. The second step of the application process is particularly important because, as discussed above, the Commission allows the first step (testing) to be completed by an accredited and recognized CyberLAB, a CLA lab, or the manufacturer’s in-house lab. Requiring the manufacturer to submit an application with a CLA is an important control, particularly to ensure that all products, including those products whose conformity testing is conducted, and reports are generated, by the manufacturer’s in-house lab, are subject to third-party scrutiny and oversight. As such, the Commission requires all entities seeking to use the FCC IoT Label must submit an application for authority to a CLA to use the FCC IoT Label that is supported by the appropriate report detailing the conformity testing conducted by a lab that is both accredited and Lead Administrator-recognized (CyberLAB, CLA lab, or manufacturer’s in-house lab). Only entities who have received prior authorization from a CLA (i.e., cybersecurity certification) are authorized to use the FCC IoT Label, which will ensure the IoT Labeling Program retains its integrity.18 We further recognize that the CLA may charge a reasonable fee to cover the cost of reviewing the application and the costs of conducting the other tasks the CLA would perform. Once the IoT Labeling Program is established, we may revisit the issue of whether to adopt additional pathways to obtaining authority to use the FCC IoT Label. 18 In addition to the discussion in the text, we adopt certain rules to support the administration and integrity of the IoT Labeling Program, including governing the designation of agents for service of process and governing required signatures. See 47 CFR 8.208(i), (k). We model our approach on analogous elements of our equipment authorization rules, with which the Commission and industry have substantial experience, and which have proven workable in practice. See 47 CFR 2.911(d)(7), (f). VerDate Sep<11>2014 16:59 Jul 29, 2024 Jkt 262001 79. The IoT Labeling NPRM sought comment on whether and how one or more third-party administrators should be utilized to manage the IoT Labeling Program, and whether the Commission should designate one or more administrators to authorize use of the label. Kaiser Permanente argues that the Commission should maintain ownership of the application process, as well as oversight and supervision of third parties administering the IoT Labeling Program. Garmin notes that the application process described in the IoT Labeling NPRM is unclear and worries that third-party involvement would require enormous effort, and cautioned that sharing sensitive information with a third-party administrator itself raises security concerns. However, the record was silent with respect to details about an application process. We agree that oversight and supervision of the IoT Labeling Program, including intaking applications, will require effort but believe a CLA is in the best position to streamline that process and, as noted, ensure the integrity of the process. We will require the CLA to have the ability to securely handle large volumes of information, which we believe should alleviate Garmin’s concern. We outline the application process to use the FCC IoT Label below. 80. Before being able to display the Cyber Trust Mark, the applicant must determine their product is an eligible product under our rules; have their product tested by an accredited and Lead Administrator-recognized CyberLAB, CLA Lab, or manufacturer’s in-house lab; obtain a report of conformity and compliance from the lab; and submit an application for authority to use the FCC IoT Label to an FCC-recognized CLA in accordance with their procedures. Using the CLAs’ filing processes, entities seeking authority to use the FCC IoT Label will file an application to be developed by the Bureau. Each application must include a report of conformity issued by an accredited CyberLAB, accredited CLA lab, or accredited in-house lab whose testing and reporting is comparative in rigor to that completed by a CyberLAB. The CLA will review the application and supporting documentation to ensure it is complete and in compliance with the Commission’s rules and will either grant or deny the application. If an application is granted, the CLA will provide the applicant with notification of the grant and authority to affix the FCC IoT Label to the product granted authorization. 81. Applications that do not meet the Commission’s IoT Labeling Program will be denied by the CLA. If an PO 00000 Frm 00018 Fmt 4701 Sfmt 4700 application is denied, the CLA will provide the applicant with notification of the denial and an explanation of why it was denied. An applicant may only re-submit an application for a denied product if the CLA-identified deficiencies have been corrected. The applicant must indicate on its application that it is re-submitting the application after it was denied, the name of the CLA that denied the application, and the CLA’s explanation of why it was denied. Failure to disclose the denial of an application for the same or substantially similar product will result in denial of the application for that product and the FCC will take other regulatory and/or legal action it deems appropriate. 82. Grant or denial of an application for authority to use the FCC IoT Label will be made by the CLA in the first instance. The CLA will return incomplete applications to the applicant or otherwise contact the applicant regarding the incomplete application, as soon as possible. 83. We delegate authority to the Bureau to issue a Public Notice after any necessary notice and public comment and after completing any process required under the Paperwork Reduction Act, providing further details on how to apply for authority to use the FCC IoT Label, including but not limited to informational elements of the application, additional details on filing requirements (e.g., description or photograph of the label and how/where it will be affixed to the product), and how to request confidential treatment of submitted information. As the Commission anticipated in the NPRM, CLAs may charge reasonable fees for their services and to cover the costs of performing the administrative duties. The IoT Labeling NPRM proposed to follow the fee calculation methodology adopted by the Commission in the 2020 Application Fee Report and Order and requested comment on the proposal and any changes. We did not receive any comments on the suitability of this approach. We recognize the Cybersecurity Coalition’s comments that high fees would deter participation in the IoT Labeling Program. We anticipate that there will be multiple administrators authorized through the approach adopted in the Order, and we believe that market competition will ensure fees are reasonable, competitive, and accessible while covering the costs incurred by the CLA in performing their designated tasks. We believe this addresses the concerns raised by the Cybersecurity Coalition and renders the approach proposed in the IoT Labeling NPRM unnecessary. We therefore reject E:\FR\FM\30JYR2.SGM 30JYR2 khammond on DSKJM1Z7X2PROD with RULES2 Federal Register / Vol. 89, No. 146 / Tuesday, July 30, 2024 / Rules and Regulations the NPRM’s proposal. To the extent that the Lead Administrator may incur costs in performing its duties on behalf of the program as a whole, we expect these costs to be shared among CLAs as a whole.19 We delegate to the Bureau, in connection with OMD, to consider these issues and provide guidance to the CLAs and Lead Administrator to ensure the fees do not become onerous, as indicated by the record. 84. Seeking Review of CLA Decision. Any party aggrieved by an action taken by a CLA must first seek review from the CLA, which must be filed with the CLA within 60 days from the date of the CLA’s decision. A party aggrieved by an action taken by a CLA may, after seeking review by the CLA, seek review from the Commission. A request for Commission review must be filed with the Commission within 60 days from the date the CLA issues a decision on the party’s request for review. In all cases of requests for review, the request for review shall be deemed filed on the postmark date. If the postmark date cannot be determined, the applicant must file a sworn affidavit stating the date that the request for review was mailed. Parties must adhere to the time periods for filing oppositions and replies set forth in 47 CFR 1.45. 85. We delegate authority to PSHSB to consider and act upon requests for review of CLA decisions. Requests for review that raise novel questions of fact, law, or policy will be considered by the full Commission. An affected party may seek review of a decision issued under delegated authority pursuant to the rules set forth in part 1 of the Commission’s rules. The Bureau will conduct de novo review of requests for review of decisions issued by a CLA. The Commission will conduct de novo review of requests for review of decisions by the CLA that involve novel questions of fact, law, or policy; provided, however, that the Commission will not conduct de novo review of decisions issued by the Bureau under delegated authority. The Bureau will, within 45 days, take action in response to a request for review of CLA decision that is properly before it. The Bureau may extend the time period for taking action on a request for review of a CLA decision for a period of up to 90 days. The Commission may also at any time, extend the time period for taking action of a request for review of 19 We recognize that many of the duties of the Lead Administrator benefit all the CLAs and the program as a whole, and we do not suggest that the costs associated with the duties of the Lead Administrator as described in the Order to be an exhaustive list of the shared costs we expect to be shared among CLAs as a whole. VerDate Sep<11>2014 16:59 Jul 29, 2024 Jkt 262001 a CLA decision pending before the Bureau. The Commission will issue a written decision in response to a request for review of a CLA decision that involves novel questions of fact, law, or policy within 45 days. The Commission may extend the time period for taking action on the request for review of a CLA decision. The Bureau also may extend action on a request for review of an CLA decision for a period of up to ninety days. While a party seeks review of a CLA decision, they are not authorized to use the FCC IoT Label until the Commission issues a final decision authorizing their use of the FCC IoT Label. E. Consumer IoT Product Cybersecurity Criteria and Standards 86. Technical Criteria for Consumer IoT Products. We adopt the IoT Labeling NPRM proposal that the NIST Core Baseline serve as the basis of the IoT Labeling Program. The NIST Core Baseline is based on product-focused cybersecurity capabilities (also referred to by NIST as ‘‘Outcomes’’) rather than specific requirements, which NIST asserts provide the flexibility needed due to the diverse marketplace of IoT products, and we agree. As outlined in the IoT Labeling NPRM, the NIST criteria includes the following IoT product capabilities: (1) asset identification; (2) product configuration; (3) data protection; (4) interface access control; (5) software update; (6) cybersecurity state awareness; and the following IoT Product Developer Activities: (7) documentation; (8) information and query reception; (9) information dissemination; and (10) product education and awareness. 87. The record reflects broad support for adoption of the technical criteria presented in NISTIR 8425. For example, a coalition of industry stakeholders including the Association of Home Appliance Manufacturers, Connectivity Standards Alliance, Consumer Technology Association, CTIA Information Technology, Industry Council, National Electrical Manufacturers Association, Plumbing Manufacturers International Power Tool Institute, Security Industry Association, Telecommunications Industry Association, U.S. Chamber of Commerce, and USTelecom submitted a letter to the Commission supporting the establishment of ‘‘a voluntary program based on the technical criteria developed by [NIST], under NISTIR 8425.’’ UL Solutions supports adoption of the NISTIR 8425 criteria and asserts that there are several mature standards that can be drawn from that address the PO 00000 Frm 00019 Fmt 4701 Sfmt 4700 61259 NISTIR 8425 criteria, such as UL 2900, UL 5500, and IEC 62443. 88. CTIA supports adoption of the NIST Core Baseline but urges the Commission not to prescribe any specific methodologies that testing programs or standards must use, other than to require that such programs or standards be consistent with NIST Core Baseline. CSA also supports adoption of the NIST Core Baseline but urges the Commission to refrain from developing its own standards for testing. Rather, CSA asserts that they have developed a certification program that meets the requirements of NISTIR 8425 and other relevant standards documents, including ETSI EN 303 645 and the Singapore Cybersecurity Labeling Scheme, and CTA indicates that they are working on American National Standards (ANS) documents that will ‘‘[d]efine a Framework that is a standardized and objective method of applying the Criteria in NISTIR 8425 to a candidate Scheme or to a manufacturer’s proposal for selfattestation . . .’’ Garmin encourages the Commission to consider ETSI 303 645 standards, and commenters American Certification Body, Inc. and Consumer Reports encourage international standards such as those developed as a result of the EU Cyber Resiliency Act and UK’s Product Security and Telecommunications Infrastructure Act. These commenters did not oppose referencing the NIST criteria. 89. We agree with Infineon, Consumer Reports, and NCTA and adopt NISTIR 8425 as the basis for the Commission’s IoT Labeling Program. The consumer IoT environment is complicated by a significant number of different types of consumer IoT products. Adoption of the NIST criteria as the foundation of the IoT Labeling Program will result in a robust consumer IoT program that is sufficiently flexible that it can be applied across all types of consumer IoT products. The NIST criteria were developed through a multi-year effort between NIST and various stakeholders, and includes significant industry input and will continue to be updated by NIST as necessary. The Commission agrees with NIST’s publication, which avers that the following NISTIR 8425 criteria identify the cybersecurity capabilities that consumers would expect manufacturers to address within the products they buy. NIST contemplates that most of the criteria concern the IoT product directly and are expected to be satisfied by software and/ or hardware implemented in the IoT product (1–6 below) and other criteria apply to the IoT product developer (7– 10 below). The following is the list of E:\FR\FM\30JYR2.SGM 30JYR2 khammond on DSKJM1Z7X2PROD with RULES2 61260 Federal Register / Vol. 89, No. 146 / Tuesday, July 30, 2024 / Rules and Regulations the NIST IoT product capability criteria, NIST’s brief description of each, and the NIST-identified cybersecurity utility for each: (1) Asset Identification: The product can be uniquely identified by the customer and other authorized entities and the product uniquely identifies each IoT product component and maintains an up-todate inventory of connected product components i. Cybersecurity Utility: The ability to identify IoT products and their components is necessary to support such activities as asset management for updates, data protection, and digital forensics capabilities for incident response. (2) Product Configuration: The configuration of the IoT product is changeable, with an ability to restore a secure default setting, and changes can only be performed by authorized individuals, services, and other IoT product components. i. Cybersecurity Utility: The ability to change aspects of how the IoT product functions can help customers tailor the IoT product’s functionality to their needs and goals. Customers can configure their IoT products to avoid specific threats and risk they know about based on their risk appetite. (3) Data Protection: The IoT product protects data store across all IoT product components and transmitted both between IoT product components and outside the IoT product from unauthorized access, disclosure, and modification. i. Cybersecurity Utility: Maintaining confidentiality, integrity, and availability of data is foundational to cybersecurity for IoT products. Customers will expect that data are protected and that protection of data helps to ensure safe and intended functionality of the IoT product. (4) Interface Access Control: The IoT product restricts logical access to local and network interfaces—and to protocols and services used by those interfaces—to only authorized individuals, services, and IoT product components. i. Cybersecurity Utility: Enumerating and controlling access to all internal and external interfaces to the IoT product will help preserve the confidentiality, integrity, and availability of the IoT product, its components, and data by helping prevent unauthorized access and modification. (5) Software Update: The software of all IoT product components can be updated by authorized individuals, services, and other IoT product components only by using a secure and VerDate Sep<11>2014 16:59 Jul 29, 2024 Jkt 262001 configurable mechanism, as appropriate for each IoT product component. i. Cybersecurity Utility: Software may have vulnerabilities discovered after the IoT product has been deployed; software update capabilities can help ensure secure delivery of security patches. (6) Cybersecurity State Awareness: The IoT product supports detection of cybersecurity incidents affecting or affected by IoT product components and the data they store and transmit. i. Cybersecurity Utility: Protection of data and ensuring proper functionality can be supported by the ability to alert the customer when the device starts operating in unexpected ways, which could mean that unauthorized access is being attempted, malware has been loaded, botnets have been created, device software errors have happened, or other types of actions have occurred that was not initiated by the IoT product user or intended by the developer. The following is the list of NISTidentified IoT Product Developer Activities/Non-Technical Supporting Capabilities and their NIST-identified cybersecurity utility: (7) Documentation: The IoT product developer creates, gathers, and stores information relevant to cybersecurity of the IoT product and its product components prior to customer purchase, and throughout the development of a product and its subsequent lifecycle. i. Cybersecurity Utility: Generating, capturing, and storing important information about the IoT product and its development (e.g., assessment of the IoT product and development practices used to create and maintain it) can help inform the IoT product developer about the product’s actual cybersecurity posture. (8) Information and Query Reception: The IoT product developer has the ability to receive information relevant to cybersecurity and respond to queries from the customer and others about information relevant to cybersecurity. i. Cybersecurity Utility: As IoT products are used by customers, those customers may have questions or reports of issues that can help improve the cybersecurity of the IoT product over time. (9) Information Dissemination: The IoT product developer broadcasts (e.g., to the public) and distributes (e.g., to the customer or others in the IoT product ecosystem) information relevant to cybersecurity. i. Cybersecurity Utility: As the IoT product, its components, threats, and mitigations change, customers will need to be informed about how to securely use the IoT product. PO 00000 Frm 00020 Fmt 4701 Sfmt 4700 (10) Product Education and Awareness: The IoT product developer creates awareness of and educates customers and others in the IoT product ecosystem about cybersecurity-related information (e.g., considerations, features) related to the IoT product and its product components. i. Cybersecurity Utility: Customers will need to be informed about how to securely use the device to lead to the best cybersecurity outcomes for the customers and the consumer IoT product marketplace. 90. Consumer IoT Product Standards. We find that standards are necessary to administer the IoT Labeling Program in a fair and equitable manner and to ensure the products with the FCC IoT Label have all been tested to the same standards to provide consumers with confidence that products bearing the FCC IoT Label include strong cybersecurity. Commenters generally agree with the adoption of standards based on NIST’s Core Baseline for Consumer IoT products (NISTIR 8425). We take up the Cybersecurity Coalition’s recommendation ‘‘that the Commission or a designated third-party administrator work with stakeholders to identify recognized standards that encompass the Core Baseline, or that offer equivalent controls.’’ NCTA also notes that ‘‘Standards Development Organizations (‘‘SDOs’’) and specification organizations are wellestablished organizations that can develop standards aligned with NIST guidelines and the Program’s goals.’’ According to NIST, the NISTIR 8425 ‘‘outcomes are guidelines that describe what is expected . . . but more specific information may be needed to define how to implement IoT products or product components so that they meet an outcome. Requirements define how a component can meet an outcome for a specific use case, context, technology, IoT product component etc. . . ..’’ 91. We reject CTIA’s recommendation that the Commission refrain from adopting specific standards and solely rely on the NIST criteria. Rather, the Commission agrees with NIST and commenters that its criteria are general guidelines that must be further developed into a requirements document (i.e., standards) and corresponding testing procedures, which will demonstrate how the product bearing the FCC IoT Label has met the NIST criteria and to ensure consistency of application across a class of products. ITI adds that the ‘‘Commission need not recreate [existing] work or develop its own standards but can leverage completed standards work for swift development E:\FR\FM\30JYR2.SGM 30JYR2 khammond on DSKJM1Z7X2PROD with RULES2 Federal Register / Vol. 89, No. 146 / Tuesday, July 30, 2024 / Rules and Regulations and implementation.’’ The integrity of the Cyber Trust Mark requires the Commission to adopt standards that provide for adequate and consistent testing of products to ensure that all products bearing the FCC IoT Label have demonstrated conformance to the identified standards that the Commission has approved as compliant with the NIST criteria. In addition, for the Commission’s IoT Labeling Program to be fairly administered by the multiple CLAs, all products displaying the FCC’s label must be tested against the same standards to ensure that all products displaying the FCC IoT Label conform to the Commission’s standards. 92. Commenters such as TÜV SÜD agree that ‘‘the main requirement when perform[ing] testing for compliance is that the test need[s] to be reliable and always offer the same outcome when a product is tested in the same condition. In the current state of the NIST IoT criteria there is not enough detail[ ] in the standard, so there is the need to write a more detail[ed] test method/ standard.’’ UL Solutions also ‘‘supports the use of the NISTIR 8425 criteria as the basis for the IoT Labeling Program. These criteria help establish a minimum security baseline suitable for consumer IoT products . . . However, as noted in paragraphs 27 and 28 [of the IoT Labeling NPRM], these criteria must be defined by minimum IoT security requirements and standards to enable consistent and replicable product testing.’’ Moreover, Somos similarly agrees that leveraging existing standards for device definition and security guidelines are the fastest, most effective path to the definition of a secure ecosystem, that NIST 8425 standard is the appropriate starting point, and that ‘‘existing standards should allow for the Commission to quickly create its definitions and guidelines.’’ We agree with the Cybersecurity Coalition that ‘‘only those standards and best practices recognized by the labeling program should be eligible, in order to avoid the inclusion of non-credible or irrelevant frameworks that may undermine trust in the label.’’ 93. We further determine that, given the existing work in this space, the Commission should not undertake the initial development of the standards that underpin the NIST Core Baseline. Rather, as discussed in paragraph 56 above, we direct the Lead Administrator to undertake this task, and delegate authority to the Bureau to review and approve the consumer IoT cybersecurity standards and testing procedures that have been identified and/or developed by the Lead Administrator (after any appropriate public comment) that VerDate Sep<11>2014 16:59 Jul 29, 2024 Jkt 262001 ensures the product to which a manufacturer seeks to affix the FCC IoT Label conforms to the NIST criteria. NIST’s IoT Product Component Requirements Essay provides a summary of standards and guidance that NIST has initially identified as applicable to IoT devices and IoT product components, that the Lead Administrator may determine are applicable to the IoT Labeling Program. Moreover, the Lead Administrator may also determine existing standards or schemes that exist in the market already may be readily adaptable and leverage such work to meet the terms of the program. 94. The Commission recognizes that since a ‘‘product’’ for purposes of the IoT Labeling Program is comprised of at least one IoT device and any additional product components that are necessary to use the IoT device beyond basic operational features, there may be multiple standards (e.g., a package of standards) applicable to a single IoT product (e.g., standards applicable to IoT devices; mobile apps; networking equipment included with IoT devices; and cloud platforms). The Commission does not anticipate a single standard would be developed or identified to apply to all consumer IoT products. However, a single package of standards may be developed or identified for each product type or class as identified by the Lead Administrator and reviewed and approved by the Bureau. We also agree with the Cybersecurity Coalition that ‘‘participants should have discretion to include security features that go beyond standard requirements . . . So long as the additional security features do not conflict with conformity with the standard used for eligibility by the labeling program participants, participants should be encouraged to go beyond baseline requirements.’’ F. The FCC IoT Label (Cyber Trust Mark and QR Code) 95. We adopt the IoT Labeling NPRM’s proposal to implement a single binary label with layering. As discussed in the IoT Labeling NPRM, ‘‘under a binary label construct, products will either qualify to carry the label or not qualify (i.e., not be able to carry the label) and ‘layers’ of the label would include the Commission’s Cyber Trust Mark representing that the product or device has met the Commission’s baseline consumer IoT cybersecurity standards and a scannable code (e.g., QR Code) directing the consumer to more detailed information of the particular IoT product.’’ 96. We adopt a binary label because we believe that a label signaling that an PO 00000 Frm 00021 Fmt 4701 Sfmt 4700 61261 IoT product has met the minimum cybersecurity requirements will be simplest for consumers to understand, especially as the label is introduced to and established for the public. The Cybersecurity Coalition supports a binary label, citing the benefits of a simple, consumer friendly nature and its potential to streamline the purchasing decision for consumers. Similarly, as LG Electronics points out, ‘‘[l]ike the ENERGY STAR program, a binary label specifying that a device has met a government standard—in this case for cybersecurity—will be enough to drive consumers and manufacturers toward more secure products,’’ while leaving manufacturers free to separately provide additional cybersecurity information about their products. And the Connectivity Standards Alliance supports the use of a single binary label with layering, as recommended by NIST, asserting that ‘‘[a]cademic studies have validated this approach.’’ Conversely, Canada advocates a multitiered approach to labeling to ‘‘lower barriers to entry into the labelling regime and facilitate trade and competition by ensuring Micro, Small and Medium Sized Enterprises (MSMEs), with fewer resources to meet a high level of cybersecurity,’’ and to ‘‘provide the incentives for a greater number of firms to innovate in IoT products and work on ‘climbing the ladder’ of cybersecurity levels over time.’’ Another commenter suggests a multi-tiered label that would have different colors depending on the length of time the product is supported. Other commenters advocate a multi-tiered approach that need not be reflected in different Cyber Trust Marks, but in different information available when a consumer scans the QR code. A study by Carnegie Mellon University indicates that different types of labels of various complexities have varying levels of effectiveness, but does not contest the idea of a binary label. We also recognize that some international regimes, such as Singapore, use a multi-tiered label. 97. Although one could imagine myriad different approaches to labeling that each have relative advantages and disadvantages, on balance we are persuaded to rely on a binary label as we begin our IoT Labeling Program, consistent with NIST’s recommended approach. We agree with the Cybersecurity Coalition that ‘‘the primary value of the IoT . . . labeling program is to better enable ordinary consumers to distinguish labeled products as likely providing better basic security than unlabeled products.’’ We believe a binary label meets this goal by E:\FR\FM\30JYR2.SGM 30JYR2 khammond on DSKJM1Z7X2PROD with RULES2 61262 Federal Register / Vol. 89, No. 146 / Tuesday, July 30, 2024 / Rules and Regulations providing a clear indication that products with the label meet the Commission’s cybersecurity requirements. We anticipate that promoting early consumer recognition of the FCC IoT Label—which we think is better advanced by a binary label— will, in turn, make consumers more attuned to cybersecurity issues and more receptive to additional cybersecurity information that manufacturers elect to provide apart from the FCC IoT Label and associated QR code. Thus, we believe that our use of a binary label still retains incentives for manufacturers to innovate and achieve higher levels of cybersecurity. Our approach to determining what cybersecurity standards will be applied also accommodates the potential for different requirements being necessary to meet the NIST baseline criteria in different contexts. To the extent that any multi-tiered labeling approach contemplated by commenters would allow manufacturers to obtain a label through lesser cybersecurity showings, that would be less effective at achieving the goals of our program. And to the extent that any multi-tiered labeling approach would require manufacturers to make heightened cybersecurity showings to achieve higher-tier labels, that is unlikely to lower barriers to participation in the IoT Labeling Program while also risking less understanding and acceptance of the FCC IoT Label by consumers. Because delay in moving forward with the IoT Labeling Program would have its own costs in pushing back the potential for benefits to consumers and device security, we also recognize the benefits of a binary label as more straightforward to implement, at least at the start of our IoT Labeling Program. Weighing all the relevant considerations, we are persuaded to move forward with a binary label at this time. 98. We require that products bearing the FCC IoT Label, which includes the Cyber Trust Mark, must also include the corresponding QR Code. Approval to use the Cyber Trust Mark is conditioned on the label also bearing the QR Code in accordance with the IoT Labeling Program’s label standards. In addition, the FCC IoT Label must be easily visible to consumers (e.g., on product packaging). This approach received considerable support in the record. We agree with USTelecom that ‘‘consumers should not have to open the package to get information because that could impact their ability to return the product.’’ Power Tool Institute, Inc. concurs that ‘‘[p]lacing a QR Code on the packaging is preferable to placing it VerDate Sep<11>2014 16:59 Jul 29, 2024 Jkt 262001 on the device.’’ Notable pros of using a QR Code are providing ‘‘consumers with detailed information about a device or product,’’ enhancing the program’s objective by providing real-time updates. However, some commenters raise concerns with the placement of the QR Code on the product packaging. Logitech urges the Commission to not require a QR Code in conjunction with the label, stating that it could crowd packaging, cause consumer confusion, and may cause confusion if retailers scan the wrong barcode when checking out a customer. We believe that as the label becomes established and recognized by consumers and retailers, the benefit of providing a QR Code linking to a registry populated with current information on the IoT product outweighs the potential for consumer confusion. We also believe the registry will be of value to consumers such that they will want to see it acknowledged in an easily accessible manner, which will override any potential difficulty retailers may have with scanning the incorrect code. Moreover, recognizing the realities of inventory turnover against the need for a cybersecurity label to be dynamic, the use of a QR Code-embedded URL in this context ensures that (1) if a consumer desires more information about the product than what the label itself signifies there is a simple means of access; and (2) information associated with the product’s compliance with the IoT Labeling Program is current. We view these as relevant considerations to purchasing decisions, which requires easy access to such information ‘‘on the spot’’ rather than requiring a purchaser to independently seek it out. 99. We direct the Lead Administrator to collaborate with stakeholders as needed to recommend to the Commission standards for how the FCC IoT Label bearing the Cyber Trust Mark and the QR Code should be designed (e.g., size and white spaces) and where such a label should be placed. This should include where the label could be placed on products where consumers may not see product packaging when shopping or after purchasing (e.g., refrigerators, washing machines, dryers, dishwashers, etc.) and including where consumers purchase products online. The Lead Administrator and stakeholders should also examine whether the label design should include the date the manufacturer will stop supporting the product as well as whether including other security and privacy information (e.g., sensor data collection) on the label would be useful to consumers. In addition, the Lead PO 00000 Frm 00022 Fmt 4701 Sfmt 4700 Administrator should address the use of the FCC IoT Label in store displays and advertising.20 We recognize the current work being done by industry on an appropriate format for the label, including the Cybersecurity Label Design, which is part of CTA’s American National Standards Institute (ANSI)-accredited standards program. As noted by CTA in its reply comments, the FCC specifies requirements for the use of the Cyber Trust Mark, but ‘‘there are several additional details needed regarding QR coding and resolution, white space for accurate recognition of QR codes, and more.’’ CTA states that the draft ANSI/CTA–2120 details lay out requirements for packaging, and we encourage the Lead Administrator to review and consider the work CTA’s Cybersecurity Label Design working group (a subgroup of CTA’s Cybersecurity and Privacy Management Committee) has completed in this regard. We agree that we should take into consideration the considerable work that has already been undertaken with respect to labeling design and placement and seek to leverage and benefit from this expertise by directing the Lead Administrator to seek feedback from a cross-section of relevant stakeholders who have been working on these issues. We delegate authority to PSHSB to review, approve (or not approve) the Lead Administratorrecommended labeling design and placement standards after any required public notice and comment process and if approved incorporate into the Commission’s part 8 rules. The provisions of 47 CFR 2.935(a) (allowing the electronic display of ‘‘or other information that the Commission’s rules would otherwise require to be shown on a physical label attached to the device’’) do not apply to the FCC IoT Label. The Cyber Trust Mark may only be used as directed by part 8, notwithstanding 47 CFR 2.935 or any other rule. G. Registry 100. We adopt our proposal from the IoT Labeling NPRM that the label include the Cyber Trust Mark and a QR Code that links to a decentralized publicly available registry containing 20 The issue of where the FCC IoT Label would be placed was raised in the record. We agree that flexibility in placement is important in instances where the consumer might not see the product’s packaging, such as in larger appliances, before purchasing the product. We recognize that some types of products might be customarily displayed in ways that make a one-size-fits-all approach inappropriate. As such, we agree with the ioXt Alliance’s suggestion that we consider how the label may be placed in ways that will be helpful to a consumer, such as through an in-store display, advertisement on a screen, or website. E:\FR\FM\30JYR2.SGM 30JYR2 khammond on DSKJM1Z7X2PROD with RULES2 Federal Register / Vol. 89, No. 146 / Tuesday, July 30, 2024 / Rules and Regulations information supplied by entities authorized to use the FCC IoT Label (e.g., manufacturers) through a common Application Programming Interface (API). The registry will include and display consumer-friendly information about the security of the product. We believe a publicly accessible registry furthers the Commission’s mission of allowing consumers to understand the cybersecurity capabilities of the IoT devices they purchase. We also agree that it is important for the registry to be dynamic, so a consumer can be aware if a product loses authorization to use the FCC IoT Label or if the manufacturer is no longer providing security updates. There is robust support for the development of a publicly-accessible registry. We agree with NCTA that ‘‘the IoT Registry is foundational to the value and utility of the Cyber Trust Mark Program.’’ In the following paragraphs, we establish general parameters for registry information. 101. We adopt a decentralized registry that contains specific essential information that will be disclosed by the manufacturer, as discussed in further detail below. This essential information from the manufacturer will be provided to a consumer accessible application via the registry by utilizing a common API that is secure by design. When a consumer scans the QR Code, a consumer accessible application will access the registry using the common API and present the consumer with the information we require to be displayed from the registry. CTIA points out that a centralized registry containing all the information the Commission conceived in the IoT Labeling NPRM and by commenters in the record would be inordinately complex and costly. We agree, and endeavor to meet the policy goal of providing a transparent, accessible registry to the public through more efficient and less complicated means. 102. We agree with the Commission’s assessment in the IoT Labeling NPRM that the registry’s goal is to assist the public in understanding security-related information about the products that bear the Cyber trust Mark. CTIA confirms this view, stating ‘‘the Commission should focus on the [registry] as a means to provide consumers with information that is critical to the success of the program.’’ CTIA further proposes that we should allow each manufacturer to establish their own mechanisms for conveying this information to consumers. However, we acknowledge ioXt Alliance’s concern that a completely manufacturer-driven approach could lead to inconsistencies, inaccuracies, or other difficulties for the VerDate Sep<11>2014 16:59 Jul 29, 2024 Jkt 262001 consumer. To balance the need for a workable, streamlined registry that is consistent for consumers and meets the Commission’s goals while easing the administrative burden inherent in a centralized registry, we require a common API that would provide access to the following essential information from the manufacture and display it to the consumer in a simple, uniform way: • Product Name; • Manufacturer name; • Date product received authorization (i.e., cybersecurity certification) to affix the label and current status of the authorization (if applicable); • Name and contact information of the CLA that authorized use of the FCC IoT Label; • Name of the lab that conducted the conformity testing; • Instructions on how to change the default password (specifically state if the default password cannot be changed); • Information (or link) for additional information on how to configure the device securely; • Information as to whether software updates and patches are automatic and how to access security updates/patches if they are not automatic; • The date until which the entity promises to diligently identify critical vulnerabilities in the product and promptly issue software updates correcting them, unless such an update is not reasonably needed to protect against cybersecurity failures (i.e., the minimum support period); alternatively, a statement that the device is unsupported and that the purchaser should not rely on the manufacturer to release security updates; • Disclosure of whether the manufacturer maintains a Hardware Bill of Materials (HBOM) and/or a Software Bill of Materials (SBOM); 21 and • Additional data elements that the Bureau determines are necessary pursuant to the delegated authority discussed below. 103. To reduce potential burdens and focus on essential information, we pare back the scope of the registry from what the Commission proposed in the IoT Labeling NPRM. We agree with the Cybersecurity Coalition that ‘‘[t]he primary purpose of the label is to help consumers make informed purchasing decisions’’ and include in the registry information that is key to making a purchasing decision, without overwhelming the consumer. To this end, we agree with commenters who 21 In addition to the declaration, the SBOM and HBOM will be made available upon request by the Commission, CyberLAB, and/or CLA. PO 00000 Frm 00023 Fmt 4701 Sfmt 4700 61263 suggest that including the information proposed in the IoT Labeling NPRM may be too burdensome. NEMA, for example, expresses concern about the resources required for a registry containing a full catalogue of devices. CTIA agrees that the IoT registry envisioned by the IoT Labeling NPRM would ‘‘impose significant, unmeetable burdens’’ for participants and the manager of the registry, and encourages us to refine our approach. The Cybersecurity Coalition likewise expresses concern over the complexity of the proposed registry. We agree that the registry be ‘‘modest in its goals’’ and ‘‘limited to basic information that is uniform . . . and pragmatic and useful to the consumer.’’ We believe that a registry containing simple, easy to understand information will be most helpful to a consumer making a purchasing decision, but also see the value in allowing manufacturers to include a second registry page (following the consumer-focused page) to enable manufacturers to provide additional technical details designed for researchers, enterprise purchasers, and other expert consumers of the label. Focusing only on the most critical information will further facilitate the speedy establishment of the IoT Labeling Program and the registry itself. 104. In the interest of keeping information simple and establishing the database swiftly, we streamline the elements that should be included in the registry. We do require information about how to operate the device securely, including information about how to change the password, as it would help consumers understand the cybersecurity features of the products, how those products are updated or otherwise maintained by the manufacturer, and the consumer’s role in maintaining the cybersecurity of the product. We do not require information about whether a product’s security settings are protected against unauthorized changes as part of the initial rollout of the registry in an attempt to streamline the registry to address concerns that the registry would be too bulky or unfriendly to consumers. We recognize the value of ensuring the registry information is accessible to everyone, including those whose primary language is not English. Accordingly, we direct the Lead Administrator to recommend to the Bureau whether the registry should be in additional languages and if so, to recommend the specific languages for inclusion. We delegate authority to the Bureau to consider and adopt requirements in this regard upon review E:\FR\FM\30JYR2.SGM 30JYR2 khammond on DSKJM1Z7X2PROD with RULES2 61264 Federal Register / Vol. 89, No. 146 / Tuesday, July 30, 2024 / Rules and Regulations of these recommendations. As the Association of Home Appliance Manufacturers points out, the location of the product’s manufacture is redundant with existing legal requirements. We also do not require labels to include an expiration date at this time as it may not be an applicable requirement for every product, but we direct the Label Administrator to consider whether to recommend including the product support end date on labels for certain products, or category of products. 105. While we recognize the value of utilizing the registry to keep consumers informed about product vulnerabilities, we note CTIA and Garmin’s concerns about listing unpatched vulnerabilities as not providing value to consumers, discouraging manufacturers from participating in the program, and tipping off bad actors. We agree that these concerns are significant and do not require detailed information about vulnerability disclosures in the registry at this time. Rather, we require disclosure only of whether a manufacturer maintains an SBOM and HBOM for supply chain security awareness. We agree with Consumer Reports, NYC Cyber Command Office of Technology and Innovation (NYC OTI), and the Cybersecurity Coalition that an SBOM should be considered as an element of the registry. We also note that Garmin’s concern is with disclosing the specific contents of an SBOM to the public, which ‘‘could reveal confidential business relationships with companies, as well as provide a roadmap for attackers,’’ but this is not what we require here. Requiring participating manufacturers to disclose only the maintenance of an SBOM and HBOM, rather than the contents therein, indicates an added level of software and hardware security while also protecting potentially sensitive information. Further, while we agree with CTA that a searchable registry would have value for the public, we are mindful of the resources, costs, and time involved with creating a registry that is searchable by each of the elements identified in the IoT Labeling NPRM. In limiting the registry as we have, we address the concerns that the registry may be too complex to administer in the initial iteration of the IoT Labeling Program. As discussed above, the decentralized, API-driven registry we adopt in the Order addresses the complexity concerns raised in the record. We cabin our initial vision of the registry and direct the Bureau, as described further below, to consider ways to make the initial design of the registry modest, VerDate Sep<11>2014 16:59 Jul 29, 2024 Jkt 262001 with potential to scale the registry as the IoT Labeling Program grows. 106. In this respect, we note that NIST’s research suggests that ‘‘future work should be done to examine potential issues of including an expiry date on a label.’’ NIST cited studies conducted by the UK Government that consumers were confused about what the expiration date meant, and an Australian government study in which consumers thought the device would stop working after that date. The UK research did conclude, however, that continued manufacturer support was important to survey participants. Consumer Reports suggested an expiration date, if present, should be tied to an end-of-support date rather than a renewal date. NIST’s research into the importance of support dates to consumers coupled with the potential confusion of expiration dates and the support from the record lead us to conclude an expiration date is not warranted. We do find, however, that the disclosure of a minimum support period and end date for the support period for the device is appropriate and will provide meaningful information to consumers on the manufacturer’s commitment to provide patches or other support—a vital issue in a dynamic threat environment. To ensure that information about this support period remains accurate, and to encourage manufacturers to support their products for longer periods, manufacturers shall be able to extend the support period in the registry through a mechanism to be determined by the Lead Administrator, but which should be expeditious and require no further disclosures. 107. While we identify the defined set of data that is consistent across all manufacturers, we believe the information contained in the registry for a particular IoT product or product class may also depend on the standards and testing procedures adopted for each particular IoT product. As such, in the near term, we expect there will be additional registry data elements that are specific to an IoT product, or classes of IoT products, that are not yet ripe for decision. We also recognize that some of the information recommended by NIST in its consumer education recommendations, discussed in further detail below, may be valuable for consumers to see in the registry. Accordingly, while we provide a baseline of necessary information that must be displayed for an IoT product in the registry, regardless of class the IoT product belongs to, we delegate authority to the Bureau to determine, subject to any required public notice and comment processes, whether any PO 00000 Frm 00024 Fmt 4701 Sfmt 4700 additional disclosure fields, such as the manufacturer’s access control protections (e.g., information about passwords, multi-factor authentication), whether or not the data is encrypted while in motion and at rest (including in the home, app, and cloud), patch policies and security or privacy information are necessary, and if so, what should they be. 108. We disagree with commenters, such as LG Electronics, who suggest that manufacturers should have discretion over whether to include additional privacy and/or security information through a QR Code, URL, or other scannable mechanism insofar as it would require additional information in the registry. LG Electronics, though supportive of adding a variety of data to the registry, acknowledges it is unclear how much detail or what types of information would be of value to a consumer. We believe that allowing discretion over what information is included in the registry may overcrowd it, or engender consumer confusion. Rather, uniform registry elements will provide greater consistency for consumers and adoption of uniform registry elements is supported by the record. We make clear, however, that we do not otherwise restrict what information manufacturers may include or reference on their product packaging, so long as it does not interfere with or undermine the display of the FCC IoT Label. 109. We recognize that a decentralized registry relying on data derived through an API from manufacturers will require some oversight to ensure that the registry, when accessed by consumers using QR Codes, functions as described and displays the required information about individual products. We direct the Lead Administrator to receive and address any technical issues that arise in connection with displaying the registry through the QR Code, the associated API, and consumer complaints with respect to the registry. CSA recommends that the Commission engage a thirdparty with operating the registry for cost and efficiency reasons. CTA agrees that the Commission should use a thirdparty to host and manage the registry due to the resources required to establish the registry. We agree that, given the structure of the registry as we adopt in the Order, the Lead Administrator is in the best position to interface with manufacturers to ensure the smooth operation of the registry. 110. We also recognize that for a registry of this magnitude to be effectively and timely rolled out requires significant input and E:\FR\FM\30JYR2.SGM 30JYR2 khammond on DSKJM1Z7X2PROD with RULES2 Federal Register / Vol. 89, No. 146 / Tuesday, July 30, 2024 / Rules and Regulations coordination with industry partners. To determine how the registry should be structured to best meet the goals of the IoT Labeling Program as we adopt in the Order, we direct the Bureau to seek comment and consider, as part of a public process, the technical details involved with the operation of the registry. We delegate authority to the Bureau to adopt a Public Notice, subject to any required public notice and comment, establishing the structure of the registry; identifying the common API; how the API should be structured; how the API should be used; how the queried data will be displayed to the consumer; how manufacturers need to maintain and implement the API in connection with its interactions with the registry; what, if any, additional disclosure fields would be most beneficial to consumers in the future, as discussed above; how the data in the registry returned by the API should be presented to the consumer; how the costs involved in maintaining the registry will be handled; how often the registry should be updated; whether to require the manufacturer to list the product sensors, what data is collected, if the data is shared with third parties, or security or privacy issues and if data should be replicated; and whether data should be replicated in multiple repositories—by the relevant CLA(s) or vendors, for example—and publicly accessible via a single query point; and any other technical information needed to establish the registry as we adopt in the Order. The Bureau should consider how to reduce burdens on manufacturers in supporting the decentralized registry. We delegate authority to PSHSB in coordination with, at a minimum, OMD (specifically the Office of the Chief Information Officer) and, to the extent necessary OGC (specifically the Senior Agency Official for Privacy) to identify and impose any applicable security or privacy requirements arising from Federal law or Federal guidance for the registry and to approve or modify the recommendations regarding the functional elements of the registry listed above. We further delegate authority to PSHSB to publish a Public Notice, subject to any required public notice and comment, adopting and incorporating into the Commission’s rules any additional requirements or procedures necessary to implement the Cyber Trust Mark registry. H. Continuing Obligations of Entities Authorized To Use the FCC IoT Label 111. We adopt the proposal in the IoT Labeling NPRM that applicants must renew their authority to use the FCC IoT VerDate Sep<11>2014 16:59 Jul 29, 2024 Jkt 262001 Label. Entities authorized to use the FCC IoT Label are required to ensure the product bearing the FCC IoT Label continue to comply with the Commission’s program requirements. We disagree with the Connected Consumer Device Security Council (CCDS) that no renewals should be required and the product should simply bear the last date of testing. Such an approach could severely impair consumer trust in the label, especially if a product bearing the FCC IoT Label is being sold as new but is far out of date as to its initial achievement of the Mark. 112. For those that support some interval of renewal, the record is divided with respect to whether IoT Labeling Program applicants should file for renewal each year, as proposed in the IoT Labeling NPRM. Consumer Reports and TÜV SÜD agree that annual renewal is appropriate. AHAM feels that an annual renewal application as the Commission proposed was unnecessary, or at minimum ‘‘unnecessarily rigid.’’ AHAM posits that a requirement to renew should only be triggered when a significant or substantive change is made to either the standard the manufacturer certifies to, or a significant design change to the product. Similarly, more durable IoT products (such as smart appliances) may need to be renewed less frequently. NAM argues that annual renewals are unnecessary for products that pose a limited risk. Kaiser Permanente believes higher-risk devices should be updated annually, and otherwise renewal should occur every three years. CCDS argues no annual testing is necessary, and the product should simply have the date it was authorized to bear the label that signals the product was compliant as of the initial date. CSA suggests limiting the need for annual testing, but suggests some kind of annual reporting should be required. We observe that other certifying bodies, such as ioXt Alliance, require annual renewal for products they certify and allow incentives for early renewal. Based on the record, we recognize the degrees of nuance attendant to the different types of products at issue. We agree with the notion that certain IoT products, depending on their lifespan and risk level, may need different standards for renewal to achieve the FCC IoT Label. 113. We task the Lead Administrator to collaborate with stakeholders and provide recommendations to PSHSB on how often a given class of IoT products must renew their request for authority to bear the FCC IoT Label, which may be dependent on the type of product, and that such a recommendation be submitted in connection with the PO 00000 Frm 00025 Fmt 4701 Sfmt 4700 61265 relevant standards recommendations for an IoT product or class of products. In doing so, consideration should be given as to whether annual continuous compliance reports are acceptable for purposes of renewing, and how to effectively balance the need for industry flexibility and the need to ensure that consumers have up-to-date information about the product they are considering purchasing. Consideration should also be given to the fees incurred as part of a renewal process, as we agree with Kaiser Permanente that renewal fees must not be unduly burdensome or costprohibitive. We emphasize that renewals should occur frequently enough that a consumer can be sure that a product bearing the FCC IoT Label has reasonable cybersecurity protections in place, and some process must be in place to ensure accountability, even if annual testing is not required. We delegate authority to PSHSB to review, approve (if appropriate) and, subject to any required public notice and comment, incorporate by reference into the Commission’s rules, the proposals from the Lead Administrator for renewal of authority to bear the FCC IoT Label. I. Audits, Post-Market Surveillance, and Enforcement 114. We adopt the IoT Labeling NPRM’s proposal to rely on a combination of administrative remedies and civil litigation to address noncompliance and direct the CLA(s) to conduct post-market surveillance. The purpose of this IoT Labeling Program is to provide reasonable assurances to the consumer that the products they bring into their homes have at least a minimum level of cybersecurity. The success of the IoT Labeling Program hinges on the label retaining its integrity as a trusted consumer resource. This requires vigorous review and enforcement to ensure that products bearing the Cyber Trust Mark are in compliance with the program standards. We further observe that the ISO/IEC 17065 standards require CLAs to perform appropriate post-market surveillance activities. We adopt postmarket surveillance and civil enforcement, accordingly. 115. We find support in the record that the ‘‘Mark must be trusted by consumers to be successful’’ and ‘‘to gain consumer confidence and incentivize cybersecurity, the label must be backed by a robust enforcement program.’’ We agree with the EPIC’s position that weak enforcement may result in unmet consumer expectations regarding a product’s actual level of cybersecurity and ‘‘allow bad actors to take advantage of the goodwill created E:\FR\FM\30JYR2.SGM 30JYR2 61266 Federal Register / Vol. 89, No. 146 / Tuesday, July 30, 2024 / Rules and Regulations khammond on DSKJM1Z7X2PROD with RULES2 by the cybersecurity program,’’ and take up its recommendation of independent, post-market audits accordingly. Whirlpool also supports regular market surveillance to find instances of unapproved use of the Cyber Trust Mark, as well as products that may have been certified but no longer meet program requirements. Whirlpool states that surveillance ‘‘should include random auditing . . . as well as sampling of some established percentage on a regular basis of certified products/devices.’’ The American Association for Laboratory Accreditation supports adopting the product surveillance standards established for Telecommunication Certification Bodies (TCBs) and in the EPA’s ENERGY STAR program. We also agree with commenters who indicate that the Commission, CLAs, and possibly the Federal Trade Commission (FTC) should be able to receive complaints of noncompliant displays of the Cyber Trust Mark, which could result in auditing. We delegate authority to the Bureau, in coordination with the Consumer and Governmental Affairs Bureau, to determine the process for receiving and responding to complaints. CTA and Planar Systems also support random auditing. We agree that random audits, in addition to regular postmarket surveillance will best serve to maintain consumer confidence in the Cyber Trust Mark.22 116. Post-market surveillance. We agree with the Cybersecurity Coalition that post-market surveillance of products receiving the Cyber Trust Mark should be a principal enforcement mechanism, and find that CLAs are in the best position to conduct post-market surveillance and random auditing, in accordance with ISO/IEC 17065. These activities are based on type testing a certain number of samples of the total number of product types which the CLA has certified. In addition, each CLA must be prepared to receive and address post-market surveillance from the public. If a CLA determines that a product fails to comply with the technical regulations for that product, the CLA will immediately notify the 22 To enable a meaningful audit process it will be important to be able to review certain key records, which we consequently will require grantees to retain records regarding the original design and specifications and all changes that have been made to the relevant consumer IoT product that may affect compliance with the IoT Labeling Program requirements; a record of the procedures used for production inspection and testing; and a record of the test results that demonstrate compliance. See 47 CFR 8.215. We model our approach on analogous elements of our equipment authorization rules, with which the Commission and industry have substantial experience, and which have proven workable in practice. See 47 CFR 2.938(a), (f). VerDate Sep<11>2014 16:59 Jul 29, 2024 Jkt 262001 grantee and the Lead Administrator in writing. The grantee will have 20 days to provide a report to the CLA describing actions taken to correct the deficiencies. Continued deficiency after 20 days will result in termination of the grantee’s approval to display the Cyber Trust Mark. A grantee’s approval to display the Cyber Trust Mark may also be terminated subject to the 20 day cure period for false statements or representations found in their application or associated materials or if other conditions come to the attention of a CLA which would warrant initial refusal to authorize use of the FCC Label. Such terminations will protect the integrity of the FCC IoT Label and encourage accurate representations and disclosures in application materials that will enhance the reliability of the Labeling Program’s operation, more generally. 117. We believe it is appropriate for the Lead Administrator, in collaboration with the CLAs and other stakeholders, to identify or develop, and recommend to the Commission for approval, the post market surveillance activities and procedures that CLAs will use for performing post-market surveillance. The recommendations should include specific requirements such as the number and types of samples that a CLA must test and the requirement that grantees submit, upon request by PSHSB or a CLA, a sample directly to the CLA to be evaluated for compliance at random or as needed.23 We delegate authority to the Bureau to review the recommendations and, subject to any required public notice and comment, incorporate post market procedures into the Commission’s rules. We also delegate authority to the Bureau to establish requirements (subject to any required public notice and comment) regarding post-market surveillance of products in any instances where the CLA that granted the authorization of the product is not available to conduct such post-market surveillance. The document will also address procedures to be followed if a grantee’s approval to display the Cyber Trust Mark is terminated based on mandatory postmarket surveillance or notice from the public, including disqualification from the IoT Labeling Program and potential further investigation into other products related to the manufacturer or the CyberLAB, as discussed below. Finally, the Lead Administrator will submit periodic reports to PSHSB of the CLAs’ 23 If necessary to accommodate the volume of auditing, a CLA may outsource some post-market surveillance testing to a recognized CyberLAB, but retains responsibility for the final review. PO 00000 Frm 00026 Fmt 4701 Sfmt 4700 post-market surveillance activities and findings in the format and by the date specified by PSHSB. 118. The IoT Labeling NPRM sought comment on disqualification for nonconformity, referencing the Department of Energy’s ENERGY STAR program, which sets out contractual Disqualification Procedures, including a 20 day period to dispute before a formal disqualification decision and what steps an ENERGY STAR partner must take after being formally disqualified (e.g., removing references to ENERGY STAR in the product labeling, marketing). The IoT Labeling NPRM asked whether the IoT Labeling Program should adopt a similar process. We agree with EPIC and Planar Systems in supporting a ‘‘cure period [to] give[ ] good actors the opportunity to fix any issues without incurring penalties’’ and ’’ to address any discovered non-conformance as long as the manufacturer is acting in good faith.’’ Here, we adopt a cure period of 20 days, which is in line with the ENERGY STAR program. 119. EPIC also supports adopting disqualification procedures similar to ENERGY STAR’s for non-compliance, including ceasing shipments of units displaying the label, ceasing the labeling of associated units, removing references to the label from marketing materials, and covering or removing labels on noncompliant units within the brand owner’s control. It notes that the EPA also conducts retail store level assessments to identify mislabeled products and argues that a robust enforcement mechanism should include all of these actions. We delegate to the Bureau to consider whether such requirements should follow from termination of authority. 120. In addition, we find that a combination of enforcement procedures for non-compliance are available, including administrative remedies under the Communications Act and civil litigation trademark infringement or breach of contract. Administrative remedies may include, but are not limited to, show cause orders, forfeitures, consent decrees, cease and desist orders, and penalties. The Commission will pursue all available means to prosecute entities who improperly or fraudulently use the FCC IoT Label, which may include, but are not limited to, enforcement actions, legal claims of deceptive practices prosecuted through the FTC,24 and legal 24 In addition, to further help safeguard the integrity of the IoT Labeling Program and the FCC IoT Label, we codify a rule that prohibits any person from, in any advertising matter, brochure, etc., using or making reference to the FCC IoT Label or the Cyber Trust Mark in a deceptive or E:\FR\FM\30JYR2.SGM 30JYR2 khammond on DSKJM1Z7X2PROD with RULES2 Federal Register / Vol. 89, No. 146 / Tuesday, July 30, 2024 / Rules and Regulations claims for trademark infringement or breach of contract. The record supports both administrative remedies to address consumer harm and civil enforcement actions for false use of the FCC IoT Label. We assert that this combination of enforcement mechanisms are best suited to protect consumer trust in the Cyber Trust Mark and incentivize participant compliance. 121. Cyber Trust Mark Demonstrates Adherence to Widely Accepted Industry Cybersecurity Standards. While we decline to preempt state law, we find that approval to use the Cyber Trust Mark on a particular product is an indicator of reasonableness and demonstrates adherence to widely accepted industry cybersecurity standards. While several commenters support Commission preemption of state laws, as well as adoption of liability protections for devices approved to display the Cyber Trust Mark, we decline to preempt state law and decline to implement a legal safe harbor beyond reiterating the Commission’s view that achievement of FCC IoT Label is an indicium of reasonableness for entities whose products are compromised despite being approved to use the Cyber Trust Mark. We recognize that a more fulsome safe harbor provision may indeed incentivize participation in the IoT Labeling Program, as the U.S. Chamber of Commerce urges. However, on this record we are not persuaded that it would be feasible or prudent for the Commission to make liability pronouncements as to laws or standards outside the Commission’s purview as would be necessary for a broader safe harbor in the absence of preemption. As EPIC observes, such a safe harbor could also decrease consumer trust in the label. In addition, several states have adopted legal safe harbors for entities that implement reasonable security measures (e.g., voluntarily adopt recognized best practices such as NIST’s and implement written security programs), and we defer to the states to determine whether approval to use the Cyber Trust Mark meets these State requirements. Given the uncertain interplay between qualification to use the Cyber Trust Mark and various state law regimes, coupled with the risk that such a safe harbor could decrease consumer trust in the label, we decline to preempt state liability requirements at this time. misleading manner. See 47 CFR 8.213(b). We model our approach on analogous elements of our equipment authorization rules, with which the Commission and industry have substantial experience, and which have proven workable in practice. See 47 CFR 2.927(c). VerDate Sep<11>2014 16:59 Jul 29, 2024 Jkt 262001 J. International Reciprocal Recognition of the Cyber Trust Mark 122. We note the robust record highlighting the immense value to manufacturers of IoT products in international harmonization of cybersecurity standards. We agree with Widelity that ‘‘IoT devices are often manufactured and sold globally. As supply chains evolve, a consistent set of standards will support the rapid growth of innovation and security.’’ We further agree with Consumer Reports that ‘‘mutual recognition should only occur when the other program to be recognized has standards as stringent or more stringent’’ than the IoT Labeling Program. 123. We recognize several other countries already have an established national cyber IoT labeling program, including Singapore, Finland, and Germany. The record cites to these programs and highlights their features for consideration in developing the IoT Labeling Program. For example, the record explains how Singapore’s CLS takes reference from the EN 303 645 standards developed by the European Telecommunications Standards Institute (ETSI). We note that other commenters have also recommended use of the ETSI EN 303 645 standards. Further, the record provides Finland’s IoT labeling database as an example for developing our IoT registry. Several other countries have government activity around IoT devices or products. For example, Canada has a cybersecurity certification program for small and medium-sized organizations. As another example, South Korea has a IoT security certification system justified under Article 48–6 of their ‘‘Act on Promotion of Information and Communications Network Utilization and Information Protection’’ statute. 124. We also observe continuing developments in IoT security across the globe for consideration. The European Union Agency for Cybersecurity (ENISA) is currently developing a cybersecurity certification framework that would require certain products, services, and processes to adhere to specific requirements. Relatedly, the U.S. has signed an agreement for a joint roadmap between the Cyber Trust Mark and similar consumer labeling programs in the EU. Further, Japan has committed to work with the U.S. to ‘‘ensure interoperability’’ of its IoT labeling scheme currently under development. 125. We fully recognize the importance of ensuring international recognition of the IoT Labeling Program and reciprocity considerations underlie our decisions in the Order. We delegate PO 00000 Frm 00027 Fmt 4701 Sfmt 4700 61267 authority to the Bureau and the FCC Office of International Affairs to work with other Federal agencies to develop international recognition of the Commission’s IoT label and mutual recognition of international labels, where appropriate, as promptly as possible to enable recipients of the Cyber Trust Mark to realize the benefits an internationally recognized Cyber Trust Mark can have to promote global market access. Moreover, the proliferation in the marketplace both in the U.S. and abroad of products meeting a common baseline standard will elevate the overall global cybersecurity baseline for IoT and promote securityby-design approaches to smart products. K. Consumer Education 126. We adopt the IoT Labeling NPRM’s proposal and base the IoT Labeling Program’s consumer education requirements on the considerations NIST outlines in the NIST Cybersecurity White Paper due to its general applicability to an IoT label and in light of support from the record. The Lead Administrator will be responsible for developing a consumer education campaign that is based on the considerations recommended by NIST in the NIST Cybersecurity White Paper and discussed in greater detail below. In developing its consumer education plan, we task the Lead Administrator with considering ways to roll out a robust campaign with a reasonable national reach, including ways to make the consumer education accessible and whether education materials should be developed in multiple languages. We further task the Lead Administrator with considering the costs of conducting such outreach and how that outreach would be funded. Once developed, the Lead Administrator will submit this consumer education plan to the Bureau for consideration and for coordination in publicizing the benefits of the IoT Labeling Program. We recognize the importance of close collaboration between industry and delegate authority to the Bureau to consider and work with the Lead Administrator and other stakeholders to determine how the consumer education campaign would be executed and to execute the campaign. In addition and in furtherance of our expectation that the success of the IoT Labeling Program will be dependent on a close collaboration with the Federal Government, industry, and other relevant stakeholders, the Commission will coordinate as needed with relevant agencies, such as the Department of Homeland Security, Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation E:\FR\FM\30JYR2.SGM 30JYR2 khammond on DSKJM1Z7X2PROD with RULES2 61268 Federal Register / Vol. 89, No. 146 / Tuesday, July 30, 2024 / Rules and Regulations (FBI), as well as the FTC, the Consumer Product Safety Commission (CPSC), and other industry stakeholders who have indicated a willingness to publicize the benefits of the IoT Labeling Program as part of their own consumer education activities. 127. We agree with CEDIA that consumer education will have a significant impact on meeting the IoT Labeling Program’s goals. We further agree that adequate consumer education must inform consumers of the limitations of the Cyber Trust Mark as well as the benefits of having a product that meets baseline cybersecurity requirements, and we agree with CSA that consumers should understand that the label does not guarantee complete device security, but that such protections are an important component of risk management. As pointed out by the City of New York’s Office of Technology and Innovation, an effective consumer education program would need to cover the risks and threats to ‘‘digital integration of [IoT] devices’’ and how those risks ‘‘can be lessened by helping operators, users, and consumers . . . learn the key elements of a strong IoT Cybersecurity posture.’’ We agree with commenters in the record that NIST’s approach to consumer education is best, and note that no commenters opposed NIST’s approach. 128. As the Commission acknowledged in the IoT Labeling NPRM, NIST has prepared a document identifying consumer education considerations as part of its analysis of a cybersecurity labeling program. In following with NIST’s recommendations, the Commission believes consumers should have access to the following information as part of the IoT Labeling Program’s consumer education plan: (1) What the label means and does not mean, including that the label does not imply an endorsement of the product and that labeled products have not completely eliminated risk; (2) What cybersecurity baselines must be met to obtain authority to affix the label, why they were included, and how those criteria address security risks; (3) A glossary of applicable terms, written in plain English; (4) General information about the conformity assessment process, including information about how the conformity assessment was conducted and the date the label was awarded to the product; (5) The kinds of products eligible for the label and an easy way for consumers to identify labeled products; VerDate Sep<11>2014 16:59 Jul 29, 2024 Jkt 262001 (6) The current state of device labeling as new cybersecurity threats and vulnerabilities emerge; (7) Security considerations for end-oflife IoT products and functionality implications if the product is no longer connected to the internet; (8) Consumer’s shared responsibility for securing the device software and how their actions (or inactions) can impact the product’s software cybersecurity; and (9) Contact information for the IoT Labeling Program and information on how consumers can lodge a complaint regarding a product label. 129. We recognize that some aspects of this consumer education campaign overlap other aspects of the IoT Labeling Program, such as the registry. We see no harm with including that information in the registry as well as the consumer education campaign. We also observe the importance of conducting what NIST describes as a ‘‘campaign’’ to establish and increase label recognition, and thus envision a Lead Administratorled, multiple stakeholder engagement that puts NIST’s recommendations into practice. 130. NIST has conducted research into the consumer perspective on the loss of manufacturer support in IoT products. The research suggests that proactive communication to consumers from the manufacturer with information about end-of-life support policies, the expected lifespan, and how to sign up for notifications about changes to support is an additional, important step. NIST also emphasizes the importance of consumer education about the meaning of the dates attached to a label, and cautions that this can confuse consumers as to the date’s meaning. We agree with Consumer Reports that educating consumers about the meaning of support periods is an important aspect of consumer education. We believe that the recommendations identified by NIST in the NIST Cybersecurity White Paper, coupled with the consumer research done by NIST and industry, provide a strong model that the Lead Administrator can utilize in its consumer education campaign to meet the goals NIST and the record, discussed above, identify as important for a successful consumer education campaign. 131. To assist the Lead Administrator in promoting consumer education, the Commission will coordinate publicizing the benefits of the IoT Labeling Program with the relevant agencies, including the Department of Homeland Security, CISA, FBI, FTC, CPSC, and other industry stakeholders who have indicated a willingness to assist with PO 00000 Frm 00028 Fmt 4701 Sfmt 4700 consumer education. A coalition of trade associations advocates for a consumer education program led by the U.S. Government, but do not propose how to conduct outreach consistent with the Federal outreach concerns articulated in the IoT Labeling NPRM. We agree that a government outreach program is essential in a larger campaign to effectively inform consumers about the IoT Labeling Program, consistent with NIST’s recommendations identified above. The Commission intends to work closely with CISA to make use of their ‘‘Secure our World’’ program. We agree with CTA that Federal consumer education efforts do not preclude independent communication and outreach programs. For example, the National Retail Foundation indicated their willingness to support consumer education efforts. While Everything Set, Inc. is concerned that outsized private sector involvement in consumer education might hurt the campaign’s credibility, we believe that retail and manufacturer involvement in promoting the IoT Labeling Program and the limitations of the IoT Labeling Program are important to ensure widespread recognition of the Cyber Trust Mark in commerce. To promote consumer education and engage in a joint effort with industry and stakeholders to raise awareness of the label, the Commission will coordinate with the Lead Administrator, Executive Agencies, and other industry stakeholders who have indicated a willingness to publicize the benefits of the IoT Labeling Program as part of their own consumer education efforts. L. Cost/Benefit Analysis 132. Our analysis indicates that the expected benefits of the IoT Labeling Program greatly exceed the expected costs of the program. The expected benefits of the IoT Labeling Program include improved consumer cyber awareness; reduced vulnerability of products that could be used in cyberattacks both in people’s homes and as part of a larger national IoT ecosystem; and increased manufacturer competition and relational benefits stemming from increased goodwill and product awareness. Consumers value the security of their devices, and the complexity of understanding whether IoT devices meet baseline security standards, and making informed purchases on that basis is a significant cost to consumers. 133. Consumer Benefit from Reduced Search Costs. The Cyber Trust Mark can lower consumer research costs by reducing the amount of time consumers spend researching the cybersecurity E:\FR\FM\30JYR2.SGM 30JYR2 khammond on DSKJM1Z7X2PROD with RULES2 Federal Register / Vol. 89, No. 146 / Tuesday, July 30, 2024 / Rules and Regulations characteristics of IoT products before making a purchase. We estimate that the Cyber Trust Mark will save consumers at least $60 million annually from reduced time spent researching cybersecurity features of potential purchases. We use the U.S. Department of Transportation (DOT)’s approach of valuing the time savings of travel to value the time savings to consumers of the Cyber Trust Mark. Our analysis relies on the share of households with a smart home device (which we note is only one segment of the IoT market likely to be impacted by the Order), the share of those households that are likely to devote time to investigating the cybersecurity of their connected products, and an estimate of their time value of researching cybersecurity characteristics of devices. First, we estimate that 49 million U.S. households own at least one IoT device from a market segment that likely will be impacted by the Cyber Trust Mark. Further, recent survey evidence suggests that 32% of households are invested in reducing their cybersecurity risk. We estimate each hour of time savings to be valued at $16 based on the median compensation in the U.S. and an individual’s potential preference for researching products rather than working an additional hour. We note that this calculation only focuses on one segment of the IoT market, which may underestimate the time savings induced by the Order. We recognize that the exact time savings of utilizing the Cyber Trust Mark relative to searching for information online is unknown, so a lower end estimate of 15 minutes of time savings per year per household is used. We find a 15-minute time savings is consistent with the value of cybersecurity features disclosed in surveys. Given manufacturer and industry group comments showing support for consumer awareness and cybersecurity, we believe there would be sufficiently large enough immediate manufacturer participation in the IoT Labeling Program to incur these benefits in the first year of the program, and every year thereafter. Nationwide, the Cyber Trust Mark would result in a minimum of $60 million in time savings annually.25 134. A separate approach to calculating the benefit of the Cyber Trust Mark is to estimate the value consumers place on security and privacy features of IoT devices. A study submitted by Consumer Reports found that respondents valued individual 25 $60 million = (15,000,000*$16*(15/60)) is the estimated value for 15 minutes of time savings nationwide. VerDate Sep<11>2014 16:59 Jul 29, 2024 Jkt 262001 security upgrades between $6 and $13. The study also found that devices were valued at around $34 more if they had a label emphasizing a bundle of the most protective security features. Given the difficulty consumers face in understanding what security and privacy features are included in a device, the Cyber Trust Mark would help consumers easily identify and choose products with features they value. For example, if the Cyber Trust Mark represented the most protective features associated with the label in the in the study, a consumer would benefit by $34 from purchasing a device with the Cyber Trust Mark over a device that did not display the Mark. Based on our estimate of 15 million households that would be impacted by the IoT labeling program, we estimate that the benefit to consumers, in terms of the added value of the Cyber Trust Mark, would be between $85 million and $500 million annually. While the exact security features that will be proposed by the Lead Administrator in collaboration with stakeholders are not yet determined, if the Cyber Trust Mark only emphasized the lowest valued security feature, the program would produce a benefit of at least $85 million. 135. Manufacturer Competitive and Reputational Benefits. Aside from the direct benefits to consumers, there are also wider benefits of the Cyber Trust Mark. Participating businesses benefit from product differentiation and quality signaling vis-a-vis competitors that do not participate in the IoT Labeling Program and from increased company goodwill and reduced risks related to cybersecurity incidents. By aligning minimum security practices with the proposed standards, and communicating those standards to consumers, manufacturers may be able to generate goodwill and reduce business loss after cybersecurity incidences. While we do not revisit our discussion of a safe harbor from liability as discussed above, we note that manufacturers may benefit from adopting security practices that are consistent with standards necessary to bear the Cyber Trust Mark. We highlight that there have been several instances where the Federal Trade Commission investigated and settled with firms due to poor security practices or inaccurate communication of their security practices. We merely note that a manufacturer that has gone through the process of obtaining the Cyber Trust Mark may benefit from likely having documented the security practices and attendant testing necessary to acquire the Mark. PO 00000 Frm 00029 Fmt 4701 Sfmt 4700 61269 136. Market-Wide Benefits of Reduced Cybersecurity Incidents. Insecure IoT products are often used in distributed denial-of-service (DDoS) attacks, which can be used to overwhelm websites to create a distraction during other cybersecurity crimes, or to request a ransom be paid to stop the attack. While we cannot quantify the expected benefits the Cyber Trust Mark may have on reducing the number of vulnerable devices and/or the potential reduction on their likelihood of being used in a cybersecurity attack, commenters do highlight improved security as one of the major benefits of this IoT Labeling Program. We do further emphasize this as a benefit that is likely to have significant impacts on firms in a wide range of industries. 137. Costs to IoT Labeling Program Participants. Only those entities who choose to participate will incur costs associated with the voluntary IoT Labeling Program. The specific costs of to participating manufacturers cannot be readily measured but are expected to include: conformity testing fees at a CyberLAB, CLA lab, or through in-house testing; CLA fees; internal compliance and filing costs; Cyber Trust Mark placement on product; costs incurred for API access as part of the QR Code; a customer information campaign; and adjustments to security practices necessary to meet the standards established for the Cyber Trust Mark. These costs are likely to vary depending on the standards and testing procedures proposed by the Lead Administrator as well as the extent of manufacturer participation. Any in-house testing lab will also be required to obtain accreditation to ISO/IEC standards and will incur the accreditation costs. We expect that manufacturers that choose to pursue this option may offset the accreditation costs with time savings, and potentially cost savings, associated with in-house testing. 138. Participating manufacturers will incur conformity testing, reporting costs, potential renewal fees, and Label Administrator processing fees, but the Commission’s IoT Labeling Program is voluntary and we only expect manufacturers who would benefit from the program to participate in the longrun, further indicating that accrued benefits will exceed manufacturer costs. Furthermore, comments in the record show that many manufacturers and industry groups are in favor of consumer awareness and addressing cybersecurity concerns. This provides some indication that manufacturers perceive the benefits of participating in the IoT Labeling Program as outweighing the costs. We understand E:\FR\FM\30JYR2.SGM 30JYR2 khammond on DSKJM1Z7X2PROD with RULES2 61270 Federal Register / Vol. 89, No. 146 / Tuesday, July 30, 2024 / Rules and Regulations that manufacturers’ security practices for IoT products vary. Some manufacturers will find it beneficial to align their cybersecurity standards with the IoT Labeling Program’s standards and apply for the Cyber Trust Mark. If a manufacturer decides not to participate in the program, then they will not experience any additional costs. 139. Cost of Registry Development and Administration. We attempt to estimate the cost of developing and administering the registry with currently available information, recognizing that our cost estimate is unable to incorporate pending issues that will be addressed by the Bureau as discussed above. While the cost to the Lead Administrator to manage the registry in accordance with the Bureau’s pending determinations and as discussed above are forthcoming, we nevertheless attempt to estimate the costs of the Lead Administrator’ administrative role in managing the registry as described above. Our estimate utilizes data submitted by Consumer Reports, which envisioned a centralized registry. We note that the registry, as adopted, will be less burdensome than the costs described by Consumer Reports in their estimates.26 Our estimate to maintain registry components and review applications as part of the CLA duties, which aligns with the middle of the expert range based on commenter submissions, is approximately $5 million annually. The high-end estimate submitted by Consumer Reports is $10 million. Consumer Reports indicates that setting up a centralized registry could be done by one individual with a few contractors at a cost less than $200,000 a year. Depending on the requirements, the Lead CLA may still need to set up some minimal components of a registry and incur a small portion of these costs. The estimates on the annual administration costs are much less precise with the expert proposed estimate of between $100k and $10 million annually, with indication that the $10 million estimate is on the very high end. Staff calculate a more reasonable, but likely still high, estimate in the middle of that range, even accounting for the advanced technical expertise that would be required to review applications. For example, an organization relying on five lawyers, five electrical engineers, and 26 The Consumer Reports proposed registry architecture includes a dataset that can store images and PDFs as well as allows for device manufacturers, retailers, security researchers and administrators to access the platform. The registry, as adopted, does not include these features and therefore would not incur the costs to develop and maintain them. VerDate Sep<11>2014 16:59 Jul 29, 2024 Jkt 262001 five software developers in a full-time capacity would require $3 million annually in wage compensation. If we generously assume another $2 million in additional costs to accommodate ISO/ IEC accreditation, contractors, facilities, and other resources, the total is $5 million. While these estimates are for a single administrator, we believe this is a reasonable estimate of the staffing costs that would be distributed among the CLAs to meet the requirements of reviewing applications. 140. The estimated high-end costs of administering the IoT Labeling Program annually ($10 million) are far less than the low-end estimate of annual benefits to consumers ($60 million) of just one aspect of the program. We further highlight that the benefits to manufacturers are likely to exceed manufacturer’s participation costs. Together this indicates the total program benefits exceed costs. Because the initial startup costs are so low relative to the benefits, we do not compare the discounted values. I. Legal Authority 141. We adopt the IoT Labeling NPRM’s tentative conclusion that the FCC has authority to adopt the IoT Labeling Program. We conclude that section 302 provides us with the authority to adopt a voluntary program for manufacturers seeking authority to affix the FCC-owned Cyber Trust Mark on wireless consumer IoT products that comply with the program requirements. In the IoT Labeling NPRM, the Commission sought comment on its authority under section 302 of the Act, along with other possible sources of authority. In particular, under section 302(a) of the Act, consistent with the public interest, convenience, and necessity, the Commission is authorized to make reasonable regulations (1) governing the interference potential of devices which in their operation are capable of emitting radio frequency energy by radiation, conduction, or other means in sufficient degree to cause harmful interference to radio communications; and (2) establishing minimum performance standards for home electronic equipment and systems to reduce their susceptibility to interference from radio frequency energy. 142. Some commenters question our authority under section 302 to establish an IoT Labeling Program. The U.S. Chamber of Commerce cautions the Commission to not ‘‘overinterpret its harmful interference authority’’ under sections 302(a) and 333. CTIA argues that the Commission does not have the authority to regulate cybersecurity, but PO 00000 Frm 00030 Fmt 4701 Sfmt 4700 does not cite to section 302(a) or explain why the Commission’s action in the Order does not fall within the scope of section 302(a) or any other section of the Communications Act. Others do not dispute the Commission’s authority to adopt a voluntary program but argue that the Commission does not have the authority to make the IoT Labeling Program mandatory. 143. We agree with Comcast that Congress intended section 302 to be flexible enough ‘‘to address novel issues not yet on the legislative radar[.]’’ As Comcast further observes, ‘‘[t]he stated goal of the [IoT Labeling] Program is to ‘ensure that IoT devices have implemented certain minimum cybersecurity protocols to prevent their being hacked by bad actors who could cause the devices to cause harmful interference to radio communications,’ which falls squarely within the Commission’s remit under section 302(a).’’ Further, NYC OTI points out that IoT which ‘‘by design doesn’t protect against the reception of spurious or unintended RF communications may be subject to a series of radio-layer attacks due to the lack of these protections’’ and thus is within our authority to regulate. A voluntary IoT Labeling Program thus assures consumers that certain cybersecurity standards are met to protect those devices from being used to generate interference to other devices. 144. In addition to our authority under section 302(a)(1), section 302(a)(2) authorizes the Commission to ‘‘establish minimum performance standards for home electronic equipment and systems to reduce their susceptibility to interference from radio frequency energy.’’ A voluntary program for consumer IoT products is encompassed within our authority to regulate home electronic equipment and their accompanying systems that render that home electronic equipment operational. 145. Section 302(a)(2) allows such regulations to apply to ‘‘the manufacture, import, sale, offer for sale, or shipment of such devices and home electronic equipment and systems[.]’’ The legislative history of section 302 also supports our conclusion. Congress adopted section 302 due to concerns about radio frequency interference to consumer electronic equipment: In the market for home devices, however, good faith industry attempts to solve this interference have not always been as successful. . . . [T]he Conferees believe that Commission authority to impose appropriate regulations on home electronic equipment and systems is now necessary to insure that consumers’ home electronic equipment and E:\FR\FM\30JYR2.SGM 30JYR2 Federal Register / Vol. 89, No. 146 / Tuesday, July 30, 2024 / Rules and Regulations khammond on DSKJM1Z7X2PROD with RULES2 systems will not be subject to malfunction due to [radio frequency interference]. 146. Congress envisioned ‘‘home electronic equipment and systems’’ to include not only radio and television sets, but all types of electronics and their supporting systems used by consumers. Examples given by Congress were home burglar alarms, security systems, automatic garage door openers, record turntables, and sound systems. Congress clearly foresaw interference and disruption to consumer equipment and the systems that equipment was connected to as within the ambit of section 302 when it gave the Commission ‘‘exclusive jurisdiction’’ over matters involving radio frequency interference. The many alternatives available to the Commission to accomplish its duty under section 302 include directing manufacturers to meet ‘‘certain minimal standards’’ or utilizing labels. 147. We additionally conclude that our section 302(a) authority to adopt ‘‘reasonable regulations’’ governing the interference potential of devices capable of causing RF interference empowers us to choose specific approaches that advance goals of the Act in addition to the core concerns in section 302(a)(1) and (2). For one, as widely supported in the record, we rely on NIST’s recommended IoT criteria (the NIST Core Baseline) as the foundation for the cybersecurity requirements to be applied under the IoT Labeling Program. Even if some elements or applications of those criteria could advance policies or interests in addition to guarding against the risk that exploited vulnerabilities in internet-connected wireless consumer IoT products could cause harmful interference, it would be neither prudent nor workable to try to segregate or disaggregate that package of criteria in an effort to isolate some product capabilities from others in an effort to narrow the Program’s focus. To the contrary, maintaining the integrity of the cohesive package of NIST criteria advances the directive in section 302(a) to address the interference potential of wireless devices through ‘‘reasonable regulations.’’ Commenters point out, for example, that even when harmful interference to IoT products from cyberattacks ‘‘is not necessarily the traditional form of interference caused by devices operating in frequencies and at power levels not approved by the Commission[,]’’ it can implicate statutory policy concerns nonetheless. Under the circumstances here, we thus find it ‘‘reasonable’’ for our IoT Labeling Program to rely on the full package of IoT cybersecurity criteria that guard VerDate Sep<11>2014 16:59 Jul 29, 2024 Jkt 262001 against the risk that the covered products cause harmful interference, and also guard against the risk of interference to those covered products— even in the case of non-RF interference—consistent with the policy goals underlying provisions such as sections 302(a) and 333 and of the Act. Our understanding of the reasonableness of our approach here also is informed by the public safety and national security goals in sections 1 and 4(n) of the Act. Thus, although we do not rely on additional provisions beyond section 302 as authority for the voluntary IoT Labeling Program we adopt in the Order, they inform our understanding of what regulatory approach to implementing section 302(a) is reasonable under these circumstances.27 148. Comcast also cites the legislative history of section 302(a) in support of our authority to establish an IoT Labeling Program. Congress agreed with a letter from the Commission that initial language that would have restricted section 302(a) to devices that cause harmful interference to ‘‘‘commercial, aircraft, and public safety’ radio communications’’ was too narrow. Congress instead adopted the current language: ‘‘reasonable regulations . . . consistent with the public interest, convenience, and necessity.’’ The Commission’s authority under section 302 was designed by Congress to be ‘‘sufficiently broad to permit it to formulate rules relating to any service where interference from these devices is a serious problem.’’ Such language, it was believed, would be ‘‘sufficiently broad to permit it to formulate rules relating to any service where interference from these devices is a serious problem.’’ We conclude that a voluntary program with minimum standards to prevent radio interference to consumer IoT products is consistent with the text and history of section 302. 149. Further, we have previously imposed security requirements that prevent unauthorized parties from accessing and alerting technology to cause radio interference under our section 302 authority. In 2020, we required that access points to automated frequency coordination systems were secure so unauthorized parties could not alter the list of available frequencies and power levels sent to an access point. We agree with Comcast that our previous actions requiring end user devices to ‘‘contain security features 27 Because we conclude that section 302 of the Act authorizes our actions in the Order, we defer consideration of other sources of authority that the Communications Act may grant the Commission over this area. PO 00000 Frm 00031 Fmt 4701 Sfmt 4700 61271 sufficient to protect against modification of software and firmware by any unauthorized parties’’ and actions to secure unlicensed national information infrastructure devices are sufficiently analogous to this proceeding as to be supported by our section 302 authority. 150. Finally, consistent with our tentative conclusion in the IoT Labeling NPRM, we find that our section 302 authority enables us to rely on third parties in carrying out the implementation details of our Program. As the Commission pointed out in the NPRM, section 302(e) of the Act authorizes the Commission to delegate equipment testing and certification to private laboratories, and the Commission already has relied in part on third parties in carrying out its equipment authorization rules that likewise implement section 302 of the Act. II. Incorporation by Reference 151. These final rules include regulatory text that is incorporated by reference. In accordance with requirements of 1 CFR 51.5, the Commission describes the incorporated materials here. These final rules are incorporating by reference the following ISO/IEC standards: ISO/IEC 17011:2017(E), Conformity assessment—Requirements for accreditation bodies accrediting conformity assessment bodies, Second Edition, November 2017, ISO/IEC 17025:2017(E), General requirements for the competence of testing and calibration laboratories, Third Edition, November 2017, and ISO/IEC 17065:2012(E), Conformity assessment—Requirements for bodies certifying products, processes and services, First Edition, 2012–09–15, which establish international standards requirements for accreditation bodies accrediting conformity assessment bodies; general requirements for testing and calibration laboratories; and conformity assessment requirements for certifying products, processes, and services; respectively. Copies of these standards are available for purchase from the American National Standards Institute (ANSI) through its NSSN operation (www.nssn.org) at Customer Service, American National Standards Institute, 25 West 43rd Street, New York, NY 10036, telephone (212) 642– 4900. III. Procedural Matters 152. Paperwork Reduction Act. This document contains new and modified information collection requirements subject to the Paperwork Reduction Act of 1995 (PRA), Public Law 104–13. It E:\FR\FM\30JYR2.SGM 30JYR2 khammond on DSKJM1Z7X2PROD with RULES2 61272 Federal Register / Vol. 89, No. 146 / Tuesday, July 30, 2024 / Rules and Regulations will be submitted to the Office of Management and Budget (OMB) for review under section 3507(d) of the PRA. OMB, the general public, and other Federal agencies will be invited to comment on the new or modified information collection requirements contained in this proceeding. In addition, we note that pursuant to the Small Business Paperwork Relief Act of 2002, Public Law 107–198, see 44 U.S.C. 3506(c)(4), we previously sought specific comment on how the Commission might further reduce the information collection burden for small business concerns with fewer than 25 employees. 153. In this document, we have assessed the effects of the operational framework for a voluntary IoT cybersecurity labeling program. Since the IoT Labeling Program is voluntary, small entities who do not participate in the IoT Labeling Program will not be subject to any new or modified reporting, recordkeeping, or other compliance obligations. Small entities that choose to participate in the IoT Labeling Program by seeking authority to affix the Cyber Trust Mark on their products will incur recordkeeping and reporting as well as other obligations that are necessary to test their IoT products to demonstrate compliance with the requirements we adopt in the Order. We find that, for the Cyber Trust Mark to have meaning for consumers, the requirements for an IoT product to receive the Cyber Trust Mark must be uniform for both small businesses and other entities. Thus, the Commission continues to maintain the view we expressed in the IoT Labeling NPRM, that the significance of mark integrity, and building confidence among consumers that devices and products containing the Cyber Trust Mark label can be trusted to be cyber secure, necessitates adherence by all entities participating in the IoT Labeling Program to the same rules regardless of size. 154. Regulatory Flexibility Act Analysis. A Final Regulatory Flexibility Act (FRFA) Analysis for the final rules adopted in the Order was prepared and can be found as Exhibit B of the FCC’s Report and Order, FCC 24–26, adopted March 15, 2024, at this link: https:// docs.fcc.gov/public/attachments/FCC24-26A1.pdf. 155. OPEN Government Data Act. The OPEN Government Data Act requires agencies to make ‘‘public data assets’’ available under an open license and as ‘‘open Government data assets,’’ i.e., in machine-readable, open format, unencumbered by use restrictions other than intellectual property rights, and VerDate Sep<11>2014 16:59 Jul 29, 2024 Jkt 262001 based on an open standard that is maintained by a standards organization. This requirement is to be implemented ‘‘in accordance with guidance by the Director’’ of the OMB. The term ‘‘public data asset’’ means ‘‘a data asset, or part thereof, maintained by the Federal Government that has been, or may be, released to the public, including any data asset, or part thereof, subject to disclosure under the Freedom of Information Act (FOIA).’’ A ‘‘data asset’’ is ‘‘a collection of data elements or data sets that may be grouped together,’’ and ‘‘data’’ is ‘‘recorded information, regardless of form or the media on which the data is recorded.’’ We delegate authority, including the authority to adopt rules, to the Bureau, in consultation with the agency’s Chief Data Officer and after seeking public comment to the extent it deems appropriate, to determine whether to make publicly available any data assets maintained or created by the Commission within the meaning of the OPEN Government Act pursuant to the rules adopted herein, and if so, to determine when and to what extent such information should be made publicly available. Such data assets may include assets maintained by a CLA or other third party, to the extent the Commission’s control or direction over those assets may bring them within the scope of the OPEN Government Act, as interpreted in the light of guidance to be issued by OMB.28 In doing so, the Bureau shall take into account the extent to which such data assets are subject to disclosure under the FOIA. 156. People with Disabilities. To request materials in accessible formats for people with disabilities (braille, large print, electronic files, audio format), send an email to fcc504@fcc.gov or call the Consumer & Governmental Affairs Bureau at 202–418–0530 (voice). IV. Ordering Clauses 157. Accordingly, it is ordered that pursuant to the authority contained in sections 1, 2, 4(i), 4(n), 302, 303(r), 312, 333, and 503, of the Communications Act of 1934, as amended, 47 U.S.C. 151, 152, 154(i), 154(n), 302a, 303(r), 312, 333, 503; the IoT Cybersecurity Improvement Act of 2020, 15 U.S.C. 278g–3a through 278g–3e; the Report and Order is hereby adopted. 158. It is further ordered that the Office of the Managing Director, Performance Program Management, SHALL SEND a copy of the Report and Order in a report to be sent to Congress and the Government Accountability PO 00000 28 OMB has not yet issued final guidance. Frm 00032 Fmt 4701 Sfmt 4700 Office pursuant to the Congressional Review Act, see 5 U.S.C. 801(a)(1)(A). List of Subjects in 47 CFR Part 8 Communications, Consumer protection, Cybersecurity, Electronic products, Incorporation by reference, internet, Labeling, Product testing and certification, Telecommunications. Federal Communications Commission Marlene Dortch, Secretary. Final Rules For the reasons discussed in the preamble, the Federal Communications Commission amends 47 CFR subchapter A as follows: ■ 1. Under the authority of 47 U.S.C. 151, 152, 153, 154(i)–(j), 160, 163, 201, 202, 206, 207, 208, 209, 214, 215, 216, 217, 218, 219, 220, 230, 251, 254, 256, 257, 301, 303, 304, 307, 309, 310, 312, 316, 332, 403, 501, 503, 522, 1302, revise the heading for subchapter A to read as follows: Subchapter A—General PART 8—SAFEGUARDING AND SECURING THE INTERNET 2. The authority citation for part 8 continues to read as follows: ■ Authority: 47 U.S.C. 151, 152, 153, 154, 163, 201, 202, 206, 207, 208, 209, 216, 217, 257, 301, 302a, 303, 304, 307, 309, 312, 316, 332, 403, 501, 503, 522, 1302, 1753. 3. Revise the heading for part 8 to read as set forth above. ■ §§ 8.1, 8.2, 8.3, and 8.6 Subpart A] [Designated as 4. Designate §§ 8.1, 8.2, 8.3, and 8.6 as subpart A. ■ 5. Add a heading for newly designated subpart A to read as follows: ■ Subpart A—Protections for internet Openness ■ 6. Add subpart B to read as follows: Subpart B—Cybersecurity Labeling Program for IoT Products Sec. 8.201 Incorporation by reference. 8.202 Basis and purpose. 8.203 Definitions. 8.204 Prohibition on use of the FCC IoT Label on products produced by listed sources. 8.205 Cybersecurity labeling authorization. 8.206 Identical defined. 8.207 Responsible party. 8.208 Application requirements. 8.209 Grant of authorization to use FCC IoT Label. 8.210 Dismissal of application. 8.211 Denial of application. 8.212 Review of CLA decisions. E:\FR\FM\30JYR2.SGM 30JYR2 Federal Register / Vol. 89, No. 146 / Tuesday, July 30, 2024 / Rules and Regulations 8.213 Limitations on grants to use the FCC IoT Label. 8.214 IoT product defect and/or design change. 8.215 Retention of records. 8.216 Termination of authorization to use the FCC IoT Label. 8.217 CyberLABs. 8.218 Recognition of CyberLAB accreditation bodies. 8.219 Approval/recognition of Cybersecurity Label Administrators. 8.220 Requirements for CLAs. 8.221 Requirements for the Lead Administrator. 8.222 Establishment of an IoT Registry. Subpart B—Cybersecurity Labeling Program for IoT Products § 8.201 Incorporation by reference. khammond on DSKJM1Z7X2PROD with RULES2 Certain material is incorporated by reference into this subpart with the approval of the Director of the Federal Register in accordance with 5 U.S.C. 552(a) and 1 CFR part 51. All approved incorporation by reference (IBR) material is available for inspection at the Federal Communications Commission (FCC or Commission) and at the National Archives and Records Administration (NARA). Contact the FCC at the address indicated in 47 CFR 0.401(a), phone: (202) 418–0270. For information on the availability of this material at NARA, visit www.archives.gov/federal-register/cfr/ ibr-locations or email fr.inspection@ nara.gov. The material may be obtained from the International Electrotechnical Commission (IEC), IEC Central Office, 3, rue de Varembe, CH–1211 Geneva 20, Switzerland, Email: inmail@iec.ch, www.iec.ch. (a) ISO/IEC 17011:2017(E), Conformity assessment—Requirements for accreditation bodies accrediting conformity assessment bodies, Second Edition, November 2017; IBR approved for § 8.217. (b) ISO/IEC 17025:2017(E), General requirements for the competence of testing and calibration laboratories, Third Edition, November 2017; IBR approved for §§ 8.217; 8.220. (c) ISO/IEC 17065:2012(E), Conformity assessment—Requirements for bodies certifying products, processes and services, First Edition, 2012–09–15; IBR approved for § 8.220. Note 1 to § 8.201: The standards listed in this section are co-published with the International Organization for Standardization (ISO), 1, ch. De la VoieCreuse, CP 56, CH–1211, Geneva 20, Switzerland; www.iso.org; Tel.: + 41 22 749 01 11; Fax: + 41 22 733 34 30; email: central@ iso.org. Note 2 to § 8.201: ISO publications can also be purchased from the American National VerDate Sep<11>2014 16:59 Jul 29, 2024 Jkt 262001 Standards Institute (ANSI) through its NSSN operation (www.nssn.org), at Customer Service, American National Standards Institute, 25 West 43rd Street, New York, NY 10036, telephone (212) 642–4900. § 8.202 Basis and purpose. In order to elevate the Nation’s cybersecurity posture and provide consumers with assurances regarding their baseline cybersecurity, thereby addressing risks of harmful radiofrequency interference to and from consumer internet-connected (Internet of Things or IoT) products the Federal Communications Commission establishes a labeling program for consumer IoT products. § 8.203 Definitions. (a) Affiliate. For purposes of this subpart and the IoT labeling program, an affiliate is defined as a person that (directly or indirectly) owns or controls, is owned or controlled by, or is under common ownership or control with, another person. For purposes of this subpart, the term own means to own an equity interest (or the equivalent thereof) of more than 10 percent. (b) Consumer IoT products. IoT products intended primarily for consumer use, rather than enterprise or industrial use. Consumer IoT products exclude medical devices regulated by the U.S. Food and Drug Administration (FDA) and excludes motor vehicles and motor vehicle equipment regulated by the National Highway Traffic Safety Administration (NHTSA). (c) Cybersecurity Label Administrator (CLA). An accredited third-party entity that is recognized and authorized by the Commission to manage and administer the labeling program in accordance with the Commission’s rules in this subpart. (d) Cybersecurity Testing Laboratory (CyberLAB). Accredited third-party entities recognized and authorized by a CLA to assess consumer IoT products for compliance with requirements of the labeling program. (e) Cyber Trust Mark. A visual indicator indicating a consumer IoT product complies with program requirements of the labeling program and the Commission’s minimum cybersecurity requirements in this subpart. (f) FCC IoT Label. A binary label displayable with a consumer IoT product complying with program requirements of the labeling program, the binary label bearing the Cyber Trust Mark, and a scannable QR code that directs consumers to a registry containing further information on the complying consumer IoT product. PO 00000 Frm 00033 Fmt 4701 Sfmt 4700 61273 (g) Intentional radiator. A device that intentionally generates and emits radiofrequency energy by radiation or induction. (h) Internet-connected device. A device capable of connecting to the internet and exchanging data with other devices or centralized systems over the internet. (i) IoT device. (1) An internetconnected device capable of intentionally emitting radiofrequency energy that has at least one transducer (sensor or actuator) for interacting directly with the physical world; coupled with (2) At least one network interface (e.g., Wi-Fi, Bluetooth) for interfacing with the digital world. (j) IoT product. An IoT device and any additional product components (e.g., backend, gateway, mobile app) that are necessary to use the IoT device beyond basic operational features, including data communications links to components outside this scope but excluding those external components and any external third-party components that are outside the manufacturer’s control. (k) Labeling program. A voluntary program for consumer IoT products that allows a complying consumer IoT product to display an FCC IoT Label. (l) Lead Administrator. A CLA selected from among Cybersecurity Label Administrators (CLAs) to be responsible for carrying out additional administrative responsibilities of the labeling program. (m) Product components. Hardware devices, plus supporting components that generally fall into three main types per NISTIR 8425: specialty networking/ gateway hardware (e.g., a hub within the system where the IoT device is used); companion application software (e.g., a mobile app for communicating with the IoT device); and backends (e.g., a cloud service, or multiple services, that may store and/or process data from the IoT device). Should a product component also support other IoT products through alternative features and interfaces, these alternative features and interfaces may, through risk-assessment, be considered as separate from and not part of the IoT product for purposes of authorization. (n) Registry. Information presented to consumers about consumer IoT products that comply with the program requirements of the labeling program, the registry is publicly accessible through a link from the QR Code of the FCC IoT Label displayed with the complying consumer IoT product, and containing information about the complying consumer IoT product, manufacturer of the complying E:\FR\FM\30JYR2.SGM 30JYR2 61274 Federal Register / Vol. 89, No. 146 / Tuesday, July 30, 2024 / Rules and Regulations consumer IoT product, and other information as required by the labeling program. § 8.204 Prohibition on use of the FCC IoT Label on products produced by listed sources. All consumer IoT products produced by sources listed in this subpart are prohibited from obtaining use of the FCC IoT Label under this subpart. This includes: (a) All communications equipment on the Covered List, as established pursuant to 47 CFR 1.50002; (b) All IoT products containing IoT devices or product components produced by entities listed in paragraph (c) or (d) of this section; (c) IoT devices or IoT products produced by any entity, its affiliates, or subsidiaries identified on the Covered List as producing covered equipment, as established pursuant to 47 CFR 1.50002; (d) IoT devices or IoT products produced by any entity, its affiliates, or subsidiaries identified on the Department of Commerce’s Entity List, 15 CFR part 744, supplement no. 4, and/ or the Department of Defense’s List of Chinese Military Companies, U.S. Department of Defense, Entities Identified as Chinese Military Companies Operating in the United States in Accordance with Section 1260H of the William M. (‘‘Mac’’) Thornberry National Defense Authorization Act for Fiscal Year 2021 (Pub. L. 116–283), Tranche 2 (2022), https://media.defense.gov/2022/Oct/05/ 2003091659/-1/-1/0/ 1260H%20COMPANIES.PDF. and (e) Products produced by any entity owned or controlled by or affiliated with any person or entity that has been suspended or debarred from receiving Federal procurements or financial awards, to include all entities and individuals published as ineligible for award on the General Service Administration’s System for Award Management. khammond on DSKJM1Z7X2PROD with RULES2 § 8.205 Cybersecurity labeling authorization. (a) Cybersecurity labeling authorization is an authorization issued by a Cybersecurity Label Administrator (CLA) and authorized under the authority of the Commission, which grants an applicant of a complying consumer IoT product to display the FCC IoT Label on the relevant packaging for the complying consumer product, based on compliance with the program requirements as determined by the CLA. (b) Cybersecurity labeling authorization attaches to all units of the complying consumer IoT product VerDate Sep<11>2014 16:59 Jul 29, 2024 Jkt 262001 subsequently marketed by the grantee that are identical (see § 8.206) to the sample determined to comply with the program requirements except for permissive changes or other variations authorized by the Commission. § 8.206 Identical defined. As used in this subpart, the term identical means identical within the variation that can be expected to arise as a result of quantity production techniques. § 8.207 Responsible party. In the case of a complying consumer IoT product that has been granted authorization to use the FCC IoT Label, the applicant to whom that grant of cybersecurity labeling authorization is issued is responsible for continued compliance with the program requirements for continued use of the FCC IoT Label. § 8.208 Application requirements. (a) An application to certify the consumer IoT product as being compliant with the labeling program shall be submitted in writing to a Cybersecurity Labeling Administrator (CLA) in the form and format prescribed by the Commission. Each application shall be accompanied by all information required by this subpart. (b) The applicant shall provide to the CLA in the application all information that the CLA requires to determine compliance with the program requirements of the labeling program. (c) The applicant will provide a declaration under penalty of perjury that all of the following are true and correct: (1) The product for which the applicant seeks to use the FCC IoT Label through cybersecurity certification meets all the requirements of the IoT labeling program. (2) The applicant is not identified as an entity producing covered communications equipment on the Covered List, established pursuant to 47 CFR 1.50002. (3) The product is not comprised of ‘‘covered’’ equipment on the Covered List. (4) The product is not produced by any entity, its affiliates, or subsidiaries identified on the Department of Commerce’s Entity List, 15 CFR part 744, supplement no. 4, and/or the Department of Defense’s List of Chinese Military Companies, U.S. Department of Defense, Entities Identified as Chinese Military Companies Operating in the United States in Accordance with Section 1260H of the William M. (‘‘Mac’’) Thornberry National Defense PO 00000 Frm 00034 Fmt 4701 Sfmt 4700 Authorization Act for Fiscal Year 2021 (Pub. L. 116–283), Tranche 2 (2022), https://media.defense.gov/2022/Oct/05/ 2003091659/-1/-1/0/ 1260H%20COMPANIES.PDF; and (5) The product is not owned or controlled by or affiliated with any person or entity that has been suspended or debarred from receiving Federal procurements or financial awards, to include all entities and individuals published as ineligible for award on the General Service Administration’s System for Award Management as described in § 8.204. (6) The applicant has taken every reasonable measure to create a securable product. (7) The applicant will, until the support period end date disclosed in the registry, diligently identify critical vulnerabilities in our products and promptly issue software updates correcting them, unless such updates are not reasonably needed to protect against security failures. (8) The applicant will not elsewhere disclaim or otherwise attempt to limit the substantive or procedural enforceability of this declaration or of any other representations and commitments made on the FCC IoT Label or made for purposes of acquiring or maintaining authorization to use it. (d) The applicant shall provide a written and signed declaration to the CLA that all statements it makes in the application are true and correct to the best of its knowledge and belief. (e) Each application, including amendments thereto, and related statements of fact and authorizations required by the Commission, shall be signed by the applicant or their authorized agent. (f) The applicant declares the product is reasonably secure and will be updated through minimum support period for the product and the end date of the support period must be disclosed. (g) The applicant shall declare under penalty of perjury that the consumer IoT product for which the applicant is applying for participation in the labeling program is not prohibited pursuant to § 8.204. (h) If the identified listed sources under § 8.204 are modified after the date of the declaration required by paragraph (c) of this section but prior to grant of authorization to use the FCC IoT Label, then the applicant shall provide a new declaration as required by paragraph (c). (i) The applicant shall designate an agent located in the United States for the purpose of accepting service of process on behalf of the applicant. (1) The applicant shall provide a written attestation: E:\FR\FM\30JYR2.SGM 30JYR2 Federal Register / Vol. 89, No. 146 / Tuesday, July 30, 2024 / Rules and Regulations (i) Signed by both the applicant and its designated agent for service of process, if different from the applicant; (ii) Acknowledging the applicant’s consent and the designated agent’s obligation to accept service of process in the United States for matters related to the applicable product, and at the physical U.S. address and email address of its designated agent; and (iii) Acknowledging the applicant’s acceptance of its obligation to maintain an agent for service of process in the United States for no less than one year after either the grantee has permanently terminated all marketing and importation of the applicable equipment within the U.S., or the conclusion of any Commission-related administrative or judicial proceeding involving the product, whichever is later. (2) An applicant located in the United States may designate itself as the agent for service of process. (j) Technical test data submitted to the CLA shall be signed by the person who performed or supervised the tests. The person signing the test data shall attest to the accuracy of such data. The CLA may require the person signing the test data to submit a statement showing that they are qualified to make or supervise the required measurements. (k) Signed, as used in this section, means an original handwritten signature or any symbol executed or adopted by the applicant or CLA with the intent that such symbol be a signature, including symbols formed by computergenerated electronic impulses. khammond on DSKJM1Z7X2PROD with RULES2 § 8.209 Grant of authorization to use FCC IoT Label. (a) A CLA will grant cybersecurity labeling authorization if it finds from an examination of the application and supporting data, or other matter which it may officially notice, that the consumer IoT product complies with the program requirements. (b) Grants will be made in writing showing the effective date of the grant. (c) Cybersecurity certification shall not attach to any product, nor shall any use of the Cyber Trust Mark be deemed effective, until the application has been granted. (d) Grants will be effective from the date of authorization. (e) The grant shall identify the CLA granting the authorization and the Commission as the issuing authority. (f) In cases of a dispute, the Commission will be the final arbiter. § 8.210 Dismissal of application. (a) An application that is not in accordance with the provisions of this subpart may be dismissed. VerDate Sep<11>2014 16:59 Jul 29, 2024 Jkt 262001 (b) Any application, upon written request signed by the applicant or their agent, may be dismissed prior to a determination granting or denying the authorization requested. (c) If an applicant is requested to submit additional documents or information and fails to submit the requested material within the specified time period, the application may be dismissed. § 8.211 Denial of application. If the CLA is unable to make the findings specified in § 8.209(a), it will deny the application. Notification of the denial to the applicant will include a statement of the reasons for the denial. § 8.212 Review of CLA decisions. (a) Seeking review from a CLA. Any party aggrieved by an action taken by a CLA must first seek review from the CLA. The CLA should respond to appeals of their decisions in a timely manner and within 10 business days of receipt of a request for review. (b) Seeking review from the Commission. A party aggrieved by an action taken by a CLA may, after seeking review by the CLA, seek review from the Commission. (c) Filing deadlines. (1) An aggrieved party seeking review of a CLA decision by the CLA shall submit such a request within sixty (60) days from the date the CLA issues a decision. Such request shall be deemed submitted when received by the CLA. (2) An aggrieved party seeking review of a CLA decision by the Commission shall file such a request within sixty (60) days from the date the CLA issues a decision on the party’s request for review. Parties must adhere to the time periods for filing oppositions and replies set forth in 47 CFR 1.45. (d) Review by the Public Safety and Homeland Security Bureau or the Commission. (1) Requests for review of CLA decisions that are submitted to the Federal Communications Commission shall be considered and acted upon by the Public Safety and Homeland Security Bureau; provided, however, that requests for review that raise novel questions of fact, law or policy shall be considered by the full Commission. (2) An aggrieved party may seek review of a decision issued under delegated authority by the Public Safety and Homeland Security Bureau pursuant to the rules set forth in 47 CFR part 1. (e) Standard of review. (1) The Public Safety and Homeland Security Bureau shall conduct de novo review of request for review of decisions issued by the CLA. PO 00000 Frm 00035 Fmt 4701 Sfmt 4700 61275 (2) The Federal Communications Commission shall conduct de novo review of requests for review of decisions by the CLA that involve novel questions of fact, law, or policy; provided, however, that the Commission shall not conduct de novo review of decisions issued by the Public Safety and Homeland Security Bureau under delegated authority. (f) Time periods for Commission review of CLA decisions. (1) The Public Safety and Homeland Security Bureau shall, within forty-five (45) days, take action in response to a request for review of a CLA decision that is properly before it. The Public Safety and Homeland Security Bureau may extend the time period for taking action on a request for review of a CLA decision for a period of up to ninety days. The Commission may also at any time, extend the time period for taking action of a request for review of a CLA decision pending before the Public Safety and Homeland Security Bureau. (2) The Commission shall issue a written decision in response to a request for review of a CLA decision that involves novel questions of fact, law, or policy within forty-five (45) days. The Commission may extend the time period for taking action on the request for review of a CLA decision. The Public Safety and Homeland Security Bureau also may extend action on a request for review of a CLA decision for a period of up to ninety days. (g) No authorization pending CLA review. While a party seeks review of a CLA decision, they are not authorized to use the FCC IoT Label until the Commission issues a final decision authorizing their use of the FCC IoT Label. § 8.213 Limitations on grants to use the FCC IoT Label. (a) A grant of authorization to use the FCC IoT Label remains effective until set aside, revoked or withdrawn, rescinded, surrendered, or a termination date is otherwise established by the Commission. (b) No person shall, in any advertising matter, brochure, etc., use or make reference to the FCC IoT Label or the Cyber Trust Mark in a deceptive or misleading manner. § 8.214 IoT product defect and/or design change. When a complaint is filed directly with the Commission or submitted to the Commission by the Lead Administrator or other party concerning a consumer IoT product being noncompliant with the labeling program, and the Commission determines that the E:\FR\FM\30JYR2.SGM 30JYR2 61276 Federal Register / Vol. 89, No. 146 / Tuesday, July 30, 2024 / Rules and Regulations complaint is justified, the Commission may require the grantee to investigate such complaint and report the results of such investigation to the Commission within 20 days. The report shall also indicate what action if any has been taken or is proposed to be taken by the grantee to correct the defect, both in terms of future production and with reference to articles in the possession of users, sellers, and distributors. § 8.215 Retention of records. (a) For complying consumer IoT products granted authorization to use the FCC IoT Label, the grantee shall maintain the records listed as follows: (1) A record of the original design and specifications and all changes that have been made to the complying consumer IoT product that may affect compliance with the standards and testing procedures of this subpart. (2) A record of the procedures used for production inspection and testing to ensure conformance with the standards and testing procedures of this subpart. (3) A record of the test results that demonstrate compliance with the appropriate regulations in this chapter. (b) Records shall be retained for a two-year period after the marketing of the associated product has been permanently discontinued, or until the conclusion of an investigation or a proceeding if the grantee is officially notified that an investigation or any other administrative proceeding involving its product has been instituted. khammond on DSKJM1Z7X2PROD with RULES2 § 8.216 Termination of authorization to use the FCC IoT Label. (a) Grant of authorization to use the FCC IoT Label is automatically terminated by notice of the Bureau following submission of a report as specified in § 8.214 has not been adequately corrected: (1) For false statements or representations made either in the application or in materials or response submitted in connection therewith or in records required to be kept by § 8.215. (2) If upon subsequent inspection or operation it is determined that the consumer IoT product does not conform to the pertinent technical requirements in this subpart or to the representations made in the original application. (3) Because of conditions coming to the attention of the Commission which would warrant it in refusing to grant authorization to use the FCC IoT Label. (4) Because the grantee or affiliate has been listed as described in § 8.204. (b) [Reserved] VerDate Sep<11>2014 16:59 Jul 29, 2024 Jkt 262001 § 8.217 CyberLABs. (a) A CyberLAB providing testing of products seeking a grant of authorization to use the FCC IoT Label shall be accredited by a recognized accreditation body, which must attest that the CyberLAB has demonstrated: (1) Technical expertise in cybersecurity testing and conformity assessment of IoT devices and products. (2) Compliance with accreditation requirements based on ISO/IEC 17025 (incorporated by reference, see § 8.201). (3) Knowledge of FCC rules and procedures associated with products compliance testing and cybersecurity certification. (4) Necessary equipment, facilities, and personnel to conduct cybersecurity testing and conformity assessment of IoT devices and products. (5) Documented procedures for conformity assessment. (6) Implementation of controls to eliminate potential conflicts of interests, particularly with regard to commercially sensitive information. (7) That the CyberLAB is not an organization, its affiliates, or subsidiaries identified by the listed sources of prohibition under § 8.204. (8) That it has certified the truth and accuracy of all information it has submitted to support its accreditation. (b) Once accredited or recognized the CyberLAB will be periodically audited and reviewed to ensure they continue to comply with the requirements of the ISO/IEC 17025 standard. (c) The Lead Administrator will verify that the CyberLAB is not listed in any of the lists in § 8.204. (d) The Lead Administrator will maintain a list of accredited CyberLABs that it has recognized, and make publicly available the list of accredited CyberLAB. Inclusion of a CyberLAB on the accredited list does not constitute Commission endorsement of that facility. Recognition afforded to a CyberLAB under the labeling program will be automatically terminated for entities that are subsequently placed on the Covered List, listed sources of prohibition under § 8.204, or of it, its affiliate, or subsidiary is owned or controlled by a foreign adversary country defined by the Department of Commerce in 15 CFR 7.4. (e) In order to be recognized and included on the list in paragraph (d) of this section, the accrediting organization must submit the information in paragraphs (e)(1) through (9) of this section to the Lead Administrator: (1) Laboratory name, location of test site(s), mailing address and contact information; (2) Name of accrediting organization; PO 00000 Frm 00036 Fmt 4701 Sfmt 4700 (3) Scope of laboratory accreditation; (4) Date of expiration of accreditation; (5) Designation number; (6) FCC Registration Number (FRN); (7) A statement as to whether or not the laboratory performs testing on a contract basis; (8) For laboratories outside the United States, details of the arrangement under which the accreditation of the laboratory is recognized; and (9) Other information as requested by the Commission. (f) A laboratory that has been accredited with a scope covering the measurements required for the types of IoT products that it will test shall be deemed competent to test and submit test data for IoT products subject to cybersecurity certification. Such a laboratory shall be accredited by a Public Safety and Homeland Security Bureau-recognized accreditation organization based on ISO/IEC 17025. The organization accrediting the laboratory must be recognized by the Public Safety and Homeland Security Bureau to perform such accreditation based on ISO/IEC 17011 (incorporated by reference, see § 8.201). The frequency for reassessment of the test facility and the information that is required to be filed or retained by the testing party shall comply with the requirements established by the accrediting organization, but shall occur on an interval not to exceed two years. § 8.218 Recognition of CyberLAB accreditation bodies. (a) A party wishing to become a laboratory accreditation body recognized by the Public Safety and Homeland Security Bureau (PSHSB or Bureau) must submit a written request to the Chief of PSHSB requesting such recognition. PSHSB will make a determination based on the information provided in support of the request for recognition. (b) Applicants shall provide the information in paragraphs (b)(1) through (4) of this section as evidence of their credentials and qualifications to perform accreditation of laboratories that test equipment to Commission requirements, consistent with the requirements of § 8.217(e). PSHSB may request additional information, or showings, as needed, to determine the applicant’s credentials and qualifications. (1) Successful completion of an ISO/ IEC 17011 peer review, such as being a signatory to an accreditation agreement that is acceptable to the Commission. (2) Experience with the accreditation of conformity assessment testing laboratories to ISO/IEC 17025. E:\FR\FM\30JYR2.SGM 30JYR2 Federal Register / Vol. 89, No. 146 / Tuesday, July 30, 2024 / Rules and Regulations (3) Accreditation personnel/assessors with specific technical experience on the Commission cybersecurity certification rules and requirements. (4) Procedures and policies developed for the accreditation of testing laboratories for FCC cybersecurity certification programs. § 8.219 Approval/recognition of Cybersecurity Label Administrators. (a) An accredited third-party entity wishing to become a Cybersecurity Label Administrator (CLA) must file a written application with the Commission. The Commission may approve the written application for the accredited third-party entity to be recognized and authorized by the Commission as a CLA to manage and administer the labeling program by meeting the requirements of paragraph (b) of this section. An accredited thirdparty entity is recognized and authorized by the Commission to manage and administer the labeling program in accordance with the Commission’s rules in this subpart. (b) In the United States, the Commission, in accordance with its procedures, allows qualified accrediting bodies to accredit CLAs based on ISO/ IEC 17065 and other qualification criteria. CLAs shall comply with the requirements in § 8.220. khammond on DSKJM1Z7X2PROD with RULES2 § 8.220 Requirements for CLAs. (a) In general. CLAs designated by the Commission, or designated by another authority recognized by the Commission, shall comply with the requirements of this section. Each entity seeking authority to act as a CLA must file an application with the Commission for consideration by PSHSB, which includes a description of its organization structure, an explanation of how it will avoid personal and organizational conflict when processing applications, a description of its processes for evaluating applications seeking authority to use the FCC IoT Label, and a demonstration of expertise that will be necessary to effectively serve as a CLA including, but not limited to, the criteria in paragraph (c) of this section. (b) Methodology for reviewing applications. (1) A CLA’s methodology for reviewing applications shall be based on type testing as identified in ISO/IEC 17065 (incorporated by reference, see § 8.201). (2) A CLA’s grant of authorization to use the FCC IoT Label shall be based on the application with all the information specified in this part. The CLA shall review the application to determine compliance with the Commission’s VerDate Sep<11>2014 16:59 Jul 29, 2024 Jkt 262001 requirements in this subpart and shall issue a grant of product cybersecurity certification in accordance with § 8.208. (c) Criteria for designation. (1) To be designated as a CLA under this section, an entity shall demonstrate cybersecurity expertise and capabilities in addition to industry knowledge of IoT and IoT labeling requirements. (2) The entity shall demonstrate expert knowledge of National Institute of Standards and Technology’s (NIST) cybersecurity guidance, including but not limited to NIST’s recommended criteria and labeling program approaches for cybersecurity labeling of consumer IoT products. (3) The entity shall demonstrate expert knowledge of FCC rules and procedures associated with product compliance testing and certification. (4) The entity shall demonstrate knowledge of Federal law and guidance governing the security and privacy of agency information systems. (5) The entity shall demonstrate an ability to securely handle large volumes of information and demonstrate internal security practices. (6) To expedite initial deployment of the FCC labeling program, the Commission will accept and conditionally approve applications from entities seeking to be designated as a CLA provided they commit to obtain accreditation pursuant to all the requirements associated with ISO/IEC 17065 with the appropriate scope within six (6) months of the effective date by the adopted standards and testing procedures and otherwise meet the FCC’s IoT Labeling Program requirements. The entity must also demonstrate implementation of controls to eliminate actual or potential conflicts of interests (including both personal and organizational), particularly with regard to commercially sensitive information. The Bureau will finalize the entity’s application upon receipt and demonstration of ISO/IEC 17065 accreditation with the appropriate scope. (7) The entity is not owned or controlled by or affiliated with any entity identified on the Commission’s Covered List, listed sources of prohibition under § 8.204, or of it, its affiliate, or subsidiary is owned or controlled by a foreign adversary country defined by the Department of Commerce in 15 CFR 7.4. (8) The entity must demonstrate it has implemented controls to eliminate actual or potential conflicts of interests (including both personal and organizational), particularly with regard to commercially sensitive information, to include but not limited to, remaining PO 00000 Frm 00037 Fmt 4701 Sfmt 4700 61277 impartial and unbiased and prevent them from giving preferential treatment to certain applications (e.g., application line jumping) and from implementing heightened scrutiny of applications from entities not members or otherwise aligned with the CLA. (d) External resources. (1) In accordance with the provisions of ISO/ IEC 17065 the evaluation of a product, or a portion thereof, may be performed by bodies that meet the applicable requirements of ISO/IEC 17025, in accordance with the applicable provisions of ISO/IEC 17065 for external resources (outsourcing). Evaluation is the selection of applicable requirements and the determination that those requirements are met. Evaluation may be performed using internal CLA resources or external (outsourced) resources. (2) A CLA shall not outsource review or decision activities. (3) When external resources are used to provide the evaluation function, including the testing of products subject to labeling, the CLA shall be responsible for the evaluation and shall maintain appropriate oversight of the external resources used to ensure reliability of the evaluation. Such oversight shall include periodic audits of products that have been tested and other activities as required in ISO/IEC 17065 when a CLA uses external resources for evaluation. (e) Commission approves a CLA. (1) The Commission will approve as a CLA: (i) Any entity in the United States that meets the requirements of this section. (ii) The Commission will not approve as a CLA any organization, its affiliates, or subsidiaries listed in the listed sources of prohibition under § 8.204. (2) The Commission will withdraw its approval of a CLA if the CLA’s designation or accreditation is withdrawn, if the Commission determines there is just cause for withdrawing the approval, or upon request of the CLA. The Commission will limit the scope of products that can be certified by a CLA if its accreditor limits the scope of its accreditation or if the Commission determines there is good cause to do so. The Commission will notify a CLA in writing of its intention to withdraw or limit the scope of the CLA’s approval and provide at least 60 days for the CLA to respond. (3) The Commission will notify a CLA in writing when it has concerns or evidence that the CLA is not carrying out its responsibilities under the labeling program in accordance with the Commission’s rules in this subpart and policies and request that it explain and correct any apparent deficiencies. E:\FR\FM\30JYR2.SGM 30JYR2 khammond on DSKJM1Z7X2PROD with RULES2 61278 Federal Register / Vol. 89, No. 146 / Tuesday, July 30, 2024 / Rules and Regulations (4) The Public Safety and Homeland Security Bureau shall provide notice to the CLA that the Bureau proposes to terminate the CLA’s authority and provide the CLA a reasonable opportunity to respond (not more than 20 days) before reaching a decision on possible termination. (5) If the Commission withdraws its recognition of a CLA, all grants issued by that CLA will remain valid unless specifically set aside or revoked by the Commission. (6) A list of recognized CLAs will be published by the Commission. (f) Scope of responsibility. (1) A CLA shall receive and evaluate applications and supporting data requesting authority to use the FCC IoT Label on the product subject to the application. (2) A CLA shall grant authorization to use the FCC IoT Label with a complying consumer IoT product in accordance with the Commission’s rules in this subpart and policies. (3) A CLA shall accept test data from any Lead Administrator-recognized accredited CyberLAB, subject to the requirements in ISO/IEC 17065 and shall not unnecessarily repeat tests. (4) A CLA may establish and assess fees for processing applications and other Commission-required tasks. (5) A CLA may only act on applications that it has received or which it has issued a certification authorizing use of the FCC IoT Label. (6) A CLA shall dismiss an application that is not in accordance with the provisions of this subpart or when the applicant requests dismissal, and may dismiss an application if the applicant does not submit additional information or test samples requested by the CLA. (7) A CLA shall ensure that manufacturers make all required information accessible to the IoT registry. (8) A CLA shall participate in a consumer education campaign in coordination with the Lead Administrator. (9) A CLA shall receive complaints alleging a product bearing the FCC IoT Label does not support the cybersecurity criteria conveyed by the Cyber Trust Mark and refer these complaints to the Lead Administrator which will notify the Public Safety and Homeland Security Bureau. (10) A CLA may not: (i) Make policy, interpret unclear provisions of the statute or rules, or interpret the intent of Congress; (ii) Grant a waiver of the rules in this subpart; or (iii) Take enforcement actions. (11) All CLA actions are subject to Commission review. VerDate Sep<11>2014 16:59 Jul 29, 2024 Jkt 262001 (g) Post-market surveillance requirements. (1) In accordance with ISO/IEC 17065, a CLA shall perform appropriate post-market surveillance activities. These activities shall be based on type testing a certain number of samples of the total number of product types for which the CLA has certified use of the Label. (2) PSHSB may request that a grantee of authority to use the FCC IoT Label submit a product sample directly to the CLA that evaluated the grantee’s application as part of the post market surveillance. Any product samples requested by the Commission and tested by the CLA will be counted toward a minimum number of samples that the CLA must test to meet its post market surveillance requirements. (3) A CLA may also request a grantee submit samples of products that the CLA has certified to use the FCC IoT Label directly to the CLA. (4) If during post market surveillance of a complying consumer IoT product, a CLA determines that the product fails to comply with the technical regulations (or other FCC requirements) for that product, the CLA shall immediately notify the grantee and the Commission in writing of its findings. The grantee shall provide a report to the CLA describing the actions taken to correct the situation, as provided in § 8.216, and the CLA shall provide a report of these actions to the Commission within 30 days. (5) CLAs shall submit periodic reports to the Commission of their post-market surveillance activities and findings in a format and by a date specified by the Commission. § 8.221 Requirements for the Lead Administrator. (a) Establishing a Lead Administrator. If more than one qualified entity is selected by the Commission to be a CLA, the Commission will select a Lead Administrator. The Lead Administrator shall: (1) Interface with the Commission on behalf of the CLAs, including but not limited to submitting to the Bureau all complaints alleging a product bearing the FCC IoT Label does not meet the requirements of the Commission’s labeling program; (2) Coordinate with CLAs and moderate stakeholder meetings; (3) Accept, review, and approve or deny applications from labs seeking recognition as a lab authorized to perform the conformity testing necessary to support an application for authority to affix the FCC IoT Label, and maintain a publicly available list of Lead Administrator-recognized labs and PO 00000 Frm 00038 Fmt 4701 Sfmt 4700 a list of labs that have lost their recognition; (4) Within 90 days of election as Lead Administrator, the Lead Administrator will, in collaboration with the CLAs and stakeholders (e.g., cyber experts from industry, government, and academia): (i) Submit to the Bureau recommendations identifying and/or developing the technical standards and testing procedures for the Commission to consider with regard to at least one class of IoT products eligible for the IoT labeling program. The Bureau will evaluate the recommendations, subject to any required public notice and comment, incorporate them by reference into the Commission’s rules in this subpart; (ii) Submit to the Bureau a recommendation on how often a given class of IoT products must renew their request for authority to bear the FCC IoT Label, which may be dependent on the type of product, and that such a recommendation be submitted in connection with the relevant standards recommendations for an IoT product or class of IoT products. The Bureau will evaluate the recommendations, and if the Bureau approves of the recommendations, subject to any required public notice and comment, incorporate them by reference into the Commission’s rules in this subpart; (iii) Submit to the Bureau a recommendation on procedures for post market surveillance by the CLAs. The Bureau will evaluate the recommendations, and if the Bureau approves of the recommendations, subject to any required public notice and comment, incorporate them by reference into the Commission’s rules in this subpart; (iv) Make recommendations to the Bureau with regard to updates to the registry including whether the registry should be in additional languages, and if so, to recommend specific languages for inclusion; and (v) Submit to the Bureau recommendations on the design of the FCC IoT Label, including but not limited to labeling design and placement (e.g., size and white spaces, product packaging) and whether to include the product support end date on labels for certain products or category of products. The Bureau will evaluate the recommendations, and if the Bureau approves of the recommendations, subject to any required public notice and comment, incorporate them by reference into the Commission’s rules in this subpart; (5) Within 45 days of publication of updates or changes to NIST guidelines, or adoption by NIST of new guidelines, E:\FR\FM\30JYR2.SGM 30JYR2 Federal Register / Vol. 89, No. 146 / Tuesday, July 30, 2024 / Rules and Regulations khammond on DSKJM1Z7X2PROD with RULES2 recommend in collaboration with CLAs and other stakeholders any appropriate modifications to the labeling program standards and testing procedures to stay aligned with the NIST guidelines; (6) Submit to the Commission reports on CLAs’ post-market surveillance activities and findings in the format and by the date specified by Public Safety and Homeland Security Bureau; (7) Develop in collaboration with stakeholders a consumer education campaign, submit the plan to the Public Safety and Homeland Security Bureau, and participate in consumer education; (8) Receive complaints about the labeling program, including but not limited to consumer complaints about the registry and coordinate with manufacturers to resolve any technical problems associated with consumers accessing the information in the registry; (9) Facilitate coordination between CLAs; and (10) Submit to the Commission any other reports upon request of the Commission or as required by Commission rules in this subpart. (b) Criteria for designation. In addition to completing the CLA application information, entities seeking to be the Lead Administrator will submit a description of how they will execute the duties of the Lead Administrator, including: VerDate Sep<11>2014 16:59 Jul 29, 2024 Jkt 262001 (1) Their previous experience in IoT cybersecurity; (2) What role, if any, they have played in IoT labeling; (3) Their capacity to execute the Lead Administrator duties; (4) How they would engage and collaborate with stakeholders to identify or develop the Bureau recommendations; (5) A proposed consumer education campaign; and (6) Additional information the applicant believes demonstrates why they should be the Lead Administrator. § 8.222 Establishment of an IoT Registry. (a) A grantee of authority to use the FCC IoT Label shall provide information about the complying consumer IoT product to the public. Information supplied by grantees shall be made available in a dynamic, decentralized, publicly accessible registry through a common Application Programming Interface (API) that is secure by design. (b) A grantee of authority to use the FCC IoT Label shall publish the following information through the common API in the Registry: (1) Product Name; (2) Manufacturer name; (3) Date the product received authorization (i.e., cybersecurity certification) to affix the label and current status of the authorization (if applicable); PO 00000 Frm 00039 Fmt 4701 Sfmt 9990 61279 (4) Name and contact information of the CLA that authorized use of the FCC IoT Label; (5) Name of the lab that conducted the conformity testing; (6) Instructions on how to change the default password (specifically state if the default password cannot be changed); (7) Information (or link) for additional information on how to configure the device securely; (8) Information as to whether software updates and patches are automatic and how to access security updates/patches if they are not automatic; (9) The date until which the entity promises to diligently identify critical vulnerabilities in the product and promptly issue software updates correcting them, unless such an update is not reasonably needed to protect against cybersecurity failures (i.e., the minimum support period); alternatively, a statement that the device is unsupported and that the purchaser should not rely on the manufacturer to release security updates; (10) Disclosure of whether the manufacturer maintains a Hardware Bill of Materials (HBOM) and/or a Software Bill of Materials (SBOM); and (11) Additional data elements that the Bureau deems necessary. [FR Doc. 2024–14148 Filed 7–29–24; 8:45 am] BILLING CODE 6712–01–P E:\FR\FM\30JYR2.SGM 30JYR2

Agencies

[Federal Register Volume 89, Number 146 (Tuesday, July 30, 2024)]
[Rules and Regulations]
[Pages 61242-61279]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2024-14148]



[[Page 61241]]

Vol. 89

Tuesday,

No. 146

July 30, 2024

Part II





Federal Communications Commission





-----------------------------------------------------------------------





47 CFR Subchapter A





Cybersecurity Labeling for Internet of Things; Final Rule

Federal Register / Vol. 89 , No. 146 / Tuesday, July 30, 2024 / Rules 
and Regulations

[[Page 61242]]


-----------------------------------------------------------------------

FEDERAL COMMUNICATIONS COMMISSION

47 CFR Subchapter A

[PSHSB: PS Docket No. 23-239; FR ID 210726]


Cybersecurity Labeling for Internet of Things

AGENCY: Federal Communications Commission.

ACTION: Final rule.

-----------------------------------------------------------------------

SUMMARY: In this document, the Federal Communications Commission 
(Commission or FCC) establishes a voluntary cybersecurity labeling 
program for wireless consumer Internet of Things, or IoT, products. The 
program will provide consumers with an easy-to-understand and quickly 
recognizable FCC IoT Label that includes the U.S. Cyber Trust Mark and 
a QR code linked to a dynamic, decentralized, publicly available 
registry of more detailed cybersecurity information. This program will 
help consumers make safer purchasing decisions, raise consumer 
confidence regarding the cybersecurity of the IoT products they buy, 
and encourage manufacturers to develop IoT products with security-by-
design principles in mind.

DATES: 
    Effective date: This rule is effective August 29, 2024.
    Incorporation by reference: The incorporation by reference of 
certain material listed in the rule is approved by the Director of the 
Federal Register as of August 29, 2024.
    Compliance date: Compliance with 47 CFR 8.208, 8.209, 8.212, 8.214, 
8.215, 8.217, 8.218, 8.219, 8.220, 8.221, and 8.222 will not be 
required until the Office of Management and Budget has completed review 
under the Paperwork Reduction Act. The Commission will publish a 
document in the Federal Register announcing that compliance date.

FOR FURTHER INFORMATION CONTACT: Zoe Li, Cybersecurity and 
Communications Reliability Division, Public Safety and Homeland 
Security Bureau, (202) 418-2490, or by email to [email protected].
    For additional information concerning the Paperwork Reduction Act 
information collection requirements contained in this document, contact 
Nicole Ongele, Office of Managing Director, Performance and Program 
Management, 202-418-2991, or by email to [email protected].

SUPPLEMENTARY INFORMATION: This is a summary of the Commission's Report 
and Order, PS Docket No. 23-239, adopted March 14, 2024, and released 
March 15, 2024. The full text of this document is available by 
downloading the text from the Commission's website at: https://docs.fcc.gov/public/attachments/FCC-24-26A1.pdf. When the FCC 
Headquarters reopens to the public, the full text of this document will 
also be available for public inspection and copying during regular 
business hours in the FCC Reference Center, 45 L Street NE, Washington, 
DC 20554. To request this document in accessible formats for people 
with disabilities (e.g., Braille, large print, electronica files, audio 
format, etc.) or to request reasonable accommodations (e.g., accessible 
format documents, sign language interpreters, CART, etc.), send an 
email to [email protected] or call the FCC's Consumer and Government 
Affairs Bureau at (202) 418-0530 (voice), (202) 418-0432 (TTY).
    Congressional Review Act: The Commission has determined, and the 
Administrator of the Office of Information and Regulatory Affairs, 
Office of Management and Budget, concurs, that this rule is non-major 
under the Congressional Review Act, 5 U.S.C. 804(2). The Commission 
will send a copy of the Order to Congress and the Government 
Accountability Office pursuant to 5 U.S.C. 801(a)(1)(A).

Synopsis

    1. With the Report and Order (Order), the Commission takes prompt 
and decisive measures to strengthen the nation's cybersecurity posture 
by adopting a voluntary cybersecurity labeling program for wireless IoT 
products. The Commission's IoT Labeling Program will provide consumers 
with an easy-to-understand and quickly recognizable FCC IoT Label that 
includes the U.S. Government certification mark (referred to as the 
U.S. Cyber Trust Mark) that provides assurances regarding the baseline 
cybersecurity of an IoT product, together with a QR code that directs 
consumers to a registry with specific information about the product. 
Consumers who purchase an IoT product that bears the FCC IoT Label can 
be assured that their product meets the minimum cybersecurity standards 
of the IoT Labeling Program, which in turn will strengthen the chain of 
connected IoT products in their own homes and as part of a larger 
national IoT ecosystem. The Order will help consumers make better 
purchasing decisions, raise consumer confidence with regard to the 
cybersecurity of the IoT products they buy to use in their homes and 
their lives, and encourage manufacturers of IoT products to develop 
products with security-by-design principles in mind.
    2. In the Order, we set forth the framework by which the IoT 
Labeling Program will operate. We focus the IoT Labeling Program 
initially on IoT ``products,'' which we define to include one or more 
IoT devices and additional product components necessary to use the IoT 
device beyond basic operational features. Recognizing that a successful 
voluntary IoT Labeling Program will require close partnership and 
collaboration between industry, the Federal Government, and other 
stakeholders, we adopt an administrative framework for the IoT Labeling 
Program that capitalizes on the existing public, private, and academic 
sector work in this space, while ensuring the integrity of the IoT 
Labeling Program through oversight by the Commission.
    3. Voluntary IoT Labeling Program. We establish a voluntary IoT 
Labeling Program for wireless consumer IoT products. While 
participation is voluntary, those that choose to participate must 
comply with the requirements of the IoT Labeling Program to receive 
authority to utilize the FCC IoT Label bearing the Cyber Trust Mark. 
The IoT Labeling Notice of Proposed Rulemaking (NPRM), 88 FR 58211 
(August 25, 2023), sought comment on whether the proposed IoT Labeling 
Program should be voluntary, reasoning that ``success of a 
cybersecurity labeling program will be dependent upon a willing, close 
partnership and collaboration between the federal government, industry, 
and other stakeholders.'' The record shows substantial support for a 
voluntary approach. The Custom Electronic Design & Installation 
Association (CEDIA) suggests that IoT Labeling Program must be 
voluntary ``for the program to gain momentum in the marketplace.'' AIM, 
Inc. (AIM) suggests that the voluntary aspect of the IoT Labeling 
Program ``will help drive adoption of the label by device producers.'' 
Further, commenters suggest that a voluntary program will ensure the 
broadest reach, most efficiency, and widest access to a diversity of 
IoT technologies. We agree that a voluntary program will help drive 
adoption of the IoT Labeling Program, so that a willing, close 
partnership can be achieved. We also agree with the record that 
flexible, voluntary, risk-based best practices are the hallmarks of IoT 
security as it exists today and as it is being developed around the 
world. Additionally, we acknowledge the view that ``consumer labeling 
is a difficult undertaking in any context,'' especially

[[Page 61243]]

in the evolving area of cybersecurity, and that the ``best approach is 
to start the Program with something achievable and effective.'' We 
concur that willing participation will allow the IoT Labeling Program 
to be more easily achievable than requiring participation in a novel 
program. With the added imprimatur of a U.S. Government certification 
mark, the IoT Labeling Program will help distinguish products in the 
marketplace that meet minimum requirements and provide options to 
consumers.
    4. We reject arguments that mandating participation in the IoT 
Labeling Program is necessary. While we recognize that a voluntary IoT 
Labeling Program may cause concern that smaller businesses with limited 
resources may choose not to participate, we believe the strong 
stakeholder engagement and collaboration that we expect to result from 
willing participation, and which is vital to establishing this new 
program, outweighs these risks. Further, while we acknowledge that, at 
least in the near term, allowing the IoT Labeling Program to be 
voluntary ``could limit its adoption and impact,'' we believe this risk 
is outweighed by the benefits that a voluntary program will garner, 
such as speed to market to hasten impact, efficiency of resources, and 
the likelihood that consumer demand will drive widespread adoption over 
time.
    5. In adopting the IoT Labeling Program with the parameters 
discussed in the Order, we are establishing a collaborative effort 
between the Federal Government and relevant stakeholders in industry 
and the private sector. We emphasize that the Order is intended to 
provide the high-level programmatic structure that is reasonably 
necessary to establish the IoT Labeling Program and create the 
requirements necessary for oversight by the Commission, while 
leveraging the extensive work, labeling schemes, processes and 
relationships that have already been developed in the private sector. 
We also note that there is further development to be done by the 
private sector and other Federal agencies to implement the IoT Labeling 
Program and, as discussed below, expects many of the details not 
expressly addressed in the Order will be resolved through these 
separate efforts and by the authorities the Commission delegates to the 
Public Safety and Homeland Security Bureau (PSHSB or the Bureau).

A. Eligible Devices or Products

    6. The Order initially establishes the IoT Labeling Program for 
wireless consumer IoT products. We do not, however, foreclose the 
possibility of expanding the IoT Labeling Program in the future.
    7. The record supports adopting an IoT Labeling Program that 
encompasses consumer-focused IoT products. We focus our IoT Labeling 
Program initially on consumer IoT products, rather than enterprise or 
industrial IoT products. Because medical devices regulated by the U.S. 
Food and Drug Administration (FDA) already are subject to statutory and 
regulatory cybersecurity requirements under other Federal laws more 
specifically focused on such devices, we do not include such devices in 
our IoT Labeling Program. In addition, we exclude from this program 
motor vehicles \1\ and motor vehicle equipment (as defined in 49 U.S.C. 
30102(8) given that the National Highway Traffic Safety Administration 
(NHTSA) ``has the authority to promulgate motor vehicle safety 
regulations on cybersecurity and has enforcement authority to secure 
recalls of motor vehicles and motor vehicle equipment with a safety-
related defect, including one involving cybersecurity flaws.'' We also 
exclude from our IoT Labeling program any communications equipment on 
the Covered List that the Commission maintains pursuant to the Secure 
and Trusted Communications Networks Act and equipment produced by 
certain other entities as discussed below. Finally, our initial IoT 
Labeling Program will focus on wireless consumer IoT devices consistent 
with the core of our section 302 authority governing the interference 
potential of devices that emit radio frequency energy--and thus we 
exclude wired IoT devices at this time.
---------------------------------------------------------------------------

    \1\ Motor Vehicle ``means a vehicle driven or drawn by 
mechanical power and manufactured primarily for use on public 
streets, roads, and highways, but does not include a vehicle 
operated only on a rail line.'' 49 U.S.C. 30102(7).
---------------------------------------------------------------------------

    8. Definition of IoT Devices. Although we focus our IoT Labeling 
program on IoT ``products,'' to lay a foundation we must first address 
the definition of IoT ``devices'' because this definition is a building 
block of the IoT ``product'' definition. In this respect, we adopt the 
modified version of the National Institute of Standards and Technology 
(NIST) definition of ``IoT device'' that the Commission proposed in the 
IoT Labeling NPRM. Specifically, the IoT Labeling NPRM proposed 
defining an IoT device to include (1) an internet-connected device 
capable of intentionally emitting radio frequency (RF) energy that has 
at least one transducer (sensor or actuator) for interacting directly 
with the physical world, coupled with (2) at least one network 
interface (e.g., Wi-Fi, Bluetooth) for interfacing with the digital 
world. This definition builds on NIST's definition by adding 
``internet-connected'' as a requirement, because ``a key component of 
IoT is the usage of standard internet protocols for functionality.'' 
The modified definition adopted in the Order also adds that a device 
must be ``capable of intentionally emitting RF energy,'' because 
aspects of the Commission's authority recognizes the particular risks 
of harmful interference associated with such devices. It should be 
noted that we direct the Label Administrator to collaborate with 
Cybersecurity Label Administrators (CLAs) and other stakeholders (e.g., 
cyber experts from industry, government, and academia) as appropriate 
and recommend within 45 days of publication of updates or changes to 
NIST guidelines, or adoption by NIST of new guidelines, to the FCC any 
appropriate modifications to the Labeling Program standards and testing 
procedures to stay aligned with the NIST guidelines.
    9. The record supports this reasoning. For example, Consumer 
Reports states that ``[i]f you're going to sell a device where some of 
the benefits come from having a cloud connection, an app, and 
connectivity, then those must also be secured.'' Consumer Reports 
provides further support for the Commission's reasoning by noting that 
``connectivity may be so central to the functionality of the device 
that it may no longer be able to operate safely [without it].'' TIC 
Council Americas similarly ``agrees that `internet-connected' should be 
included in the definition of IoT devices.'' We agree with these 
arguments and adopt the modified IoT device definition requiring 
``internet-connected'' device element to assure consumers that the 
functionality of the IoT device or product displaying the Cyber Trust 
Mark is reasonably secure as well. As noted by ioXt Alliance, including 
``internet-connected'' in the definition of IoT makes ``sense if the 
program focuses on IoT products instead of devices because not all IoT 
devices are `internet-connected.' '' Because the IoT Labeling Program 
will be focused on the broader category of IoT consumer products and 
not devices, including ``internet-connected'' in the definition of IoT 
device is further justified.
    10. We disagree with commenters who argue the Commission should 
adopt the NIST definition of a device without change. We acknowledge 
that the record indicates some concern regarding the internet-connected 
element of the Commission's proposed definition; however, we find these 
concerns to be misplaced. TIC Council

[[Page 61244]]

Americas, for example, supports adding ``internet-connected'' to the 
definition, but argues that ``there are devices that are able to 
connect to non-internet connected networks, and that those devices 
should not be excluded from the program.'' While we do not foreclose 
the possibility of expanding the IoT Labeling Program to devices on 
non-internet connected networks in the future, we focus initially on 
the more common category of internet-connected consumer IoT products. 
Others argue that ``internet-connected'' is too ``situational,'' with a 
concern that the device might become ``disconnected from the internet 
and, therefore, no longer be an `IoT device.' '' We do not agree that 
``internet-connected device'' must be interpreted so narrowly as to 
exclude from the IoT Labeling Program devices that may become 
disconnected from the internet. ``internet-connected,'' in terms of the 
IoT Labeling Program, applies to the functional capability of the 
device; if the device is capable of being connected to the internet, 
the fact that it may not be connected at any given point in time does 
not exclude its eligibility for participation in the IoT Labeling 
Program. Further, any potential concerns arising from requiring an IoT 
device be ``internet-connected'' for inclusion in the IoT Labeling 
Program are outweighed by the benefit of giving consumers further 
assurance that the security of their IoT device or product extends to 
the connected functionality that a consumer expects when making such a 
purchase. In this respect, including ``internet-connected'' in the 
definition of IoT device also recognizes the highest risk functional 
component of an IoT device that distinguishes ``smart'' devices from 
other devices a consumer may use, and allows the Cyber Trust Mark to 
more effectively support consumer expectations.
    11. The record also supports adding an RF energy-emitting element 
to the IoT device definition, acknowledging the Commission's authority 
under section 302 governing the interference potential of devices that 
emit RF energy and can cause harmful interference to radio 
communications. We reject the argument that limiting the definition to 
RF-emitting devices may lead to marketplace confusion if a product does 
not bear the Cyber Trust Mark due solely to its lack of RF energy 
emissions. In the first instance, we note the need to launch an 
achievable IoT Labeling Program consistent with the Commission's core 
authority. We also note that the benefits that a focus on wireless 
products will have in elevating the overall cybersecurity posture of 
the IoT ecosystem, especially in view of the record indicating that the 
majority of IoT devices are wireless, outweigh the risks associated 
with concerns regarding marketplace confusion. In any case, there will 
be a number of products--both wired and wireless--that do not bear the 
Cyber Trust Mark while uptake occurs. We also anticipate that consumer 
education in this space will help alleviate these concerns.
    12. We further disagree with the view that the capability of a 
device to emit RF radiation is ``unrelated to the general, far-ranging 
cybersecurity concerns the Commission is confronting in this 
proceeding.'' Instead, we agree with Comcast that interference caused 
by a [distributed denial of service] attack raises ``the same policy 
concerns and has the same practical effect as interference caused by 
traditional means.'' The Electronic Privacy Information Center (EPIC) 
explains how hackers exploit unpatched vulnerabilities to attack a 
large number of wireless devices, and turning them into signal jammers 
to take down mobile networks. The record thus bears out our view that 
cybersecurity vulnerabilities in wireless IoT devices could cause 
harmful interference to radio communications. Given Congress' direction 
to the Commission in section 302 of the Act to guard against the 
interference potential of wireless devices, requiring the element of 
``emitting RF energy interference'' in the IoT device definition for 
the initial iteration of the IoT Labeling Program focuses on that core 
Commission authority without ruling out future action regarding wired 
IoT devices. Further, while we acknowledge that devices that 
unintentionally or incidentally emit RF radiation may also pose 
interference potential, we find that a focus initially on 
``intentional'' radiators provides the ability of a nascent program to 
target products with the highest risk profile from among those that 
emit RF energy.
    13. Definition of IoT Products. We adopt the NIST definition of an 
``IoT product.'' Specifically, the IoT Labeling NPRM's proposed 
definition of IoT product is an ``IoT device and any additional product 
components (e.g., backend, gateway, mobile app) that are necessary to 
use the IoT device beyond basic operational features.'' The record 
supports adopting the IoT product definition developed by NIST, with 
Garmin International, Inc. (Garmin) noting that a fundamental purpose 
of the IoT Labeling Program ``is to inform consumers regarding device 
security as they evaluate potential IoT purchases. . . . [T]his purpose 
is best achieved by focusing on `consumer IoT products' as defined by 
NIST in NISTIR 8425.'' Additionally, Kaiser Permanente states that 
adopting the NIST definition of IoT products will ``promote consistency 
across federal agency programs and related industry norms and 
requirements.'' Further, the Information Technology Industry Council 
(ITI) explained that the ``Commission's implementation of the program 
will be more successful if it aligns as closely as possible to the 
definitions, processes and procedures already outlined by NIST.'' We 
agree with these commenters, in that adopting NIST's IoT product 
definition will allow for consistency in the treatment of programmatic 
elements across the Federal Government, and allow the Commission to 
appropriately leverage the work existing in this space to promote the 
IoT Labeling Program's success. We also note that no commenters opposed 
the NIST definition of IoT products. For purposes of the IoT Labeling 
Program, when discussing IoT products and their ``components'' in the 
Order, we are using the NISTIR 8425 scoping definition of 
``components.'' We believe that this definition allows the IoT Labeling 
Program to address the most relevant ``package'' components expected by 
consumers to be securable when making purchasing decisions, and 
encompasses the appropriate level of ``component'' pieces to address 
the functionalities that generate the most salient cybersecurity 
risks.\2\ This view is supported by the record, with Consumer 
Technology Association (CTA) providing a proposed testing framework 
where ``all individual components provided by the manufacturer should 
be in scope for testing,'' including all components of the IoT product 
``that are necessary for the device to function in a normal use case 
scenario.''
---------------------------------------------------------------------------

    \2\ For purposes of the IoT Labeling Program, the NISTIR 8425 
scoping definition of ``components'' falls into three main types: 
Specialty networking/gateway hardware (e.g., a hub within the system 
where the IoT device is used); Companion application software (e.g., 
a mobile app for communicating with the IoT device); and Backends 
(e.g., a cloud service, or multiple services, that may store and/or 
process data from the IoT device). See NISTIR 8425 at 2. Our use of 
this scoping definition of ``components'' is intended only to apply 
to the IoT Labeling program. We note that Commission rules use the 
term ``components'' in a variety or contexts and different rule 
provisions, and we are not intending to affect the use of that term 
in those other contexts.
---------------------------------------------------------------------------

    14. IoT Devices vs. IoT Products. We find that the IoT Labeling 
Program should apply to ``IoT products'' as defined above, rather than 
being limited only to ``IoT devices.'' In the IoT Labeling NPRM, the 
Commission noted

[[Page 61245]]

that it was important to ensure that the IoT Labeling Program ``would 
be sufficiently inclusive to be of value to consumers.'' Since the 
Commission's adoption of the IoT Labeling NPRM, NIST has provided 
clarity in this realm by stating ``the cybersecurity technical and non-
technical outcomes defined in the NISTIR 8425 consumer profile apply to 
IoT products and not just IoT devices.'' In addition, in reviewing the 
record, we believe applying the IoT Labeling Program to IoT products 
instead of IoT devices alone achieves these priorities because only by 
addressing the full functionality of a consumer product (i.e., one or 
more IoT devices and any additional product components (e.g., backend, 
gateway, mobile app) that are necessary to use the IoT device, beyond 
basic operational features) ``including data communications links to 
components outside this scope but excluding those external components 
and any external third-party components that are outside the 
manufacturer's control'' will provide consumers the necessary scope to 
satisfy the basic security expectation of the consumer and effectuate a 
discernable increase in the cybersecurity posture of the IoT ecosystem 
at large.
    15. There is significant support in the record for an IoT product 
focus for the IoT Labeling Program. As explained by UL Solutions, 
applying the IoT Labeling Program to IoT products is necessary since 
``most IoT devices sold to consumers cannot be meaningfully used 
without additional components.'' The Cybersecurity Coalition further 
supports this position by saying ``IoT devices are typically part of a 
broader ecosystem of components that can have their own security 
issues, requiring `IoT cybersecurity' to extend beyond individual 
devices to be effective.'' ITI notes an IoT product focus benefits 
consumers because it ``will appropriately capture the relevant devices/
components of the product that could be vulnerable to attack (and are 
always included in an IoT product, as NIST points out).'' Applying the 
IoT Labeling Program to IoT products further benefits consumers by 
promoting consumer safety because it ``encourages manufacturers to 
prioritize security across all components, ultimately leading to safer 
and more reliable IoT experiences for consumers.'' Additionally, the 
record indicates that ``the entire service which includes cloud 
infrastructure as well as apps or other ways to control or manage the 
device by the user, and not simply the physical device itself, is 
critical for an assessment of safety and security.'' Further, focusing 
on IoT products aligns not only with the technical requirements of 
NISTIR 8425, but also ``emerging requirements in Europe and the UK 
[United Kingdom], such as the EU [European Union] [Cyber Resilience 
Act], and EU Directives on consumer protections EU 2019/770, 771.'' We 
agree and will apply the IoT Labeling Program to consumer IoT products, 
which provides for the greatest level of consumer benefit by 
prioritizing cybersecurity across the entirety of the consumer product, 
as compared to just the device, which is able to perform its full 
functionality only when working in conjunction with other product 
components.
    16. We disagree with Samsung, CTIA--The Wireless Association 
(CTIA), LG Electronics, and CTA, who advocate focusing on IoT devices 
instead of IoT products. Samsung and CTIA argue that cybersecurity 
standards for devices are more mature than standards for products, and 
CTA argues that applying the FCC IoT Label to products would be more 
complex than devices. LG Electronics expresses concern that expanding 
to products ``would require device manufacturers to attest to the 
security of product components that are outside of their control.'' We 
do not agree that these rationales support limiting application of the 
IoT Labeling Program only to devices, rather than products. First, 
applying the IoT Labeling Program narrowly to IoT devices would run 
counter to NIST's guidance and considerable work in this space, upon 
which the Commission has relied for the basis for the IoT Labeling 
Program proposal. NIST's Profile of the IoT Core Baseline for Consumer 
IoT Products (NISTIR 8425), discussed above, provides fundamental IoT 
guidelines and applies to the broader product category, and the more 
recent NIST IoT Product Component Requirements Essay clearly states 
that the outcomes listed in NISTIR 8425 apply to consumer IoT products 
and not just IoT devices.
    17. Further, regarding the notion that the IoT Labeling Program 
should be focused on IoT devices because existing standards for IoT 
devices are more readily available or achievable in the near term, we 
counter that the record shows existing IoT device standards can be 
leveraged to support assessing IoT products as well. As noted by 
commenter ITI, existing IoT industry standards ``capture similar 
baseline themes'' to the NIST criteria. In view of these similarities, 
the IoT Labeling Program can leverage these existing standards for IoT 
devices as building blocks, and tailor them in view of the IoT products 
being assessed. Accordingly, the need to realize the benefits of a 
product-level label weigh in favor of taking a small amount of time to 
get to product-based standards by leveraging existing device standards.
    18. We also reject the argument that because ``cybersecurity 
frameworks and testing programs have been developed to focus on device-
level--rather than product-level--assessment'' that a device-level IoT 
Labeling Program is the appropriate outcome. We note, for example, that 
ITI recommends recognizing IoT security assessments from our 
international partners, such as IoT assessments under the Cybersecurity 
Labelling Scheme (CLS) by Singapore's Cyber Security Agency, which 
assesses the overall IoT product, and not just a single device included 
in the IoT product. In this regard, the ability to recognize 
international efficiencies for IoT Labeling Program participants would 
be hindered by limiting the Cyber Trust Mark to the device level, as 
Singapore's CLS (and other evolving international standards) focus on 
product-level assessments.
    19. Finally, applying the IoT Labeling Program to products enhances 
value to consumers without requiring manufacturers to be responsible 
for products or devices that are outside of their control. The record 
shows that a consumer's expectation of security extends to the entire 
IoT product they purchase. This consumer expectation is evidenced in 
the record by ITI, clarifying that ``because consumers purchase, 
interact with, and view IoT merchandise not as component parts but as 
complete physical product . . . Consumers are primarily concerned with 
the entire physical product they are purchasing.'' Additionally, as 
noted by UL Solutions, ``most IoT devices sold to consumers cannot be 
meaningfully used without additional components.'' In view of this 
need, a manufacturer seeking authority to affix the FCC IoT Label is 
expected to secure the whole IoT product, including the product's 
internal communication links connecting the different parts of the 
product to each other as well as the product's communication links that 
connect the IoT product to the outside world. We do not require 
manufacturers to be responsible for third-party products or devices 
(including apps) that are outside of their control; \2\

[[Page 61246]]

however, where a manufacturer allows third-party apps, for example, to 
connect to and they allow that application to control their IoT 
product, such manufacturer is responsible for the security of that 
connection link and the app if such app resides on the IoT product. 
Further, we agree with CTIA that if ``a [p]roduct [c]omponent also 
support[s] other IoT Products through alternative features and 
interfaces, these alternative features and interfaces may, through 
risk-assessment, be considered as separate from and not part of the IoT 
Product for purposes of authorization.'' Moreover, NIST enumerates the 
dangers of an IoT device-only focus, establishing that the ``additional 
product components have access to the IoT device and the data it 
creates and uses-making them potential attack vectors that could impact 
the IoT device, customer, and others,'' and that ``these additional 
components can introduce new or unique risks to the IoT product.'' 
Consumer expectations that the FCC IoT Label would apply to the 
entirety of the product purchased is further highlighted by Consumer 
Reports, explaining that ``If everything is sold within a box, then 
everything in the box should be approved to use the mark.'' Consumer 
Reports also notes that ``[i]f the labeling programs were only to 
address the physical device and not other system components, consumers 
would likely be deceived as to the scope and efficacy of the program.'' 
The record is adamant that the ``Cyber Trust Mark must be trusted by 
consumers to be successful.'' In view of the record, securing only a 
portion of an IoT product by just assessing a single IoT device 
included in the IoT product, instead of assessing the devices and 
components that comprise the IoT product holistically, could deceive 
consumers and go against consumer expectation that the technology being 
brought into their homes is reasonably secure. We weigh heavily the 
likelihood for consumer confusion should the device-only approach be 
taken, and accordingly we apply this consumer IoT Labeling Program to 
IoT products and not just IoT devices.
---------------------------------------------------------------------------

    \2\ To further clarify, nothing in this item prohibits 
manufacturers from allowing product owners from installing the 
software of their choice, from disabling security features, or from 
replacing or modifying components of a product, including the 
firmware and software. An IoT manufacturer cannot be held 
responsible for the owner's decision to make such changes, just as a 
traditional product manufacturer cannot be responsible for the 
actions of a consumer who modifies the core mechanisms of a product 
and thereby risks rendering it unsafe. However, we reiterate that in 
order to be authorized to use the FCC IoT Label, manufacturers must 
meet the requirements of the program.
---------------------------------------------------------------------------

    20. In sum, although there are relative advantages and 
disadvantages with either a narrow focus on IoT devices or a broader 
focus on IoT products, on balance we are persuaded to focus our initial 
IoT Labeling Program on IoT products. As explained above, we find 
commenters' concerns about encompassing full IoT products in our IoT 
Labeling Program to be overstated. At the same time, we see significant 
shortcomings with a narrower focus just on IoT devices. Weighing the 
totality of these considerations, we are persuaded that targeting the 
IoT Labeling Program on IoT products is the best approach at this time.
    21. Consumer IoT Products vs. Enterprise IoT Products. The IoT 
Labeling Program applies to the labeling of consumer IoT products that 
are intended for consumer use, and does not include products that are 
primarily intended to be used in manufacturing, healthcare, industrial 
control, or other enterprise applications. While we do not foreclose 
expansion of the IoT Labeling Program at a later date, this initial 
scope will provide value to consumers most efficiently and expediently, 
without added complexity from the enterprise environment.
    22. The record supports the IoT Labeling Program having a consumer 
IoT focus, with support provided by UL Solutions, the Cybersecurity 
Coalition, and the Connectivity Standards Alliance (CSA), among others. 
The FDA also suggests that IoT outside of the consumer scope may need 
``[g]reater and more tailored controls,'' suggesting that different 
considerations might attend IoT with a purpose outside of that in the 
routine consumer realm. Additionally, commenters highlight the 
differing security needs of consumer and enterprise products. For 
example, UL Solutions notes that ``IoT products intended for commercial 
or industrial settings are exposed to different types of threats than 
consumer products and often carry higher risk if breach, which 
necessitates different requirements.'' CSA also highlights that 
``[e]nterprise device security approaches are often customized and vary 
based on the specific needs of the business.'' We agree that applying 
the IoT Labeling Program to consumer IoT products will reduce 
complexity, which will bolster the likelihood of success when starting 
the new IoT Labeling Program.
    23. The International Speech and Communication Association (ISCA) 
supports including enterprise IoT, stating that a broader scope will 
ensure the IoT Labeling Program remains flexible to the extent that the 
boundary between consumer and enterprise IoT is blurring. Further, ISCA 
and Abhishek Bhattacharyya note that attackers have more to gain from 
targeting enterprise settings. While there are considerable threat 
vectors and vulnerabilities associated with all classes of IoT 
products,\3\ we agree with Everything Set, Inc., that focusing the IoT 
Labeling Program on household use of IoT products will be more useful 
and have greater impact, given that enterprises tend to have more time, 
resources, and expertise to devote to network security. They note 
further that many small- and medium-sized businesses also buy consumer 
devices, so a consumer-focused Cyber Trust Mark would be of utility to 
them, as well. We believe in the near term that a consumer focus will 
provide the most initial impact, and create a level of recognition and 
trust in the Cyber Trust Mark itself as the IoT Labeling Program 
progresses that could be leveraged to enterprise IoT at a later time, 
and we therefore defer consideration of the IoT Labeling Program's 
expansion.
---------------------------------------------------------------------------

    \3\ There are many types IoT devices and products, which may be 
divided into various categories or classes based on their purpose, 
application, and functionality. These classes of IoT devices and 
products include smart home (e.g., smart thermostats, smart lights, 
smart locks, smart cameras), wearables (e.g., fitness trackers, 
smart watches), and Healthcare (e.g., remote patient monitoring 
devices, smart medical equipment). It is worth noting that not all 
IoT devices or products are created equal, in terms of features, 
security and the level of risk they present. Additionally, from 
security standpoint, an IoT product that is appropriate for consumer 
or home use may not be suitable for industrial or enterprise 
environment. These differences suggest the need for different 
security standards that distinguish between low-risk, medium-risk 
and high-risk applications. Our approach to identifying the specific 
cybersecurity standards to apply enables us to appropriately account 
for that in the case of particular wireless consumer products (or 
categories of such products) in our initial implementation of the 
IoT Labeling Program.
---------------------------------------------------------------------------

    24. Exclusion of Certain Devices/Products. As an initial matter, we 
exclude from the IoT Labeling Program medical devices regulated by the 
U.S. Food and Drug Administration (FDA). The Center for Devices and 
Radiological Health (within the FDA) expresses concern that the 
Commission's labeling IoT Labeling Program may lack controls and 
minimum criteria that it believes are necessary for IoT medical 
devices. In addition, the FDA is concerned that including medical 
devices in the IoT Labeling Program may cause consumer confusion and 
``potentially creates conflict where product manufacturers attempt to 
both qualify for the Cyber Trust Mark and comply with existing 
statutory and regulatory cybersecurity requirements under other federal 
laws, such as the Federal Food, Drug, and Cosmetic Act (FD&C Act).'' 
These considerations persuade us to exclude FDA-regulated medical 
devices from our IoT Labeling Program, consistent with commenters' 
recommendations. In

[[Page 61247]]

addition, we exclude from this program motor vehicles and motor vehicle 
equipment given that the National Highway Traffic Safety Administration 
(NHTSA) ``has the authority to promulgate motor vehicle safety 
regulations on cybersecurity and has enforcement authority to secure 
recalls of motor vehicles and motor vehicle equipment with a safety-
related defect, including one involving cybersecurity flaws.''
    25. Exclusion of Devices/Products Produced by Certain Entities. We 
adopt the following measures to promote national security in connection 
with the IoT Labeling Program. The IoT Labeling NPRM proposed to 
exclude from the IoT Labeling Program (1) any communications equipment 
on the Covered List maintained by the Commission pursuant to section 2 
of the Secure and Trusted Communications Networks Act (STCNA); (2) any 
IoT device produced by an entity identified on the Covered List (i.e., 
an entity named or any of its subsidiaries or affiliates) as producing 
``covered'' equipment; and (3) any device or product from a company 
named on certain other lists maintained by other Federal agencies that 
represent the findings of a national security review. We now adopt all 
of these prohibitions as they relate to our decision to focus the IoT 
Labeling Program on consumer IoT products. Thus, any communications 
equipment identified on the Covered List, now or in the future, will be 
ineligible for the IoT Labeling Program, and any such product will be 
denied approval to use the Cyber Trust Mark. Furthermore, any 
additional products produced by an entity identified on the Covered 
List as producing ``covered'' equipment, or any product containing 
devices or product components produced by such an entity, will be 
ineligible for the IoT Labeling Program; this would include products 
that may not fit within the definition of ``communications equipment'' 
under STCNA. Only entities identified on the Covered List as producers 
of ``covered'' equipment--not those on the Covered List only because of 
their ``covered'' services--are subject to this prohibition. In 
addition, we adopt the proposal that IoT devices or products containing 
devices manufactured by companies named on the Department of Commerce's 
Entity List, named on the Department of Defense's List of Chinese 
Military Companies, or suspended or debarred from receiving Federal 
procurements or financial awards, including those published as 
ineligible for award on the General Service Administration's System for 
Award Management, will not be authorized to display the FCC IoT Label 
or participate in the IoT Labeling Program. Further, we exclude from 
the IoT Labeling Program any products containing devices produced or 
manufactured by these entities. We conclude that inclusion on these 
lists represents a determination by an agency charged with making 
national security determinations that a company's products lack the 
indicia of trustworthiness that the Cyber Trust Mark is intended to 
represent. Our action here thus supports and reinforces the steps we 
have taken in other proceedings to safeguard consumers and 
communications networks from equipment that poses an unacceptable risk 
to national security and that other Federal agencies have taken to 
identify potential concerns that could seriously jeopardize the 
national security and law enforcement interests of the United States.
    26. With the exception of China's comments raising the same World 
Trade Organization (WTO) issue we rejected in the Report and Order 
applying the Covered List to the FCC equipment authorization program, 
the record overwhelmingly supports excluding from the IoT Labeling 
Program these products and devices produced by companies identified on 
the Covered List. Additionally, USTelecom, CTIA, CTA, Cybersecurity 
Coalition and Consumer Reports specifically support excluding from the 
IoT Labeling Program IoT devices that are manufactured by companies on 
the Covered List, but also urge the Commission to restrict any 
equipment manufactured by companies on additional Federal restricted 
lists, including those otherwise banned from Federal procurement. 
Consumer Reports agrees with excluding systems that include components 
included on the Covered List or similar lists from the IoT Labeling 
Program. Each of these lists represent the determination by relevant 
Federal agencies that the entities on the list may pose a national 
security threat within their respective areas, and as such we find that 
we cannot separately sanction their products as trustworthy via the IoT 
Labeling Program. While each list is designed to support specific 
prohibitions, their use here only excludes their contents from a 
voluntary program representing U.S. Government assessment of their 
security and does not prohibit any other use. Insofar as the FCC IoT 
Label reflects the FCC's signal to consumers about cybersecurity, it is 
reasonable for the FCC to take a cautious approach especially for those 
products for which relevant Federal agencies have expressed other 
security concerns.
    27. Applicant Declaration Under Penalty of Perjury. To implement 
the Commission's goal of ensuring the Cyber Trust Mark is not affixed 
to products that pose a risk to national security or a risk to public 
safety, we require applicants seeking authorization to use the FCC IoT 
Label to provide a declaration under penalty of perjury that all of the 
following are true and correct:
    (i) The product for which the applicant seeks to use the FCC IoT 
Label through cybersecurity certification meets all the requirements of 
the IoT Labeling Program.
    (ii) The applicant is not identified as an entity producing covered 
communications equipment on the Covered List, established pursuant to 
Sec.  1.50002 of the Commission's rules.
    (iii) The product is not comprised of ``covered'' equipment on the 
Covered List.
    (iv) The product is not produced by any entity, its affiliates, or 
subsidiaries identified on the Department of Commerce's Entity List, or 
the Department of Defense's List of Chinese Military Companies.
    (v) The product is not owned or controlled by or affiliated with 
any person or entity that has been suspended or debarred from receiving 
Federal procurements or financial awards, to include all entities and 
individuals published as ineligible for award on the General Service 
Administration's System for Award Management.
    (vi) The applicant has taken every reasonable measure to create a 
securable product.
    (vii) The applicant will, until the support period end date 
disclosed in the registry, diligently identify critical vulnerabilities 
in our products and promptly issue software updates correcting them, 
unless such updates are not reasonably needed to protect against 
security failures.
    (viii) The applicant will not elsewhere disclaim or otherwise 
attempt to limit the substantive or procedural enforceability of this 
declaration or of any other representations and commitments made on the 
FCC IoT Label or made for purposes of acquiring or maintaining 
authorization to use it.
    28. If any applicant fails to make any of the above disclosures 
within 20 days after being notified of its noncompliance, such failure 
would result in termination of any improperly granted authorization to 
use the Label, and/or subject the applicant to other

[[Page 61248]]

enforcement measures. The applicant is required to update its 
declaration, or withdraw a not-yet granted application, if any of the 
applicant's circumstances impacting the declarations materially change 
while the application is pending.
    29. Wireless Consumer IoT Devices vs. Wired Consumer IoT Devices. 
The Order adopts the IoT Labeling NPRM's proposal that the IoT Labeling 
Program apply initially to wireless consumer IoT devices. This is 
consistent with the IoT Labeling NPRM proposal to focus the scope of 
the IoT Labeling Program on intentional radiators that generate and 
emit RF energy by radiation or induction and exclude wired-only IoT 
devices, noting such devices are encompassed by the Commission's 
section 302 authority governing the interference potential of devices 
that emit RF energy and can cause harmful interference. We find that 
this distinction is appropriate, both because of the Commission's 
interest in keeping the scope of the IoT Labeling Program clear and 
manageable during its debut and because there is support in the record 
for wireless intentional radiators as most prevalent types of consumer 
IoT devices contemplated in the IoT Labeling NPRM. While we recognize 
that there are other types of RF devices--both unintentional and 
incidental radiators--that are subject to our jurisdiction, we are not 
including them in our IoT Labeling Program at this time.
    30. We acknowledge there is substantial support in the record for 
including wired IoT consumer products within the scope of the IoT 
Labeling Program. Consumer Reports recommends including both wired and 
wireless IoT within the scope of the IoT Labeling Program, pointing out 
that wired IoT devices or products are vulnerable to cybersecurity 
threats just as wireless IoT devices or products are. Consumer Reports 
also points out that ``while wireless devices are the majority of IoT 
devices, there are still almost 700 million wired IoT devices globally, 
and they are expected to grow by a 10% [compound annual growth rate] 
through 2027 according to IoT Analytics `State of IoT--Spring 2023 
Report.' '' T[Uuml]V S[Uuml]D also encourages the Commission to cover 
both wired and wireless devices within the scope of the IoT Labeling 
Program, and AIM emphasizes the importance of the security of both 
wired and wireless IoT to the cybersecurity ecosystem. CTA further 
states that the Commission should not define the scope of the IoT 
Labeling Program in such a way as to exclude wired IoT products. The 
Association of Home Appliance Manufacturers (AHAM) points out that both 
wired and wireless IoT are included in the NIST definition.
    31. While we agree that wired IoT products are susceptible to 
cyberattacks and similarly pose security risks to consumers and others, 
we find it to be in the public interest for the IoT Labeling Program to 
start with wireless consumer IoT products in view of the record 
indicating that ``wireless devices are the majority of IoT devices,'' 
which would indicate that a focus on this product segment will have a 
substantial impact on the overall IoT market. The record also supports 
this approach, with Keysight Technologies, Inc. concurring that ``the 
program should include consumer RF IoT products initially.'' Further, 
we do not agree with arguments that there may be an unintended 
perception that ``[c]reating a program that would only certify wireless 
IoT devices would send an improper message that only wireless IoT 
devices are secure.'' Instead, we believe that beginning with wireless 
IoT products is both feasible and can be adopted with more speed, 
providing more prompt benefit in the marketplace. Further, a more 
limited scope will streamline the initial rollout of the IoT Labeling 
Program, provide focus to the additional tasks necessary to stand up 
the program, and lay the groundwork for expansion, and we do not 
foreclose consideration including wired IoT products in the future. As 
such and as discussed below, we also defer consideration of our legal 
authority to consider wired products at this time.

B. Oversight and Management of the IoT Labeling Program

    32. Based on the comments filed regarding oversight and management 
of the IoT Labeling Program, the Commission finds it is in the public 
interest to continue to foster public-private collaboration, including 
with regard to the management and administration of the IoT Labeling 
Program, while ensuring the Commission retains ultimate control and 
oversight of the IoT Labeling Program. In this respect, providing a 
broad, unifying government oversight framework for existing private 
labeling schemes and other private efforts in this context will allow 
current participants in this ecosystem to capitalize on their existing 
investments and relationships in a way that not only promotes the 
overall effectiveness of the FCC's IoT Labeling Program and increases 
the security of the IoT ecosystem.
    33. The Commission adopts the IoT Labeling NPRM proposal that the 
IoT Labeling Program be comprised of a single ``program owner'' 
responsible for the overall management and oversight of the IoT 
Labeling Program, with administrative support from one or more third-
party administrators. NIST's white paper recommends one ``scheme 
owner'' responsible for managing the labeling program, determining its 
structure and management, and performing oversight to ensure the 
program is functioning consistently in keeping with overall objectives. 
We agree that it is appropriate for a single entity to perform these 
functions and find that the Commission will be the program owner of the 
IoT Labeling Program, and as such retains ultimate control over the 
program, and determines the program's structure. CSA highlights support 
in the record for having the Commission as the program owner, arguing 
that ``[p]lacing the regulatory authority in the hands of the 
Commission and providing government-backed endorsement may strengthen 
trust with Consumers.'' However, the NIST Cybersecurity White Paper 
also recommends the ``scheme owner'' be responsible for defining the 
conformity assessment requirements, developing the label and associated 
information, and conducting consumer outreach and education.
    34. While the Commission as program owner will oversee the elements 
of the program, the program will be supported by Cybersecurity Label 
Administrators (Label Administrators or CLAs) who will manage certain 
aspects of the program and authorize use the FCC IoT Label as well as a 
Lead Administrator selected by the Bureau from among the CLAs, which 
will undertake additional duties including acting as the point of 
contact between the CLAs and the Commission. In addition, the 
Commission believes it is appropriate for a Lead Administrator, in 
collaboration with the CLAs and other stakeholders, to identify or 
develop, and recommend to the Commission for approval, the IoT specific 
standards and testing procedures, procedures for post-market 
surveillance, as well as design and placement of the label. The Lead 
Administrator will also be responsible for developing, in coordination 
with stakeholders, a consumer education plan and submitting the plan to 
the Bureau and engaging in consumer education. Each of these duties are 
discussed in depth below. The Cybersecurity Coalition recommends the 
Commission utilize a single administrator, rather than multiple 
administrators ``to reduce the likelihood of conflict among 
administrators and simplify engagement with

[[Page 61249]]

manufacturers, consumers, and government agencies.'' CTA, on the other 
hand, contemplates multiple administrators, suggesting that the 
Commission may consider leveraging ``a consortium of scheme owners[ ] 
to ensure that the IoT Labeling Program is administered and issues are 
adjudicated in an effective, objective, and timely fashion.'' We agree 
with CTA's reasoning, while also acknowledging the Cybersecurity 
Coalition's concern regarding potential conflict. Accordingly, the 
Bureau will select a Lead Administrator from among the CLA applicants 
to address conflicts.
    35. As an initial matter, we have looked to the structure of, and 
experiences with, the Commission's equipment authorization program and 
rules in developing the IoT Labeling Program, as proposed and discussed 
in the IoT Labeling NPRM. We emphasize, however, that the IoT Labeling 
Program is new and distinct, and it will operate under its own rules 
and with new authorities specifically delegated to PSHSB. This is 
consistent with the record developed in the proceeding, in which many 
commenters urged the Commission to keep the equipment authorization and 
IoT Labeling programs separate. In addition, several commenters 
addressed whether obtaining a valid equipment authorization should be a 
pre-requisite for obtaining the Cyber Trust Mark, or whether obtaining 
approval to use the Cyber Trust Mark would be required as a condition 
for applying for an equipment authorization. We emphasize that our IoT 
Labeling Program is voluntary, and parties are required to follow the 
Commission's equipment authorization program regardless of whether or 
not they choose to participate in the IoT Labeling Program. We also 
clarify that there is no requirement to complete the equipment 
authorization process before qualifying for the Cyber Trust Mark; 
however, our existing part 2 rules will continue to prohibit the 
marketing of a device that does not have a valid equipment 
authorization.
    36. We conclude that it is in the public interest and supported in 
the record to adopt the IoT Labeling Program structure recommended by 
NIST, with the modifications discussed above regarding third-party 
administrators that are overseen by the Commission as the program 
owner. This and the following paragraph preview the remaining roles and 
responsibilities for the IoT Labeling Program, which will be developed 
in depth in the remaining sections of the Order. The Commission also 
will be responsible for coordinating mutual recognition of the Cyber 
Trust Mark with international partners, coordinating with the Lead 
Administrator, Federal partners, industry, and other stakeholders on 
consumer education programs, and performing oversight to ensure the IoT 
Labeling Program is functioning properly. In addition, the Commission 
will specify the data to be included in a consumer-friendly registry 
that provides additional information about the security of the products 
approved to use the Cyber Trust Mark and is accessible through the QR 
Code that is required to accompany the Cyber Trust Mark. Further, the 
Commission will own and maintain the registration for the Cyber Trust 
Mark, which may only be used when the product has been appropriately 
tested and complies with the Commission's IoT Labeling Program 
requirements.
    37. The Commission will approve qualified Cybersecurity Label 
Administrators (Label Administrators or CLAs) to manage certain aspects 
of the labeling program and be authorized by the Commission to license 
the Cyber Trust Mark to manufacturers whose products are in compliance 
with the Commission's IoT cybersecurity labeling rules. The Commission 
will also select a Lead Administrator, which will be responsible for 
carrying out additional administrative responsibilities, including but 
not limited to reviewing applications and recognizing qualified and 
accredited Cybersecurity Testing Laboratories (CyberLABs) and engaging 
in consumer education regarding the Cyber Trust Mark. The Lead 
Administrator will also collaborate with cyber experts from industry, 
government, academia, and other relevant sectors if needed to identify, 
develop, and maintain consumer IoT cybersecurity technical and 
conformity assessment standards that are based on NIST standards and 
guidance, that will be submitted to PSHSB for consideration and 
approval, and, subject to any required public notice and comment, 
adopted into the Commission's rules. The standards and testing 
procedures developed or identified in collaboration with CLAs and other 
stakeholders and submitted by the Lead Administrator for consideration 
by the Commission will, in turn, be used by accredited \4\ testing labs 
recognized by the Lead Administrator--whether CyberLABs,\5\ a CLA-run 
lab, or a testing lab internal to a company (in-house testing lab) for 
product testing.
---------------------------------------------------------------------------

    \4\ The organization(s) accrediting the prospective Label 
Administrators and testing labs must meet the requirements and 
conditions in ISO/IEC 17011. See 47 CFR 8.910(b)(1) ISO/IEC 
17011:2004(E), ``Conformity assessment--General requirements for 
accreditation bodies accrediting conformity assessment bodies,'' 
First Edition, 2004-09-01, IBR approved for Sec. Sec.  8.217(e) and 
8.218(b).
    \5\ There appeared to be some confusion in the record with the 
Commission's use of the term Cybersecurity Labeling Authorization 
Bodies. Specifically, the ANSI National Accreditation Board (ANAB) 
recommended the Commission reconsider the use of the term 
``CyberLAB'' as the ``implication that such organizations are 
laboratories could create market confusion.'' ANAB Reply at 2. We 
disagree that the term CyberLAB may be confusing because these 
organizations are, in fact, laboratories/testing bodies that will be 
testing products to determine compliance with applicable standards. 
The CyberLABs, however, are not ``certification bodies.'' Rather, 
the entity that will be authorizing an applicant to use the Cyber 
Trust Mark on their product is the CLA, as described below. To 
ensure there is no confusion, the Commission has changed the term 
from Cybersecurity Labeling ``Authorization Bodies'' as these terms 
are reserved for accreditation bodies, to Cybersecurity Testing 
Laboratories, reflecting that the function of these labs is for 
testing and generating reports, and not certifying or issuing a 
label. We continue to use the short-form term ``CyberLAB'' to refer 
to these testing labs.
---------------------------------------------------------------------------

    38. Retaining key overarching functions within the Commission as 
discussed above will ensure the effective administration and oversight 
of this government program and protect the integrity of the FCC-owned 
Cyber Trust Mark, while perpetuating, where appropriate, the relevant 
efforts of the private sector that meet the goals and requirements of 
the program. We also agree with CSA that program ownership by the 
Commission will increase consumer confidence in the Cyber Trust Mark. 
In addition, the clear high-level oversight functions retained for the 
Commission ensures the Commission has meaningful decision-making 
control. Here, while the CLA(s) will recommend standards and testing 
procedures to be approved by the Commission as well as manage the day-
to-day administrative functions assigned, the Commission will 
ultimately review, consider, and exercise judgment on whether the 
requirements are appropriate to support the Commission's program, and 
on how the program is ultimately administered.
    39. We adopt the IoT Labeling NPRM's proposal that one or more 
qualified third-party administrators (Cybersecurity Labeling 
Administrators or CLAs) be designated by the Commission to manage 
certain aspects of the labeling program and be authorized to certify 
the application of the FCC IoT Label by manufacturers whose products 
are found to be in compliance with the Commission's IoT cybersecurity 
labeling rules and regulations. The record supports the Commission's 
adoption of a labeling program that is supported by CLAs.

[[Page 61250]]

According to TIC Council Americas, involving independent third-party 
administrators who verify that labeled products meet the program 
requirements will bring trust, consistency, and an impartial level 
playing field to the Cyber Trust Mark. The Cybersecurity Coalition, 
Widelity, and CSA highlight that utilizing experienced third-party 
administrators will allow the program to run more efficiently and will 
provide ``the required expertise for the administration of the 
program.'' CTA and other commenters also assert that the IoT Labeling 
Program will be best served if the Commission ``leverage[s] the unique 
expertise and existing certification infrastructure offered by well-
regarded industry organizations.'' AHAM says that ``[g]iven the volume 
and increasing numbers of IoT products on the market, [the] FCC needs 
to give manufacturers as many options as possible as far as obtaining 
the Cyber Trust mark'' and that ``third parties will play an important 
role in any successful program.''
    40. CTA supports assigning certain responsibilities to one or more 
independent, (i.e., neutral) third-party administrators which it refers 
to as ``Authorized Scheme Owners.'' However, the Commission disagrees 
with this descriptor insofar as some commenters are confused as to 
whether the ``scheme owner'' is the entity ultimately responsible for 
the program, or a third-party entity responsible for certain program 
administration functions or specified tasks under the ultimate 
direction of the Commission. To avoid confusion, the Commission refers 
to these third-party administrators as CLAs. These CLAs are neutral 
third parties independent of the applicant and within the context of a 
program overseen by the Commission.
    41. We believe that authorizing one or more CLAs to handle the 
routine administration of the program will help to ensure a timely and 
consistent rollout of the program. In particular, several private 
entities have already implemented robust IoT cybersecurity labeling 
programs with established business processes in place to receive 
applications from IoT manufacturers and conduct conformity/standards 
testing against widely accepted cybersecurity guidelines (e.g., NIST 
guidelines) or proprietary product profiles based on the NIST criteria. 
We anticipate a large number of entities will seek grants of 
authorization to use the FCC IoT Label and we are concerned that if we 
were to adopt a program limited to a single administrator, there may be 
bottlenecking delays in the processing of applications and a single 
administrator could result in a single point of failure in the program. 
Allowing multiple CLAs to execute the role of day-to-day administration 
of the program will provide for the simultaneous processing of a 
significant number of applications, provide redundancy of structure, 
and potentially foster competition in this space to better serve those 
seeking access to the label. In addition, leveraging the expertise of 
multiple existing program managers and using pre-existing systems and 
processes that meet our program specifications will minimize 
administrative delay, while promoting an efficient and timely rollout 
of the Cyber Trust Mark. This will also ensure that the Commission 
effectively utilizes the expertise of those entities who have made 
investments in their own cybersecurity labeling programs and have 
experience working with manufacturers and IoT conformity and standards 
testing, expediting the ability to provide consumers with a simple way 
to understand the relative security of the products and devices they 
purchase under a government-backed standard.
    42. We recognize, however, that there is a need for a common 
interface between the CLAs and the Commission to facilitate ease of 
engagement and to conduct other initial tasks associated with the 
launch of the program. We delegate authority to PSHSB to review CLA 
applications, review CLA applications that also request consideration 
for Lead Administrator, select the Lead Administrator and manage 
changes in the Lead Administrator.
    43. Lead Administrator Duties. The Lead Administrator will 
undertake the following duties in addition to the CLA duties outlined 
below:
    a. interface with the Commission on behalf of the CLAs, including 
but not limited to submitting to the Bureau all complaints alleging a 
product bearing the FCC IoT Label does not meet the requirements of the 
Commission's labeling program;
    b. conduct stakeholder outreach as appropriate;
    c. accept, review, and approve or deny applications from labs 
seeking recognition as a lab authorized to perform the conformity 
testing necessary to support an application for authority to affix the 
FCC IoT Label,\6\ and maintain a publicly available list of Lead 
Administrator-recognized labs and a list of labs that have lost their 
recognition;
---------------------------------------------------------------------------

    \6\ If the Lead Administrator, in addition to its administrative 
duties, intends to offer lab testing service (CLA-run lab), it must 
submit an application with PSHSB seeking FCC recognition as a lab 
authorized to perform conformity testing to support an application 
for authority to affix the FCC IoT Label. The Lead Administrator is 
not authorized to recognize its own cybersecurity testing lab. If 
approved by PSHSB, the Lead Administrator will add the name of its 
lab to the list of recognized labs.
---------------------------------------------------------------------------

    d. within 90 days of release of the Public Notice announcing the 
Lead Administrator selection, the Lead Administrator shall, in 
collaboration with stakeholders (e.g., cyber experts from industry, 
government, and academia) as appropriate:
    i. submit to the Bureau recommendations identifying and/or 
developing the technical standards and testing procedures for the 
Commission to consider with regard to at least one class of IoT 
products eligible for the IoT Labeling Program. The Bureau will 
evaluate the recommendations, and if the Bureau approves of the 
recommendations, subject to any required public notice and comment, 
incorporate them by reference into the Commission's rules;
    ii. submit to the Bureau a recommendation on how often a given 
class of IoT products must renew their request for authority to bear 
the FCC IoT Label, which may be dependent on the type of product, and 
that such a recommendation be submitted in connection with the relevant 
standards recommendations for an IoT product or class of IoT products; 
The Bureau will evaluate the recommendations, and if the Bureau 
approves of the recommendations, subject to any required public notice 
and comment, incorporate them by reference into the Commission's rules;
    iii. submit to the Bureau recommendations on the design of the FCC 
IoT Label, including but not limited to labeling design and placement 
(e.g., size and white spaces, product packaging.) The Bureau will 
evaluate the recommendations, and if the Bureau approves of the 
recommendations, subject to any required public notice and comment, 
incorporate them by reference into the Commission's rules; and
    iv. submit to the Bureau recommendations with regard to updates to 
the registry including whether the registry should be in additional 
languages, and if so, to recommend specific languages for inclusion;
    v. submit to the Bureau recommendations on the design of the FCC 
IoT Label, including but not limited to labeling design and placement 
(e.g., size and white spaces, product packaging, whether to include

[[Page 61251]]

the product support end date and other security and privacy information 
on the label.) The Bureau will evaluate the recommendations, and if the 
Bureau approves of the recommendations, subject to any required public 
notice and comment, incorporate them by reference into the Commission's 
rules.
    e. The Lead Administrator shall, in collaboration with CLAs and 
other stakeholders (e.g., cyber experts from industry, government, and 
academia) as appropriate recommend within 45 days of publication of 
updates or changes to NIST guidelines, or adoption by NIST of new 
guidelines, to the FCC any appropriate modifications to the Labeling 
Program standards and testing procedures to stay aligned with the NIST 
guidelines;
    f. submit to the Commission reports on CLAs' post-market 
surveillance activities and findings in the format and by the date 
specified by PSHSB;
    g. develop in collaboration with stakeholders a consumer education 
campaign, submit the plan to the PSHSB, and participate in consumer 
education;
    h. receive complaints about the Labeling Program, including but not 
limited to consumer complaints about the registry and coordinate with 
manufacturers to resolve any technical problems associated with 
consumers accessing the information in the registry;
    i. facilitate coordination between CLAs; and
    j. submit to the Commission any other reports upon request of the 
Commission or as required by Commission rule.
    44. Cybersecurity Label Administrator Duties. CLA(s) are 
responsible for various administrative duties, including:
    a. receive and evaluate applications and supporting data requesting 
authority to use the FCC IoT Label on the product subject to the 
application;
    b. grant an application only if it meets all of the Commission's 
requirements to use the FCC IoT Label and authorize (i.e., certify) the 
applicant to use the FCC IoT Label on the product subject to the 
application;
    c. ensure that manufacturers make all required information 
accessible by the IoT registry;
    d. participate in consumer education campaign in coordination with 
the Lead Administrator;
    e. perform post-market surveillance activities, such as audits, in 
accordance with ISO/IEC 17065 and submit periodic reports to the Lead 
Administrator of their post-market surveillance activities and findings 
in the format and by the date specified by PSHSB; and
    f. receive complaints alleging an IoT product does not support the 
cybersecurity criteria conveyed by the Cyber Trust Mark and refer these 
complaints to the Lead Administrator which will notify PSHSB.\7\
---------------------------------------------------------------------------

    \7\ This process does not foreclose the ability of consumers to 
file an informal complaint in accordance with the Commission's 
rules. See 47 CFR 1.716 through 1.719. In the event an informal 
complaint is filed with the Commission, the complaint will be 
forwarded to the Lead Administrator for investigation and/or 
referral to the issuing CLA.
---------------------------------------------------------------------------

    45. The record supports the use of CLAs to support a variety of 
tasks within the program's construct. ioXt Alliance supports utilizing 
CLAs for evaluating and certifying products for the Cyber Trust Mark. 
CTA supports utilizing CLAs to conduct program operations. The 
Cybersecurity Coalition and Kaiser Permanente also support utilizing 
CLAs for managing the day-to-day operations of the IoT Labeling 
Program. CSA argues that, ``the day-to-day administration of the Cyber 
Trust Mark Program should be managed by a Third-Party Administrator, 
serving as the entity that grants permission to use the Program 
trademark to applicants.'' In addition, ITI recommends that it should 
be the responsibility of the CLA to review or audit self-attestations 
and that ``third-party administrators can and should play a key role in 
administering conformity assessment schemes.'' CSA and CTIA further 
recommend adopting the IoT Labeling NPRM's proposal that a third-party 
administrator evaluate, accredit, or recognize the CyberLABs, and CSA 
also ``recommends that the Commission hire a third-party administrator 
to operate the IoT Registry.'' Finally, ioXt Alliance recommends that 
third-party administrators should also ``vet companies and products 
during the certification process'' to determine which products pose a 
threat to national security, based on Commission guidance. ioXt 
Alliance also notes in its comments that the ``label design and 
associated information should be informed by the expertise of 
manufacturers and third-party administrators.''
    46. Subject to Commission oversight, and consistent with 
recommendations in the record, the CLAs will evaluate and grant or deny 
requests for authority to use the FCC IoT Label on consumer IoT 
products in accordance with the IoT Labeling Program. Each 
administrator will be responsible for certifying that the consumer IoT 
products for which it authorizes a manufacturer to apply the FCC IoT 
Label are tested by an accredited testing lab, which as discussed 
further below may be a CyberLAB, the applicant's own in-house lab, or a 
CLA-run lab, and that the testing report demonstrates the product 
conforms to all Commission IoT labeling rules. The CLA will track each 
application it receives requesting authority to use the FCC IoT Label, 
and the disposition of all applications, including date of filing, date 
of acceptance as complete, the date and reason application is returned 
to applicant, and date of grant or denial. The CLAs will review each 
application they receive to ensure the application and supporting 
documents are provided and are sufficient to show the product conforms 
to all Commission rules and that it includes a compliance test report 
generated by an accredited and Lead Administrator-recognized testing 
lab (e.g., third-party lab (CyberLAB), applicant's in-house testing 
lab, or CLA-run lab). If the application is deficient, it will not be 
granted until all necessary conditions are satisfied. If the 
application is complete and meets all of the Commission's requirements, 
the CLA will issue a cybersecurity labeling authorization (i.e., 
cybersecurity certification) approving the applicant to affix the FCC 
IoT Label to the identified product.
    47. In addition to its role as a CLA, the Lead Administrator must 
collaborate with CLAs and other stakeholders (e.g., cyber experts from 
industry, government, and academia) as appropriate to develop or 
identify, and maintain, consumer IoT cybersecurity technical and 
conformity assessment standards to be met for each class of IoT product 
seeking authority to affix the FCC IoT Label on their product, which 
the Lead Administrator will submit to PSHSB for consideration and 
approval and, subject to any required public notice and comment, 
adoption into its rules. Adopting standards through consensus is 
supported by the record in this proceeding.\8\ The Information 
Technology Industry Counsel (ITI) supports the Commission retaining 
ownership of the IoT Labeling Program and authorizing the ``various 
industry-led, consensus standards, which can be used to gain approval 
for the Cyber Trust Mark.'' ITI also notes that using industry-led, 
consensus standards will also limit the likelihood of legal challenges. 
UL Standards & Engagement

[[Page 61252]]

agrees that the FCC should use a ``voluntary consensus-based standards 
development process'' to create and update standards for the IoT 
Labeling Program. The U.S. Chamber of Commerce also supports a 
consensus-based approach urging the Commission ``to track closely with 
public-private developments in IoT cybersecurity as well as industry-
driven initiatives, such as the C2 Consensus on IoT Device Security 
Baseline Capabilities (C2 Consensus) and CTIA's cybersecurity 
certification program for IoT devices.'' The Council to Secure the 
Digital Economy (CSDE), which is ``composed of USTelecom, the Consumer 
Technology Association (CTA), and 13 global information and 
communications technology (ICT) companies--has also already convened 
technical experts from 19 leading organizations throughout the ICT 
sector to develop and advance industry consensus on baseline security 
capabilities for new devices,'' including the C2 Consensus document, 
which provides guidance to the public and private sectors on IoT 
devices security. We agree with these recommendations that the 
Commission adopt standards following recommendations based on an 
industry-led consensus process, leveraging standards work already in 
process or completed, which will provide for the swift development and 
implementation of the IoT Labeling Program.
---------------------------------------------------------------------------

    \8\ As below, we emphasize the importance of leveraging existing 
expertise in this space, and as such adopt as a criterion for 
consideration in selecting the lead administrator the ability to 
convene and develop consensus among stakeholders.
---------------------------------------------------------------------------

    48. The Lead Administrator is to base the recommended technical 
standards and testing procedures on the NISTIR 8425, Profile of the IoT 
Core Baseline for Consumer IoT Products. As noted by ITI, there is ``a 
suite of existing standards that might be leveraged to ensure that the 
outcomes NIST outlines can be met.'' In addition, NIST's IoT Product 
Component Requirements Essay provides a summary of standards and 
guidance that NIST has initially identified as applicable to IoT 
devices and IoT product components, that the Lead Administrator may 
determine are applicable to the IoT Labeling Program. The Lead 
Administrator should evaluate and leverage existing work for efficiency 
and speed to market where appropriate in making its recommendations to 
the Commission.
    49. The Lead Administrator in collaboration with stakeholders as 
appropriate will identify or develop IoT cybersecurity standards (or 
packages of standards) and testing procedures that they determine can 
be used to test that a product meets the NISTIR 8425 criteria for each 
class of products identified by the working group. The Lead 
Administrator will submit to the Bureau recommendations on a rolling 
basis as they are identified, but shall submit the initial set of 
recommendations no later than 90-days after release of the Public 
Notice selecting the Lead Administrator. We specify a timeframe here to 
ensure timeliness of initial standards and prompt launch of the 
program. Noting the work already ongoing on these issues, we also find 
such a timeframe to be reasonably achievable. The proposed standards 
(or packages of standards) and testing procedures must be approved by 
the Commission prior to implementation. The Commission delegates 
authority to PSHSB to evaluate and (after any required public notice 
and comment) approve (or not approve) the technical standards and 
testing procedures proposed by the Lead Administrator for use in the 
IoT Labeling Program and incorporate the approved standards and testing 
procedures by reference into the Commission's rules. The Commission 
further directs the Bureau to ensure the standards and testing 
procedures are relevant and appropriate to support the Commission's IoT 
Labeling Program.
    50. Selecting CLAs. Each entity seeking authority to act as a CLA 
must file an application with the Commission for consideration by 
PSHSB,\9\ which includes a description of its organization structure, 
an explanation of how it will avoid personal and organizational 
conflict when processing applications, a description of its processes 
for evaluating applications seeking authority to use the FCC IoT Label, 
and a demonstration of expertise that will be necessary to effectively 
serve as a CLA including, but not limited to:
---------------------------------------------------------------------------

    \9\ This approach necessitates a mechanism for the Commission to 
recognize administrators, and we accordingly adopt a rule doing so. 
See 47 CFR 8.219. We model our approach on analogous elements of our 
equipment authorization rules, with which the Commission and 
industry have substantial experience, and which have proven workable 
in practice. See 47 CFR 2.949. We delegate to PSHSB and OMD 
authority to take any necessary steps, including adoption of 
additional procedures and any applicable fees (pursuant to any 
required public notice and comment), as necessary to ensure 
compliance with the Communications Act with respect to any rules 
adopted here that contemplate the filing of applications directly 
with the Commission. 47 U.S.C. 158(c).
---------------------------------------------------------------------------

    1. Cybersecurity expertise and capabilities in addition to industry 
knowledge of IoT and IoT labeling requirements.
    2. Expert knowledge of NIST's cybersecurity guidance, including but 
not limited to NIST's recommended criteria and labeling program 
approaches for cybersecurity labeling of consumer IoT products.
    3. Expert knowledge of FCC rules and procedures associated with 
product compliance testing and certification.
    4. Knowledge of Federal law and guidance governing the security and 
privacy of agency information systems.
    5. Demonstration of ability to securely handle large volumes of 
information and demonstration of internal security practices.
    6. Accreditation pursuant to all the requirements associated with 
ISO/IEC 17065 with the appropriate scope.\10\ We recognize that CLAs 
cannot obtain accreditation to the FCC scope until after the Commission 
adopts standards and testing procedures. As such, the Commission will 
accept and conditionally approve CLA applications from entities that 
meet the other FCC program requirements and commit to obtain ISO/IEC 
17065 accreditation with the appropriate scope within six (6) months of 
the effective date by the adopted standards and testing procedures. CLA 
approval to authorize use of the FCC IoT Label will be finalized upon 
receipt and demonstration to the Commission of ISO/IEC 17065 
accreditation with the appropriate scope.\11\
---------------------------------------------------------------------------

    \10\ The scope of CLA's ISO/IEC 17065 certification includes 
certifying IoT products and devices for compliance with FCC 
cybersecurity standards.
    \11\ Consistent with standard practice for accreditation, the 
organization accrediting the CLAs must be recognized by the Bureau 
to perform such accreditation based on International Standard ISO/
IEC 17011.
---------------------------------------------------------------------------

    7. Demonstrate implementation of controls to eliminate actual or 
potential conflicts of interests (including both personal and 
organizational), particularly with regard to commercially sensitive 
information, to include but not limited to, remaining impartial and 
unbiased and prevent them from giving preferential treatment to certain 
applications (e.g., application line jumping) and from implementing 
heightened scrutiny of applications from entities not members or 
otherwise aligned with the CLA.
    8. That the applicant is not owned or controlled by or affiliated 
with any entity identified on the Commission's Covered List or is 
otherwise prohibited from participating in the IoT Labeling Program. We 
will dismiss all CLA applications from an entity (company) identified 
on the Commission's Covered List, the Department of Commerce's Entity 
List, and the Department of Defense's List of Chinese Military 
Companies.
    9. That the applicant is not owned or controlled by or affiliated 
with any person or entity that has been suspended or debarred from 
receiving

[[Page 61253]]

Federal procurements or financial awards, to include all entities and 
individuals published as ineligible for award on the General Service 
Administration's System for Award Management.
    10. In addition to completing the CLA application information, 
entities seeking to be the Lead Administrator will submit a description 
of how they will execute the duties of the Lead Administrator, 
including:
    a. their previous experience in IoT cybersecurity;
    b. what role, if any, they have played in IoT labeling;
    c. their capacity to execute the Lead Administrator duties outlined 
in the Order;
    d. how they would engage and collaborate with stakeholders to 
identify or develop the Bureau recommendations discussed in the Order;
    e. a proposed consumer education campaign; and
    f. additional information the applicant believes demonstrates why 
they should be the Lead Administrator.
    51. For items #7 and #8, we note that the record raises national 
security considerations when selecting a Label Administrator. For 
example, CTIA urges that the Commission ``exclude all entities on the 
Covered List (not just those included on the list for producing 
equipment), all entities on the other lists identified in the IoT 
Labeling NPRM, as well as entities that are otherwise banned from 
federal procurement.'' CTIA explains that these broad exclusions for 
program participation are necessary because of ``the unique nature of 
the proposed labeling program--namely that it is both government-
administered and voluntary--counsels in favor of painting with a broad 
brush on national security-based exclusions.'' We agree with the 
commenters in the record, and consistent with our reasoning herein 
addressing the exclusion of certain products that would raise potential 
national security concerns, we also prohibit entities owned or 
controlled by or affiliated with entities that produce equipment found 
on the Covered List, as well as entities specified on the other lists 
referenced above or those suspended or debarred from receiving Federal 
procurements or financial awards from being a CLA in view of national 
security considerations and to insure the integrity of the IoT Labeling 
Program. Each of these lists represent the determination of relevant 
Federal agencies that the entities on the list may pose a national 
security threat within their respective areas, and as such we find that 
it is not in the public interest to permit these entities to provide 
assurances to the American public that products meet minimum 
cybersecurity standards. Importantly, we are only excluding the 
entities of the lists from a voluntary program under which the FCC 
approves their capability to oversee cybersecurity certification 
testing for purposes of the IoT Label. Insofar as the FCC IoT Label 
reflects the FCC's signal to consumers about cybersecurity, it is 
reasonable for us to take a cautious approach when approving entities 
to conduct the underlying product evaluations when relevant Federal 
agencies have expressed security concerns with the entity.
    52. NCTA--The Internet & Television Association (NCTA) also 
suggests that ``any `foreign entity of concern' as defined by the CHIPS 
Act should be ineligible for certification or recognition as a 
CyberLAB.'' Further, ioXt Alliance recommends that the Commission 
``establish rules to ensure CyberLABs are not subject to undue 
influence by foreign adversaries.'' We agree that it would be 
problematic for the U.S. to rely on the determination of entities 
controlled or affiliated with ``foreign adversaries'' as to the 
security of products approved to use the Cyber Trust Mark, and 
therefore the FCC will not recognize for purposes of the IoT Labeling 
Program any applicant that is an entity, its affiliate, or subsidiary 
owned or controlled by a ``foreign adversary'' country. A ``foreign 
adversary'' country is defined in the Department of Commerce's rule, 15 
CFR 7.4, and includes China (including Hong Kong), Cuba, Iran, North 
Korea, Russia, and Maduro Regime. We do not otherwise see a basis to 
preclude other foreign entities from serving as CLAs, but at this 
preliminary stage of establishing the IoT Labeling Program--where no 
international agreements are yet in place in this regard, and oversight 
details continue to be effectuated--we defer action in this regard. We 
delegate authority to PSHSB, in consultation with the Office of 
International Affairs (OIA), to evaluate and (after any appropriate 
public notice and comment) establish qualification criteria for any 
entity outside the United States to be approved to act as a CLA once 
any appropriate international agreements or other appropriate 
prerequisites are in place.
    53. We decline to require that a CLA be a non-profit. The 
Cybersecurity Coalition recommends that the CLA be a non-profit entity, 
but did not elaborate on why, focusing their comments on having a 
neutral, independent third-party that followed consistent pricing 
guidelines and had industry experience and strong security practices. 
Researchers from the Northeastern University's College of Engineering 
similarly agreed that the Label Administrator should be a non-profit 
while emphasizing that the CLA should not have conflicts of interest. 
We decline, however, to require that the CLA be a non-profit 
organization, recognizing that there may be well-qualified companies 
that may be for-profit organizations or non-profit organizations that 
possess the other relevant qualifications. We agree with what appear to 
be the underlying concerns of the record, that the CLA be neutral, have 
the knowledge outlined above (e.g., knowledge regarding FCC rules, IoT 
cybersecurity standards and testing procedures), and be free of 
conflicts. However, we believe that a company that satisfies the above 
requirements could carry out the CLA duties without being a non-profit 
organization. Moreover, expanding the pool of potential participants 
should increase the likelihood that a reasonable number of qualified 
entities apply to fulfill the specified roles. In addition, the record 
did not highlight reasons why a for-profit company would be incapable 
of fulfilling the role of label administrator.
    54. Termination of CLA Authority. To address national security 
concerns, the authority of CLAs to grant applications to use the FCC 
IoT Label under the IoT Labeling Program will automatically terminate 
if the CLA subsequently becomes owned or controlled by or affiliated 
with an entity that produces equipment found on the Covered List, or 
otherwise added to any exclusionary list identified in this item as 
precluding authorization as a CLA. In addition, a CLA's authority may 
also be terminated for failure to uphold the required competencies or 
accreditations enumerated above. We delegate authority to PSHSB, to 
determine if a CLA's authority is to be terminated in the latter 
circumstance, and to terminate such authorization.\12\ PSHSB, may 
identify such CLA deficiencies itself or receive notice from other 
entities, including other agencies, consumers,

[[Page 61254]]

and industry, that products granted authorization by a CLA do not 
accurately reflect the security posture of the product. Products 
authorized to use the FCC IoT Label by a disqualified CLA will be 
subject to the disqualification procedures described further below.
---------------------------------------------------------------------------

    \12\ Because of the public safety importance of a CLA having the 
requisite qualifications and adhering to our rules when evaluating 
requests to use the FCC IoT Label, this process should proceed 
appropriately expeditiously to minimize any periods of time where a 
CLA continues to operate in that capacity once concerns have come to 
PSHSB's attention. In particular, PSHSB shall provide notice to the 
CLA that the Bureau proposes to terminate the CLA's authority and 
provide the CLA a reasonable opportunity to respond (not more than 
20 days) before reaching a decision on possible termination. PSHSB 
may suspend the CLA's ability to issues labeling authorizations 
during the pendency of such consideration if appropriate.
---------------------------------------------------------------------------

    55. CLA Application Filing Window. We delegate authority to the 
Bureau to issue a Public Notice opening the initial filing window to 
receive applications from entities seeking authority to be recognized 
as a CLA (and Lead Administrator) under the IoT Labeling Program with 
instructions on how to apply and further details on the qualifications 
required of CLA applicants as well as the decision criteria used to 
select applicants. We also delegate to the Bureau authority to open 
additional filing windows or otherwise accept additional applications 
for authority to be recognized by the Bureau as a CLA when and as the 
Bureau determines it is necessary. Interested parties must establish 
they meet the requirements established in the Order. The Commission 
notes that it may refer applications to the U.S. Committee for the 
Assessment of Foreign Participation in the U.S. Telecommunications 
Sector (Team Telecom) for their review and consideration of national 
security and law-enforcement risks. We further delegate authority to 
PSHSB in coordination with the Office of the Managing Director (OMD) 
(specifically Office of the Chief Information Officer) and, to the 
extent necessary, the Office of General Counsel (OGC) (specifically the 
Senior Agency Official for Privacy), to receive and review each 
application for compliance with the criteria established in the Order. 
We also delegate to PSHSB authority to adopt additional criteria and 
administrative procedures necessary to efficiently select one or more 
independent, non-governmental entities, to act as CLA(s) and Lead 
Administrator. The Lead Administrator must provide equitable 
recommendations to the Commission to encourage the broadest possible 
participation of CLAs within the parameters of the FCC's rules.\13\ We 
also delegate to PSHSB authority to adopt additional criteria and 
procedures in the event the Lead Administrator must be replaced or 
chooses to withdraw from its responsibilities.\14\ We delegate 
authority to PSHSB to release a Public Notice announcing the CLA(s) 
selected by the Bureau and next steps for each entity, including but 
not limited the execution of appropriate documentation governing the 
details of the CLA's responsibilities. Moreover, we delegate to PSHSB 
and OMD authority to take any necessary steps, including adoption of 
additional procedures and any applicable fees after selection of the 
CLAs, if necessary to ensure compliance with the Communications Act or 
applicable government-wide statutes that are implicated by the IoT 
Labeling Program. Finally, we also delegate authority to PSHSB and OMD, 
in consultation with OGC, to take any additional actions necessary to 
preserve the Commission's rights to the Cyber Trust Mark under 
trademark and other applicable laws. Only entities who have followed 
the procedures required by PSHSB and OMD and executed relevant required 
documentation will be authorized by the Commission to accept and grant 
applications authorizing the use of the FCC IoT Label, which includes 
the Cyber Trust Mark and QR Code.
---------------------------------------------------------------------------

    \13\ We also agree with CTA in highlighting the importance of 
PSHSB's involvement in matters where the Lead Administrator and CLAs 
may share vested interests.
    \14\ We recognize the potential raised by ioXt Alliance for 
anticompetitive preferences in recommendations made to the Bureau if 
a CLA is chosen as Lead Administrator.
---------------------------------------------------------------------------

C. CyberLABs, CLA-Run Labs, and In-House Testing Labs

    56. The Commission envisioned the role of CyberLABs as assessing 
IoT devices or products for compliance against IoT security standards, 
once developed. The Commission sought comment on whether the Commission 
or one of the authorized label administrators would evaluate, accredit, 
or recognize the CyberLABs, noting that it was seeking to ensure that 
CyberLABs have the necessary expertise and resources to properly test 
and assess whether IoT devices and products are in compliance with the 
IoT security standards. To become accredited and FCC-recognized for the 
proposed IoT Labeling Program, the Commission proposed the submission 
of applications demonstrating the applicant CyberLAB met the following 
requirements:
     Qualifications: The CyberLAB has technical expertise in 
cybersecurity testing and conformity assessment of IoT devices and 
products.
     Resources: The CyberLAB has the necessary equipment, 
facilities, and personnel to conduct cybersecurity testing and 
conformity assessment of IoT devices and products.
     Procedures: The CyberLAB has documented procedures for 
conformity assessment.
     Continued competence: Once accredited and recognized, 
CyberLABs would be periodically audited and reviewed to ensure they 
continue to comply with the IoT security standards and testing 
procedures.
    57. We adopt our proposal to accept CyberLABs, in-house labs, and 
CLA-run labs, to test and assess IoT products for compliance with the 
consumer IoT standards that are established pursuant to the process 
described above to actualize the outcome of the NIST criteria. Rather 
than having the Commission or CLA evaluate or accredit a lab, however, 
we are persuaded that it is appropriate to recognize testing labs that 
have been accredited to ISO/IEC 17025 standards to conduct compliance 
testing that would support an application for authority to affix the 
FCC IoT Label. Consistent with standard practice for accreditation, the 
organization accrediting the testing labs must be recognized by the 
Bureau to perform such accreditation based on International Standard 
ISO/IEC 17011. We recognize that labs cannot be accredited or 
recognized in the context of this IoT Labeling Program until after the 
IoT cybersecurity standards have been approved by the Commission and 
incorporated into the Commission's rules. We delegate authority to 
PSHSB to publish a Public Notice, subject to any required notice and 
comment, outlining the specific standards CyberLABs, in-house labs, and 
CLA-run labs must meet to be recognized as qualified to conduct 
conformity testing to support applications seeking authority to use the 
FCC IoT Label. We also find it to be in the public interest for the 
Lead Administrator to review and recognize labs that meet these 
accreditation requirements and make a list of recognized labs publicly 
available.\15\
---------------------------------------------------------------------------

    \15\ To enable the Lead Administrator to compile a reliable and 
verifiable list, we require accredited CyberLABs to submit certain 
information to the Lead Administrator: (1) Laboratory name, location 
of test site(s), mailing address and contact information; (2) Name 
of accrediting organization; (3) Scope of laboratory accreditation; 
(4) Date of expiration of accreditation; (5) Designation number; (6) 
FCC Registration Number (FRN); (7) A statement as to whether or not 
the laboratory performs testing on a contract basis; (8) For 
laboratories outside the United States, details of the arrangement 
under which the accreditation of the laboratory is recognized; and 
(9) Other information as requested by the Commission.
---------------------------------------------------------------------------

    58. The Order agrees with CTIA that entities specializing in 
testing and certification will be valuable to program participants, and 
that such entities are likely to have the resources and expertise to 
evaluate IoT products in accordance with a standard. CTIA also notes, 
``a third-party certification model will help to lend credibility to 
the program'' because CyberLABs can focus on the assessment aspects of 
the program in a way that helps ensure the

[[Page 61255]]

integrity of the IoT Labeling Program. The Order also agrees with CTA 
that leveraging accredited industry bodies to perform conformity 
assessments will ``speed the establishment of the program and increase 
the program's ultimate quality.''
    59. We agree with CSA's argument that the Commission should adopt a 
model where CyberLABs must be ISO/IEC 17025 accredited. CSA notes its 
confusion as to whether CyberLABs were intended to be ``certification 
bodies'' as defined by ISO/IEC 17065 or ``evaluation laboratories'' as 
defined by ISO/IEC 17025. We clarify that the proposal as envisioned by 
the IoT Labeling NPRM and adopted here is for CyberLABs, in-house labs, 
and CLA-run labs to function as a body responsible for assessing the 
security of IoT products (i.e., testing lab). CSA proposes that such 
bodies hold ISO/IEC 17025 accreditations, as this model has been the 
basis for mutual recognition agreements in the cybersecurity industry, 
and we agree.
    60. We note the objection of LG Electronics, which asserts that 
``[t]he CyberLAB concept described in the NPRM would almost certainly 
create a testing bottleneck'' that would slow the process, and deter 
participation in the IoT Labeling Program. Instead, LG Electronics 
argues, self-certification is required to avoid these problems, 
although LG Electronics concedes that some compliance certification is 
required to participate in the IoT Labeling Program. As a nascent 
program, and as discussed above in connection with the envisioned 
process, we do not find it appropriate to adopt at this time a labeling 
path that does not include some level of laboratory testing in 
combination with an application to a CLA to ensure the product bearing 
the FCC IoT Label complies with the IoT Labeling Program's 
requirements. However, we recognize the benefits of time, efficiency 
and cost-savings associated with in-house testing and will allow the 
option for applicants to use an in-house testing labs, provided the lab 
is ISO/IEC 17025 accredited.
    61. CyberLABs' Programmatic Role. CyberLABs will receive requests 
for conformance testing from manufacturers seeking to use the FCC IoT 
Label and will assess and test the products using the cybersecurity 
standards developed by industry and approved by the Commission and 
provide the applicant with a report of their findings. There was 
confusion in the record with how the term CyberLAB is to be applied. 
The Commission clarifies that the CyberLABs are laboratories whose role 
is limited to conducting compliance tests and generating reports. 
CyberLABs are not, in the organizational structure adopted in the 
Order, either certifying products or issuing authorization to use the 
FCC IoT Label. While the IoT Labeling NPRM defined a CyberLAB as an 
``authorization body'' we remove that reference here as the term 
``authorization body'' might be seen as referring to certification 
bodies, not laboratories. The role of CyberLABs is to conduct the 
required tests and generate test reports for use by the applicant in 
seeking CLA authorization to use the FCC IoT Label.
    62. In-House Testing Lab. We also adopt an option for manufacturers 
to use an accredited and Lead Administrator-recognized in-house testing 
lab to perform the cybersecurity conformity testing for their IoT 
products, provided the in-house lab meets the same vigorous standards 
as the CyberLABs. In the IoT Labeling NPRM, the Commission sought 
comment on whether there is an avenue for ``a comprehensive review that 
an IoT device or product compl[ies] with the IoT security standards.'' 
We received significant support in the record for an in-house testing 
option. Samsung argues that, to encourage widespread adoption, the 
Commission must allow manufacturers an option to perform in-house 
testing to receive the label. The Cybersecurity Coalition urges the 
Commission to allow for in-house testing. We agree that an in-house 
testing option, for some manufacturers, will be more cost-effective, 
encourage participation in the IoT Labeling Program, and when combined 
with the filing of an application with a CLA can assure quality and 
trust in the IoT Labeling Program. However, we do require that in-house 
labs meet the same accreditation and recognition requirements as 
CyberLABs. In this respect, consumers may be assured that the label 
achieved on an in-house basis meets the same standards as those tested 
elsewhere, promoting consistency and reliance on the IoT Labeling 
Program generally. We also expect that ensuring a common baseline 
testing standard will ultimately aid in the ability to gain 
international recognition of the Cyber Trust Mark.
    63. CLA-Run Testing Lab. We also recognize that CLAs may also have, 
or seek to have, their own in-house labs conduct conformity testing for 
applicants seeking certification to use the Mark. The Commission finds 
no need to limit the number of potential testing facilities by 
prohibiting CLA-run labs from also being considered recognized labs. 
Applicants who wish to do so, may file an application with an 
authorized CLA and request the services of the CLA's accredited and 
Lead Administrator-recognized lab. Again, the Commission requires CLA 
labs to meet the same accreditation and recognition requirements as 
CyberLABs. Only after a lab has been accredited by a recognized 
accreditation body may the lab file an application with the Lead 
Administrator seeking to be recognized as an approved cybersecurity 
testing lab.\16\ As explained by the American Association for 
Laboratory Accreditation (A2LA), ``[a]ccreditation is a means of 
determining the technical competence of conformity assessment 
organizations such as laboratories using qualified, third-party 
accreditation bodies. It assures federal government agencies as well as 
private sector organizations that assessments conducted by 
accreditation bodies are objective and reliable and that one can have 
confidence in the data generated by the accredited testing 
laboratory.'' Recognizing that, whether an IoT product is evaluated by 
a CyberLAB, CLA-run lab, or an in-house lab there is a need to ensure 
equal rigor in the process, this requirement applies to in-house 
testing labs and third-party testing labs (CyberLABs and CLA-run labs). 
For ease of understanding, when we refer to CyberLABs below, we are 
including CyberLABs, in-house testing labs, and CLA-run labs.
---------------------------------------------------------------------------

    \16\ This approach necessitates a mechanism for the Commission 
to recognize lab accreditation bodies, and we accordingly adopt a 
rule doing so. See 47 CFR 8.218. We model our approach on analogous 
elements of our equipment authorization rules, with which the 
Commission and industry have substantial experience, and which have 
proven workable in practice. See 47 CFR 2.949. We delegate to PSHSB 
and OMD authority to take any necessary steps, including adoption of 
additional procedures and any applicable fees (pursuant to any 
required public notice and comment), as necessary to ensure 
compliance with the Communications Act with respect to any rules 
adopted here that contemplate the filing of applications directly 
with the Commission. 47 U.S.C 158(c).
---------------------------------------------------------------------------

    64. In order to achieve recognition by the Lead Administrator, all 
labs seeking recognition under the Commission's IoT Labeling Program 
must submit evidence of accreditation in the form of an attestation 
from an accreditation body that the prospective lab has demonstrated:
    1. Technical expertise in cybersecurity testing and conformity 
assessment of IoT devices and products. Compliance with all 
requirements associated with ISO/IEC 17025. If we determine that other 
ISO standards or other relevant requirements are missing, the 
Commission will provide guidance to industry on how they may be 
addressed.

[[Page 61256]]

    2. Knowledge of FCC rules and procedures associated with IoT 
cybersecurity compliance testing and certification.
    3. Necessary equipment, facilities, and personnel to conduct 
cybersecurity testing and conformity assessment of IoT devices and 
products.
    4. Documented procedures for IoT cybersecurity conformity 
assessment.
    5. Demonstrated implementation of controls to eliminate actual or 
potential conflicts of interests (including both personal and 
organizational), particularly with regard to commercially sensitive 
information.
    6. That the applicant is not owned or controlled by or affiliated 
with any entity that produces equipment on the FCC Covered List or is 
otherwise prohibited from participating in the IoT Labeling Program. We 
will dismiss all applications from a company named on the Department of 
Commerce's Entity List, the Department of Defense's List of Chinese 
Military Companies.
    7. That the applicant is not owned or controlled by or affiliated 
with any person or entity that has been suspended or debarred from 
receiving Federal procurements or financial awards, to include all 
entities and individuals published as ineligible for award on the 
General Service Administration's System for Award Management.
    65. Once accredited and recognized, the lab will be periodically 
audited and reviewed by the Lead Administrator to ensure they continue 
to comply with the IoT security standards and testing procedures.
    66. Concerning items #6 and #7, national security considerations 
must be considered when allowing testing labs to participate because of 
``the unique nature of the proposed labeling program.'' As recommended 
in the record and consistent with our exclusions as to eligible 
products and eligibility to serve as a third-party administrator, all 
entities owned or controlled by or affiliated with entities that 
produce equipment found on the Covered List, as well as entities 
specified on the other U.S. Government exclusionary lists referenced 
above are prohibited from serving as a CyberLAB. Each of these lists 
represent the determination of relevant Federal agencies that the 
entities on the list may pose a national security threat within their 
respective areas, and as such we find that we cannot give U.S. 
Government endorsement to their security testing while claiming they 
pose such a threat. Insofar as the label reflects the FCC's signal to 
consumers about cybersecurity, it is reasonable for the FCC to take a 
cautious approach especially for those products for which relevant 
Federal agencies have expressed other security concerns with the 
testing lab.
    67. NCTA also suggests also suggests that ``any `foreign entity of 
concern' as defined by the CHIPS Act should be ineligible for 
certification or recognition as a CyberLAB.'' Further, ioXt Alliance 
recommends that the Commission ``establish rules to ensure CyberLABs 
are not subject to undue influence by foreign adversaries.'' We agree 
that it would be problematic for the U.S. to rely on the determination 
of entities controlled or affiliated with ``foreign adversaries'' as to 
the security of products approved to use the Cyber Trust Mark, and 
therefore the Lead Administrator will not recognize for purposes of the 
IoT Labeling Program any testing lab that is an entity, its affiliate, 
or subsidiary owned or controlled by a ``foreign adversary'' country. A 
``foreign adversary'' country is defined in the Department of 
Commerce's rule, 15 CFR 7.4, and includes China (including Hong Kong), 
Cuba, Iran, North Korea, Russia, and Maduro Regime. Because of the role 
CLAs will play in the labeling program, we find that the concerns 
related to entities identified as ``foreign adversaries'' are equally 
applicable to entities acting as CLAs as they are testing labs. To 
avoid these issues, the record suggests requiring testing labs certify 
compliance with the Commission's rules, including the rules pertaining 
to the Covered List. Accordingly, we find it appropriate that each 
testing lab must certify to the truth and accuracy of all information 
included in its recognition application and immediately update the 
information if the information changes.
    68. The Order notes that Garmin advocates even stricter measures on 
the testing labs, suggesting that the labs be ``located in the U.S.'' 
We decline to require physical location within the U.S. to avoid 
``unnecessarily limiting the pool of legitimate CyberLABs approved to 
conduct testing and conformity assessment for the Mark.'' Further, the 
record indicates that this stricter approach ``would vastly diminish 
manufacturers' abilities to select and access evaluation labs, conduct 
proper risk management and promote competition and diversity in the lab 
market.'' Such a restriction might also unduly limit the ability of 
legitimate foreign corporations that do not raise national security 
concerns to participate in the IoT Labeling Program to the detriment of 
the goal of elevating the cybersecurity posture of those IoT devices 
sold in the U.S. and to promote international recognition of the Cyber 
Trust Mark. We delegate authority to the Bureau to adopt any additional 
criteria or procedures necessary with respect to labs located outside 
of the United States.
    69. Terminating CyberLAB Testing Authority. To address national 
security concerns, the CyberLAB recognition afforded to entities under 
this IoT Labeling Program will be automatically terminated for entities 
that subsequently become affiliated with an entity that is owned or 
controlled by or affiliated with entities that produce equipment placed 
on the Covered List, or that are otherwise added to any exclusionary 
list identified in this item as precluding authorization as a CyberLAB. 
CyberLAB testing authority may also be terminated for failure to uphold 
the required competencies or accreditations enumerated above. We 
delegate authority to the Bureau to determine when a CyberLAB's 
authority is to be terminated, and to terminate such authorization.\17\ 
The Bureau may identify such deficiencies itself or receive notice from 
other entities, including other agencies, consumers, and industry, that 
products tested by a CyberLAB do not accurately reflect the security 
posture of the product. Products authorized to use the FCC IoT Label by 
a disqualified CyberLAB will be subject to the disqualification 
procedures described further below.
---------------------------------------------------------------------------

    \17\ Because of the public safety importance of a CyberLAB 
having the requisite qualifications and adhering to our rules when 
evaluating requests to use the FCC IoT Label, this process should 
proceed appropriately expeditiously to minimize any periods of time 
where a CyberLAB continues to operate in that capacity once concerns 
have come to PSHSB's attention. In particular, PSHSB shall provide 
notice to the CyberLAB that the Bureau proposes to terminate the 
CyberLAB's authority and provide the CyberLAB a reasonable 
opportunity to respond (not more than 20 days) before reaching a 
decision on possible termination. PSHSB may suspend the CLA's 
ability conduct product testing during the pendency of such 
consideration if appropriate.
---------------------------------------------------------------------------

    70. Fees. To fulfill their role, as envisioned by the IoT Labeling 
NPRM, we authorize CyberLABs to charge reasonable fees to conduct the 
tasks adopted in the Order. The IoT Labeling NPRM proposed a fee 
calculation methodology adopted by the Commission in the 2020 
Application Fee Report and Order, 86 FR 15026 (March 19, 2021), and 
sought comment on whether any oversight is needed by the Commission 
over such charges. We did not receive any comments on the suitability 
of the approach proposed in the IoT Labeling NPRM or detailed comments 
about the degree of oversight the Commission should conduct over

[[Page 61257]]

the charges. We recognize the Cybersecurity Coalition's comments that 
high fees would deter participation in the IoT Labeling Program. We 
anticipate that there will be multiple CyberLABs authorized through the 
approach adopted in the Order, and we believe that market competition 
will ensure fees are reasonable, competitive, and accessible while 
covering the costs incurred by the CyberLABs in performing their 
designated tasks. We believe this addresses the concerns raised by the 
Cybersecurity Coalition and renders the approach proposed in the IoT 
Labeling NPRM unnecessary. The National Association of Manufacturers 
(NAM) rightly indicates, however, that the fee structure for CyberLABs 
will necessitate ``robust protections to ensure that CyberLABs focus on 
the underlying mission of protecting the public rather than boosting 
their revenues.'' We delegate to the Bureau, in connection with OMD, to 
review and reconsider if necessary whether the level and structure of 
the fees should be regulated by the Commission.

D. Two-Step Process for Obtaining Authority To Use the FCC IoT Label

    71. The Commission adopts a two-step process for a manufacturer 
seeking authority to use the FCC IoT Label, which includes (1) product 
testing by an accredited and Lead Administrator-recognized lab (e.g., 
CyberLAB, CLA lab, or an in-house lab) and (2) product label 
certification by a CLA. In the context of this IoT Labeling Program and 
as discussed in detail below, we find that in order to ensure the 
integrity of this nascent program, that the FCC IoT Label certification 
process will include a two-step process involving (1) the use of an 
accredited and Lead Administrator-recognized laboratory (CyberLAB, CLA 
lab, or in-house lab) to test the IoT product for compliance to FCC 
rules and generate a test report; and (2) an application to an FCC-
recognized CLA (i.e., an accredited certification body) to certify the 
product as fully compliant with all relevant FCC IoT Labeling Program 
rules.
    72. The record is split on the processes the Commission should 
adopt for manufacturers to follow when seeking to use the FCC IoT 
Label, specifically with regard to whether it is necessary for a third-
party to review and verify the product meets all of the IoT Labeling 
Program requirements, including product testing, or if the manufacturer 
should be afforded the opportunity to ``self-declare'' compliance and 
affix the FCC IoT Label without third-party verification.
    73. UL Solutions, T[Uuml]V S[Uuml]D, and TIC Council Americas 
recommend that the Commission require all applications to be supported 
by conformity testing conducted by an accredited lab (e.g., ISO/IEC 
17025 accredited), and submitted to a third-party for verification of 
compliance with the Commission's program requirements. Others argue the 
Commission should accept a declaration of conformity or self-
certification, while others recommend the Commission enter into 
agreements with each manufacturer to allow the manufacturer to conduct 
internal conformity testing of its products and self-certify compliance 
with the Commission's program requirements resulting in approval to use 
the Cyber Trust Mark without third-party involvement. CTA, for example, 
contemplates a ``Manufacturer Self-Attestation Process'' where 
manufacturers apply to the Commission for access to a ``Mark Self-
Attestation License Agreement'' between the manufacturer and the FCC. 
Under this process, the manufacturer provides documentation showing how 
it complies with the NIST Criteria and if the Commission agrees with 
the documentation, the parties execute the agreement. The license 
agreement will identify the limits of the manufacturer's license 
authority, which may be corporate-wide, on a divisional basis, or for a 
specific product line.
    74. To ensure the Cyber Trust Mark retains the highest level of 
integrity and consumer trust, we agree with commenters who caution 
against allowing testing by entities that are not accredited and 
recognized. We also agree with Garmin and AHAM, who recommend third-
party verification of the information contained in a manufacturer's 
application to use the Cyber Trust Mark. UL Solutions notes that while 
the Commission's equipment authorization process allows some products 
that pose a low risk of RF interference to be approved via a Supplier's 
Declaration of Conformity (SDoC), there is no clear line to be drawn 
between low risk and high risk connected products when ``IoT devices 
are significant targets for an ever- growing number of cybersecurity 
attacks.'' In addition, UL Solutions points to the investigation 
conducted by the Government Accountability Office (GAO) into the ENERGY 
STAR program's initial reliance a supplier's declaration of conformity, 
which GAO found to be unreliable because GAO was able to obtain UL 
certification with blatantly non-conforming products.
    75. The Commission disagrees with commenters who believe the IoT 
Labeling Program should offer different methods of conformity 
assessment based on varying levels of risk and potential impact on 
consumers because doing so adds an unnecessary and significant layer of 
complexity to the process. The Commission recognizes the view of 
Keysight, the National Electronic Manufacturers Association (NEMA), 
AIM, Whirlpool, AHAM, Consumer Reports, Garmin, NAM, ITI, and TIC 
Council Americas, who support self-attestation as an efficient and cost 
effective methodology for applicants to conduct conformity assessments. 
However, the Commission agrees with A2LA, which urges caution with 
self-attestations of conformity ``due to the bias inherent in self-
declaration.'' We also take into serious consideration the 2010 GAO 
Report that found the ENERGY STAR program in effect at that time, which 
was ``primarily a self-certification program relying on corporate 
honesty and industry self-policing to protect the integrity of the 
Energy Star label,'' failed to require upfront third-party validation 
of manufacturers' self-reported claims of compliance with the program 
requirements, which resulted in the certification of bogus products as 
ENERGY STAR compliant. ENERGY STAR has since changed the manner in 
which it certifies products as ENERGY STAR compliant, stating that in 
order ``[t]o ensure consumer confidence in the ENERGY STAR label and to 
protect the investment of ENERGY STAR partners, the U.S. Environmental 
Protection Agency (EPA) requires all ENERGY STAR products to be third-
party certified. Products are tested in an EPA-recognized laboratory 
and reviewed by an EPA-recognized certification body before they can 
carry the label.''
    76. As such, in light of the nascent nature of the IoT Labeling 
Program, lessons learned in the ENERGY STAR context, and the need to 
ensure that the Cyber Trust Mark garners sufficient trust by consumers 
to be viewed as providing accurate information and manufacturer 
participation, we find that allowing a path to ``self-attestation'' is 
not appropriate at this time. While such a path may provide for prompt 
time to market for the Cyber Trust Mark itself, the concerns regarding 
the Mark's integrity at this initial stage counsel against ``self 
attestation.'' Moreover, we anticipate that the benefits and level of 
efficiency afforded manufacturers by the ability to use in-house labs 
will mitigate the additional process associated with certification by a 
CLA, as discussed below.
    77. We intend for the Cyber Trust Mark to serve as a reliable and 
trusted

[[Page 61258]]

way for consumers to quickly identify those products that meet the 
Commission's program requirements. To achieve this, the Commission must 
adopt sufficient controls over the IoT Labeling Program to ensure only 
those products that meet the Commission's requirements bear the Cyber 
Trust Mark. The Commission's second step of requiring an application be 
submitted to a CLA is a significant and important control to ensure 
that an independent disinterested third-party outside the 
manufacturer's control has reviewed the manufacturer's product 
application and supporting test report and verified that the product 
complies with the Commission's program requirements.
    78. The second step of the application process is particularly 
important because, as discussed above, the Commission allows the first 
step (testing) to be completed by an accredited and recognized 
CyberLAB, a CLA lab, or the manufacturer's in-house lab. Requiring the 
manufacturer to submit an application with a CLA is an important 
control, particularly to ensure that all products, including those 
products whose conformity testing is conducted, and reports are 
generated, by the manufacturer's in-house lab, are subject to third-
party scrutiny and oversight. As such, the Commission requires all 
entities seeking to use the FCC IoT Label must submit an application 
for authority to a CLA to use the FCC IoT Label that is supported by 
the appropriate report detailing the conformity testing conducted by a 
lab that is both accredited and Lead Administrator-recognized 
(CyberLAB, CLA lab, or manufacturer's in-house lab). Only entities who 
have received prior authorization from a CLA (i.e., cybersecurity 
certification) are authorized to use the FCC IoT Label, which will 
ensure the IoT Labeling Program retains its integrity.\18\ We further 
recognize that the CLA may charge a reasonable fee to cover the cost of 
reviewing the application and the costs of conducting the other tasks 
the CLA would perform. Once the IoT Labeling Program is established, we 
may revisit the issue of whether to adopt additional pathways to 
obtaining authority to use the FCC IoT Label.
---------------------------------------------------------------------------

    \18\ In addition to the discussion in the text, we adopt certain 
rules to support the administration and integrity of the IoT 
Labeling Program, including governing the designation of agents for 
service of process and governing required signatures. See 47 CFR 
8.208(i), (k). We model our approach on analogous elements of our 
equipment authorization rules, with which the Commission and 
industry have substantial experience, and which have proven workable 
in practice. See 47 CFR 2.911(d)(7), (f).
---------------------------------------------------------------------------

    79. The IoT Labeling NPRM sought comment on whether and how one or 
more third-party administrators should be utilized to manage the IoT 
Labeling Program, and whether the Commission should designate one or 
more administrators to authorize use of the label. Kaiser Permanente 
argues that the Commission should maintain ownership of the application 
process, as well as oversight and supervision of third parties 
administering the IoT Labeling Program. Garmin notes that the 
application process described in the IoT Labeling NPRM is unclear and 
worries that third-party involvement would require enormous effort, and 
cautioned that sharing sensitive information with a third-party 
administrator itself raises security concerns. However, the record was 
silent with respect to details about an application process. We agree 
that oversight and supervision of the IoT Labeling Program, including 
intaking applications, will require effort but believe a CLA is in the 
best position to streamline that process and, as noted, ensure the 
integrity of the process. We will require the CLA to have the ability 
to securely handle large volumes of information, which we believe 
should alleviate Garmin's concern. We outline the application process 
to use the FCC IoT Label below.
    80. Before being able to display the Cyber Trust Mark, the 
applicant must determine their product is an eligible product under our 
rules; have their product tested by an accredited and Lead 
Administrator-recognized CyberLAB, CLA Lab, or manufacturer's in-house 
lab; obtain a report of conformity and compliance from the lab; and 
submit an application for authority to use the FCC IoT Label to an FCC-
recognized CLA in accordance with their procedures. Using the CLAs' 
filing processes, entities seeking authority to use the FCC IoT Label 
will file an application to be developed by the Bureau. Each 
application must include a report of conformity issued by an accredited 
CyberLAB, accredited CLA lab, or accredited in-house lab whose testing 
and reporting is comparative in rigor to that completed by a CyberLAB. 
The CLA will review the application and supporting documentation to 
ensure it is complete and in compliance with the Commission's rules and 
will either grant or deny the application. If an application is 
granted, the CLA will provide the applicant with notification of the 
grant and authority to affix the FCC IoT Label to the product granted 
authorization.
    81. Applications that do not meet the Commission's IoT Labeling 
Program will be denied by the CLA. If an application is denied, the CLA 
will provide the applicant with notification of the denial and an 
explanation of why it was denied. An applicant may only re-submit an 
application for a denied product if the CLA-identified deficiencies 
have been corrected. The applicant must indicate on its application 
that it is re-submitting the application after it was denied, the name 
of the CLA that denied the application, and the CLA's explanation of 
why it was denied. Failure to disclose the denial of an application for 
the same or substantially similar product will result in denial of the 
application for that product and the FCC will take other regulatory 
and/or legal action it deems appropriate.
    82. Grant or denial of an application for authority to use the FCC 
IoT Label will be made by the CLA in the first instance. The CLA will 
return incomplete applications to the applicant or otherwise contact 
the applicant regarding the incomplete application, as soon as 
possible.
    83. We delegate authority to the Bureau to issue a Public Notice 
after any necessary notice and public comment and after completing any 
process required under the Paperwork Reduction Act, providing further 
details on how to apply for authority to use the FCC IoT Label, 
including but not limited to informational elements of the application, 
additional details on filing requirements (e.g., description or 
photograph of the label and how/where it will be affixed to the 
product), and how to request confidential treatment of submitted 
information. As the Commission anticipated in the NPRM, CLAs may charge 
reasonable fees for their services and to cover the costs of performing 
the administrative duties. The IoT Labeling NPRM proposed to follow the 
fee calculation methodology adopted by the Commission in the 2020 
Application Fee Report and Order and requested comment on the proposal 
and any changes. We did not receive any comments on the suitability of 
this approach. We recognize the Cybersecurity Coalition's comments that 
high fees would deter participation in the IoT Labeling Program. We 
anticipate that there will be multiple administrators authorized 
through the approach adopted in the Order, and we believe that market 
competition will ensure fees are reasonable, competitive, and 
accessible while covering the costs incurred by the CLA in performing 
their designated tasks. We believe this addresses the concerns raised 
by the Cybersecurity Coalition and renders the approach proposed in the 
IoT Labeling NPRM unnecessary. We therefore reject

[[Page 61259]]

the NPRM's proposal. To the extent that the Lead Administrator may 
incur costs in performing its duties on behalf of the program as a 
whole, we expect these costs to be shared among CLAs as a whole.\19\ We 
delegate to the Bureau, in connection with OMD, to consider these 
issues and provide guidance to the CLAs and Lead Administrator to 
ensure the fees do not become onerous, as indicated by the record.
---------------------------------------------------------------------------

    \19\ We recognize that many of the duties of the Lead 
Administrator benefit all the CLAs and the program as a whole, and 
we do not suggest that the costs associated with the duties of the 
Lead Administrator as described in the Order to be an exhaustive 
list of the shared costs we expect to be shared among CLAs as a 
whole.
---------------------------------------------------------------------------

    84. Seeking Review of CLA Decision. Any party aggrieved by an 
action taken by a CLA must first seek review from the CLA, which must 
be filed with the CLA within 60 days from the date of the CLA's 
decision. A party aggrieved by an action taken by a CLA may, after 
seeking review by the CLA, seek review from the Commission. A request 
for Commission review must be filed with the Commission within 60 days 
from the date the CLA issues a decision on the party's request for 
review. In all cases of requests for review, the request for review 
shall be deemed filed on the postmark date. If the postmark date cannot 
be determined, the applicant must file a sworn affidavit stating the 
date that the request for review was mailed. Parties must adhere to the 
time periods for filing oppositions and replies set forth in 47 CFR 
1.45.
    85. We delegate authority to PSHSB to consider and act upon 
requests for review of CLA decisions. Requests for review that raise 
novel questions of fact, law, or policy will be considered by the full 
Commission. An affected party may seek review of a decision issued 
under delegated authority pursuant to the rules set forth in part 1 of 
the Commission's rules. The Bureau will conduct de novo review of 
requests for review of decisions issued by a CLA. The Commission will 
conduct de novo review of requests for review of decisions by the CLA 
that involve novel questions of fact, law, or policy; provided, 
however, that the Commission will not conduct de novo review of 
decisions issued by the Bureau under delegated authority. The Bureau 
will, within 45 days, take action in response to a request for review 
of CLA decision that is properly before it. The Bureau may extend the 
time period for taking action on a request for review of a CLA decision 
for a period of up to 90 days. The Commission may also at any time, 
extend the time period for taking action of a request for review of a 
CLA decision pending before the Bureau. The Commission will issue a 
written decision in response to a request for review of a CLA decision 
that involves novel questions of fact, law, or policy within 45 days. 
The Commission may extend the time period for taking action on the 
request for review of a CLA decision. The Bureau also may extend action 
on a request for review of an CLA decision for a period of up to ninety 
days. While a party seeks review of a CLA decision, they are not 
authorized to use the FCC IoT Label until the Commission issues a final 
decision authorizing their use of the FCC IoT Label.

E. Consumer IoT Product Cybersecurity Criteria and Standards

    86. Technical Criteria for Consumer IoT Products. We adopt the IoT 
Labeling NPRM proposal that the NIST Core Baseline serve as the basis 
of the IoT Labeling Program. The NIST Core Baseline is based on 
product-focused cybersecurity capabilities (also referred to by NIST as 
``Outcomes'') rather than specific requirements, which NIST asserts 
provide the flexibility needed due to the diverse marketplace of IoT 
products, and we agree. As outlined in the IoT Labeling NPRM, the NIST 
criteria includes the following IoT product capabilities: (1) asset 
identification; (2) product configuration; (3) data protection; (4) 
interface access control; (5) software update; (6) cybersecurity state 
awareness; and the following IoT Product Developer Activities: (7) 
documentation; (8) information and query reception; (9) information 
dissemination; and (10) product education and awareness.
    87. The record reflects broad support for adoption of the technical 
criteria presented in NISTIR 8425. For example, a coalition of industry 
stakeholders including the Association of Home Appliance Manufacturers, 
Connectivity Standards Alliance, Consumer Technology Association, CTIA 
Information Technology, Industry Council, National Electrical 
Manufacturers Association, Plumbing Manufacturers International Power 
Tool Institute, Security Industry Association, Telecommunications 
Industry Association, U.S. Chamber of Commerce, and USTelecom submitted 
a letter to the Commission supporting the establishment of ``a 
voluntary program based on the technical criteria developed by [NIST], 
under NISTIR 8425.'' UL Solutions supports adoption of the NISTIR 8425 
criteria and asserts that there are several mature standards that can 
be drawn from that address the NISTIR 8425 criteria, such as UL 2900, 
UL 5500, and IEC 62443.
    88. CTIA supports adoption of the NIST Core Baseline but urges the 
Commission not to prescribe any specific methodologies that testing 
programs or standards must use, other than to require that such 
programs or standards be consistent with NIST Core Baseline. CSA also 
supports adoption of the NIST Core Baseline but urges the Commission to 
refrain from developing its own standards for testing. Rather, CSA 
asserts that they have developed a certification program that meets the 
requirements of NISTIR 8425 and other relevant standards documents, 
including ETSI EN 303 645 and the Singapore Cybersecurity Labeling 
Scheme, and CTA indicates that they are working on American National 
Standards (ANS) documents that will ``[d]efine a Framework that is a 
standardized and objective method of applying the Criteria in NISTIR 
8425 to a candidate Scheme or to a manufacturer's proposal for self-
attestation . . .'' Garmin encourages the Commission to consider ETSI 
303 645 standards, and commenters American Certification Body, Inc. and 
Consumer Reports encourage international standards such as those 
developed as a result of the EU Cyber Resiliency Act and UK's Product 
Security and Telecommunications Infrastructure Act. These commenters 
did not oppose referencing the NIST criteria.
    89. We agree with Infineon, Consumer Reports, and NCTA and adopt 
NISTIR 8425 as the basis for the Commission's IoT Labeling Program. The 
consumer IoT environment is complicated by a significant number of 
different types of consumer IoT products. Adoption of the NIST criteria 
as the foundation of the IoT Labeling Program will result in a robust 
consumer IoT program that is sufficiently flexible that it can be 
applied across all types of consumer IoT products. The NIST criteria 
were developed through a multi-year effort between NIST and various 
stakeholders, and includes significant industry input and will continue 
to be updated by NIST as necessary. The Commission agrees with NIST's 
publication, which avers that the following NISTIR 8425 criteria 
identify the cybersecurity capabilities that consumers would expect 
manufacturers to address within the products they buy. NIST 
contemplates that most of the criteria concern the IoT product directly 
and are expected to be satisfied by software and/or hardware 
implemented in the IoT product (1-6 below) and other criteria apply to 
the IoT product developer (7-10 below). The following is the list of

[[Page 61260]]

the NIST IoT product capability criteria, NIST's brief description of 
each, and the NIST-identified cybersecurity utility for each:
    (1) Asset Identification: The product can be uniquely identified by 
the customer and other authorized entities and the product uniquely 
identifies each IoT product component and maintains an up-todate 
inventory of connected product components
    i. Cybersecurity Utility: The ability to identify IoT products and 
their components is necessary to support such activities as asset 
management for updates, data protection, and digital forensics 
capabilities for incident response.
    (2) Product Configuration: The configuration of the IoT product is 
changeable, with an ability to restore a secure default setting, and 
changes can only be performed by authorized individuals, services, and 
other IoT product components.
    i. Cybersecurity Utility: The ability to change aspects of how the 
IoT product functions can help customers tailor the IoT product's 
functionality to their needs and goals. Customers can configure their 
IoT products to avoid specific threats and risk they know about based 
on their risk appetite.
    (3) Data Protection: The IoT product protects data store across all 
IoT product components and transmitted both between IoT product 
components and outside the IoT product from unauthorized access, 
disclosure, and modification.
    i. Cybersecurity Utility: Maintaining confidentiality, integrity, 
and availability of data is foundational to cybersecurity for IoT 
products. Customers will expect that data are protected and that 
protection of data helps to ensure safe and intended functionality of 
the IoT product.
    (4) Interface Access Control: The IoT product restricts logical 
access to local and network interfaces--and to protocols and services 
used by those interfaces--to only authorized individuals, services, and 
IoT product components.
    i. Cybersecurity Utility: Enumerating and controlling access to all 
internal and external interfaces to the IoT product will help preserve 
the confidentiality, integrity, and availability of the IoT product, 
its components, and data by helping prevent unauthorized access and 
modification.
    (5) Software Update: The software of all IoT product components can 
be updated by authorized individuals, services, and other IoT product 
components only by using a secure and configurable mechanism, as 
appropriate for each IoT product component.
    i. Cybersecurity Utility: Software may have vulnerabilities 
discovered after the IoT product has been deployed; software update 
capabilities can help ensure secure delivery of security patches.
    (6) Cybersecurity State Awareness: The IoT product supports 
detection of cybersecurity incidents affecting or affected by IoT 
product components and the data they store and transmit.
    i. Cybersecurity Utility: Protection of data and ensuring proper 
functionality can be supported by the ability to alert the customer 
when the device starts operating in unexpected ways, which could mean 
that unauthorized access is being attempted, malware has been loaded, 
botnets have been created, device software errors have happened, or 
other types of actions have occurred that was not initiated by the IoT 
product user or intended by the developer.
    The following is the list of NIST-identified IoT Product Developer 
Activities/Non-Technical Supporting Capabilities and their NIST-
identified cybersecurity utility:
    (7) Documentation: The IoT product developer creates, gathers, and 
stores information relevant to cybersecurity of the IoT product and its 
product components prior to customer purchase, and throughout the 
development of a product and its subsequent lifecycle.
    i. Cybersecurity Utility: Generating, capturing, and storing 
important information about the IoT product and its development (e.g., 
assessment of the IoT product and development practices used to create 
and maintain it) can help inform the IoT product developer about the 
product's actual cybersecurity posture.
    (8) Information and Query Reception: The IoT product developer has 
the ability to receive information relevant to cybersecurity and 
respond to queries from the customer and others about information 
relevant to cybersecurity.
    i. Cybersecurity Utility: As IoT products are used by customers, 
those customers may have questions or reports of issues that can help 
improve the cybersecurity of the IoT product over time.
    (9) Information Dissemination: The IoT product developer broadcasts 
(e.g., to the public) and distributes (e.g., to the customer or others 
in the IoT product ecosystem) information relevant to cybersecurity.
    i. Cybersecurity Utility: As the IoT product, its components, 
threats, and mitigations change, customers will need to be informed 
about how to securely use the IoT product.
    (10) Product Education and Awareness: The IoT product developer 
creates awareness of and educates customers and others in the IoT 
product ecosystem about cybersecurity-related information (e.g., 
considerations, features) related to the IoT product and its product 
components.
    i. Cybersecurity Utility: Customers will need to be informed about 
how to securely use the device to lead to the best cybersecurity 
outcomes for the customers and the consumer IoT product marketplace.
    90. Consumer IoT Product Standards. We find that standards are 
necessary to administer the IoT Labeling Program in a fair and 
equitable manner and to ensure the products with the FCC IoT Label have 
all been tested to the same standards to provide consumers with 
confidence that products bearing the FCC IoT Label include strong 
cybersecurity. Commenters generally agree with the adoption of 
standards based on NIST's Core Baseline for Consumer IoT products 
(NISTIR 8425). We take up the Cybersecurity Coalition's recommendation 
``that the Commission or a designated third-party administrator work 
with stakeholders to identify recognized standards that encompass the 
Core Baseline, or that offer equivalent controls.'' NCTA also notes 
that ``Standards Development Organizations (``SDOs'') and specification 
organizations are well-established organizations that can develop 
standards aligned with NIST guidelines and the Program's goals.'' 
According to NIST, the NISTIR 8425 ``outcomes are guidelines that 
describe what is expected . . . but more specific information may be 
needed to define how to implement IoT products or product components so 
that they meet an outcome. Requirements define how a component can meet 
an outcome for a specific use case, context, technology, IoT product 
component etc. . . ..''
    91. We reject CTIA's recommendation that the Commission refrain 
from adopting specific standards and solely rely on the NIST criteria. 
Rather, the Commission agrees with NIST and commenters that its 
criteria are general guidelines that must be further developed into a 
requirements document (i.e., standards) and corresponding testing 
procedures, which will demonstrate how the product bearing the FCC IoT 
Label has met the NIST criteria and to ensure consistency of 
application across a class of products. ITI adds that the ``Commission 
need not recreate [existing] work or develop its own standards but can 
leverage completed standards work for swift development

[[Page 61261]]

and implementation.'' The integrity of the Cyber Trust Mark requires 
the Commission to adopt standards that provide for adequate and 
consistent testing of products to ensure that all products bearing the 
FCC IoT Label have demonstrated conformance to the identified standards 
that the Commission has approved as compliant with the NIST criteria. 
In addition, for the Commission's IoT Labeling Program to be fairly 
administered by the multiple CLAs, all products displaying the FCC's 
label must be tested against the same standards to ensure that all 
products displaying the FCC IoT Label conform to the Commission's 
standards.
    92. Commenters such as T[Uuml]V S[Uuml]D agree that ``the main 
requirement when perform[ing] testing for compliance is that the test 
need[s] to be reliable and always offer the same outcome when a product 
is tested in the same condition. In the current state of the NIST IoT 
criteria there is not enough detail[ ] in the standard, so there is the 
need to write a more detail[ed] test method/standard.'' UL Solutions 
also ``supports the use of the NISTIR 8425 criteria as the basis for 
the IoT Labeling Program. These criteria help establish a minimum 
security baseline suitable for consumer IoT products . . . However, as 
noted in paragraphs 27 and 28 [of the IoT Labeling NPRM], these 
criteria must be defined by minimum IoT security requirements and 
standards to enable consistent and replicable product testing.'' 
Moreover, Somos similarly agrees that leveraging existing standards for 
device definition and security guidelines are the fastest, most 
effective path to the definition of a secure ecosystem, that NIST 8425 
standard is the appropriate starting point, and that ``existing 
standards should allow for the Commission to quickly create its 
definitions and guidelines.'' We agree with the Cybersecurity Coalition 
that ``only those standards and best practices recognized by the 
labeling program should be eligible, in order to avoid the inclusion of 
non-credible or irrelevant frameworks that may undermine trust in the 
label.''
    93. We further determine that, given the existing work in this 
space, the Commission should not undertake the initial development of 
the standards that underpin the NIST Core Baseline. Rather, as 
discussed in paragraph 56 above, we direct the Lead Administrator to 
undertake this task, and delegate authority to the Bureau to review and 
approve the consumer IoT cybersecurity standards and testing procedures 
that have been identified and/or developed by the Lead Administrator 
(after any appropriate public comment) that ensures the product to 
which a manufacturer seeks to affix the FCC IoT Label conforms to the 
NIST criteria. NIST's IoT Product Component Requirements Essay provides 
a summary of standards and guidance that NIST has initially identified 
as applicable to IoT devices and IoT product components, that the Lead 
Administrator may determine are applicable to the IoT Labeling Program. 
Moreover, the Lead Administrator may also determine existing standards 
or schemes that exist in the market already may be readily adaptable 
and leverage such work to meet the terms of the program.
    94. The Commission recognizes that since a ``product'' for purposes 
of the IoT Labeling Program is comprised of at least one IoT device and 
any additional product components that are necessary to use the IoT 
device beyond basic operational features, there may be multiple 
standards (e.g., a package of standards) applicable to a single IoT 
product (e.g., standards applicable to IoT devices; mobile apps; 
networking equipment included with IoT devices; and cloud platforms). 
The Commission does not anticipate a single standard would be developed 
or identified to apply to all consumer IoT products. However, a single 
package of standards may be developed or identified for each product 
type or class as identified by the Lead Administrator and reviewed and 
approved by the Bureau. We also agree with the Cybersecurity Coalition 
that ``participants should have discretion to include security features 
that go beyond standard requirements . . . So long as the additional 
security features do not conflict with conformity with the standard 
used for eligibility by the labeling program participants, participants 
should be encouraged to go beyond baseline requirements.''

F. The FCC IoT Label (Cyber Trust Mark and QR Code)

    95. We adopt the IoT Labeling NPRM's proposal to implement a single 
binary label with layering. As discussed in the IoT Labeling NPRM, 
``under a binary label construct, products will either qualify to carry 
the label or not qualify (i.e., not be able to carry the label) and 
`layers' of the label would include the Commission's Cyber Trust Mark 
representing that the product or device has met the Commission's 
baseline consumer IoT cybersecurity standards and a scannable code 
(e.g., QR Code) directing the consumer to more detailed information of 
the particular IoT product.''
    96. We adopt a binary label because we believe that a label 
signaling that an IoT product has met the minimum cybersecurity 
requirements will be simplest for consumers to understand, especially 
as the label is introduced to and established for the public. The 
Cybersecurity Coalition supports a binary label, citing the benefits of 
a simple, consumer friendly nature and its potential to streamline the 
purchasing decision for consumers. Similarly, as LG Electronics points 
out, ``[l]ike the ENERGY STAR program, a binary label specifying that a 
device has met a government standard--in this case for cybersecurity--
will be enough to drive consumers and manufacturers toward more secure 
products,'' while leaving manufacturers free to separately provide 
additional cybersecurity information about their products. And the 
Connectivity Standards Alliance supports the use of a single binary 
label with layering, as recommended by NIST, asserting that 
``[a]cademic studies have validated this approach.'' Conversely, Canada 
advocates a multi-tiered approach to labeling to ``lower barriers to 
entry into the labelling regime and facilitate trade and competition by 
ensuring Micro, Small and Medium Sized Enterprises (MSMEs), with fewer 
resources to meet a high level of cybersecurity,'' and to ``provide the 
incentives for a greater number of firms to innovate in IoT products 
and work on `climbing the ladder' of cybersecurity levels over time.'' 
Another commenter suggests a multi-tiered label that would have 
different colors depending on the length of time the product is 
supported. Other commenters advocate a multi-tiered approach that need 
not be reflected in different Cyber Trust Marks, but in different 
information available when a consumer scans the QR code. A study by 
Carnegie Mellon University indicates that different types of labels of 
various complexities have varying levels of effectiveness, but does not 
contest the idea of a binary label. We also recognize that some 
international regimes, such as Singapore, use a multi-tiered label.
    97. Although one could imagine myriad different approaches to 
labeling that each have relative advantages and disadvantages, on 
balance we are persuaded to rely on a binary label as we begin our IoT 
Labeling Program, consistent with NIST's recommended approach. We agree 
with the Cybersecurity Coalition that ``the primary value of the IoT . 
. . labeling program is to better enable ordinary consumers to 
distinguish labeled products as likely providing better basic security 
than unlabeled products.'' We believe a binary label meets this goal by

[[Page 61262]]

providing a clear indication that products with the label meet the 
Commission's cybersecurity requirements. We anticipate that promoting 
early consumer recognition of the FCC IoT Label--which we think is 
better advanced by a binary label--will, in turn, make consumers more 
attuned to cybersecurity issues and more receptive to additional 
cybersecurity information that manufacturers elect to provide apart 
from the FCC IoT Label and associated QR code. Thus, we believe that 
our use of a binary label still retains incentives for manufacturers to 
innovate and achieve higher levels of cybersecurity. Our approach to 
determining what cybersecurity standards will be applied also 
accommodates the potential for different requirements being necessary 
to meet the NIST baseline criteria in different contexts. To the extent 
that any multi-tiered labeling approach contemplated by commenters 
would allow manufacturers to obtain a label through lesser 
cybersecurity showings, that would be less effective at achieving the 
goals of our program. And to the extent that any multi-tiered labeling 
approach would require manufacturers to make heightened cybersecurity 
showings to achieve higher-tier labels, that is unlikely to lower 
barriers to participation in the IoT Labeling Program while also 
risking less understanding and acceptance of the FCC IoT Label by 
consumers. Because delay in moving forward with the IoT Labeling 
Program would have its own costs in pushing back the potential for 
benefits to consumers and device security, we also recognize the 
benefits of a binary label as more straightforward to implement, at 
least at the start of our IoT Labeling Program. Weighing all the 
relevant considerations, we are persuaded to move forward with a binary 
label at this time.
    98. We require that products bearing the FCC IoT Label, which 
includes the Cyber Trust Mark, must also include the corresponding QR 
Code. Approval to use the Cyber Trust Mark is conditioned on the label 
also bearing the QR Code in accordance with the IoT Labeling Program's 
label standards. In addition, the FCC IoT Label must be easily visible 
to consumers (e.g., on product packaging). This approach received 
considerable support in the record. We agree with USTelecom that 
``consumers should not have to open the package to get information 
because that could impact their ability to return the product.'' Power 
Tool Institute, Inc. concurs that ``[p]lacing a QR Code on the 
packaging is preferable to placing it on the device.'' Notable pros of 
using a QR Code are providing ``consumers with detailed information 
about a device or product,'' enhancing the program's objective by 
providing real-time updates. However, some commenters raise concerns 
with the placement of the QR Code on the product packaging. Logitech 
urges the Commission to not require a QR Code in conjunction with the 
label, stating that it could crowd packaging, cause consumer confusion, 
and may cause confusion if retailers scan the wrong barcode when 
checking out a customer. We believe that as the label becomes 
established and recognized by consumers and retailers, the benefit of 
providing a QR Code linking to a registry populated with current 
information on the IoT product outweighs the potential for consumer 
confusion. We also believe the registry will be of value to consumers 
such that they will want to see it acknowledged in an easily accessible 
manner, which will override any potential difficulty retailers may have 
with scanning the incorrect code. Moreover, recognizing the realities 
of inventory turnover against the need for a cybersecurity label to be 
dynamic, the use of a QR Code-embedded URL in this context ensures that 
(1) if a consumer desires more information about the product than what 
the label itself signifies there is a simple means of access; and (2) 
information associated with the product's compliance with the IoT 
Labeling Program is current. We view these as relevant considerations 
to purchasing decisions, which requires easy access to such information 
``on the spot'' rather than requiring a purchaser to independently seek 
it out.
    99. We direct the Lead Administrator to collaborate with 
stakeholders as needed to recommend to the Commission standards for how 
the FCC IoT Label bearing the Cyber Trust Mark and the QR Code should 
be designed (e.g., size and white spaces) and where such a label should 
be placed. This should include where the label could be placed on 
products where consumers may not see product packaging when shopping or 
after purchasing (e.g., refrigerators, washing machines, dryers, 
dishwashers, etc.) and including where consumers purchase products 
online. The Lead Administrator and stakeholders should also examine 
whether the label design should include the date the manufacturer will 
stop supporting the product as well as whether including other security 
and privacy information (e.g., sensor data collection) on the label 
would be useful to consumers. In addition, the Lead Administrator 
should address the use of the FCC IoT Label in store displays and 
advertising.\20\ We recognize the current work being done by industry 
on an appropriate format for the label, including the Cybersecurity 
Label Design, which is part of CTA's American National Standards 
Institute (ANSI)-accredited standards program. As noted by CTA in its 
reply comments, the FCC specifies requirements for the use of the Cyber 
Trust Mark, but ``there are several additional details needed regarding 
QR coding and resolution, white space for accurate recognition of QR 
codes, and more.'' CTA states that the draft ANSI/CTA-2120 details lay 
out requirements for packaging, and we encourage the Lead Administrator 
to review and consider the work CTA's Cybersecurity Label Design 
working group (a subgroup of CTA's Cybersecurity and Privacy Management 
Committee) has completed in this regard. We agree that we should take 
into consideration the considerable work that has already been 
undertaken with respect to labeling design and placement and seek to 
leverage and benefit from this expertise by directing the Lead 
Administrator to seek feedback from a cross-section of relevant 
stakeholders who have been working on these issues. We delegate 
authority to PSHSB to review, approve (or not approve) the Lead 
Administrator-recommended labeling design and placement standards after 
any required public notice and comment process and if approved 
incorporate into the Commission's part 8 rules. The provisions of 47 
CFR 2.935(a) (allowing the electronic display of ``or other information 
that the Commission's rules would otherwise require to be shown on a 
physical label attached to the device'') do not apply to the FCC IoT 
Label. The Cyber Trust Mark may only be used as directed by part 8, 
notwithstanding 47 CFR 2.935 or any other rule.
---------------------------------------------------------------------------

    \20\ The issue of where the FCC IoT Label would be placed was 
raised in the record. We agree that flexibility in placement is 
important in instances where the consumer might not see the 
product's packaging, such as in larger appliances, before purchasing 
the product. We recognize that some types of products might be 
customarily displayed in ways that make a one-size-fits-all approach 
inappropriate. As such, we agree with the ioXt Alliance's suggestion 
that we consider how the label may be placed in ways that will be 
helpful to a consumer, such as through an in-store display, 
advertisement on a screen, or website.
---------------------------------------------------------------------------

G. Registry

    100. We adopt our proposal from the IoT Labeling NPRM that the 
label include the Cyber Trust Mark and a QR Code that links to a 
decentralized publicly available registry containing

[[Page 61263]]

information supplied by entities authorized to use the FCC IoT Label 
(e.g., manufacturers) through a common Application Programming 
Interface (API). The registry will include and display consumer-
friendly information about the security of the product. We believe a 
publicly accessible registry furthers the Commission's mission of 
allowing consumers to understand the cybersecurity capabilities of the 
IoT devices they purchase. We also agree that it is important for the 
registry to be dynamic, so a consumer can be aware if a product loses 
authorization to use the FCC IoT Label or if the manufacturer is no 
longer providing security updates. There is robust support for the 
development of a publicly-accessible registry. We agree with NCTA that 
``the IoT Registry is foundational to the value and utility of the 
Cyber Trust Mark Program.'' In the following paragraphs, we establish 
general parameters for registry information.
    101. We adopt a decentralized registry that contains specific 
essential information that will be disclosed by the manufacturer, as 
discussed in further detail below. This essential information from the 
manufacturer will be provided to a consumer accessible application via 
the registry by utilizing a common API that is secure by design. When a 
consumer scans the QR Code, a consumer accessible application will 
access the registry using the common API and present the consumer with 
the information we require to be displayed from the registry. CTIA 
points out that a centralized registry containing all the information 
the Commission conceived in the IoT Labeling NPRM and by commenters in 
the record would be inordinately complex and costly. We agree, and 
endeavor to meet the policy goal of providing a transparent, accessible 
registry to the public through more efficient and less complicated 
means.
    102. We agree with the Commission's assessment in the IoT Labeling 
NPRM that the registry's goal is to assist the public in understanding 
security-related information about the products that bear the Cyber 
trust Mark. CTIA confirms this view, stating ``the Commission should 
focus on the [registry] as a means to provide consumers with 
information that is critical to the success of the program.'' CTIA 
further proposes that we should allow each manufacturer to establish 
their own mechanisms for conveying this information to consumers. 
However, we acknowledge ioXt Alliance's concern that a completely 
manufacturer-driven approach could lead to inconsistencies, 
inaccuracies, or other difficulties for the consumer. To balance the 
need for a workable, streamlined registry that is consistent for 
consumers and meets the Commission's goals while easing the 
administrative burden inherent in a centralized registry, we require a 
common API that would provide access to the following essential 
information from the manufacture and display it to the consumer in a 
simple, uniform way:
     Product Name;
     Manufacturer name;
     Date product received authorization (i.e., cybersecurity 
certification) to affix the label and current status of the 
authorization (if applicable);
     Name and contact information of the CLA that authorized 
use of the FCC IoT Label;
     Name of the lab that conducted the conformity testing;
     Instructions on how to change the default password 
(specifically state if the default password cannot be changed);
     Information (or link) for additional information on how to 
configure the device securely;
     Information as to whether software updates and patches are 
automatic and how to access security updates/patches if they are not 
automatic;
     The date until which the entity promises to diligently 
identify critical vulnerabilities in the product and promptly issue 
software updates correcting them, unless such an update is not 
reasonably needed to protect against cybersecurity failures (i.e., the 
minimum support period); alternatively, a statement that the device is 
unsupported and that the purchaser should not rely on the manufacturer 
to release security updates;
     Disclosure of whether the manufacturer maintains a 
Hardware Bill of Materials (HBOM) and/or a Software Bill of Materials 
(SBOM); \21\ and
---------------------------------------------------------------------------

    \21\ In addition to the declaration, the SBOM and HBOM will be 
made available upon request by the Commission, CyberLAB, and/or CLA.
---------------------------------------------------------------------------

     Additional data elements that the Bureau determines are 
necessary pursuant to the delegated authority discussed below.
    103. To reduce potential burdens and focus on essential 
information, we pare back the scope of the registry from what the 
Commission proposed in the IoT Labeling NPRM. We agree with the 
Cybersecurity Coalition that ``[t]he primary purpose of the label is to 
help consumers make informed purchasing decisions'' and include in the 
registry information that is key to making a purchasing decision, 
without overwhelming the consumer. To this end, we agree with 
commenters who suggest that including the information proposed in the 
IoT Labeling NPRM may be too burdensome. NEMA, for example, expresses 
concern about the resources required for a registry containing a full 
catalogue of devices. CTIA agrees that the IoT registry envisioned by 
the IoT Labeling NPRM would ``impose significant, unmeetable burdens'' 
for participants and the manager of the registry, and encourages us to 
refine our approach. The Cybersecurity Coalition likewise expresses 
concern over the complexity of the proposed registry. We agree that the 
registry be ``modest in its goals'' and ``limited to basic information 
that is uniform . . . and pragmatic and useful to the consumer.'' We 
believe that a registry containing simple, easy to understand 
information will be most helpful to a consumer making a purchasing 
decision, but also see the value in allowing manufacturers to include a 
second registry page (following the consumer-focused page) to enable 
manufacturers to provide additional technical details designed for 
researchers, enterprise purchasers, and other expert consumers of the 
label. Focusing only on the most critical information will further 
facilitate the speedy establishment of the IoT Labeling Program and the 
registry itself.
    104. In the interest of keeping information simple and establishing 
the database swiftly, we streamline the elements that should be 
included in the registry. We do require information about how to 
operate the device securely, including information about how to change 
the password, as it would help consumers understand the cybersecurity 
features of the products, how those products are updated or otherwise 
maintained by the manufacturer, and the consumer's role in maintaining 
the cybersecurity of the product. We do not require information about 
whether a product's security settings are protected against 
unauthorized changes as part of the initial rollout of the registry in 
an attempt to streamline the registry to address concerns that the 
registry would be too bulky or unfriendly to consumers. We recognize 
the value of ensuring the registry information is accessible to 
everyone, including those whose primary language is not English. 
Accordingly, we direct the Lead Administrator to recommend to the 
Bureau whether the registry should be in additional languages and if 
so, to recommend the specific languages for inclusion. We delegate 
authority to the Bureau to consider and adopt requirements in this 
regard upon review

[[Page 61264]]

of these recommendations. As the Association of Home Appliance 
Manufacturers points out, the location of the product's manufacture is 
redundant with existing legal requirements. We also do not require 
labels to include an expiration date at this time as it may not be an 
applicable requirement for every product, but we direct the Label 
Administrator to consider whether to recommend including the product 
support end date on labels for certain products, or category of 
products.
    105. While we recognize the value of utilizing the registry to keep 
consumers informed about product vulnerabilities, we note CTIA and 
Garmin's concerns about listing unpatched vulnerabilities as not 
providing value to consumers, discouraging manufacturers from 
participating in the program, and tipping off bad actors. We agree that 
these concerns are significant and do not require detailed information 
about vulnerability disclosures in the registry at this time. Rather, 
we require disclosure only of whether a manufacturer maintains an SBOM 
and HBOM for supply chain security awareness. We agree with Consumer 
Reports, NYC Cyber Command Office of Technology and Innovation (NYC 
OTI), and the Cybersecurity Coalition that an SBOM should be considered 
as an element of the registry. We also note that Garmin's concern is 
with disclosing the specific contents of an SBOM to the public, which 
``could reveal confidential business relationships with companies, as 
well as provide a roadmap for attackers,'' but this is not what we 
require here. Requiring participating manufacturers to disclose only 
the maintenance of an SBOM and HBOM, rather than the contents therein, 
indicates an added level of software and hardware security while also 
protecting potentially sensitive information. Further, while we agree 
with CTA that a searchable registry would have value for the public, we 
are mindful of the resources, costs, and time involved with creating a 
registry that is searchable by each of the elements identified in the 
IoT Labeling NPRM. In limiting the registry as we have, we address the 
concerns that the registry may be too complex to administer in the 
initial iteration of the IoT Labeling Program. As discussed above, the 
decentralized, API-driven registry we adopt in the Order addresses the 
complexity concerns raised in the record. We cabin our initial vision 
of the registry and direct the Bureau, as described further below, to 
consider ways to make the initial design of the registry modest, with 
potential to scale the registry as the IoT Labeling Program grows.
    106. In this respect, we note that NIST's research suggests that 
``future work should be done to examine potential issues of including 
an expiry date on a label.'' NIST cited studies conducted by the UK 
Government that consumers were confused about what the expiration date 
meant, and an Australian government study in which consumers thought 
the device would stop working after that date. The UK research did 
conclude, however, that continued manufacturer support was important to 
survey participants. Consumer Reports suggested an expiration date, if 
present, should be tied to an end-of-support date rather than a renewal 
date. NIST's research into the importance of support dates to consumers 
coupled with the potential confusion of expiration dates and the 
support from the record lead us to conclude an expiration date is not 
warranted. We do find, however, that the disclosure of a minimum 
support period and end date for the support period for the device is 
appropriate and will provide meaningful information to consumers on the 
manufacturer's commitment to provide patches or other support--a vital 
issue in a dynamic threat environment. To ensure that information about 
this support period remains accurate, and to encourage manufacturers to 
support their products for longer periods, manufacturers shall be able 
to extend the support period in the registry through a mechanism to be 
determined by the Lead Administrator, but which should be expeditious 
and require no further disclosures.
    107. While we identify the defined set of data that is consistent 
across all manufacturers, we believe the information contained in the 
registry for a particular IoT product or product class may also depend 
on the standards and testing procedures adopted for each particular IoT 
product. As such, in the near term, we expect there will be additional 
registry data elements that are specific to an IoT product, or classes 
of IoT products, that are not yet ripe for decision. We also recognize 
that some of the information recommended by NIST in its consumer 
education recommendations, discussed in further detail below, may be 
valuable for consumers to see in the registry. Accordingly, while we 
provide a baseline of necessary information that must be displayed for 
an IoT product in the registry, regardless of class the IoT product 
belongs to, we delegate authority to the Bureau to determine, subject 
to any required public notice and comment processes, whether any 
additional disclosure fields, such as the manufacturer's access control 
protections (e.g., information about passwords, multi-factor 
authentication), whether or not the data is encrypted while in motion 
and at rest (including in the home, app, and cloud), patch policies and 
security or privacy information are necessary, and if so, what should 
they be.
    108. We disagree with commenters, such as LG Electronics, who 
suggest that manufacturers should have discretion over whether to 
include additional privacy and/or security information through a QR 
Code, URL, or other scannable mechanism insofar as it would require 
additional information in the registry. LG Electronics, though 
supportive of adding a variety of data to the registry, acknowledges it 
is unclear how much detail or what types of information would be of 
value to a consumer. We believe that allowing discretion over what 
information is included in the registry may overcrowd it, or engender 
consumer confusion. Rather, uniform registry elements will provide 
greater consistency for consumers and adoption of uniform registry 
elements is supported by the record. We make clear, however, that we do 
not otherwise restrict what information manufacturers may include or 
reference on their product packaging, so long as it does not interfere 
with or undermine the display of the FCC IoT Label.
    109. We recognize that a decentralized registry relying on data 
derived through an API from manufacturers will require some oversight 
to ensure that the registry, when accessed by consumers using QR Codes, 
functions as described and displays the required information about 
individual products. We direct the Lead Administrator to receive and 
address any technical issues that arise in connection with displaying 
the registry through the QR Code, the associated API, and consumer 
complaints with respect to the registry. CSA recommends that the 
Commission engage a third-party with operating the registry for cost 
and efficiency reasons. CTA agrees that the Commission should use a 
third-party to host and manage the registry due to the resources 
required to establish the registry. We agree that, given the structure 
of the registry as we adopt in the Order, the Lead Administrator is in 
the best position to interface with manufacturers to ensure the smooth 
operation of the registry.
    110. We also recognize that for a registry of this magnitude to be 
effectively and timely rolled out requires significant input and

[[Page 61265]]

coordination with industry partners. To determine how the registry 
should be structured to best meet the goals of the IoT Labeling Program 
as we adopt in the Order, we direct the Bureau to seek comment and 
consider, as part of a public process, the technical details involved 
with the operation of the registry. We delegate authority to the Bureau 
to adopt a Public Notice, subject to any required public notice and 
comment, establishing the structure of the registry; identifying the 
common API; how the API should be structured; how the API should be 
used; how the queried data will be displayed to the consumer; how 
manufacturers need to maintain and implement the API in connection with 
its interactions with the registry; what, if any, additional disclosure 
fields would be most beneficial to consumers in the future, as 
discussed above; how the data in the registry returned by the API 
should be presented to the consumer; how the costs involved in 
maintaining the registry will be handled; how often the registry should 
be updated; whether to require the manufacturer to list the product 
sensors, what data is collected, if the data is shared with third 
parties, or security or privacy issues and if data should be 
replicated; and whether data should be replicated in multiple 
repositories--by the relevant CLA(s) or vendors, for example--and 
publicly accessible via a single query point; and any other technical 
information needed to establish the registry as we adopt in the Order. 
The Bureau should consider how to reduce burdens on manufacturers in 
supporting the decentralized registry. We delegate authority to PSHSB 
in coordination with, at a minimum, OMD (specifically the Office of the 
Chief Information Officer) and, to the extent necessary OGC 
(specifically the Senior Agency Official for Privacy) to identify and 
impose any applicable security or privacy requirements arising from 
Federal law or Federal guidance for the registry and to approve or 
modify the recommendations regarding the functional elements of the 
registry listed above. We further delegate authority to PSHSB to 
publish a Public Notice, subject to any required public notice and 
comment, adopting and incorporating into the Commission's rules any 
additional requirements or procedures necessary to implement the Cyber 
Trust Mark registry.

H. Continuing Obligations of Entities Authorized To Use the FCC IoT 
Label

    111. We adopt the proposal in the IoT Labeling NPRM that applicants 
must renew their authority to use the FCC IoT Label. Entities 
authorized to use the FCC IoT Label are required to ensure the product 
bearing the FCC IoT Label continue to comply with the Commission's 
program requirements. We disagree with the Connected Consumer Device 
Security Council (CCDS) that no renewals should be required and the 
product should simply bear the last date of testing. Such an approach 
could severely impair consumer trust in the label, especially if a 
product bearing the FCC IoT Label is being sold as new but is far out 
of date as to its initial achievement of the Mark.
    112. For those that support some interval of renewal, the record is 
divided with respect to whether IoT Labeling Program applicants should 
file for renewal each year, as proposed in the IoT Labeling NPRM. 
Consumer Reports and T[Uuml]V S[Uuml]D agree that annual renewal is 
appropriate. AHAM feels that an annual renewal application as the 
Commission proposed was unnecessary, or at minimum ``unnecessarily 
rigid.'' AHAM posits that a requirement to renew should only be 
triggered when a significant or substantive change is made to either 
the standard the manufacturer certifies to, or a significant design 
change to the product. Similarly, more durable IoT products (such as 
smart appliances) may need to be renewed less frequently. NAM argues 
that annual renewals are unnecessary for products that pose a limited 
risk. Kaiser Permanente believes higher-risk devices should be updated 
annually, and otherwise renewal should occur every three years. CCDS 
argues no annual testing is necessary, and the product should simply 
have the date it was authorized to bear the label that signals the 
product was compliant as of the initial date. CSA suggests limiting the 
need for annual testing, but suggests some kind of annual reporting 
should be required. We observe that other certifying bodies, such as 
ioXt Alliance, require annual renewal for products they certify and 
allow incentives for early renewal. Based on the record, we recognize 
the degrees of nuance attendant to the different types of products at 
issue. We agree with the notion that certain IoT products, depending on 
their lifespan and risk level, may need different standards for renewal 
to achieve the FCC IoT Label.
    113. We task the Lead Administrator to collaborate with 
stakeholders and provide recommendations to PSHSB on how often a given 
class of IoT products must renew their request for authority to bear 
the FCC IoT Label, which may be dependent on the type of product, and 
that such a recommendation be submitted in connection with the relevant 
standards recommendations for an IoT product or class of products. In 
doing so, consideration should be given as to whether annual continuous 
compliance reports are acceptable for purposes of renewing, and how to 
effectively balance the need for industry flexibility and the need to 
ensure that consumers have up-to-date information about the product 
they are considering purchasing. Consideration should also be given to 
the fees incurred as part of a renewal process, as we agree with Kaiser 
Permanente that renewal fees must not be unduly burdensome or cost-
prohibitive. We emphasize that renewals should occur frequently enough 
that a consumer can be sure that a product bearing the FCC IoT Label 
has reasonable cybersecurity protections in place, and some process 
must be in place to ensure accountability, even if annual testing is 
not required. We delegate authority to PSHSB to review, approve (if 
appropriate) and, subject to any required public notice and comment, 
incorporate by reference into the Commission's rules, the proposals 
from the Lead Administrator for renewal of authority to bear the FCC 
IoT Label.

I. Audits, Post-Market Surveillance, and Enforcement

    114. We adopt the IoT Labeling NPRM's proposal to rely on a 
combination of administrative remedies and civil litigation to address 
non-compliance and direct the CLA(s) to conduct post-market 
surveillance. The purpose of this IoT Labeling Program is to provide 
reasonable assurances to the consumer that the products they bring into 
their homes have at least a minimum level of cybersecurity. The success 
of the IoT Labeling Program hinges on the label retaining its integrity 
as a trusted consumer resource. This requires vigorous review and 
enforcement to ensure that products bearing the Cyber Trust Mark are in 
compliance with the program standards. We further observe that the ISO/
IEC 17065 standards require CLAs to perform appropriate post-market 
surveillance activities. We adopt post-market surveillance and civil 
enforcement, accordingly.
    115. We find support in the record that the ``Mark must be trusted 
by consumers to be successful'' and ``to gain consumer confidence and 
incentivize cybersecurity, the label must be backed by a robust 
enforcement program.'' We agree with the EPIC's position that weak 
enforcement may result in unmet consumer expectations regarding a 
product's actual level of cybersecurity and ``allow bad actors to take 
advantage of the goodwill created

[[Page 61266]]

by the cybersecurity program,'' and take up its recommendation of 
independent, post-market audits accordingly. Whirlpool also supports 
regular market surveillance to find instances of unapproved use of the 
Cyber Trust Mark, as well as products that may have been certified but 
no longer meet program requirements. Whirlpool states that surveillance 
``should include random auditing . . . as well as sampling of some 
established percentage on a regular basis of certified products/
devices.'' The American Association for Laboratory Accreditation 
supports adopting the product surveillance standards established for 
Telecommunication Certification Bodies (TCBs) and in the EPA's ENERGY 
STAR program. We also agree with commenters who indicate that the 
Commission, CLAs, and possibly the Federal Trade Commission (FTC) 
should be able to receive complaints of noncompliant displays of the 
Cyber Trust Mark, which could result in auditing. We delegate authority 
to the Bureau, in coordination with the Consumer and Governmental 
Affairs Bureau, to determine the process for receiving and responding 
to complaints. CTA and Planar Systems also support random auditing. We 
agree that random audits, in addition to regular post-market 
surveillance will best serve to maintain consumer confidence in the 
Cyber Trust Mark.\22\
---------------------------------------------------------------------------

    \22\ To enable a meaningful audit process it will be important 
to be able to review certain key records, which we consequently will 
require grantees to retain records regarding the original design and 
specifications and all changes that have been made to the relevant 
consumer IoT product that may affect compliance with the IoT 
Labeling Program requirements; a record of the procedures used for 
production inspection and testing; and a record of the test results 
that demonstrate compliance. See 47 CFR 8.215. We model our approach 
on analogous elements of our equipment authorization rules, with 
which the Commission and industry have substantial experience, and 
which have proven workable in practice. See 47 CFR 2.938(a), (f).
---------------------------------------------------------------------------

    116. Post-market surveillance. We agree with the Cybersecurity 
Coalition that post-market surveillance of products receiving the Cyber 
Trust Mark should be a principal enforcement mechanism, and find that 
CLAs are in the best position to conduct post-market surveillance and 
random auditing, in accordance with ISO/IEC 17065. These activities are 
based on type testing a certain number of samples of the total number 
of product types which the CLA has certified. In addition, each CLA 
must be prepared to receive and address post-market surveillance from 
the public. If a CLA determines that a product fails to comply with the 
technical regulations for that product, the CLA will immediately notify 
the grantee and the Lead Administrator in writing. The grantee will 
have 20 days to provide a report to the CLA describing actions taken to 
correct the deficiencies. Continued deficiency after 20 days will 
result in termination of the grantee's approval to display the Cyber 
Trust Mark. A grantee's approval to display the Cyber Trust Mark may 
also be terminated subject to the 20 day cure period for false 
statements or representations found in their application or associated 
materials or if other conditions come to the attention of a CLA which 
would warrant initial refusal to authorize use of the FCC Label. Such 
terminations will protect the integrity of the FCC IoT Label and 
encourage accurate representations and disclosures in application 
materials that will enhance the reliability of the Labeling Program's 
operation, more generally.
    117. We believe it is appropriate for the Lead Administrator, in 
collaboration with the CLAs and other stakeholders, to identify or 
develop, and recommend to the Commission for approval, the post market 
surveillance activities and procedures that CLAs will use for 
performing post-market surveillance. The recommendations should include 
specific requirements such as the number and types of samples that a 
CLA must test and the requirement that grantees submit, upon request by 
PSHSB or a CLA, a sample directly to the CLA to be evaluated for 
compliance at random or as needed.\23\ We delegate authority to the 
Bureau to review the recommendations and, subject to any required 
public notice and comment, incorporate post market procedures into the 
Commission's rules. We also delegate authority to the Bureau to 
establish requirements (subject to any required public notice and 
comment) regarding post-market surveillance of products in any 
instances where the CLA that granted the authorization of the product 
is not available to conduct such post-market surveillance. The document 
will also address procedures to be followed if a grantee's approval to 
display the Cyber Trust Mark is terminated based on mandatory post-
market surveillance or notice from the public, including 
disqualification from the IoT Labeling Program and potential further 
investigation into other products related to the manufacturer or the 
CyberLAB, as discussed below. Finally, the Lead Administrator will 
submit periodic reports to PSHSB of the CLAs' post-market surveillance 
activities and findings in the format and by the date specified by 
PSHSB.
---------------------------------------------------------------------------

    \23\ If necessary to accommodate the volume of auditing, a CLA 
may outsource some post-market surveillance testing to a recognized 
CyberLAB, but retains responsibility for the final review.
---------------------------------------------------------------------------

    118. The IoT Labeling NPRM sought comment on disqualification for 
nonconformity, referencing the Department of Energy's ENERGY STAR 
program, which sets out contractual Disqualification Procedures, 
including a 20 day period to dispute before a formal disqualification 
decision and what steps an ENERGY STAR partner must take after being 
formally disqualified (e.g., removing references to ENERGY STAR in the 
product labeling, marketing). The IoT Labeling NPRM asked whether the 
IoT Labeling Program should adopt a similar process. We agree with EPIC 
and Planar Systems in supporting a ``cure period [to] give[ ] good 
actors the opportunity to fix any issues without incurring penalties'' 
and '' to address any discovered non-conformance as long as the 
manufacturer is acting in good faith.'' Here, we adopt a cure period of 
20 days, which is in line with the ENERGY STAR program.
    119. EPIC also supports adopting disqualification procedures 
similar to ENERGY STAR's for non-compliance, including ceasing 
shipments of units displaying the label, ceasing the labeling of 
associated units, removing references to the label from marketing 
materials, and covering or removing labels on noncompliant units within 
the brand owner's control. It notes that the EPA also conducts retail 
store level assessments to identify mislabeled products and argues that 
a robust enforcement mechanism should include all of these actions. We 
delegate to the Bureau to consider whether such requirements should 
follow from termination of authority.
    120. In addition, we find that a combination of enforcement 
procedures for non-compliance are available, including administrative 
remedies under the Communications Act and civil litigation trademark 
infringement or breach of contract. Administrative remedies may 
include, but are not limited to, show cause orders, forfeitures, 
consent decrees, cease and desist orders, and penalties. The Commission 
will pursue all available means to prosecute entities who improperly or 
fraudulently use the FCC IoT Label, which may include, but are not 
limited to, enforcement actions, legal claims of deceptive practices 
prosecuted through the FTC,\24\ and legal

[[Page 61267]]

claims for trademark infringement or breach of contract. The record 
supports both administrative remedies to address consumer harm and 
civil enforcement actions for false use of the FCC IoT Label. We assert 
that this combination of enforcement mechanisms are best suited to 
protect consumer trust in the Cyber Trust Mark and incentivize 
participant compliance.
---------------------------------------------------------------------------

    \24\ In addition, to further help safeguard the integrity of the 
IoT Labeling Program and the FCC IoT Label, we codify a rule that 
prohibits any person from, in any advertising matter, brochure, 
etc., using or making reference to the FCC IoT Label or the Cyber 
Trust Mark in a deceptive or misleading manner. See 47 CFR 8.213(b). 
We model our approach on analogous elements of our equipment 
authorization rules, with which the Commission and industry have 
substantial experience, and which have proven workable in practice. 
See 47 CFR 2.927(c).
---------------------------------------------------------------------------

    121. Cyber Trust Mark Demonstrates Adherence to Widely Accepted 
Industry Cybersecurity Standards. While we decline to preempt state 
law, we find that approval to use the Cyber Trust Mark on a particular 
product is an indicator of reasonableness and demonstrates adherence to 
widely accepted industry cybersecurity standards. While several 
commenters support Commission preemption of state laws, as well as 
adoption of liability protections for devices approved to display the 
Cyber Trust Mark, we decline to preempt state law and decline to 
implement a legal safe harbor beyond reiterating the Commission's view 
that achievement of FCC IoT Label is an indicium of reasonableness for 
entities whose products are compromised despite being approved to use 
the Cyber Trust Mark. We recognize that a more fulsome safe harbor 
provision may indeed incentivize participation in the IoT Labeling 
Program, as the U.S. Chamber of Commerce urges. However, on this record 
we are not persuaded that it would be feasible or prudent for the 
Commission to make liability pronouncements as to laws or standards 
outside the Commission's purview as would be necessary for a broader 
safe harbor in the absence of preemption. As EPIC observes, such a safe 
harbor could also decrease consumer trust in the label. In addition, 
several states have adopted legal safe harbors for entities that 
implement reasonable security measures (e.g., voluntarily adopt 
recognized best practices such as NIST's and implement written security 
programs), and we defer to the states to determine whether approval to 
use the Cyber Trust Mark meets these State requirements. Given the 
uncertain interplay between qualification to use the Cyber Trust Mark 
and various state law regimes, coupled with the risk that such a safe 
harbor could decrease consumer trust in the label, we decline to 
preempt state liability requirements at this time.

J. International Reciprocal Recognition of the Cyber Trust Mark

    122. We note the robust record highlighting the immense value to 
manufacturers of IoT products in international harmonization of 
cybersecurity standards. We agree with Widelity that ``IoT devices are 
often manufactured and sold globally. As supply chains evolve, a 
consistent set of standards will support the rapid growth of innovation 
and security.'' We further agree with Consumer Reports that ``mutual 
recognition should only occur when the other program to be recognized 
has standards as stringent or more stringent'' than the IoT Labeling 
Program.
    123. We recognize several other countries already have an 
established national cyber IoT labeling program, including Singapore, 
Finland, and Germany. The record cites to these programs and highlights 
their features for consideration in developing the IoT Labeling 
Program. For example, the record explains how Singapore's CLS takes 
reference from the EN 303 645 standards developed by the European 
Telecommunications Standards Institute (ETSI). We note that other 
commenters have also recommended use of the ETSI EN 303 645 standards. 
Further, the record provides Finland's IoT labeling database as an 
example for developing our IoT registry. Several other countries have 
government activity around IoT devices or products. For example, Canada 
has a cybersecurity certification program for small and medium-sized 
organizations. As another example, South Korea has a IoT security 
certification system justified under Article 48-6 of their ``Act on 
Promotion of Information and Communications Network Utilization and 
Information Protection'' statute.
    124. We also observe continuing developments in IoT security across 
the globe for consideration. The European Union Agency for 
Cybersecurity (ENISA) is currently developing a cybersecurity 
certification framework that would require certain products, services, 
and processes to adhere to specific requirements. Relatedly, the U.S. 
has signed an agreement for a joint roadmap between the Cyber Trust 
Mark and similar consumer labeling programs in the EU. Further, Japan 
has committed to work with the U.S. to ``ensure interoperability'' of 
its IoT labeling scheme currently under development.
    125. We fully recognize the importance of ensuring international 
recognition of the IoT Labeling Program and reciprocity considerations 
underlie our decisions in the Order. We delegate authority to the 
Bureau and the FCC Office of International Affairs to work with other 
Federal agencies to develop international recognition of the 
Commission's IoT label and mutual recognition of international labels, 
where appropriate, as promptly as possible to enable recipients of the 
Cyber Trust Mark to realize the benefits an internationally recognized 
Cyber Trust Mark can have to promote global market access. Moreover, 
the proliferation in the marketplace both in the U.S. and abroad of 
products meeting a common baseline standard will elevate the overall 
global cybersecurity baseline for IoT and promote security-by-design 
approaches to smart products.

K. Consumer Education

    126. We adopt the IoT Labeling NPRM's proposal and base the IoT 
Labeling Program's consumer education requirements on the 
considerations NIST outlines in the NIST Cybersecurity White Paper due 
to its general applicability to an IoT label and in light of support 
from the record. The Lead Administrator will be responsible for 
developing a consumer education campaign that is based on the 
considerations recommended by NIST in the NIST Cybersecurity White 
Paper and discussed in greater detail below. In developing its consumer 
education plan, we task the Lead Administrator with considering ways to 
roll out a robust campaign with a reasonable national reach, including 
ways to make the consumer education accessible and whether education 
materials should be developed in multiple languages. We further task 
the Lead Administrator with considering the costs of conducting such 
outreach and how that outreach would be funded. Once developed, the 
Lead Administrator will submit this consumer education plan to the 
Bureau for consideration and for coordination in publicizing the 
benefits of the IoT Labeling Program. We recognize the importance of 
close collaboration between industry and delegate authority to the 
Bureau to consider and work with the Lead Administrator and other 
stakeholders to determine how the consumer education campaign would be 
executed and to execute the campaign. In addition and in furtherance of 
our expectation that the success of the IoT Labeling Program will be 
dependent on a close collaboration with the Federal Government, 
industry, and other relevant stakeholders, the Commission will 
coordinate as needed with relevant agencies, such as the Department of 
Homeland Security, Cybersecurity and Infrastructure Security Agency 
(CISA), the Federal Bureau of Investigation

[[Page 61268]]

(FBI), as well as the FTC, the Consumer Product Safety Commission 
(CPSC), and other industry stakeholders who have indicated a 
willingness to publicize the benefits of the IoT Labeling Program as 
part of their own consumer education activities.
    127. We agree with CEDIA that consumer education will have a 
significant impact on meeting the IoT Labeling Program's goals. We 
further agree that adequate consumer education must inform consumers of 
the limitations of the Cyber Trust Mark as well as the benefits of 
having a product that meets baseline cybersecurity requirements, and we 
agree with CSA that consumers should understand that the label does not 
guarantee complete device security, but that such protections are an 
important component of risk management. As pointed out by the City of 
New York's Office of Technology and Innovation, an effective consumer 
education program would need to cover the risks and threats to 
``digital integration of [IoT] devices'' and how those risks ``can be 
lessened by helping operators, users, and consumers . . . learn the key 
elements of a strong IoT Cybersecurity posture.'' We agree with 
commenters in the record that NIST's approach to consumer education is 
best, and note that no commenters opposed NIST's approach.
    128. As the Commission acknowledged in the IoT Labeling NPRM, NIST 
has prepared a document identifying consumer education considerations 
as part of its analysis of a cybersecurity labeling program. In 
following with NIST's recommendations, the Commission believes 
consumers should have access to the following information as part of 
the IoT Labeling Program's consumer education plan:
    (1) What the label means and does not mean, including that the 
label does not imply an endorsement of the product and that labeled 
products have not completely eliminated risk;
    (2) What cybersecurity baselines must be met to obtain authority to 
affix the label, why they were included, and how those criteria address 
security risks;
    (3) A glossary of applicable terms, written in plain English;
    (4) General information about the conformity assessment process, 
including information about how the conformity assessment was conducted 
and the date the label was awarded to the product;
    (5) The kinds of products eligible for the label and an easy way 
for consumers to identify labeled products;
    (6) The current state of device labeling as new cybersecurity 
threats and vulnerabilities emerge;
    (7) Security considerations for end-of-life IoT products and 
functionality implications if the product is no longer connected to the 
internet;
    (8) Consumer's shared responsibility for securing the device 
software and how their actions (or inactions) can impact the product's 
software cybersecurity; and
    (9) Contact information for the IoT Labeling Program and 
information on how consumers can lodge a complaint regarding a product 
label.
    129. We recognize that some aspects of this consumer education 
campaign overlap other aspects of the IoT Labeling Program, such as the 
registry. We see no harm with including that information in the 
registry as well as the consumer education campaign. We also observe 
the importance of conducting what NIST describes as a ``campaign'' to 
establish and increase label recognition, and thus envision a Lead 
Administrator-led, multiple stakeholder engagement that puts NIST's 
recommendations into practice.
    130. NIST has conducted research into the consumer perspective on 
the loss of manufacturer support in IoT products. The research suggests 
that proactive communication to consumers from the manufacturer with 
information about end-of-life support policies, the expected lifespan, 
and how to sign up for notifications about changes to support is an 
additional, important step. NIST also emphasizes the importance of 
consumer education about the meaning of the dates attached to a label, 
and cautions that this can confuse consumers as to the date's meaning. 
We agree with Consumer Reports that educating consumers about the 
meaning of support periods is an important aspect of consumer 
education. We believe that the recommendations identified by NIST in 
the NIST Cybersecurity White Paper, coupled with the consumer research 
done by NIST and industry, provide a strong model that the Lead 
Administrator can utilize in its consumer education campaign to meet 
the goals NIST and the record, discussed above, identify as important 
for a successful consumer education campaign.
    131. To assist the Lead Administrator in promoting consumer 
education, the Commission will coordinate publicizing the benefits of 
the IoT Labeling Program with the relevant agencies, including the 
Department of Homeland Security, CISA, FBI, FTC, CPSC, and other 
industry stakeholders who have indicated a willingness to assist with 
consumer education. A coalition of trade associations advocates for a 
consumer education program led by the U.S. Government, but do not 
propose how to conduct outreach consistent with the Federal outreach 
concerns articulated in the IoT Labeling NPRM. We agree that a 
government outreach program is essential in a larger campaign to 
effectively inform consumers about the IoT Labeling Program, consistent 
with NIST's recommendations identified above. The Commission intends to 
work closely with CISA to make use of their ``Secure our World'' 
program. We agree with CTA that Federal consumer education efforts do 
not preclude independent communication and outreach programs. For 
example, the National Retail Foundation indicated their willingness to 
support consumer education efforts. While Everything Set, Inc. is 
concerned that outsized private sector involvement in consumer 
education might hurt the campaign's credibility, we believe that retail 
and manufacturer involvement in promoting the IoT Labeling Program and 
the limitations of the IoT Labeling Program are important to ensure 
widespread recognition of the Cyber Trust Mark in commerce. To promote 
consumer education and engage in a joint effort with industry and 
stakeholders to raise awareness of the label, the Commission will 
coordinate with the Lead Administrator, Executive Agencies, and other 
industry stakeholders who have indicated a willingness to publicize the 
benefits of the IoT Labeling Program as part of their own consumer 
education efforts.

L. Cost/Benefit Analysis

    132. Our analysis indicates that the expected benefits of the IoT 
Labeling Program greatly exceed the expected costs of the program. The 
expected benefits of the IoT Labeling Program include improved consumer 
cyber awareness; reduced vulnerability of products that could be used 
in cyberattacks both in people's homes and as part of a larger national 
IoT ecosystem; and increased manufacturer competition and relational 
benefits stemming from increased goodwill and product awareness. 
Consumers value the security of their devices, and the complexity of 
understanding whether IoT devices meet baseline security standards, and 
making informed purchases on that basis is a significant cost to 
consumers.
    133. Consumer Benefit from Reduced Search Costs. The Cyber Trust 
Mark can lower consumer research costs by reducing the amount of time 
consumers spend researching the cybersecurity

[[Page 61269]]

characteristics of IoT products before making a purchase. We estimate 
that the Cyber Trust Mark will save consumers at least $60 million 
annually from reduced time spent researching cybersecurity features of 
potential purchases. We use the U.S. Department of Transportation 
(DOT)'s approach of valuing the time savings of travel to value the 
time savings to consumers of the Cyber Trust Mark. Our analysis relies 
on the share of households with a smart home device (which we note is 
only one segment of the IoT market likely to be impacted by the Order), 
the share of those households that are likely to devote time to 
investigating the cybersecurity of their connected products, and an 
estimate of their time value of researching cybersecurity 
characteristics of devices. First, we estimate that 49 million U.S. 
households own at least one IoT device from a market segment that 
likely will be impacted by the Cyber Trust Mark. Further, recent survey 
evidence suggests that 32% of households are invested in reducing their 
cybersecurity risk. We estimate each hour of time savings to be valued 
at $16 based on the median compensation in the U.S. and an individual's 
potential preference for researching products rather than working an 
additional hour. We note that this calculation only focuses on one 
segment of the IoT market, which may underestimate the time savings 
induced by the Order. We recognize that the exact time savings of 
utilizing the Cyber Trust Mark relative to searching for information 
online is unknown, so a lower end estimate of 15 minutes of time 
savings per year per household is used. We find a 15-minute time 
savings is consistent with the value of cybersecurity features 
disclosed in surveys. Given manufacturer and industry group comments 
showing support for consumer awareness and cybersecurity, we believe 
there would be sufficiently large enough immediate manufacturer 
participation in the IoT Labeling Program to incur these benefits in 
the first year of the program, and every year thereafter. Nationwide, 
the Cyber Trust Mark would result in a minimum of $60 million in time 
savings annually.\25\
---------------------------------------------------------------------------

    \25\ $60 million = (15,000,000*$16*(15/60)) is the estimated 
value for 15 minutes of time savings nationwide.
---------------------------------------------------------------------------

    134. A separate approach to calculating the benefit of the Cyber 
Trust Mark is to estimate the value consumers place on security and 
privacy features of IoT devices. A study submitted by Consumer Reports 
found that respondents valued individual security upgrades between $6 
and $13. The study also found that devices were valued at around $34 
more if they had a label emphasizing a bundle of the most protective 
security features. Given the difficulty consumers face in understanding 
what security and privacy features are included in a device, the Cyber 
Trust Mark would help consumers easily identify and choose products 
with features they value. For example, if the Cyber Trust Mark 
represented the most protective features associated with the label in 
the in the study, a consumer would benefit by $34 from purchasing a 
device with the Cyber Trust Mark over a device that did not display the 
Mark. Based on our estimate of 15 million households that would be 
impacted by the IoT labeling program, we estimate that the benefit to 
consumers, in terms of the added value of the Cyber Trust Mark, would 
be between $85 million and $500 million annually. While the exact 
security features that will be proposed by the Lead Administrator in 
collaboration with stakeholders are not yet determined, if the Cyber 
Trust Mark only emphasized the lowest valued security feature, the 
program would produce a benefit of at least $85 million.
    135. Manufacturer Competitive and Reputational Benefits. Aside from 
the direct benefits to consumers, there are also wider benefits of the 
Cyber Trust Mark. Participating businesses benefit from product 
differentiation and quality signaling vis-a-vis competitors that do not 
participate in the IoT Labeling Program and from increased company 
goodwill and reduced risks related to cybersecurity incidents. By 
aligning minimum security practices with the proposed standards, and 
communicating those standards to consumers, manufacturers may be able 
to generate goodwill and reduce business loss after cybersecurity 
incidences. While we do not revisit our discussion of a safe harbor 
from liability as discussed above, we note that manufacturers may 
benefit from adopting security practices that are consistent with 
standards necessary to bear the Cyber Trust Mark. We highlight that 
there have been several instances where the Federal Trade Commission 
investigated and settled with firms due to poor security practices or 
inaccurate communication of their security practices. We merely note 
that a manufacturer that has gone through the process of obtaining the 
Cyber Trust Mark may benefit from likely having documented the security 
practices and attendant testing necessary to acquire the Mark.
    136. Market-Wide Benefits of Reduced Cybersecurity Incidents. 
Insecure IoT products are often used in distributed denial-of-service 
(DDoS) attacks, which can be used to overwhelm websites to create a 
distraction during other cybersecurity crimes, or to request a ransom 
be paid to stop the attack. While we cannot quantify the expected 
benefits the Cyber Trust Mark may have on reducing the number of 
vulnerable devices and/or the potential reduction on their likelihood 
of being used in a cybersecurity attack, commenters do highlight 
improved security as one of the major benefits of this IoT Labeling 
Program. We do further emphasize this as a benefit that is likely to 
have significant impacts on firms in a wide range of industries.
    137. Costs to IoT Labeling Program Participants. Only those 
entities who choose to participate will incur costs associated with the 
voluntary IoT Labeling Program. The specific costs of to participating 
manufacturers cannot be readily measured but are expected to include: 
conformity testing fees at a CyberLAB, CLA lab, or through in-house 
testing; CLA fees; internal compliance and filing costs; Cyber Trust 
Mark placement on product; costs incurred for API access as part of the 
QR Code; a customer information campaign; and adjustments to security 
practices necessary to meet the standards established for the Cyber 
Trust Mark. These costs are likely to vary depending on the standards 
and testing procedures proposed by the Lead Administrator as well as 
the extent of manufacturer participation. Any in-house testing lab will 
also be required to obtain accreditation to ISO/IEC standards and will 
incur the accreditation costs. We expect that manufacturers that choose 
to pursue this option may offset the accreditation costs with time 
savings, and potentially cost savings, associated with in-house 
testing.
    138. Participating manufacturers will incur conformity testing, 
reporting costs, potential renewal fees, and Label Administrator 
processing fees, but the Commission's IoT Labeling Program is voluntary 
and we only expect manufacturers who would benefit from the program to 
participate in the long-run, further indicating that accrued benefits 
will exceed manufacturer costs. Furthermore, comments in the record 
show that many manufacturers and industry groups are in favor of 
consumer awareness and addressing cybersecurity concerns. This provides 
some indication that manufacturers perceive the benefits of 
participating in the IoT Labeling Program as outweighing the costs. We 
understand

[[Page 61270]]

that manufacturers' security practices for IoT products vary. Some 
manufacturers will find it beneficial to align their cybersecurity 
standards with the IoT Labeling Program's standards and apply for the 
Cyber Trust Mark. If a manufacturer decides not to participate in the 
program, then they will not experience any additional costs.
    139. Cost of Registry Development and Administration. We attempt to 
estimate the cost of developing and administering the registry with 
currently available information, recognizing that our cost estimate is 
unable to incorporate pending issues that will be addressed by the 
Bureau as discussed above. While the cost to the Lead Administrator to 
manage the registry in accordance with the Bureau's pending 
determinations and as discussed above are forthcoming, we nevertheless 
attempt to estimate the costs of the Lead Administrator' administrative 
role in managing the registry as described above. Our estimate utilizes 
data submitted by Consumer Reports, which envisioned a centralized 
registry. We note that the registry, as adopted, will be less 
burdensome than the costs described by Consumer Reports in their 
estimates.\26\ Our estimate to maintain registry components and review 
applications as part of the CLA duties, which aligns with the middle of 
the expert range based on commenter submissions, is approximately $5 
million annually. The high-end estimate submitted by Consumer Reports 
is $10 million. Consumer Reports indicates that setting up a 
centralized registry could be done by one individual with a few 
contractors at a cost less than $200,000 a year. Depending on the 
requirements, the Lead CLA may still need to set up some minimal 
components of a registry and incur a small portion of these costs. The 
estimates on the annual administration costs are much less precise with 
the expert proposed estimate of between $100k and $10 million annually, 
with indication that the $10 million estimate is on the very high end. 
Staff calculate a more reasonable, but likely still high, estimate in 
the middle of that range, even accounting for the advanced technical 
expertise that would be required to review applications. For example, 
an organization relying on five lawyers, five electrical engineers, and 
five software developers in a full-time capacity would require $3 
million annually in wage compensation. If we generously assume another 
$2 million in additional costs to accommodate ISO/IEC accreditation, 
contractors, facilities, and other resources, the total is $5 million. 
While these estimates are for a single administrator, we believe this 
is a reasonable estimate of the staffing costs that would be 
distributed among the CLAs to meet the requirements of reviewing 
applications.
---------------------------------------------------------------------------

    \26\ The Consumer Reports proposed registry architecture 
includes a dataset that can store images and PDFs as well as allows 
for device manufacturers, retailers, security researchers and 
administrators to access the platform. The registry, as adopted, 
does not include these features and therefore would not incur the 
costs to develop and maintain them.
---------------------------------------------------------------------------

    140. The estimated high-end costs of administering the IoT Labeling 
Program annually ($10 million) are far less than the low-end estimate 
of annual benefits to consumers ($60 million) of just one aspect of the 
program. We further highlight that the benefits to manufacturers are 
likely to exceed manufacturer's participation costs. Together this 
indicates the total program benefits exceed costs. Because the initial 
startup costs are so low relative to the benefits, we do not compare 
the discounted values.

I. Legal Authority

    141. We adopt the IoT Labeling NPRM's tentative conclusion that the 
FCC has authority to adopt the IoT Labeling Program. We conclude that 
section 302 provides us with the authority to adopt a voluntary program 
for manufacturers seeking authority to affix the FCC-owned Cyber Trust 
Mark on wireless consumer IoT products that comply with the program 
requirements. In the IoT Labeling NPRM, the Commission sought comment 
on its authority under section 302 of the Act, along with other 
possible sources of authority. In particular, under section 302(a) of 
the Act, consistent with the public interest, convenience, and 
necessity, the Commission is authorized to make reasonable regulations 
(1) governing the interference potential of devices which in their 
operation are capable of emitting radio frequency energy by radiation, 
conduction, or other means in sufficient degree to cause harmful 
interference to radio communications; and (2) establishing minimum 
performance standards for home electronic equipment and systems to 
reduce their susceptibility to interference from radio frequency 
energy.
    142. Some commenters question our authority under section 302 to 
establish an IoT Labeling Program. The U.S. Chamber of Commerce 
cautions the Commission to not ``overinterpret its harmful interference 
authority'' under sections 302(a) and 333. CTIA argues that the 
Commission does not have the authority to regulate cybersecurity, but 
does not cite to section 302(a) or explain why the Commission's action 
in the Order does not fall within the scope of section 302(a) or any 
other section of the Communications Act. Others do not dispute the 
Commission's authority to adopt a voluntary program but argue that the 
Commission does not have the authority to make the IoT Labeling Program 
mandatory.
    143. We agree with Comcast that Congress intended section 302 to be 
flexible enough ``to address novel issues not yet on the legislative 
radar[.]'' As Comcast further observes, ``[t]he stated goal of the [IoT 
Labeling] Program is to `ensure that IoT devices have implemented 
certain minimum cybersecurity protocols to prevent their being hacked 
by bad actors who could cause the devices to cause harmful interference 
to radio communications,' which falls squarely within the Commission's 
remit under section 302(a).'' Further, NYC OTI points out that IoT 
which ``by design doesn't protect against the reception of spurious or 
unintended RF communications may be subject to a series of radio-layer 
attacks due to the lack of these protections'' and thus is within our 
authority to regulate. A voluntary IoT Labeling Program thus assures 
consumers that certain cybersecurity standards are met to protect those 
devices from being used to generate interference to other devices.
    144. In addition to our authority under section 302(a)(1), section 
302(a)(2) authorizes the Commission to ``establish minimum performance 
standards for home electronic equipment and systems to reduce their 
susceptibility to interference from radio frequency energy.'' A 
voluntary program for consumer IoT products is encompassed within our 
authority to regulate home electronic equipment and their accompanying 
systems that render that home electronic equipment operational.
    145. Section 302(a)(2) allows such regulations to apply to ``the 
manufacture, import, sale, offer for sale, or shipment of such devices 
and home electronic equipment and systems[.]'' The legislative history 
of section 302 also supports our conclusion. Congress adopted section 
302 due to concerns about radio frequency interference to consumer 
electronic equipment:

    In the market for home devices, however, good faith industry 
attempts to solve this interference have not always been as 
successful. . . . [T]he Conferees believe that Commission authority 
to impose appropriate regulations on home electronic equipment and 
systems is now necessary to insure that consumers' home electronic 
equipment and

[[Page 61271]]

systems will not be subject to malfunction due to [radio frequency 
interference].

    146. Congress envisioned ``home electronic equipment and systems'' 
to include not only radio and television sets, but all types of 
electronics and their supporting systems used by consumers. Examples 
given by Congress were home burglar alarms, security systems, automatic 
garage door openers, record turntables, and sound systems. Congress 
clearly foresaw interference and disruption to consumer equipment and 
the systems that equipment was connected to as within the ambit of 
section 302 when it gave the Commission ``exclusive jurisdiction'' over 
matters involving radio frequency interference. The many alternatives 
available to the Commission to accomplish its duty under section 302 
include directing manufacturers to meet ``certain minimal standards'' 
or utilizing labels.
    147. We additionally conclude that our section 302(a) authority to 
adopt ``reasonable regulations'' governing the interference potential 
of devices capable of causing RF interference empowers us to choose 
specific approaches that advance goals of the Act in addition to the 
core concerns in section 302(a)(1) and (2). For one, as widely 
supported in the record, we rely on NIST's recommended IoT criteria 
(the NIST Core Baseline) as the foundation for the cybersecurity 
requirements to be applied under the IoT Labeling Program. Even if some 
elements or applications of those criteria could advance policies or 
interests in addition to guarding against the risk that exploited 
vulnerabilities in internet-connected wireless consumer IoT products 
could cause harmful interference, it would be neither prudent nor 
workable to try to segregate or disaggregate that package of criteria 
in an effort to isolate some product capabilities from others in an 
effort to narrow the Program's focus. To the contrary, maintaining the 
integrity of the cohesive package of NIST criteria advances the 
directive in section 302(a) to address the interference potential of 
wireless devices through ``reasonable regulations.'' Commenters point 
out, for example, that even when harmful interference to IoT products 
from cyberattacks ``is not necessarily the traditional form of 
interference caused by devices operating in frequencies and at power 
levels not approved by the Commission[,]'' it can implicate statutory 
policy concerns nonetheless. Under the circumstances here, we thus find 
it ``reasonable'' for our IoT Labeling Program to rely on the full 
package of IoT cybersecurity criteria that guard against the risk that 
the covered products cause harmful interference, and also guard against 
the risk of interference to those covered products--even in the case of 
non-RF interference--consistent with the policy goals underlying 
provisions such as sections 302(a) and 333 and of the Act. Our 
understanding of the reasonableness of our approach here also is 
informed by the public safety and national security goals in sections 1 
and 4(n) of the Act. Thus, although we do not rely on additional 
provisions beyond section 302 as authority for the voluntary IoT 
Labeling Program we adopt in the Order, they inform our understanding 
of what regulatory approach to implementing section 302(a) is 
reasonable under these circumstances.\27\
---------------------------------------------------------------------------

    \27\ Because we conclude that section 302 of the Act authorizes 
our actions in the Order, we defer consideration of other sources of 
authority that the Communications Act may grant the Commission over 
this area.
---------------------------------------------------------------------------

    148. Comcast also cites the legislative history of section 302(a) 
in support of our authority to establish an IoT Labeling Program. 
Congress agreed with a letter from the Commission that initial language 
that would have restricted section 302(a) to devices that cause harmful 
interference to ```commercial, aircraft, and public safety' radio 
communications'' was too narrow. Congress instead adopted the current 
language: ``reasonable regulations . . . consistent with the public 
interest, convenience, and necessity.'' The Commission's authority 
under section 302 was designed by Congress to be ``sufficiently broad 
to permit it to formulate rules relating to any service where 
interference from these devices is a serious problem.'' Such language, 
it was believed, would be ``sufficiently broad to permit it to 
formulate rules relating to any service where interference from these 
devices is a serious problem.'' We conclude that a voluntary program 
with minimum standards to prevent radio interference to consumer IoT 
products is consistent with the text and history of section 302.
    149. Further, we have previously imposed security requirements that 
prevent unauthorized parties from accessing and alerting technology to 
cause radio interference under our section 302 authority. In 2020, we 
required that access points to automated frequency coordination systems 
were secure so unauthorized parties could not alter the list of 
available frequencies and power levels sent to an access point. We 
agree with Comcast that our previous actions requiring end user devices 
to ``contain security features sufficient to protect against 
modification of software and firmware by any unauthorized parties'' and 
actions to secure unlicensed national information infrastructure 
devices are sufficiently analogous to this proceeding as to be 
supported by our section 302 authority.
    150. Finally, consistent with our tentative conclusion in the IoT 
Labeling NPRM, we find that our section 302 authority enables us to 
rely on third parties in carrying out the implementation details of our 
Program. As the Commission pointed out in the NPRM, section 302(e) of 
the Act authorizes the Commission to delegate equipment testing and 
certification to private laboratories, and the Commission already has 
relied in part on third parties in carrying out its equipment 
authorization rules that likewise implement section 302 of the Act.

II. Incorporation by Reference

    151. These final rules include regulatory text that is incorporated 
by reference. In accordance with requirements of 1 CFR 51.5, the 
Commission describes the incorporated materials here. These final rules 
are incorporating by reference the following ISO/IEC standards: ISO/IEC 
17011:2017(E), Conformity assessment--Requirements for accreditation 
bodies accrediting conformity assessment bodies, Second Edition, 
November 2017, ISO/IEC 17025:2017(E), General requirements for the 
competence of testing and calibration laboratories, Third Edition, 
November 2017, and ISO/IEC 17065:2012(E), Conformity assessment--
Requirements for bodies certifying products, processes and services, 
First Edition, 2012-09-15, which establish international standards 
requirements for accreditation bodies accrediting conformity assessment 
bodies; general requirements for testing and calibration laboratories; 
and conformity assessment requirements for certifying products, 
processes, and services; respectively. Copies of these standards are 
available for purchase from the American National Standards Institute 
(ANSI) through its NSSN operation (www.nssn.org) at Customer Service, 
American National Standards Institute, 25 West 43rd Street, New York, 
NY 10036, telephone (212) 642-4900.

III. Procedural Matters

    152. Paperwork Reduction Act. This document contains new and 
modified information collection requirements subject to the Paperwork 
Reduction Act of 1995 (PRA), Public Law 104-13. It

[[Page 61272]]

will be submitted to the Office of Management and Budget (OMB) for 
review under section 3507(d) of the PRA. OMB, the general public, and 
other Federal agencies will be invited to comment on the new or 
modified information collection requirements contained in this 
proceeding. In addition, we note that pursuant to the Small Business 
Paperwork Relief Act of 2002, Public Law 107-198, see 44 U.S.C. 
3506(c)(4), we previously sought specific comment on how the Commission 
might further reduce the information collection burden for small 
business concerns with fewer than 25 employees.
    153. In this document, we have assessed the effects of the 
operational framework for a voluntary IoT cybersecurity labeling 
program. Since the IoT Labeling Program is voluntary, small entities 
who do not participate in the IoT Labeling Program will not be subject 
to any new or modified reporting, recordkeeping, or other compliance 
obligations. Small entities that choose to participate in the IoT 
Labeling Program by seeking authority to affix the Cyber Trust Mark on 
their products will incur recordkeeping and reporting as well as other 
obligations that are necessary to test their IoT products to 
demonstrate compliance with the requirements we adopt in the Order. We 
find that, for the Cyber Trust Mark to have meaning for consumers, the 
requirements for an IoT product to receive the Cyber Trust Mark must be 
uniform for both small businesses and other entities. Thus, the 
Commission continues to maintain the view we expressed in the IoT 
Labeling NPRM, that the significance of mark integrity, and building 
confidence among consumers that devices and products containing the 
Cyber Trust Mark label can be trusted to be cyber secure, necessitates 
adherence by all entities participating in the IoT Labeling Program to 
the same rules regardless of size.
    154. Regulatory Flexibility Act Analysis. A Final Regulatory 
Flexibility Act (FRFA) Analysis for the final rules adopted in the 
Order was prepared and can be found as Exhibit B of the FCC's Report 
and Order, FCC 24-26, adopted March 15, 2024, at this link: https://docs.fcc.gov/public/attachments/FCC-24-26A1.pdf.
    155. OPEN Government Data Act. The OPEN Government Data Act 
requires agencies to make ``public data assets'' available under an 
open license and as ``open Government data assets,'' i.e., in machine-
readable, open format, unencumbered by use restrictions other than 
intellectual property rights, and based on an open standard that is 
maintained by a standards organization. This requirement is to be 
implemented ``in accordance with guidance by the Director'' of the OMB. 
The term ``public data asset'' means ``a data asset, or part thereof, 
maintained by the Federal Government that has been, or may be, released 
to the public, including any data asset, or part thereof, subject to 
disclosure under the Freedom of Information Act (FOIA).'' A ``data 
asset'' is ``a collection of data elements or data sets that may be 
grouped together,'' and ``data'' is ``recorded information, regardless 
of form or the media on which the data is recorded.'' We delegate 
authority, including the authority to adopt rules, to the Bureau, in 
consultation with the agency's Chief Data Officer and after seeking 
public comment to the extent it deems appropriate, to determine whether 
to make publicly available any data assets maintained or created by the 
Commission within the meaning of the OPEN Government Act pursuant to 
the rules adopted herein, and if so, to determine when and to what 
extent such information should be made publicly available. Such data 
assets may include assets maintained by a CLA or other third party, to 
the extent the Commission's control or direction over those assets may 
bring them within the scope of the OPEN Government Act, as interpreted 
in the light of guidance to be issued by OMB.\28\ In doing so, the 
Bureau shall take into account the extent to which such data assets are 
subject to disclosure under the FOIA.
---------------------------------------------------------------------------

    \28\ OMB has not yet issued final guidance.
---------------------------------------------------------------------------

    156. People with Disabilities. To request materials in accessible 
formats for people with disabilities (braille, large print, electronic 
files, audio format), send an email to [email protected] or call the 
Consumer & Governmental Affairs Bureau at 202-418-0530 (voice).

IV. Ordering Clauses

    157. Accordingly, it is ordered that pursuant to the authority 
contained in sections 1, 2, 4(i), 4(n), 302, 303(r), 312, 333, and 503, 
of the Communications Act of 1934, as amended, 47 U.S.C. 151, 152, 
154(i), 154(n), 302a, 303(r), 312, 333, 503; the IoT Cybersecurity 
Improvement Act of 2020, 15 U.S.C. 278g-3a through 278g-3e; the Report 
and Order is hereby adopted.
    158. It is further ordered that the Office of the Managing 
Director, Performance Program Management, SHALL SEND a copy of the 
Report and Order in a report to be sent to Congress and the Government 
Accountability Office pursuant to the Congressional Review Act, see 5 
U.S.C. 801(a)(1)(A).

List of Subjects in 47 CFR Part 8

    Communications, Consumer protection, Cybersecurity, Electronic 
products, Incorporation by reference, internet, Labeling, Product 
testing and certification, Telecommunications.

Federal Communications Commission
Marlene Dortch,
Secretary.

Final Rules

    For the reasons discussed in the preamble, the Federal 
Communications Commission amends 47 CFR subchapter A as follows:

0
1. Under the authority of 47 U.S.C. 151, 152, 153, 154(i)-(j), 160, 
163, 201, 202, 206, 207, 208, 209, 214, 215, 216, 217, 218, 219, 220, 
230, 251, 254, 256, 257, 301, 303, 304, 307, 309, 310, 312, 316, 332, 
403, 501, 503, 522, 1302, revise the heading for subchapter A to read 
as follows:

Subchapter A--General

PART 8--SAFEGUARDING AND SECURING THE INTERNET

0
2. The authority citation for part 8 continues to read as follows:

    Authority: 47 U.S.C. 151, 152, 153, 154, 163, 201, 202, 206, 
207, 208, 209, 216, 217, 257, 301, 302a, 303, 304, 307, 309, 312, 
316, 332, 403, 501, 503, 522, 1302, 1753.


0
3. Revise the heading for part 8 to read as set forth above.


Sec. Sec.  8.1, 8.2, 8.3, and 8.6  [Designated as Subpart A]

0
4. Designate Sec. Sec.  8.1, 8.2, 8.3, and 8.6 as subpart A.

0
5. Add a heading for newly designated subpart A to read as follows:

Subpart A--Protections for internet Openness

0
6. Add subpart B to read as follows:
Subpart B--Cybersecurity Labeling Program for IoT Products
Sec.
8.201 Incorporation by reference.
8.202 Basis and purpose.
8.203 Definitions.
8.204 Prohibition on use of the FCC IoT Label on products produced 
by listed sources.
8.205 Cybersecurity labeling authorization.
8.206 Identical defined.
8.207 Responsible party.
8.208 Application requirements.
8.209 Grant of authorization to use FCC IoT Label.
8.210 Dismissal of application.
8.211 Denial of application.
8.212 Review of CLA decisions.

[[Page 61273]]

8.213 Limitations on grants to use the FCC IoT Label.
8.214 IoT product defect and/or design change.
8.215 Retention of records.
8.216 Termination of authorization to use the FCC IoT Label.
8.217 CyberLABs.
8.218 Recognition of CyberLAB accreditation bodies.
8.219 Approval/recognition of Cybersecurity Label Administrators.
8.220 Requirements for CLAs.
8.221 Requirements for the Lead Administrator.
8.222 Establishment of an IoT Registry.

Subpart B--Cybersecurity Labeling Program for IoT Products


Sec.  8.201  Incorporation by reference.

    Certain material is incorporated by reference into this subpart 
with the approval of the Director of the Federal Register in accordance 
with 5 U.S.C. 552(a) and 1 CFR part 51. All approved incorporation by 
reference (IBR) material is available for inspection at the Federal 
Communications Commission (FCC or Commission) and at the National 
Archives and Records Administration (NARA). Contact the FCC at the 
address indicated in 47 CFR 0.401(a), phone: (202) 418-0270. For 
information on the availability of this material at NARA, visit 
www.archives.gov/federal-register/cfr/ibr-locations or email 
[email protected]. The material may be obtained from the 
International Electrotechnical Commission (IEC), IEC Central Office, 3, 
rue de Varembe, CH-1211 Geneva 20, Switzerland, Email: [email protected], 
www.iec.ch.
    (a) ISO/IEC 17011:2017(E), Conformity assessment--Requirements for 
accreditation bodies accrediting conformity assessment bodies, Second 
Edition, November 2017; IBR approved for Sec.  8.217.
    (b) ISO/IEC 17025:2017(E), General requirements for the competence 
of testing and calibration laboratories, Third Edition, November 2017; 
IBR approved for Sec. Sec.  8.217; 8.220.
    (c) ISO/IEC 17065:2012(E), Conformity assessment--Requirements for 
bodies certifying products, processes and services, First Edition, 
2012-09-15; IBR approved for Sec.  8.220.

    Note 1 to Sec.  8.201: The standards listed in this section are 
co-published with the International Organization for Standardization 
(ISO), 1, ch. De la Voie-Creuse, CP 56, CH-1211, Geneva 20, 
Switzerland; www.iso.org; Tel.: + 41 22 749 01 11; Fax: + 41 22 733 
34 30; email: [email protected].


    Note 2 to Sec.  8.201: ISO publications can also be purchased 
from the American National Standards Institute (ANSI) through its 
NSSN operation (www.nssn.org), at Customer Service, American 
National Standards Institute, 25 West 43rd Street, New York, NY 
10036, telephone (212) 642-4900.

Sec.  8.202  Basis and purpose.

    In order to elevate the Nation's cybersecurity posture and provide 
consumers with assurances regarding their baseline cybersecurity, 
thereby addressing risks of harmful radiofrequency interference to and 
from consumer internet-connected (Internet of Things or IoT) products 
the Federal Communications Commission establishes a labeling program 
for consumer IoT products.


Sec.  8.203  Definitions.

    (a) Affiliate. For purposes of this subpart and the IoT labeling 
program, an affiliate is defined as a person that (directly or 
indirectly) owns or controls, is owned or controlled by, or is under 
common ownership or control with, another person. For purposes of this 
subpart, the term own means to own an equity interest (or the 
equivalent thereof) of more than 10 percent.
    (b) Consumer IoT products. IoT products intended primarily for 
consumer use, rather than enterprise or industrial use. Consumer IoT 
products exclude medical devices regulated by the U.S. Food and Drug 
Administration (FDA) and excludes motor vehicles and motor vehicle 
equipment regulated by the National Highway Traffic Safety 
Administration (NHTSA).
    (c) Cybersecurity Label Administrator (CLA). An accredited third-
party entity that is recognized and authorized by the Commission to 
manage and administer the labeling program in accordance with the 
Commission's rules in this subpart.
    (d) Cybersecurity Testing Laboratory (CyberLAB). Accredited third-
party entities recognized and authorized by a CLA to assess consumer 
IoT products for compliance with requirements of the labeling program.
    (e) Cyber Trust Mark. A visual indicator indicating a consumer IoT 
product complies with program requirements of the labeling program and 
the Commission's minimum cybersecurity requirements in this subpart.
    (f) FCC IoT Label. A binary label displayable with a consumer IoT 
product complying with program requirements of the labeling program, 
the binary label bearing the Cyber Trust Mark, and a scannable QR code 
that directs consumers to a registry containing further information on 
the complying consumer IoT product.
    (g) Intentional radiator. A device that intentionally generates and 
emits radiofrequency energy by radiation or induction.
    (h) Internet-connected device. A device capable of connecting to 
the internet and exchanging data with other devices or centralized 
systems over the internet.
    (i) IoT device. (1) An internet-connected device capable of 
intentionally emitting radiofrequency energy that has at least one 
transducer (sensor or actuator) for interacting directly with the 
physical world; coupled with
    (2) At least one network interface (e.g., Wi-Fi, Bluetooth) for 
interfacing with the digital world.
    (j) IoT product. An IoT device and any additional product 
components (e.g., backend, gateway, mobile app) that are necessary to 
use the IoT device beyond basic operational features, including data 
communications links to components outside this scope but excluding 
those external components and any external third-party components that 
are outside the manufacturer's control.
    (k) Labeling program. A voluntary program for consumer IoT products 
that allows a complying consumer IoT product to display an FCC IoT 
Label.
    (l) Lead Administrator. A CLA selected from among Cybersecurity 
Label Administrators (CLAs) to be responsible for carrying out 
additional administrative responsibilities of the labeling program.
    (m) Product components. Hardware devices, plus supporting 
components that generally fall into three main types per NISTIR 8425: 
specialty networking/gateway hardware (e.g., a hub within the system 
where the IoT device is used); companion application software (e.g., a 
mobile app for communicating with the IoT device); and backends (e.g., 
a cloud service, or multiple services, that may store and/or process 
data from the IoT device). Should a product component also support 
other IoT products through alternative features and interfaces, these 
alternative features and interfaces may, through risk-assessment, be 
considered as separate from and not part of the IoT product for 
purposes of authorization.
    (n) Registry. Information presented to consumers about consumer IoT 
products that comply with the program requirements of the labeling 
program, the registry is publicly accessible through a link from the QR 
Code of the FCC IoT Label displayed with the complying consumer IoT 
product, and containing information about the complying consumer IoT 
product, manufacturer of the complying

[[Page 61274]]

consumer IoT product, and other information as required by the labeling 
program.


Sec.  8.204  Prohibition on use of the FCC IoT Label on products 
produced by listed sources.

    All consumer IoT products produced by sources listed in this 
subpart are prohibited from obtaining use of the FCC IoT Label under 
this subpart. This includes:
    (a) All communications equipment on the Covered List, as 
established pursuant to 47 CFR 1.50002;
    (b) All IoT products containing IoT devices or product components 
produced by entities listed in paragraph (c) or (d) of this section;
    (c) IoT devices or IoT products produced by any entity, its 
affiliates, or subsidiaries identified on the Covered List as producing 
covered equipment, as established pursuant to 47 CFR 1.50002;
    (d) IoT devices or IoT products produced by any entity, its 
affiliates, or subsidiaries identified on the Department of Commerce's 
Entity List, 15 CFR part 744, supplement no. 4, and/or the Department 
of Defense's List of Chinese Military Companies, U.S. Department of 
Defense, Entities Identified as Chinese Military Companies Operating in 
the United States in Accordance with Section 1260H of the William M. 
(``Mac'') Thornberry National Defense Authorization Act for Fiscal Year 
2021 (Pub. L. 116-283), Tranche 2 (2022), https://media.defense.gov/2022/Oct/05/2003091659/-1/-1/0/1260H%20COMPANIES.PDF. and
    (e) Products produced by any entity owned or controlled by or 
affiliated with any person or entity that has been suspended or 
debarred from receiving Federal procurements or financial awards, to 
include all entities and individuals published as ineligible for award 
on the General Service Administration's System for Award Management.


Sec.  8.205  Cybersecurity labeling authorization.

    (a) Cybersecurity labeling authorization is an authorization issued 
by a Cybersecurity Label Administrator (CLA) and authorized under the 
authority of the Commission, which grants an applicant of a complying 
consumer IoT product to display the FCC IoT Label on the relevant 
packaging for the complying consumer product, based on compliance with 
the program requirements as determined by the CLA.
    (b) Cybersecurity labeling authorization attaches to all units of 
the complying consumer IoT product subsequently marketed by the grantee 
that are identical (see Sec.  8.206) to the sample determined to comply 
with the program requirements except for permissive changes or other 
variations authorized by the Commission.


Sec.  8.206  Identical defined.

    As used in this subpart, the term identical means identical within 
the variation that can be expected to arise as a result of quantity 
production techniques.


Sec.  8.207  Responsible party.

    In the case of a complying consumer IoT product that has been 
granted authorization to use the FCC IoT Label, the applicant to whom 
that grant of cybersecurity labeling authorization is issued is 
responsible for continued compliance with the program requirements for 
continued use of the FCC IoT Label.


Sec.  8.208  Application requirements.

    (a) An application to certify the consumer IoT product as being 
compliant with the labeling program shall be submitted in writing to a 
Cybersecurity Labeling Administrator (CLA) in the form and format 
prescribed by the Commission. Each application shall be accompanied by 
all information required by this subpart.
    (b) The applicant shall provide to the CLA in the application all 
information that the CLA requires to determine compliance with the 
program requirements of the labeling program.
    (c) The applicant will provide a declaration under penalty of 
perjury that all of the following are true and correct:
    (1) The product for which the applicant seeks to use the FCC IoT 
Label through cybersecurity certification meets all the requirements of 
the IoT labeling program.
    (2) The applicant is not identified as an entity producing covered 
communications equipment on the Covered List, established pursuant to 
47 CFR 1.50002.
    (3) The product is not comprised of ``covered'' equipment on the 
Covered List.
    (4) The product is not produced by any entity, its affiliates, or 
subsidiaries identified on the Department of Commerce's Entity List, 15 
CFR part 744, supplement no. 4, and/or the Department of Defense's List 
of Chinese Military Companies, U.S. Department of Defense, Entities 
Identified as Chinese Military Companies Operating in the United States 
in Accordance with Section 1260H of the William M. (``Mac'') Thornberry 
National Defense Authorization Act for Fiscal Year 2021 (Pub. L. 116-
283), Tranche 2 (2022), https://media.defense.gov/2022/Oct/05/2003091659/-1/-1/0/1260H%20COMPANIES.PDF; and
    (5) The product is not owned or controlled by or affiliated with 
any person or entity that has been suspended or debarred from receiving 
Federal procurements or financial awards, to include all entities and 
individuals published as ineligible for award on the General Service 
Administration's System for Award Management as described in Sec.  
8.204.
    (6) The applicant has taken every reasonable measure to create a 
securable product.
    (7) The applicant will, until the support period end date disclosed 
in the registry, diligently identify critical vulnerabilities in our 
products and promptly issue software updates correcting them, unless 
such updates are not reasonably needed to protect against security 
failures.
    (8) The applicant will not elsewhere disclaim or otherwise attempt 
to limit the substantive or procedural enforceability of this 
declaration or of any other representations and commitments made on the 
FCC IoT Label or made for purposes of acquiring or maintaining 
authorization to use it.
    (d) The applicant shall provide a written and signed declaration to 
the CLA that all statements it makes in the application are true and 
correct to the best of its knowledge and belief.
    (e) Each application, including amendments thereto, and related 
statements of fact and authorizations required by the Commission, shall 
be signed by the applicant or their authorized agent.
    (f) The applicant declares the product is reasonably secure and 
will be updated through minimum support period for the product and the 
end date of the support period must be disclosed.
    (g) The applicant shall declare under penalty of perjury that the 
consumer IoT product for which the applicant is applying for 
participation in the labeling program is not prohibited pursuant to 
Sec.  8.204.
    (h) If the identified listed sources under Sec.  8.204 are modified 
after the date of the declaration required by paragraph (c) of this 
section but prior to grant of authorization to use the FCC IoT Label, 
then the applicant shall provide a new declaration as required by 
paragraph (c).
    (i) The applicant shall designate an agent located in the United 
States for the purpose of accepting service of process on behalf of the 
applicant.
    (1) The applicant shall provide a written attestation:

[[Page 61275]]

    (i) Signed by both the applicant and its designated agent for 
service of process, if different from the applicant;
    (ii) Acknowledging the applicant's consent and the designated 
agent's obligation to accept service of process in the United States 
for matters related to the applicable product, and at the physical U.S. 
address and email address of its designated agent; and
    (iii) Acknowledging the applicant's acceptance of its obligation to 
maintain an agent for service of process in the United States for no 
less than one year after either the grantee has permanently terminated 
all marketing and importation of the applicable equipment within the 
U.S., or the conclusion of any Commission-related administrative or 
judicial proceeding involving the product, whichever is later.
    (2) An applicant located in the United States may designate itself 
as the agent for service of process.
    (j) Technical test data submitted to the CLA shall be signed by the 
person who performed or supervised the tests. The person signing the 
test data shall attest to the accuracy of such data. The CLA may 
require the person signing the test data to submit a statement showing 
that they are qualified to make or supervise the required measurements.
    (k) Signed, as used in this section, means an original handwritten 
signature or any symbol executed or adopted by the applicant or CLA 
with the intent that such symbol be a signature, including symbols 
formed by computer-generated electronic impulses.


Sec.  8.209  Grant of authorization to use FCC IoT Label.

    (a) A CLA will grant cybersecurity labeling authorization if it 
finds from an examination of the application and supporting data, or 
other matter which it may officially notice, that the consumer IoT 
product complies with the program requirements.
    (b) Grants will be made in writing showing the effective date of 
the grant.
    (c) Cybersecurity certification shall not attach to any product, 
nor shall any use of the Cyber Trust Mark be deemed effective, until 
the application has been granted.
    (d) Grants will be effective from the date of authorization.
    (e) The grant shall identify the CLA granting the authorization and 
the Commission as the issuing authority.
    (f) In cases of a dispute, the Commission will be the final 
arbiter.


Sec.  8.210  Dismissal of application.

    (a) An application that is not in accordance with the provisions of 
this subpart may be dismissed.
    (b) Any application, upon written request signed by the applicant 
or their agent, may be dismissed prior to a determination granting or 
denying the authorization requested.
    (c) If an applicant is requested to submit additional documents or 
information and fails to submit the requested material within the 
specified time period, the application may be dismissed.


Sec.  8.211  Denial of application.

    If the CLA is unable to make the findings specified in Sec.  
8.209(a), it will deny the application. Notification of the denial to 
the applicant will include a statement of the reasons for the denial.


Sec.  8.212  Review of CLA decisions.

    (a) Seeking review from a CLA. Any party aggrieved by an action 
taken by a CLA must first seek review from the CLA. The CLA should 
respond to appeals of their decisions in a timely manner and within 10 
business days of receipt of a request for review.
    (b) Seeking review from the Commission. A party aggrieved by an 
action taken by a CLA may, after seeking review by the CLA, seek review 
from the Commission.
    (c) Filing deadlines. (1) An aggrieved party seeking review of a 
CLA decision by the CLA shall submit such a request within sixty (60) 
days from the date the CLA issues a decision. Such request shall be 
deemed submitted when received by the CLA.
    (2) An aggrieved party seeking review of a CLA decision by the 
Commission shall file such a request within sixty (60) days from the 
date the CLA issues a decision on the party's request for review. 
Parties must adhere to the time periods for filing oppositions and 
replies set forth in 47 CFR 1.45.
    (d) Review by the Public Safety and Homeland Security Bureau or the 
Commission. (1) Requests for review of CLA decisions that are submitted 
to the Federal Communications Commission shall be considered and acted 
upon by the Public Safety and Homeland Security Bureau; provided, 
however, that requests for review that raise novel questions of fact, 
law or policy shall be considered by the full Commission.
    (2) An aggrieved party may seek review of a decision issued under 
delegated authority by the Public Safety and Homeland Security Bureau 
pursuant to the rules set forth in 47 CFR part 1.
    (e) Standard of review. (1) The Public Safety and Homeland Security 
Bureau shall conduct de novo review of request for review of decisions 
issued by the CLA.
    (2) The Federal Communications Commission shall conduct de novo 
review of requests for review of decisions by the CLA that involve 
novel questions of fact, law, or policy; provided, however, that the 
Commission shall not conduct de novo review of decisions issued by the 
Public Safety and Homeland Security Bureau under delegated authority.
    (f) Time periods for Commission review of CLA decisions. (1) The 
Public Safety and Homeland Security Bureau shall, within forty-five 
(45) days, take action in response to a request for review of a CLA 
decision that is properly before it. The Public Safety and Homeland 
Security Bureau may extend the time period for taking action on a 
request for review of a CLA decision for a period of up to ninety days. 
The Commission may also at any time, extend the time period for taking 
action of a request for review of a CLA decision pending before the 
Public Safety and Homeland Security Bureau.
    (2) The Commission shall issue a written decision in response to a 
request for review of a CLA decision that involves novel questions of 
fact, law, or policy within forty-five (45) days. The Commission may 
extend the time period for taking action on the request for review of a 
CLA decision. The Public Safety and Homeland Security Bureau also may 
extend action on a request for review of a CLA decision for a period of 
up to ninety days.
    (g) No authorization pending CLA review. While a party seeks review 
of a CLA decision, they are not authorized to use the FCC IoT Label 
until the Commission issues a final decision authorizing their use of 
the FCC IoT Label.


Sec.  8.213  Limitations on grants to use the FCC IoT Label.

    (a) A grant of authorization to use the FCC IoT Label remains 
effective until set aside, revoked or withdrawn, rescinded, 
surrendered, or a termination date is otherwise established by the 
Commission.
    (b) No person shall, in any advertising matter, brochure, etc., use 
or make reference to the FCC IoT Label or the Cyber Trust Mark in a 
deceptive or misleading manner.


Sec.  8.214  IoT product defect and/or design change.

    When a complaint is filed directly with the Commission or submitted 
to the Commission by the Lead Administrator or other party concerning a 
consumer IoT product being non-compliant with the labeling program, and 
the Commission determines that the

[[Page 61276]]

complaint is justified, the Commission may require the grantee to 
investigate such complaint and report the results of such investigation 
to the Commission within 20 days. The report shall also indicate what 
action if any has been taken or is proposed to be taken by the grantee 
to correct the defect, both in terms of future production and with 
reference to articles in the possession of users, sellers, and 
distributors.


Sec.  8.215  Retention of records.

    (a) For complying consumer IoT products granted authorization to 
use the FCC IoT Label, the grantee shall maintain the records listed as 
follows:
    (1) A record of the original design and specifications and all 
changes that have been made to the complying consumer IoT product that 
may affect compliance with the standards and testing procedures of this 
subpart.
    (2) A record of the procedures used for production inspection and 
testing to ensure conformance with the standards and testing procedures 
of this subpart.
    (3) A record of the test results that demonstrate compliance with 
the appropriate regulations in this chapter.
    (b) Records shall be retained for a two-year period after the 
marketing of the associated product has been permanently discontinued, 
or until the conclusion of an investigation or a proceeding if the 
grantee is officially notified that an investigation or any other 
administrative proceeding involving its product has been instituted.


Sec.  8.216  Termination of authorization to use the FCC IoT Label.

    (a) Grant of authorization to use the FCC IoT Label is 
automatically terminated by notice of the Bureau following submission 
of a report as specified in Sec.  8.214 has not been adequately 
corrected:
    (1) For false statements or representations made either in the 
application or in materials or response submitted in connection 
therewith or in records required to be kept by Sec.  8.215.
    (2) If upon subsequent inspection or operation it is determined 
that the consumer IoT product does not conform to the pertinent 
technical requirements in this subpart or to the representations made 
in the original application.
    (3) Because of conditions coming to the attention of the Commission 
which would warrant it in refusing to grant authorization to use the 
FCC IoT Label.
    (4) Because the grantee or affiliate has been listed as described 
in Sec.  8.204.
    (b) [Reserved]


Sec.  8.217  CyberLABs.

    (a) A CyberLAB providing testing of products seeking a grant of 
authorization to use the FCC IoT Label shall be accredited by a 
recognized accreditation body, which must attest that the CyberLAB has 
demonstrated:
    (1) Technical expertise in cybersecurity testing and conformity 
assessment of IoT devices and products.
    (2) Compliance with accreditation requirements based on ISO/IEC 
17025 (incorporated by reference, see Sec.  8.201).
    (3) Knowledge of FCC rules and procedures associated with products 
compliance testing and cybersecurity certification.
    (4) Necessary equipment, facilities, and personnel to conduct 
cybersecurity testing and conformity assessment of IoT devices and 
products.
    (5) Documented procedures for conformity assessment.
    (6) Implementation of controls to eliminate potential conflicts of 
interests, particularly with regard to commercially sensitive 
information.
    (7) That the CyberLAB is not an organization, its affiliates, or 
subsidiaries identified by the listed sources of prohibition under 
Sec.  8.204.
    (8) That it has certified the truth and accuracy of all information 
it has submitted to support its accreditation.
    (b) Once accredited or recognized the CyberLAB will be periodically 
audited and reviewed to ensure they continue to comply with the 
requirements of the ISO/IEC 17025 standard.
    (c) The Lead Administrator will verify that the CyberLAB is not 
listed in any of the lists in Sec.  8.204.
    (d) The Lead Administrator will maintain a list of accredited 
CyberLABs that it has recognized, and make publicly available the list 
of accredited CyberLAB. Inclusion of a CyberLAB on the accredited list 
does not constitute Commission endorsement of that facility. 
Recognition afforded to a CyberLAB under the labeling program will be 
automatically terminated for entities that are subsequently placed on 
the Covered List, listed sources of prohibition under Sec.  8.204, or 
of it, its affiliate, or subsidiary is owned or controlled by a foreign 
adversary country defined by the Department of Commerce in 15 CFR 7.4.
    (e) In order to be recognized and included on the list in paragraph 
(d) of this section, the accrediting organization must submit the 
information in paragraphs (e)(1) through (9) of this section to the 
Lead Administrator:
    (1) Laboratory name, location of test site(s), mailing address and 
contact information;
    (2) Name of accrediting organization;
    (3) Scope of laboratory accreditation;
    (4) Date of expiration of accreditation;
    (5) Designation number;
    (6) FCC Registration Number (FRN);
    (7) A statement as to whether or not the laboratory performs 
testing on a contract basis;
    (8) For laboratories outside the United States, details of the 
arrangement under which the accreditation of the laboratory is 
recognized; and
    (9) Other information as requested by the Commission.
    (f) A laboratory that has been accredited with a scope covering the 
measurements required for the types of IoT products that it will test 
shall be deemed competent to test and submit test data for IoT products 
subject to cybersecurity certification. Such a laboratory shall be 
accredited by a Public Safety and Homeland Security Bureau-recognized 
accreditation organization based on ISO/IEC 17025. The organization 
accrediting the laboratory must be recognized by the Public Safety and 
Homeland Security Bureau to perform such accreditation based on ISO/IEC 
17011 (incorporated by reference, see Sec.  8.201). The frequency for 
reassessment of the test facility and the information that is required 
to be filed or retained by the testing party shall comply with the 
requirements established by the accrediting organization, but shall 
occur on an interval not to exceed two years.


Sec.  8.218  Recognition of CyberLAB accreditation bodies.

    (a) A party wishing to become a laboratory accreditation body 
recognized by the Public Safety and Homeland Security Bureau (PSHSB or 
Bureau) must submit a written request to the Chief of PSHSB requesting 
such recognition. PSHSB will make a determination based on the 
information provided in support of the request for recognition.
    (b) Applicants shall provide the information in paragraphs (b)(1) 
through (4) of this section as evidence of their credentials and 
qualifications to perform accreditation of laboratories that test 
equipment to Commission requirements, consistent with the requirements 
of Sec.  8.217(e). PSHSB may request additional information, or 
showings, as needed, to determine the applicant's credentials and 
qualifications.
    (1) Successful completion of an ISO/IEC 17011 peer review, such as 
being a signatory to an accreditation agreement that is acceptable to 
the Commission.
    (2) Experience with the accreditation of conformity assessment 
testing laboratories to ISO/IEC 17025.

[[Page 61277]]

    (3) Accreditation personnel/assessors with specific technical 
experience on the Commission cybersecurity certification rules and 
requirements.
    (4) Procedures and policies developed for the accreditation of 
testing laboratories for FCC cybersecurity certification programs.


Sec.  8.219  Approval/recognition of Cybersecurity Label 
Administrators.

    (a) An accredited third-party entity wishing to become a 
Cybersecurity Label Administrator (CLA) must file a written application 
with the Commission. The Commission may approve the written application 
for the accredited third-party entity to be recognized and authorized 
by the Commission as a CLA to manage and administer the labeling 
program by meeting the requirements of paragraph (b) of this section. 
An accredited third-party entity is recognized and authorized by the 
Commission to manage and administer the labeling program in accordance 
with the Commission's rules in this subpart.
    (b) In the United States, the Commission, in accordance with its 
procedures, allows qualified accrediting bodies to accredit CLAs based 
on ISO/IEC 17065 and other qualification criteria. CLAs shall comply 
with the requirements in Sec.  8.220.


Sec.  8.220  Requirements for CLAs.

    (a) In general. CLAs designated by the Commission, or designated by 
another authority recognized by the Commission, shall comply with the 
requirements of this section. Each entity seeking authority to act as a 
CLA must file an application with the Commission for consideration by 
PSHSB, which includes a description of its organization structure, an 
explanation of how it will avoid personal and organizational conflict 
when processing applications, a description of its processes for 
evaluating applications seeking authority to use the FCC IoT Label, and 
a demonstration of expertise that will be necessary to effectively 
serve as a CLA including, but not limited to, the criteria in paragraph 
(c) of this section.
    (b) Methodology for reviewing applications. (1) A CLA's methodology 
for reviewing applications shall be based on type testing as identified 
in ISO/IEC 17065 (incorporated by reference, see Sec.  8.201).
    (2) A CLA's grant of authorization to use the FCC IoT Label shall 
be based on the application with all the information specified in this 
part. The CLA shall review the application to determine compliance with 
the Commission's requirements in this subpart and shall issue a grant 
of product cybersecurity certification in accordance with Sec.  8.208.
    (c) Criteria for designation. (1) To be designated as a CLA under 
this section, an entity shall demonstrate cybersecurity expertise and 
capabilities in addition to industry knowledge of IoT and IoT labeling 
requirements.
    (2) The entity shall demonstrate expert knowledge of National 
Institute of Standards and Technology's (NIST) cybersecurity guidance, 
including but not limited to NIST's recommended criteria and labeling 
program approaches for cybersecurity labeling of consumer IoT products.
    (3) The entity shall demonstrate expert knowledge of FCC rules and 
procedures associated with product compliance testing and 
certification.
    (4) The entity shall demonstrate knowledge of Federal law and 
guidance governing the security and privacy of agency information 
systems.
    (5) The entity shall demonstrate an ability to securely handle 
large volumes of information and demonstrate internal security 
practices.
    (6) To expedite initial deployment of the FCC labeling program, the 
Commission will accept and conditionally approve applications from 
entities seeking to be designated as a CLA provided they commit to 
obtain accreditation pursuant to all the requirements associated with 
ISO/IEC 17065 with the appropriate scope within six (6) months of the 
effective date by the adopted standards and testing procedures and 
otherwise meet the FCC's IoT Labeling Program requirements. The entity 
must also demonstrate implementation of controls to eliminate actual or 
potential conflicts of interests (including both personal and 
organizational), particularly with regard to commercially sensitive 
information. The Bureau will finalize the entity's application upon 
receipt and demonstration of ISO/IEC 17065 accreditation with the 
appropriate scope.
    (7) The entity is not owned or controlled by or affiliated with any 
entity identified on the Commission's Covered List, listed sources of 
prohibition under Sec.  8.204, or of it, its affiliate, or subsidiary 
is owned or controlled by a foreign adversary country defined by the 
Department of Commerce in 15 CFR 7.4.
    (8) The entity must demonstrate it has implemented controls to 
eliminate actual or potential conflicts of interests (including both 
personal and organizational), particularly with regard to commercially 
sensitive information, to include but not limited to, remaining 
impartial and unbiased and prevent them from giving preferential 
treatment to certain applications (e.g., application line jumping) and 
from implementing heightened scrutiny of applications from entities not 
members or otherwise aligned with the CLA.
    (d) External resources. (1) In accordance with the provisions of 
ISO/IEC 17065 the evaluation of a product, or a portion thereof, may be 
performed by bodies that meet the applicable requirements of ISO/IEC 
17025, in accordance with the applicable provisions of ISO/IEC 17065 
for external resources (outsourcing). Evaluation is the selection of 
applicable requirements and the determination that those requirements 
are met. Evaluation may be performed using internal CLA resources or 
external (outsourced) resources.
    (2) A CLA shall not outsource review or decision activities.
    (3) When external resources are used to provide the evaluation 
function, including the testing of products subject to labeling, the 
CLA shall be responsible for the evaluation and shall maintain 
appropriate oversight of the external resources used to ensure 
reliability of the evaluation. Such oversight shall include periodic 
audits of products that have been tested and other activities as 
required in ISO/IEC 17065 when a CLA uses external resources for 
evaluation.
    (e) Commission approves a CLA. (1) The Commission will approve as a 
CLA:
    (i) Any entity in the United States that meets the requirements of 
this section.
    (ii) The Commission will not approve as a CLA any organization, its 
affiliates, or subsidiaries listed in the listed sources of prohibition 
under Sec.  8.204.
    (2) The Commission will withdraw its approval of a CLA if the CLA's 
designation or accreditation is withdrawn, if the Commission determines 
there is just cause for withdrawing the approval, or upon request of 
the CLA. The Commission will limit the scope of products that can be 
certified by a CLA if its accreditor limits the scope of its 
accreditation or if the Commission determines there is good cause to do 
so. The Commission will notify a CLA in writing of its intention to 
withdraw or limit the scope of the CLA's approval and provide at least 
60 days for the CLA to respond.
    (3) The Commission will notify a CLA in writing when it has 
concerns or evidence that the CLA is not carrying out its 
responsibilities under the labeling program in accordance with the 
Commission's rules in this subpart and policies and request that it 
explain and correct any apparent deficiencies.

[[Page 61278]]

    (4) The Public Safety and Homeland Security Bureau shall provide 
notice to the CLA that the Bureau proposes to terminate the CLA's 
authority and provide the CLA a reasonable opportunity to respond (not 
more than 20 days) before reaching a decision on possible termination.
    (5) If the Commission withdraws its recognition of a CLA, all 
grants issued by that CLA will remain valid unless specifically set 
aside or revoked by the Commission.
    (6) A list of recognized CLAs will be published by the Commission.
    (f) Scope of responsibility. (1) A CLA shall receive and evaluate 
applications and supporting data requesting authority to use the FCC 
IoT Label on the product subject to the application.
    (2) A CLA shall grant authorization to use the FCC IoT Label with a 
complying consumer IoT product in accordance with the Commission's 
rules in this subpart and policies.
    (3) A CLA shall accept test data from any Lead Administrator-
recognized accredited CyberLAB, subject to the requirements in ISO/IEC 
17065 and shall not unnecessarily repeat tests.
    (4) A CLA may establish and assess fees for processing applications 
and other Commission-required tasks.
    (5) A CLA may only act on applications that it has received or 
which it has issued a certification authorizing use of the FCC IoT 
Label.
    (6) A CLA shall dismiss an application that is not in accordance 
with the provisions of this subpart or when the applicant requests 
dismissal, and may dismiss an application if the applicant does not 
submit additional information or test samples requested by the CLA.
    (7) A CLA shall ensure that manufacturers make all required 
information accessible to the IoT registry.
    (8) A CLA shall participate in a consumer education campaign in 
coordination with the Lead Administrator.
    (9) A CLA shall receive complaints alleging a product bearing the 
FCC IoT Label does not support the cybersecurity criteria conveyed by 
the Cyber Trust Mark and refer these complaints to the Lead 
Administrator which will notify the Public Safety and Homeland Security 
Bureau.
    (10) A CLA may not:
    (i) Make policy, interpret unclear provisions of the statute or 
rules, or interpret the intent of Congress;
    (ii) Grant a waiver of the rules in this subpart; or
    (iii) Take enforcement actions.
    (11) All CLA actions are subject to Commission review.
    (g) Post-market surveillance requirements. (1) In accordance with 
ISO/IEC 17065, a CLA shall perform appropriate post-market surveillance 
activities. These activities shall be based on type testing a certain 
number of samples of the total number of product types for which the 
CLA has certified use of the Label.
    (2) PSHSB may request that a grantee of authority to use the FCC 
IoT Label submit a product sample directly to the CLA that evaluated 
the grantee's application as part of the post market surveillance. Any 
product samples requested by the Commission and tested by the CLA will 
be counted toward a minimum number of samples that the CLA must test to 
meet its post market surveillance requirements.
    (3) A CLA may also request a grantee submit samples of products 
that the CLA has certified to use the FCC IoT Label directly to the 
CLA.
    (4) If during post market surveillance of a complying consumer IoT 
product, a CLA determines that the product fails to comply with the 
technical regulations (or other FCC requirements) for that product, the 
CLA shall immediately notify the grantee and the Commission in writing 
of its findings. The grantee shall provide a report to the CLA 
describing the actions taken to correct the situation, as provided in 
Sec.  8.216, and the CLA shall provide a report of these actions to the 
Commission within 30 days.
    (5) CLAs shall submit periodic reports to the Commission of their 
post-market surveillance activities and findings in a format and by a 
date specified by the Commission.


Sec.  8.221  Requirements for the Lead Administrator.

    (a) Establishing a Lead Administrator. If more than one qualified 
entity is selected by the Commission to be a CLA, the Commission will 
select a Lead Administrator. The Lead Administrator shall:
    (1) Interface with the Commission on behalf of the CLAs, including 
but not limited to submitting to the Bureau all complaints alleging a 
product bearing the FCC IoT Label does not meet the requirements of the 
Commission's labeling program;
    (2) Coordinate with CLAs and moderate stakeholder meetings;
    (3) Accept, review, and approve or deny applications from labs 
seeking recognition as a lab authorized to perform the conformity 
testing necessary to support an application for authority to affix the 
FCC IoT Label, and maintain a publicly available list of Lead 
Administrator-recognized labs and a list of labs that have lost their 
recognition;
    (4) Within 90 days of election as Lead Administrator, the Lead 
Administrator will, in collaboration with the CLAs and stakeholders 
(e.g., cyber experts from industry, government, and academia):
    (i) Submit to the Bureau recommendations identifying and/or 
developing the technical standards and testing procedures for the 
Commission to consider with regard to at least one class of IoT 
products eligible for the IoT labeling program. The Bureau will 
evaluate the recommendations, subject to any required public notice and 
comment, incorporate them by reference into the Commission's rules in 
this subpart;
    (ii) Submit to the Bureau a recommendation on how often a given 
class of IoT products must renew their request for authority to bear 
the FCC IoT Label, which may be dependent on the type of product, and 
that such a recommendation be submitted in connection with the relevant 
standards recommendations for an IoT product or class of IoT products. 
The Bureau will evaluate the recommendations, and if the Bureau 
approves of the recommendations, subject to any required public notice 
and comment, incorporate them by reference into the Commission's rules 
in this subpart;
    (iii) Submit to the Bureau a recommendation on procedures for post 
market surveillance by the CLAs. The Bureau will evaluate the 
recommendations, and if the Bureau approves of the recommendations, 
subject to any required public notice and comment, incorporate them by 
reference into the Commission's rules in this subpart;
    (iv) Make recommendations to the Bureau with regard to updates to 
the registry including whether the registry should be in additional 
languages, and if so, to recommend specific languages for inclusion; 
and
    (v) Submit to the Bureau recommendations on the design of the FCC 
IoT Label, including but not limited to labeling design and placement 
(e.g., size and white spaces, product packaging) and whether to include 
the product support end date on labels for certain products or category 
of products. The Bureau will evaluate the recommendations, and if the 
Bureau approves of the recommendations, subject to any required public 
notice and comment, incorporate them by reference into the Commission's 
rules in this subpart;
    (5) Within 45 days of publication of updates or changes to NIST 
guidelines, or adoption by NIST of new guidelines,

[[Page 61279]]

recommend in collaboration with CLAs and other stakeholders any 
appropriate modifications to the labeling program standards and testing 
procedures to stay aligned with the NIST guidelines;
    (6) Submit to the Commission reports on CLAs' post-market 
surveillance activities and findings in the format and by the date 
specified by Public Safety and Homeland Security Bureau;
    (7) Develop in collaboration with stakeholders a consumer education 
campaign, submit the plan to the Public Safety and Homeland Security 
Bureau, and participate in consumer education;
    (8) Receive complaints about the labeling program, including but 
not limited to consumer complaints about the registry and coordinate 
with manufacturers to resolve any technical problems associated with 
consumers accessing the information in the registry;
    (9) Facilitate coordination between CLAs; and
    (10) Submit to the Commission any other reports upon request of the 
Commission or as required by Commission rules in this subpart.
    (b) Criteria for designation. In addition to completing the CLA 
application information, entities seeking to be the Lead Administrator 
will submit a description of how they will execute the duties of the 
Lead Administrator, including:
    (1) Their previous experience in IoT cybersecurity;
    (2) What role, if any, they have played in IoT labeling;
    (3) Their capacity to execute the Lead Administrator duties;
    (4) How they would engage and collaborate with stakeholders to 
identify or develop the Bureau recommendations;
    (5) A proposed consumer education campaign; and
    (6) Additional information the applicant believes demonstrates why 
they should be the Lead Administrator.


Sec.  8.222  Establishment of an IoT Registry.

    (a) A grantee of authority to use the FCC IoT Label shall provide 
information about the complying consumer IoT product to the public. 
Information supplied by grantees shall be made available in a dynamic, 
decentralized, publicly accessible registry through a common 
Application Programming Interface (API) that is secure by design.
    (b) A grantee of authority to use the FCC IoT Label shall publish 
the following information through the common API in the Registry:
    (1) Product Name;
    (2) Manufacturer name;
    (3) Date the product received authorization (i.e., cybersecurity 
certification) to affix the label and current status of the 
authorization (if applicable);
    (4) Name and contact information of the CLA that authorized use of 
the FCC IoT Label;
    (5) Name of the lab that conducted the conformity testing;
    (6) Instructions on how to change the default password 
(specifically state if the default password cannot be changed);
    (7) Information (or link) for additional information on how to 
configure the device securely;
    (8) Information as to whether software updates and patches are 
automatic and how to access security updates/patches if they are not 
automatic;
    (9) The date until which the entity promises to diligently identify 
critical vulnerabilities in the product and promptly issue software 
updates correcting them, unless such an update is not reasonably needed 
to protect against cybersecurity failures (i.e., the minimum support 
period); alternatively, a statement that the device is unsupported and 
that the purchaser should not rely on the manufacturer to release 
security updates;
    (10) Disclosure of whether the manufacturer maintains a Hardware 
Bill of Materials (HBOM) and/or a Software Bill of Materials (SBOM); 
and
    (11) Additional data elements that the Bureau deems necessary.

[FR Doc. 2024-14148 Filed 7-29-24; 8:45 am]
BILLING CODE 6712-01-P


This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.