Public Safety and Homeland Security Bureau Announces 15-Business Day Filing Window for Cybersecurity Labeling Administrator and Lead Administrator Applications, 84086-84096 [2024-23844]

Agencies

• FEDERAL COMMUNICATIONS COMMISSION

[Federal Register Volume 89, Number 203 (Monday, October 21, 2024)]
[Rules and Regulations]
[Pages 84086-84096]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2024-23844]


=======================================================================
-----------------------------------------------------------------------

FEDERAL COMMUNICATIONS COMMISSION

47 CFR Part 8

[PS Docket Nos. 23-239; FR ID 250049]


Public Safety and Homeland Security Bureau Announces 15-Business 
Day Filing Window for Cybersecurity Labeling Administrator and Lead 
Administrator Applications

AGENCY: Federal Communications Commission.

ACTION: Final rule.

-----------------------------------------------------------------------

SUMMARY: In this document, the Federal Communications Commission's (FCC 
or Commission) Public Safety and Homeland Security Bureau (PSHSB or 
Bureau) announces a 15-business day filing window for applications from 
entities seeking designation as a Cybersecurity Labeling Administrator 
(CLA) and Lead Administrator and also adopt additional requirements for 
CLA and Lead Administrator applications as well as responsibilities 
that must be met by the selected Lead Administrator and CLAs. These 
requirements will provide additional guidance to administrator 
applicants and further implements the Commission's IoT labeling 
program.

DATES: 
    Effective date: November 20, 2024, except for amendment 3 (47 CFR 
8.220(f)(14)) which is delayed indefinitely until the Office of 
Management and Budget has completed review under the Paperwork 
Reduction Act. The Commission will publish a document in the Federal 
Register announcing that effective date.
    Comments due date: Written comments on the Paperwork Reduction Act 
information collection requirements must be submitted by the public, 
Office of Management and Budget (OMB), and other interested parties on 
or before December 20, 2024.

ADDRESSES: 
     All hand-delivered or messenger-delivered paper filings: 
Office of the Secretary, Federal Communications Commission, 9050 
Junction Drive, Annapolis Junction, MD 20701.
     Commercial overnight deliveries (other than U.S. Postal 
Service Express Mail and Priority Mail): Office of the

[[Page 84087]]

Secretary, Federal Communications Commission, 9050 Junction Drive, 
Annapolis Junction, MD 20701.
     U.S. Postal Service First-Class, Express, and Priority 
mail: Office of the Secretary, Federal Communications Commission, 45 L 
Street NE, Washington, DC 20554.
     People with Disabilities. To request materials in 
accessible formats for people with disabilities (braille, large print, 
electronic files, audio format), send an email to [email protected] or 
call the Consumer & Governmental Affairs Bureau at 202-418-0530 
(voice), 202-418-0432 (TTY).

FOR FURTHER INFORMATION CONTACT: Tara Shostek, Attorney Advisor, 
Cybersecurity and Communications Reliability Division, Public Safety 
and Homeland Security Bureau, (202) 418-8130, or by email to 
[email protected].
    For additional information concerning the Paperwork Reduction Act 
information collection requirements contained in this document, contact 
Nicole Ongele, Office of Managing Director, Performance & Program 
Management, 202-418-2991, or by email to [email protected].

SUPPLEMENTARY INFORMATION: This is a summary of the Commission's 
document in PS Docket No. 23-239, released September 10, 2024. The full 
text of this document is available by downloading the text from the 
Commission's website at: https://docs.fcc.gov/public/attachments/DA-24-900A1.pdf.
    The Commission has determined, and the Administrator of the Office 
of Information and Regulatory Affairs, Office of Management and Budget, 
concurs, that this rule is ``non-major'' under the Congressional Review 
Act, 5 U.S.C. 804(2). The Commission will send a copy of this Report & 
Order to Congress and the Government Accountability Office pursuant to 
5 U.S.C. 801(a)(1)(A).

Synopsis

    1. By this document, the Federal Communications Commission's (FCC 
or Commission) Public Safety and Homeland Security Bureau (Bureau) 
announces a 15-business day filing window for applications from 
entities seeking designation by the Commission as a Cybersecurity 
Labeling Administrator (CLA) and Lead Administrator.\1\ The Bureau also 
provides determinations regarding application format, filing fees, 
selection criteria, sharing of expenses, Lead Administrator neutrality, 
and confidentiality and security requirements in this document.
---------------------------------------------------------------------------

    \1\ While the Bureau may open additional filing windows at later 
dates, the Bureau will not accept applications for this initial 
round of applications that are filed after this filing window 
closes. However, applicants requiring additional time may, in 
accordance with Sec.  1.46 of the Commission's rules, request an 
extension of time for up to 10 additional calendar days to complete 
their applications.
---------------------------------------------------------------------------

I. Background

    2. In March 2024, the Commission established a framework for a 
voluntary cybersecurity labeling program for consumer wireless Internet 
of Things (IoT) products (IoT Labeling Program), which includes 
selecting third party administrators to support the program. The 
Commission delegated authority to the Bureau to open an initial filing 
window to receive applications from entities seeking authority to be 
recognized as a CLA and those seeking to be recognized as the Lead 
Administrator (see Cybersecurity Labeling for Internet of Things, 89 FR 
61242 (July 30, 2024) (IoT Labeling Order)).\2\ CLAs will be authorized 
by the Commission to certify use of the FCC IoT Label, which includes 
the U.S. government certification mark (U.S. Cyber Trust Mark), by 
manufacturers whose products are found to be in compliance with the 
Commission's IoT cybersecurity labeling program rules. The Lead 
Administrator will, among other duties, act as liaison between the 
Commission and CLAs, conduct stakeholder outreach to identify and/or 
develop and recommend to the Bureau technical standards and testing 
procedures for at least one class of IoT products, and in collaboration 
with CLAs, the FCC, and other stakeholders, develop and execute a plan 
for a consumer education campaign.
---------------------------------------------------------------------------

    \2\ The IoT Labeling Order also delegated authority to the 
Bureau to open additional filing windows or otherwise accept 
additional applications for authority to be recognized by the Bureau 
as a CLA when and as the Bureau determines it is necessary.
---------------------------------------------------------------------------

II. CLA and Lead Administrator Applications

A. Format of CLA and Lead Administrator Applications

    3. In a public notice released in June, 2024 the Bureau proposed 
that applications be submitted in narrative format via email and sought 
comment on this tentative determination (see Public Safety and Homeland 
Security Bureau Requests Comment on Implementation of the Cybersecurity 
Labeling for Internet of Things Program, 89 FR 58312 (July 18, 2024), 
at 58313 (June 2024 IoT Labeling Public Notice)). We continue to 
believe that the information to be submitted by entities applying to be 
a CLA or Lead Administrator lends itself to a narrative discussion of 
their qualifications and adopt the narrative format proposed. While 
ioXt argues that a fillable form would better ensure uniformity among 
applications, we believe the evaluation criteria and CLA/Lead 
Administrator responsibilities in the IoT Labeling Order are specific 
enough to allow for tailored applicant responses and comparative 
evaluation by the Commission at this time. In addition, as outlined by 
the Wi-Fi Alliance, ``. . . a narrative format will better allow CLA 
applicants to describe in detail their expertise, the types of 
cybersecurity assessments in which they are involved, and how those 
activities and other qualifications will enable them to perform the CLA 
role. Because all these attributes are imperative to the performance of 
CLA responsibilities, a narrative will best allow the Commission to 
assess applicant qualifications.'' UL Solutions also supports a 
narrative-format application, noting that this format will allow 
applicants to provide the detailed information needed to support their 
applications. T[Uuml]V S[Uuml]D also commented that email is 
functional, and that a fillable form, while helpful for clarification, 
should also include a narrative text field so applicants can add 
relevant information. One commenter, ioXt, expressed concern that a 
``narrative email'' may require additional communication between staff 
and applicants to obtain all necessary information to evaluate an 
application. We note that an enumeration of the evaluation criteria, 
and additional application instructions, including a ``Frequently Asked 
Questions'' link, are also provided below in this document and will 
provide further guidance to applicants. Further, the Bureau has 
considered and anticipates that staff may need to respond to applicant 
questions during the application review process and has designated 
staff for that purpose below.
    4. Entities applying to be a CLA or the Lead Administrator must 
file a narrative explanation of their qualifications to the Office of 
the Secretary.\3\ Consistent with the record, we determine that CLA and 
Lead Administrator applications and supporting documentation shall be 
treated as presumptively confidential. Each page of the application 
must be clearly and conspicuously labeled

[[Page 84088]]

``CONFIDENTIAL, NOT FOR PUBLIC INSPECTION.'' As we expect applications 
will contain commercially sensitive and proprietary information that 
the Commission routinely treats as confidential, applications shall 
remain presumptively confidential, regardless of disposition of the 
application. We decline to publish applications as a matter of course, 
including for those entities selected as CLAs or the Lead 
Administrator. We disagree with commenters who argue that the value of 
understanding CLA methodologies outweighs confidentiality protections, 
as Commission evaluators will still have the opportunity to review the 
applicant's testing methodologies submitted to the agency. Maintaining 
the presumptive confidentiality of CLA and Lead Administrator 
applications, including those applications that are approved by the 
Bureau, will provide applicants with assurances that the commercially 
sensitive business information they submit in conjunction with their 
voluntary participation in the FCC's Program will not be publicly 
disclosed.\4\ We believe maintaining the presumptive confidentiality of 
these applications will encourage additional entities to submit 
applications for these voluntary roles. Thus, in announcing the 
entities selected as CLAs and Lead Administrator, we only plan to make 
public the entity's name and their contact information.
---------------------------------------------------------------------------

    \3\ As stated in the 2024 IoT Labeling Public Notice, the Bureau 
may re-evaluate the need for a fillable form and seek additional 
comment on this issue after this CLA application filing window 
closes.
    \4\ As NCTA's comments recognize, to the extent that Commission 
records ``would be subject to disclosure under the Freedom of 
Information Act,'' the Commission would have an obligation to make 
that available in accordance with that law and the Commission's 
implementing rules. NCTA Comments at 9. See also, e.g., 47 CFR 
0.461.
---------------------------------------------------------------------------

    5. While the Bureau will review the narrative applications received 
via email, we seek to leverage existing procedures, including records 
management, by building on a framework for the filing of confidential 
materials that the Commission has used in the past. Consistent with 
that historical approach, applicants must file the application and 
supporting materials with the Office of the Secretary either via hand 
or messenger delivery, by commercial overnight courier, or First-Class 
or overnight U.S. Postal Service mail. A copy must be sent to the 
Bureau via email as a password protected .pdf file to 
[email protected]. Additional instructions on submitting 
applications are provided below.

B. FCC Filing Fees for CLA and Lead Administrator Applications

    6. In the June 2024 IoT Labeling Public Notice, the Bureau sought 
comment on whether a filing with the Commission by an entity that is 
seeking to be a CLA or Lead Administrator constitutes an application 
under section 8 of the Communications Act, and if so, whether an 
existing FCC fee category would cover such applications or if a new 
application fee category should be established. In addition, the Bureau 
sought comment on what fee the Commission should charge in connection 
with such a filing, if applicable. Commenters do not opine on whether 
it is appropriate to charge application fees. The Association of Home 
Appliance Manufacturers (AHAM), however, explains that if fees are 
charged, they ``should not be cost prohibitive to the point where it 
unnecessarily limits those entities that wish to apply.'' T[Uuml]V 
S[Uuml]D does not comment on whether a fee should be assessed, but does 
indicate that if a fee is assessed, the Commission should set a new fee 
category.
    7. In this instance, our IoT Labeling Program derives in part from 
our authority to hold and utilize a registered certification mark. In 
reviewing applications to be a CLA or Lead Administrator, we therefore 
are not acting solely under our Communications Act authority, but also 
to protect our registered certification mark. Given this dual role, at 
this time, we do not believe that the nature of our review of the 
applications is such that they should be subject to an application 
fee.\5\ We recognize that the process for applying to be a CLA or Lead 
Administrator may evolve with time. As such, we do not wholly foreclose 
adopting application fees in the future. Given these facts coupled with 
the lack of support in the record, the Bureau will not assess FCC 
application fees on CLA and Lead Administrator applications at this 
time.
---------------------------------------------------------------------------

    \5\ The decision in section II.B of this document is made in 
conjunction with the Office of Managing Director (OMD).
---------------------------------------------------------------------------

C. Bureau Selection of Cybersecurity Label Administrators and the Lead 
Administrator

    8. The Bureau declines to expand the CLA and Lead Administrator 
selection criteria beyond what is set out in the IoT Labeling Order. In 
the June 2024 IoT Public Notice, the Bureau sought comment on whether 
there are additional areas of expertise or specific requirements a CLA 
applicant should be required to demonstrate in addition to those listed 
in the Order. The Bureau also asked what additional criteria, if any, 
the Bureau should take into consideration during the Lead Administrator 
selection process, as well as safeguards the Bureau might adopt to 
ensure the stakeholder process remains competitively neutral and 
whether all selection criteria should be weighted the same.
    9. NCTA suggests that ``when selecting a Lead Administrator, the 
Bureau should consider candidates' ability to maintain the Program's 
integrity when translating the substantive technical security 
requirements into recommended standards and test procedures, and do so 
without creating unnecessary deterrents for manufacturer participation 
in the Program.'' We agree that a Lead Administrator's maintenance of 
the Program's integrity during the 90-day stakeholder process and 
resulting recommendations is very important to the success of the 
Program. However, the Bureau finds that the criteria outlined in the 
IoT Labeling Order are sufficient to ensure the selected Lead 
Administrator has the technical experience and the high integrity 
expected of an entity supporting an FCC program. This position is 
supported by UL Solutions, which states the ``[IoT Labeling Order] did 
not neglect any important considerations for assessing the 
qualifications of organizations to serve as CLAs or as the Lead 
Administrator.'' We believe that the public/private partnership and 
close collaboration between industry and other stakeholders 
contemplated in the IoT Labeling Order, along with the Commission's 
oversight, will ensure that there are adequate guardrails to maintain 
the Program's integrity in this regard.
    10. NCTA also encourages the Bureau to evaluate Lead Administrator 
applications for their ability to avoid conflicts of interest, 
including any relationships the Lead Administrator applicant may have 
that could create the appearance of impropriety or a conflict of 
interest, such as complaints from manufacturers, and suggests 
evaluating whether Lead Administrator applicants have the financial 
resources to avoid such conflicts going forward. We disagree that it is 
necessary to take additional measures when evaluating applications for 
this purpose. Existing application criteria require an applicant to 
describe their organization structure, including an explanation of how 
it will avoid personal and organizational conflict when processing 
applications, and demonstrate implementation of controls to eliminate 
actual or potential conflicts of interests (both personal and 
organizational), to remain impartial and unbiased. In addition, the 
Future of

[[Page 84089]]

Privacy Forum urges the Bureau to ``consider requiring program 
administrators to possess relevant privacy expertise as well as 
cybersecurity expertise.'' We agree that privacy is an integral aspect 
of cybersecurity, and note that existing application criteria require 
applicants to possess both privacy and cybersecurity expertise, 
including demonstrated expert knowledge of the National Institute of 
Standards and Technology (NIST) cybersecurity guidance and recommended 
criteria and labeling program approaches, which include privacy among 
their core cybersecurity capabilities.
    11. We also note that the Wi-Fi Alliance recommends that in 
addition to demonstrating their ``[e]xpert knowledge of FCC rules and 
procedures associated with product compliance testing and 
certification,'' CLA applicants also demonstrate their experience in 
this area. Wi-Fi Alliance recognizes that while a lack of current 
experience with developing and implementing security standards should 
not be disqualifying, it would serve the public interest for the Bureau 
to include this ``additional requirement, particularly concerning 
specific IoT products where cybersecurity standards have already been 
developed and tested.'' The Wi-Fi Alliance encourages the Bureau to 
give a preference to CLA applicants with this experience. The Bureau 
declines to require applicants to demonstrate previous experience with 
FCC rules and procedures associated with product compliance testing and 
certification as a condition precedent to being an approved CLA or give 
preference to CLA applicants with this experience. In particular, 
applicants are always encouraged to provide any additional information 
that helps demonstrate their expertise or experience under the relevant 
criteria and, providing examples of an applicant's experience where 
applicable, in general, will provide more information from which the 
Bureau can evaluate an application. Additionally, CTIA proposes 
criteria for evaluating CLA applications to include a minimum of 5-10 
years of experience managing a cyber certification program and proven 
experience in running or participating in a working group on 
cybersecurity standards. While we agree that this set of criteria can 
be useful to demonstrate a ``proven track record,'' we are concerned 
that requiring such specific criteria may unnecessarily exclude 
applicants that otherwise may have appropriate knowledge and expertise. 
Therefore, we decline to adopt this recommendation.
    12. We conclude that we will maintain the criteria as set out in 
the IoT Labeling Order for the initial round of CLA and Lead 
Administrator applications. The Bureau, jointly with OMD and, to the 
extent necessary, Office of General Counsel, will receive and review 
administrators' applications for compliance with each criteria set 
forth in the IoT Labeling Order and to best ensure the success of the 
program. We note that UL Solutions recommends certain requirements be 
defined in greater detail to avoid subjective determinations, but we 
believe that the IoT Labeling Order provided a comprehensive list of 
required criteria that covers the breadth of expertise and capabilities 
necessary to select a CLA and Lead Administrator at this early stage of 
the program and is neutral toward applicants. Further, as noted above, 
applicants are not limited to providing the required criteria listed in 
the IoT Labeling Order, but have the flexibility to offer additional 
expertise or selection criteria they believe are pertinent and support 
their application (e.g., expected costs/budget for Lead Administrator 
to carry out their responsibilities, information to support their 
ability to carry out the respective responsibilities, etc.). Should the 
Bureau conclude that it would be appropriate to open subsequent filing 
windows, we may seek comment on, and consider adoption of, additional 
selection criteria at that time.
    13. As discussed in the IoT Labeling Order, authorizing one or more 
CLAs subject to Commission oversight to handle the routine 
administration of the program will help to ensure its timely and 
consistent rollout, and independent third-party CLAs will bring trust, 
consistency, and an impartial level playing field to the IoT Labeling 
Program and will provide the required expertise for the administration 
of the program. Leveraging the expertise of multiple existing program 
managers and using pre-existing systems and processes that meet our 
program specifications will minimize administrative delay and ensure 
the Commission effectively utilizes the expertise of those entities who 
have made investments in their own cybersecurity labeling programs. 
Entities that have experience working with manufacturers and IoT 
conformity and standards testing, as required in the criteria adopted 
in the IoT Labeling Order, will also best be able to promote an 
efficient and timely rollout of the IoT Labeling Program.
    14. We disagree with CTIA's suggestion that the Bureau adopt a 
flexible approach with respect to International Organization for 
Standardization/International Electrotechnical Commission (ISO/IEC) 
17065 accreditation requirements for CLAs with a certain level of 
experience to avoid unnecessary costs and delays. CTIA posits that 
``[accreditation] can be costly and time-consuming to obtain and is 
unnecessary for prospective CLAs that have demonstrated track records 
in managing similar certification programs.'' Instead, CTIA proposes 
for entities with at least 5-10 years of experience running 
certification programs, ISO/IEC 17065 accreditation should be optional. 
In contrast, A2LA submits that the ``ISO/IEC 17065 accreditation 
requirement will be of benefit to the FCC and the consumers it serves 
by providing necessary risk mitigation . . . Claiming a certain number 
of years' experience is not equivalent to demonstrating technical 
competence or compliance.'' The IoT Labeling Order and accompanying 
rules require that all CLAs obtain ISO/IEC 17065 accreditation to the 
Commission's scope within six months of the effective date of the 
adopted standards and testing procedures. The Commission previously 
determined that ``leveraging accredited industry bodies to perform 
conformity assessments will `speed the establishment of the program and 
increase the program's ultimate quality.' '' As such, we decline to 
adopt CTIA's suggested exemption. Alternatively, CTIA recommends an 18-
month grace period to obtain such accreditation, for entities that have 
a proven track record of successfully managing a certification program. 
The Commission recognized it would take time for selected CLAs to 
obtain ISO/IEC 17065 accreditation and for that reason found it 
appropriate to conditionally approve CLAs and allow an additional six 
months for selected administrators to obtain accreditation. While we 
decline to adopt a blanket 18-month grace period, we are mindful that 
some entities may require more than six months to obtain accreditation. 
We think the Commission's existing rule waiver procedure is an 
appropriate and sufficient vehicle for CLAs that cannot meet the 
accreditation deadline to request a waiver of the rule along with their 
requested extension period.
    15. We also disagree with CTA's suggestion that conditional 
approval of CLA applications will allow CLAs to certify products to use 
the FCC IoT Label before obtaining ISO/IEC 17065 accreditation to the 
Commission's

[[Page 84090]]

scope.\6\ The Commission indicated that CLA applications will be 
conditionally approved in order to expedite initial deployment of the 
FCC's program. However, CLAs that have not demonstrated that they have 
received ISO/IEC 17065 accreditation to the Commission's scope will not 
be recognized and approved by the Bureau to receive applications or 
otherwise approved to authorize use the FCC IoT Label.
---------------------------------------------------------------------------

    \6\ CTA also recommends the Bureau similarly conditionally 
approve CyberLABs to begin testing products before they become 
accredited and provide CyberLABs a 6-month grace period to obtain 
accreditation, which the Bureau declines to do. CyberLABs are not 
authorized by the Commission to begin testing products for 
compliance with the IoT Labeling Program until after they have 
obtained the appropriate accreditation to the Commission's scope and 
have been recognized by the Lead Administrator.
---------------------------------------------------------------------------

    16. It is premature for the Bureau to address the specific scope of 
the Commission's accreditation program as the standards and testing 
procedures have not yet been adopted. However, we emphasize that each 
CLA will be required to obtain ISO/IEC 17065 accreditation to the FCC 
scope before it will be recognized by the Commission as an entity 
authorized to certify a product as being compliant with FCC IoT 
Labeling Program rules and authorize use of the FCC IoT Label 
consistent with the IoT Labeling Order.

D. Lead Administrator Expenses Shared Among CLAs

    17. The June 2024 IoT Labeling Public Notice sought recommendations 
for an effective mechanism for CLAs to share the Lead Administrator's 
expenses. Parties are generally in agreement that Lead Administrator 
startup costs will be higher than the Lead Administrator's ongoing 
costs once the program is stood up and should be reflected in the CLA's 
cost sharing obligations. UL Solutions recommends an initial standup 
fee for the Lead Administrator and a per-certificate fee going forward. 
The Wi-Fi Alliance recommends the Lead Administrator submit to the 
Bureau a claim for expenses incurred in the performance of its duties, 
which if approved, would be shared proportionally among the CLAs, with 
the proportionality being based on the annual number of products the 
CLA certifies to use the FCC IoT Label. The Wi-Fi Alliance notes that 
Lead Administrator expenses subject to sharing by the CLAs should be 
limited to those ``that are unique to the Lead Administrator as Lead 
Administrator,'' and not related to its activities as a CLA.
    18. The Bureau recognizes that the Lead Administrator's expenses 
incurred as a result of the performance of its duties under this 
program must be reasonable and accurately reflect its actual costs. In 
addition, it is also important to ensure each CLA shares in the Lead 
Administrator's costs as required by the IoT Labeling Order and that 
the costs shared reflect the Lead Administrator's actual and reasonable 
expenses incurred as a result of performance of its Lead Administrator 
duties and only those expenses incurred in its capacity as Lead 
Administrator. To ensure this occurs, the Lead Administrator is 
required to implement internal controls adequate to ensure its 
operations maintain best practices to protect against improper payments 
and to prevent fraud, waste, and abuse in its handling of funds. Once 
selected, the Lead Administrator will also submit to the Bureau and 
OMD, an estimate of its forward-looking costs including, separately, 
program stand-up costs and ongoing program costs to perform the Lead 
Administrator duties for the Lead Administrator's upcoming calendar 
year, which will be reviewed by CLAs, PSHSB, and OMD for 
reasonableness, and if determined to be reasonable by PSHSB and OMD, 
will be used to estimate the overall CLA cost sharing obligation.\7\
---------------------------------------------------------------------------

    \7\ CTIA, and others, point out the need for federal funding to 
support core aspects of the program, such as consumer education. 
NCTA argues the Federal government should lead the consumer 
education campaign, which would reduce the burden on the Lead 
Administrator and CLAs. However, both of these recommendations are 
beyond the Bureau's delegation of authority and the scope of this 
document.
---------------------------------------------------------------------------

    19. Consistent with the IoT Labeling Order, each CLA will share in 
these Lead Administrator costs, however, we decline to establish the 
methodology for such cost sharing and instead rely on CLAs and the Lead 
Administrator to determine the sharing methodology, which should be 
reasonable and equitable and will be subject to ongoing oversight by 
the Commission. Further, we require the Lead Administrator to submit to 
the Bureau and OMD, an annual, independently audited, statement of 
program expenditures and monies received from the CLAs due before the 
end of the calendar year. The Bureau will provide further guidance on 
CLA cost sharing once the CLAs and the Lead Administrator have been 
selected.

E. Lead Administrator Neutrality

    20. Neutral Treatment of CLAs and Other Stakeholders. In the IoT 
Labeling Order, the Commission recognized the competitive implications 
of an entity being both the Lead Administrator and a CLA. The June 2024 
IoT Labeling Public Notice sought comment on what safeguards, if any, 
the Bureau should adopt to ensure Lead Administrator neutrality as a 
potential competitor of other CLAs. The Bureau also asked whether there 
are additional safeguards, beyond those contemplated in the IoT 
Labeling Order, the Bureau should adopt to ensure the stakeholder 
engagement process and related recommendations the Lead Administrator 
makes to the Commission (e.g., standards and testing criteria and label 
design) are consensus-based and competitively neutral.
    21. Commenters emphasize the importance of ensuring Lead 
Administrator neutrality to prevent actual, as well as perceptions of, 
unfair economic advantage by the Lead Administrator over other CLAs, 
and support adopting reasonable safeguards to do so. We share ioXt's 
concern that if the Lead Administrator gained an economic advantage by 
passing on fees to other CLAs, for example, CLAs would have to raise 
their prices, which would pass on the costs to the manufacturers, and 
then on to consumers. In order to ensure impartiality, A2LA recommends 
considering ISO/IEC 17065 requirements, which describe a mechanism 
(often a committee) for safeguarding impartiality and assuring a 
competitively neutral environment between the Lead Administrator, CLAs, 
and other stakeholders. T[Uuml]V S[Uuml]D also recommends that Lead 
Administrator neutrality be evaluated on a yearly basis, with the 
possibility of triggering an investigation by the Commission and 
revocation of Lead Administrator designation. Infineon suggests 
requiring a ``firewall'' to separate the Lead Administrator from its 
role as CLA, similar to those instituted by law firms to avoid 
conflicts between multiple clients' interests. Somos, Inc. recommends 
applying relevant rules from its role as the North American Numbering 
Plan Administrator to the Lead Administrator, including impartial 
allocation of resources, transparency, non-discrimination, avoidance of 
conflicts of interest, and compliance with regulations.
    22. We agree that ensuring Lead Administrator neutrality ``is 
critical to maximizing the Program's credibility and fostering trust 
among stakeholders,'' and we believe the IoT Labeling Order 
sufficiently addresses the concerns raised in the record. We note that 
the requirement that the Lead Administrator be accredited to ISO/IEC 
17065 will ensure that the entity is appropriately aligned with those 
impartiality mechanisms. Further, we require all CLA applicants, 
including those

[[Page 84091]]

applying to be the Lead Administrator, to demonstrate implementation of 
controls to eliminate actual or potential conflicts of interests, 
including remaining impartial and unbiased. The Bureau will evaluate 
such applications to ensure rigorous compliance with these criteria. We 
also note that approval of the Lead Administrator may be subject to 
withdrawal by the Commission upon a determination of just cause, and 
this includes failing to follow those impartiality requirements. The 
Lead Administrator must be committed to neutrality and impartiality, 
consistent with the IoT Labeling Order. Because we anticipate those 
measures will be sufficient, we are not persuaded of the need to adopt 
additional requirements at this time.
    23. Finally, CTA proposes asking prospective CyberLABs and CLAs to 
attest that they meet the requirements in the (draft) CTA-2119 Scheme 
Assessment Framework, as an industry consensus standard to preserve 
neutrality when assessing applicant entities. We decline to adopt this 
requirement at this time, given that the draft CTA-2119 Framework has 
not undergone public notice and comment. However, we may reconsider 
this proposal at a later date, once the Labeling Program's standards 
and testing procedures have been finalized.\8\
---------------------------------------------------------------------------

    \8\ CTA also proposes applying the CTA-2119 Scheme Assessment 
Framework as a uniform way to evaluate whether a scheme recommended 
by the Lead Administrator-led working group meets the NISTIR 8425 
criteria required in the IoT Labeling Order. We similarly decline to 
adopt this proposal at this time.
---------------------------------------------------------------------------

    24. Transparency in 90-day Stakeholder Process. As an initial 
matter, we emphasize that the IoT Labeling Order requires the Lead 
Administrator to ``provide equitable recommendations to the Commission 
to encourage the broadest possible participation of CLAs within the 
parameters of the FCC's rules.'' Therefore, while we believe it is 
premature to adopt additional rules in this regard, we note that UL 
Solutions emphasizes the importance of transparency in the stakeholder 
collaboration process, stating that the Lead Administrator should 
invite a wide variety of stakeholders and ensure they all have 
sufficient opportunity to have their views heard and participate in 
manageable working groups. Further, UL Solutions states that 
recommendations made to the Commission should also include dissenting 
views and how those dissenting views were addressed, which would be 
considered in the final rules adopted by the Commission. UL Solutions 
also recommends the importance of a clear and transparent process to 
shield the Lead Administrator from accusations or perceptions of bias 
when recognizing accredited CyberLABs. T[Uuml]V S[Uuml]D similarly 
proposes safeguards, such as a mandatory consultation round before 
making critical decisions regarding recommendations to the Commission.
    25. While we do not adopt additional guardrails at this stage, we 
reiterate the position in the IoT Labeling Order that the Lead 
Administrator should ensure participation from a wide variety of 
stakeholders and consider various resources when developing the IoT 
Labeling Program recommendations. As noted above, ISO/IEC 17065 
accreditation is required for all CLAs, including the Lead 
Administrator, and adherence to that standard requires the convener of 
working groups to develop recommendations (here, the Lead 
Administrator), and achieve a balanced representation of interests, 
such that no single interest predominates. We agree that transparency 
in the 90-day stakeholder process is of the highest importance and the 
Bureau expects to provide additional guidelines on that process when it 
announces the selection of CLAs and the Lead Administrator.

F. Confidentiality and Security Requirements

    26. The Bureau adopts its proposal from the June 2024 IoT Labeling 
Public Notice that manufacturer applications submitted to CLAs are 
presumptively confidential and CLAs are required to maintain this 
confidentiality. CLAs will be required to maintain the confidentiality 
of non-public information received as part of an application for 
authority to use the FCC IoT Label, and must implement appropriate 
administrative, technical, procedural, and physical safeguards to 
protect the confidentiality of information received by the CLA and 
protect against the unauthorized disclosure and unauthorized use of 
non-public information received as a result of its participation in the 
FCC IoT Labeling Program.
    27. We agree with commenters that the program would benefit from a 
presumption of confidentiality for filings and related information 
provided to CLAs from applicants seeking use of the FCC IoT Label, 
which would encourage manufacturer participation and protect 
proprietary technology and trade secrets. We disagree with commenters 
that such a presumption of confidentiality is not necessary due to the 
public-facing nature of the label. While this is true for product 
information required to be disclosed in the registry if approval is 
granted, this would not be the case for products that are denied 
authorization to bear the FCC IoT Label. In addition, as discussed 
above, we expect that applications submitted to the Commission by CLAs 
will also continue to be treated as presumptively confidential. We 
emphasize here that information submitted by manufacturers to CLAs, the 
Lead Administrator, and/or CyberLABs, in the course of seeking 
authority to use the FCC IoT Label, including but not limited to 
applications and test reports, and information submitted to the Lead 
Administrator by a lab seeking recognition as a CyberLAB (i.e., 
authorized to conduct conformance testing under the Commission's IoT 
Labeling Program) are not agency records of the Commission. Only 
information submitted to the Commission, such as submissions in 
furtherance of applications by entities seeking authority from the 
Commission to be a CLA and/or Lead Administrator, are records of the 
Commission.
    28. In the June 2024 IoT Labeling Public Notice, the Bureau 
tentatively concluded that the requirements of the Federal Information 
Security Modernization Act of 2014 (FISMA) apply to the Lead 
Administrator and CLAs.\9\ Some commenters oppose a FISMA requirement, 
stating that it would ``strongly discourage CLAs from applying to the 
program,'' and that FISMA has not been applied by other agencies 
supporting analogous programs, such as the Health and Human Services 
Department's Office of the National Coordinator's (ONC) certification 
program for health IT products. While we acknowledge these concerns, 
alone, they are not dispositive for not applying FISMA.
---------------------------------------------------------------------------

    \9\ The June 2024 IoT Labeling Public Notice also asks whether 
``. . . the registry operator(s) [should] as appropriate, be 
required to implement adequate security, privacy, and availability 
controls to meet FISMA low/moderate standards, or a commercial 
equivalent?'' The Bureau recognizes the importance of the registry's 
security requirements, and will address these issues in a future 
Public Notice addressing the structure of the Registry's Application 
Programming Interface (API).
---------------------------------------------------------------------------

    29. FISMA was enacted to ensure that each federal agency develops, 
documents, and implements an agency-wide program to secure federal 
information systems from unauthorized access, use, disclosure, 
disruption, modification, or destruction. Given this scope, we 
reconsider our tentative conclusion to apply FISMA to CLAs and the Lead 
Administrator and determine that, as presently contemplated, neither 
the CLAs nor the Lead Administrator

[[Page 84092]]

will operate an information system on behalf of the agency. That is so 
because the Commission has no plans to establish any interconnection 
between its systems and the Lead Administrator's or CLA's information 
systems; indeed, the FCC does not expect to routinely request, obtain 
access to, otherwise collect, use, process, or maintain the data or 
information held by the Lead Administrator or the CLAs, excepting for 
investigative purposes. Moreover, although the Lead Administrator will 
receive information from CLAs and applicant manufacturers necessary for 
it to carry out its responsibilities under the FCC's program, and CLAs 
will receive and evaluate applications and supporting data from 
applicant manufacturers, this, without more, does not mean that the 
Lead Administrator or CLAs are managing their information systems ``on 
behalf of'' the FCC.
    30. Nevertheless, we agree with NCTA that ``[c]lear guidelines, 
safeguards, and protocols for handling confidential information should 
be established to prevent unauthorized disclosure'' and believe that 
other mature security frameworks may be applied to CLAs and the Lead 
Administrator to reduce the risk of unauthorized access, use, 
disclosure, disruption, modification, or destruction of program data. 
Accordingly, we require that all CLAs and the Lead Administrator 
create, update, and implement cybersecurity risk management plans. Such 
a cybersecurity risk management plan must identify the cyber risks that 
the entity faces, the controls used to mitigate those risks, and the 
steps taken to ensure that these controls are applied effectively to 
their operations. The plans must also describe how each entity employs 
its organizational resources and processes to ensure the 
confidentiality, integrity, and availability of its information and 
information systems. These requirements are consistent with the 
National Cyber Strategy and are in keeping with a whole-of-government 
effort to ``establish cybersecurity requirements to support national 
security and public safety.'' We expect that creating, updating, and 
implementing a cybersecurity risk management plan will help protect 
each CLA and the Lead Administrator from serious national security 
threats.
    31. We note that, under this approach, each entity has flexibility 
to structure its cybersecurity risk management plan in a manner that is 
tailored to its operations after consideration of a variety of factors, 
provided that the plan demonstrates that the entity is taking 
affirmative steps to analyze security risks and improve its security 
posture. We further note that an entity could successfully demonstrate 
satisfaction with this requirement by following an established risk 
management framework, such as the NIST Cybersecurity Framework (CSF) or 
Risk Management Framework (RMF). CLAs and the Lead Administrator 
security plans should be informed by established cybersecurity best 
practices such as the standards and controls set forth in the 
Cybersecurity and Infrastructure Security Agency (CISA) Cybersecurity 
Cross-sector Performance Goals and Objectives (CISA CPGs), ISO/IEC 
27001, NIST Special Publication 800-53 (rev 5), or the Center for 
Internet Security Critical Security Controls (CIS Controls) version 7.1 
or later. These frameworks are designed to be scalable and adaptable to 
the needs and capabilities of companies both large and small, are well 
understood by industry, and are flexible. CTIA and CTA argue compliance 
with a commercial equivalent framework to FISMA, such as ISO 27001 can 
``take a year or more at a cost upwards of $100,000.'' However, these 
cost and timelines would not apply to this program, because while we 
require entities to implement security plans reflecting standards and 
controls, such as ISO/IEC 27001, we do not specifically require a CLA 
or the Lead Administrator to be certified to ISO/IEC 27001. Moreover, 
we expect that many entities in the industry that might seek to be CLAs 
or the Lead Administrator will have adopted plans along the lines we 
require here and may have obtained such certifications in the ordinary 
course of business. And in any event, we find that any costs that might 
be incurred by an entity seeking to be a CLA or Lead Administrator are 
outweighed by the benefits that will redound to such entities 
themselves, the industry more broadly, and U.S. national security from 
our requiring such entities to take these steps to protect the 
confidentiality, integrity, and availability of the information they 
hold--including from other entities in the industry--and the 
information systems they maintain. We expect risk management plans to 
contribute to the CLAs' and the Lead Administrator's existing internal 
security practices that maintain the confidentiality, integrity, 
availability of all information received in support of this program 
without significantly increasing the time or costs of 
participation.\10\
---------------------------------------------------------------------------

    \10\ We expect CLA and Lead Administrator applicants to address 
these internal security practices in their applications to the 
Commission, which will be enforceable under the Commission's rules.
---------------------------------------------------------------------------

    32. We additionally require each applicant seeking to serve as a 
CLA or Lead Administrator to submit with its application an attestation 
that it already has created and implemented--or upon selection will 
create and implement--a cybersecurity risk management plan as described 
above--which will demonstrate compliance with these requirements as 
well as the entity's cybersecurity expertise and capabilities, 
knowledge of NIST's cybersecurity guidance, and knowledge of federal 
law and guidance governing the security and privacy of information 
systems. We also require that CLAs and the Lead Administrator make such 
cybersecurity risk management plans available to the Commission upon 
request. Access to cybersecurity risk management plans will allow the 
Commission to confirm whether plans are being regularly updated, to 
review a specific plan as needed, or to proactively review a sample of 
plans to confirm they sufficiently identify the cybersecurity risks to 
the Lead Administrator and CLAs in this program. In such circumstances, 
cybersecurity risk management plans would be presumptively 
confidential.

III. Who May Apply

    33. Any domestic, independent,\11\ non-governmental entity eligible 
to enter into a licensing agreement with the FCC may apply for the role 
of CLA and/or Lead Administrator; \12\ however, an applicant cannot be 
owned or controlled by, or affiliated with, any entity that produces 
equipment on the FCC Covered List or is otherwise prohibited from 
participating in the IoT Labeling Program, to include companies named 
on the Department of Commerce's Entity List and the Department of 
Defense's List of Chinese Military Companies.
---------------------------------------------------------------------------

    \11\ Here, ``independent'' means the applicant is not affiliated 
with or a subsidiary of another CLA/Lead Administrator applicant. It 
also means that the applicant is a disinterested third-party outside 
of a prospective manufacturer's control that is applying for 
authority to use the FCC IoT Label.
    \12\ The IoT Labeling Order declined to require that a CLA be a 
non-profit, stating that a for-profit or non-profit organization 
could possess the requisite qualifications and carry out the CLA 
duties effectively. We note that Congress, from time to time, adopts 
appropriation riders that preclude federal agencies from entering 
into agreements with certain entities.
---------------------------------------------------------------------------

IV. Application Procedures

A. Applications for Cybersecurity Label Administrator (CLA)

    34. Applicants seeking the role of CLA must demonstrate the 
following:

[[Page 84093]]

    a. Applicant is not owned or controlled by or affiliated \13\ with 
any entity identified on the Commission's Covered List, or is otherwise 
prohibited from participating in the IoT Labeling Program,\14\ 
including being an entity identified on the Department of Commerce's 
Entity List or on the Department of Defense's List of Chinese Military 
Companies;
---------------------------------------------------------------------------

    \13\ For purposes of the Commission's IoT labeling program, an 
affiliate is defined as a person that (directly or indirectly) owns 
or controls, is owned or controlled by, or is under common ownership 
or control with, another person. The term own means to own an equity 
interest (or the equivalent thereof) of more than 10 percent.
    \14\ The Order includes this catchall for entities otherwise 
prohibited from participating in the program, to include those 
listed in 47 CFR 8.204 and those considered a ``foreign adversary'' 
country as defined by the Department of Commerce.
---------------------------------------------------------------------------

    b. Applicant is not owned or controlled by or affiliated with any 
person or entity that has been suspended or debarred from receiving 
federal procurements or financial awards, to include all entities and 
individuals published as ineligible for award on the General Service 
Administration's System for Award Management;
    c. Description of Applicant's organization structure; \15\
---------------------------------------------------------------------------

    \15\ In describing its organizational structure, an Applicant 
may describe its relevant expertise, processes, and key personnel 
that would support the CLA IoT Labeling Program requirements and 
responsibilities.
---------------------------------------------------------------------------

    d. Implementation of controls to eliminate actual or potential 
conflicts of interests (both personal and organizational), particularly 
with regard to commercially sensitive information, to include but not 
limited to, remaining impartial and unbiased and prevent Applicant from 
giving preferential treatment to certain applications particularly with 
regard to applicants from entities with whom the CLA has a business 
relationship (e.g., application line jumping or same level of scrutiny 
when reviewing the application) and from implementing heightened 
scrutiny of applications from entities not members or otherwise aligned 
with the CLA; \16\
---------------------------------------------------------------------------

    \16\ In addition to demonstrating the relevant controls in place 
to avoid conflicts of interest, Applicants may also provide prior 
experience in avoiding personal and organizational conflict (e.g., 
history of, processes for, working with, certification labs on an 
equitable basis.
---------------------------------------------------------------------------

    e. Description of the process(es) Applicant will use to evaluate 
applications seeking authority to use the FCC IoT Label; \17\
---------------------------------------------------------------------------

    \17\ Applicants may describe existing data systems, personnel 
and other resources, processes (e.g., record-keeping etc.) in place 
or to be developed, for reviewing, accepting or denying applications 
to use the FCC IoT label in accordance with ISO/IEC 17065.
---------------------------------------------------------------------------

    f. Cybersecurity expertise and capabilities, in addition to 
industry knowledge of IoT generally, and IoT Labeling requirements;
    g. Expert knowledge of NIST's cybersecurity guidance, including but 
not limited to NIST's recommended criteria and labeling program 
approaches for cybersecurity labeling of consumer IoT products;
    h. Expert knowledge of FCC rules and procedures associated with 
product compliance testing and certification; \18\
---------------------------------------------------------------------------

    \18\ For example, Applicants may describe their experience with 
the FCC's Equipment Authorization Program or another FCC-run 
compliance program.
---------------------------------------------------------------------------

    i. Knowledge of Federal law and guidance governing the security and 
privacy of agency information systems; and
    j. The ability to securely handle large volumes of information, 
including a description of Applicant's related internal security 
practices.
    35. Applicants seeking the role of CLA must also commit to 
complying with the obligations of CLAs under the IoT Labeling Order and 
the Commission's rules, including but not limited to the following: 
\19\
---------------------------------------------------------------------------

    \19\ CLAs must also comply with all requirements enumerated in 
47 CFR 8.220.
---------------------------------------------------------------------------

    a. Obtaining accreditation pursuant to all of the requirements 
associated with ISO/IEC 17065 with the forthcoming FCC program scope; 
\20\
---------------------------------------------------------------------------

    \20\ E.g., For purposes of conditional approval, applicants may 
meet this requirement by demonstrating they are certified to ISO/IEC 
17065 under another scope. Alternatively, Applicants may outline a 
plan to receive ISO/IEC 17065 accreditation within six months of the 
effective date of the standards and testing procedures to be adopted 
under the forthcoming FCC program scope and demonstrate that their 
current or planned product testing processes align with ISO/IEC 
17065. Each CLA must obtain 17065 accreditation to the FCC scope 
before it will be recognized by the Commission and authorized to 
begin processing applications to certify use of the FCC IoT Label.
---------------------------------------------------------------------------

    b. The ability (e.g., appropriate testing equipment, and personnel 
with the necessary technical expertise and training) to conduct post-
market surveillance activities, such as audits, in accordance with ISO/
IEC 17065;
    c. Implementation of a process for receiving complaints alleging an 
IoT product does not support the cybersecurity criteria conveyed by the 
Cyber Trust Mark and referring those complaints to the Lead 
Administrator;
    d. Collaborating with the Lead Administrator and other stakeholders 
to develop those items to be submitted to the Commission within 90 days 
of election of the Lead Administrator, and listed in 47 CFR 
8.221(a)(4); and
    e. Being an active participant in the consumer education campaign 
led by and in coordination with the Lead Administrator.
    36. In addition to the above requirements for CLA applications, 
Lead Administrator applicants must demonstrate the following:
    a. Description of Applicant's previous experience in IoT 
cybersecurity; \21\
---------------------------------------------------------------------------

    \21\ Where an Applicant describes previous experience or roles 
in IoT cybersecurity or IoT labeling, it may also describe how it 
expects to apply such previous experience to meet the Lead 
Administrator responsibilities.
---------------------------------------------------------------------------

    b. Description of Applicant's previous roles, if any, in IoT 
labeling; \22\
---------------------------------------------------------------------------

    \22\ E.g., Applicant may show a history of certifying IoT 
devices to a specific set of cybersecurity requirements. 
Alternatively, Applicant may show a history of certifying non-IoT 
devices to a designated cybersecurity scope.
---------------------------------------------------------------------------

    c. Description of Applicant's capacity (e.g., available resources, 
systems, infrastructure etc.), and commitment to execute the following 
Lead Administrator duties: \23\
---------------------------------------------------------------------------

    \23\ Applicant may demonstrate relevant past experience, or 
otherwise provide a detailed plan to meet, each of the duties 
listed.
---------------------------------------------------------------------------

    i. Interfacing with the Commission on behalf of CLAs, which 
includes but is not limited to, submitting to the Bureau all complaints 
alleging a product bearing the FCC IoT Label does not meet the 
requirements of the Commission's labeling program;
    ii. Conducting stakeholder outreach, coordinating with CLAs and 
other stakeholders, and moderating stakeholder meetings;
    iii. Accepting, reviewing, and approving or denying applications 
from labs seeking recognition as a lab authorized to perform the 
conformity testing necessary to support an application for authority to 
affix the FCC IoT Label, and maintaining a publicly available list of 
Lead Administrator-recognized labs and a publicly available list of 
labs that have lost their recognition;
    iv. Within 90 days of selection as Lead Administrator, in 
collaboration with the CLAs and other stakeholders (e.g., cyber experts 
from industry, government, and academia) submitting to the Bureau:
    (a) Recommendations identifying and/or developing the technical 
standards and testing procedures for the Commission to consider with 
regard to at least one class of IoT products eligible for the IoT 
Labeling Program;
    (b) A recommendation on how often a given class of IoT products 
must renew their request for authority to bear the FCC IoT Label, which 
may be dependent on the type of product, and that such a recommendation 
be submitted in connection with the relevant standards recommendations 
for an IoT product or class of IoT products;

[[Page 84094]]

    (c) A recommendation on procedures for post market surveillance by 
the CLAs;
    (d) Recommendations on the design of the FCC IoT Label, including 
but not limited to labeling design and placement (e.g., size and white 
spaces, product packaging) and whether to include the product support 
end date on labels for certain products or category of products; and
    (e) Recommendations with regard to updates to the registry 
including whether the registry should be in additional languages, and 
if so, to recommend specific languages for inclusion.
    d. Recommending appropriate modifications to the IoT Labeling 
Program standards and testing procedures within 45 days of publication 
of updates or changes to the NIST guidelines, or adoption by NIST of 
new guidelines, to stay aligned with NIST guidelines;
    e. Developing, in collaboration with CLAs and other stakeholders, a 
consumer education campaign, submitting the consumer education plan to 
the Bureau, and participating in consumer education;
    f. Receiving complaints about the Labeling Program, including but 
not limited to consumer complaints about the registry and coordinating 
with manufacturers to resolve any technical problems associated with 
consumers accessing the information in the registry;
    g. Facilitating coordination between CLAs; and
    h. Submitting to the Commission any other reports upon request of 
the Commission or as required by Commission rule.
    i. Any additional information Applicant believes demonstrates why 
they should be designated the Lead Administrator.

C. Required Certification Statements

    37. All applications MUST include the following certification 
statements under penalty of perjury or they will be dismissed:
    a. Applicant certifies that all statements made in this application 
and in the exhibits, attachments, or documents incorporated by 
reference are material, are part of this application, and are true, 
complete, correct, and made in good faith, see 47 CFR 1.17, 8.220, 
8.221.
    b. Applicant certifies that neither the Applicant nor any other 
party to the application is subject to a denial of Federal benefits 
pursuant to Sec.  5301 of the Anti-Drug Abuse Act of 1988, 21 U.S.C. 
862, because of a conviction for possession or distribution of a 
controlled substance. See 47 CFR 1.2002(b) for the definition of 
``party to the application'' as used in this certification.
    c. The Applicant certifies that it is not delinquent on any debts 
to the Commission, see 47 CFR 1.1910.
    d. Applicant acknowledges that willful false statements made on the 
application or on any attachments are punishable by fine and/or 
imprisonment (18 U.S.C. 1001) and/or forfeiture (47 U.S.C. 503).

D. The Application Must Be Signed and Dated

    38. The Application must be signed and dated by the individual 
authorized to sign on behalf of the Applicant. FAILURE TO SIGN THE 
APPLICATION MAY RESULT IN DISMISSAL OF THE APPLICATION.

E. Application Submission

    39. The Bureau expects CLA and Lead Administrator applications and 
supporting documentation to be filed confidentially. Each page of the 
application must be clearly and conspicuously labeled ``CONFIDENTIAL, 
NOT FOR PUBLIC INSPECTION.'' Applicant must file an original and one 
copy of each filing and supporting materials with the Office of the 
Secretary. All filings must reference PS Docket No. 23-239 and be 
addressed to the Commission's Secretary, Office of the Secretary, 
Federal Communications Commission. Filings can be sent by hand or 
messenger delivery by commercial overnight courier, or First-Class or 
overnight U.S. Postal Service mail.
     All hand-delivered or messenger-delivered paper filings 
for the Commission's Secretary are accepted between 8:00 a.m. and 4:00 
p.m. at 9050 Junction Drive, Annapolis Junction, MD 20701. All hand 
deliveries must be held together with rubber bands or fasteners. Any 
envelopes and boxes must be disposed of before entering the building.
     Commercial overnight deliveries (other than U.S. Postal 
Service Express Mail and Priority Mail) must be sent to 9050 Junction 
Drive, Annapolis Junction, MD 20701.
     U.S. Postal Service First-Class, Express, and Priority 
mail must be sent to 45 L Street NE, Washington, DC 20554.
    40. An electronic version of the application and supporting 
material is required to be submitted to FCC staff as a .pdf file via 
email to [email protected]. The document must be password 
protected and the password communicated in a separate email to 
[email protected]. Submissions may be broken into multiple emails 
when necessary.
    41. Applications should be received by the Commission as soon as 
possible, but no later than October 1, 2024. Applicants requiring 
additional time may request an extension of time for up to 10 
additional calendar days to complete their applications. Applications 
received after October 1, 2024 from an entity that has not been 
approved an extension of time, will not be accepted and will be 
dismissed. Procedures for submitting applications are set forth below.

F. Additional Instructions To Assist With CLA and/or Lead Administrator 
Applications

     Instructions. General filing instructions can be found in 
Appendix A of the Commission's Public Notice, DA-24-900, released 
September 10, at this link: https://docs.fcc.gov/public/attachments/DA-24-900A1.pdf.
     Frequently Asked Questions (FAQs). The FAQs are available 
at https://www.fcc.gov/CyberTrustMark.
     FCC Notice Required by the Paperwork Reduction Act. The 
FCC Notice Required by the Paperwork Reduction Act can be found in 
Appendix D of the Commission's Public Notice, DA-24-900, released 
September 10, at this link: https://docs.fcc.gov/public/attachments/DA-24-900A1.pdf.
     Privacy Act Statement. The Privacy Act Statement can be 
found in Appendix E of the Commission's Public Notice, DA-24-900, 
released September 10, at this link: https://docs.fcc.gov/public/attachments/DA-24-900A1.pdf.
     Requirement for an FCC Registration Number (FRN). We 
remind all applicants that they must have an FRN to file their 
applications. An FRN is the 10-digit number assigned to all individuals 
and entities that transact business with the Commission, and it must be 
provided any time an applicant submits or updates their application.
     Applicant Does Not Have an FRN. If an applicant does not 
have an FRN, the applicant must obtain an FRN through the Commission 
Registration System (CORES) web page at https://apps.fcc.gov/cores/userLogin.do.
    [cir] For additional assistance, submit a help request at https://www.fcc.gov/wireless/available-support-services or call the FRN Help 
Desk at (877) 480-3201 (Monday-Friday, 8 a.m.-6 p.m. ET).
    [cir] If the applicant has further questions, an email can be sent 
to [email protected].

[[Page 84095]]

     Applicant has an FRN. If an applicant has an FRN, the 
applicant must use that FRN with its application.
    [cir] The applicant should not obtain a new FRN if Applicant 
already has an FRN.
    [cir] An applicant can identify its FRN by accessing records the 
Commission's Registration Systems (CORES) and click ``Search''. 
Individuals can search by name, or contact related information. 
Business organizations can search by name, Employer Identification 
Number (EIN), or contact-related information.

V. Next Steps

    42. After the application filing window closes October 1, 2024, the 
Bureau will review and evaluate properly filed applications. The 
Bureau's selection of CLAs and a Lead Administrator will be announced 
by public notice. The Public Notice will describe the next steps for 
selected entities, including but not limited to the execution of a 
licensing agreement and/or other appropriate documentation governing 
the details of the CLAs' and Lead Administrator's responsibilities and 
relationship to the Commission.

VI. Procedural Matters

    43. Regulatory Flexibility Act. The Regulatory Flexibility Act of 
1980, as amended (RFA), requires that an agency prepare a regulatory 
flexibility analysis for notice and comment rulemakings, unless the 
agency certifies that ``the rule will not, if promulgated, have a 
significant economic impact on a substantial number of small 
entities.'' Accordingly, we have prepared a Supplemental Final 
Regulatory Flexibility Analysis (Supplemental FRFA) concerning the 
possible impact of the rule changes contained in this document on small 
entities. The Supplemental FRFA is set forth in Appendix C the 
Commission's Public Notice, DA-24-900, released September 10, at this 
link: https://docs.fcc.gov/public/attachments/DA-24-900A1.pdf.
    44. Paperwork Reduction Act. This document contains modified 
information collection requirements subject to the Paperwork Reduction 
Act of 1995 (PRA), Public Law 104-13. It will be submitted to the 
Office of Management and Budget (OMB) for review under Section 3507(d) 
of the PRA. OMB, the general public, and other Federal agencies will be 
invited to comment on the new or modified information collection 
requirements contained in this proceeding. In addition, we note that 
pursuant to the Small Business Paperwork Relief Act of 2002, Public Law 
107-198, see 44 U.S.C. 3506(c)(4), we previously sought specific 
comment on how the Commission might further reduce the information 
collection burden for small business concerns with fewer than 25 
employees.
    45. In this present document, we have assessed the effects of 
requiring CLAs to develop and implement a cybersecurity risk management 
plan identifying the cyber risks that the entity faces, the controls 
used to mitigate those risks, and the steps taken to ensure that these 
controls are applied effectively to their operations. The plans must 
also describe how the CLA employs its organizational resources and 
processes to ensure the confidentiality, integrity, and availability of 
its information and information systems and find that Since applying to 
be a CLA is voluntary, small entities who do not apply to be a CLA will 
not be subject to any new or modified reporting, recordkeeping, or 
other compliance obligations. Small entities that choose to apply to be 
a CLA, and whose applications are approved by the Bureau, will incur 
recordkeeping and reporting as well as other obligations to comply with 
the requirements we adopt in this document. We find that, for the FCC's 
IoT Labeling Program to have meaning for consumers, CLA requirements 
must be uniform for both small businesses and other entities. Thus, 
significance of program integrity, and building confidence among 
consumers that devices and products containing the Cyber Trust Mark 
label can be trusted to be cyber secure, necessitates adherence by all 
entities participating in the IoT Labeling Program to the same rules 
regardless of size.

VII. Ordering Clauses

    46. Accordingly, it is ordered that pursuant to the authority 
contained in sections 1, 2, 4(i), 4(n), 302, 303(r), 312, 333, and 503 
of the Communications Act of 1934, as amended, this document is hereby 
adopted.
    47. It is further ordered that the amendments of the Commission's 
Rules as set forth in Appendix B are adopted, effective 30 days after 
publication in the Federal Register, except for the amendment to 47 CFR 
8.220(f)(14). The amendment to 47 CFR 8.220(f)(14), which may contain 
modified information collection requirements, will not become effective 
until OMB completes any review that the Public Safety and Homeland 
Security Bureau determines is required under the Paperwork Reduction 
Act. The Public Safety and Homeland Security Bureau will announce 
effective dates for this section by publication in the Federal Register 
and by subsequent Public Notice.
    48. It is further ordered that the Commission's Office of the 
Secretary shall send a copy of this document, including the 
Supplemental Final Regulatory Flexibility Analysis, to the Chief 
Counsel for Advocacy of the Small Business Administration.
    49. It is further ordered that the Office of the Managing Director, 
Performance Program Management, shall send a copy of this document in a 
report to be sent to Congress and the Government Accountability Office 
pursuant to the Congressional Review Act, see 5 U.S.C. 801(a)(1)(A).

List of Subjects in 47 CFR Part 8

    Communications, Consumer protection, Cybersecurity, Electronic 
products, Internet, Labeling, Product testing and certification, 
Telecommunications.

Federal Communications Commission.
Marlene Dortch,
Secretary.

Final Rule

    For the reasons set forth above, part 8 of title 47 of the Code of 
Federal Regulations is amended as follows:

PART 8--SAFEGUARDING AND SECURING THE INTERNET

0
1. The authority citation for part 8 continues to read as follows:

    Authority:  47 U.S.C. 151, 152, 153, 154, 163, 201, 202, 206, 
207, 208, 209, 216, 217, 257, 301, 302a, 303, 304, 307, 309, 312, 
316, 332, 403, 501, 503, 522, 1302, 1753.

Subpart B--Cybersecurity Labeling Program for IoT Products

0
2. Amend Sec.  8.220 by adding paragraphs (f)(12) and (13) to read as 
follows:


Sec.  8.220  Requirements for CLAs.

* * * * *
    (f) * * *
    (12) A CLA shall share the Lead Administrator's expenses incurred 
as a result of the Lead Administrator's performance of its duties under 
the FCC IoT Labeling Program.
    (i) The Lead Administrator expenses subject to sharing by CLAs are 
those expenses determined to be reasonable by the Public Safety and 
Homeland Security Bureau and the Office of Managing Director.
    (ii) A CLA shall share Lead Administrator expenses pursuant to a 
methodology agreed to by the CLAs and the Lead Administrator subject to 
ongoing oversight by the Commission.

[[Page 84096]]

    (13) A CLA shall maintain the confidentiality of non-public 
information received as part of an application for authority to use the 
FCC IoT Label, and will implement appropriate administrative, 
technical, procedural, and physical safeguards to protect the 
confidentiality of information received by the CLA and protect against 
the unauthorized disclosure and unauthorized use of non-public 
information received as a result of its participation in the FCC IoT 
Labeling Program.
* * * * *

0
3. Delayed indefinitely, amend Sec.  8.220 by adding paragraph (f)(14) 
to read as follows:


Sec.  8.220  Requirements for CLAs.

* * * * *
    (f) * * *
    (14) A CLA shall create, update, and implement a cybersecurity risk 
management plan identifying the cyber risks that the entity faces, the 
controls used to mitigate those risks, and the steps taken to ensure 
that these controls are applied effectively to their operations. The 
plan must also describe how the CLA employs its organizational 
resources and processes to ensure the confidentiality, integrity, and 
availability of its information and information systems. The CLA's 
cybersecurity risk management plan must be available to the Commission 
upon request.
* * * * *

0
4. Amend Sec.  8.221 by adding paragraphs (a)(11) through (14) to read 
as follows:


Sec.  8.221  Requirements for the Lead Administrator.

    (a) * * *
    (11) Create, update, and implement a cybersecurity risk management 
plan identifying the cyber risks that the entity faces, the controls 
used to mitigate those risks, and the steps taken to ensure that these 
controls are applied effectively to their operations. The plan must 
also describe how the Lead Administrator employs its organizational 
resources and processes to ensure the confidentiality, integrity, and 
availability of its information and information systems. The Lead 
Administrator's cybersecurity risk management plan must be available to 
the Commission upon request;
    (12) Submit to the Public Safety and Homeland Security Bureau and 
the Office of the Managing Director, an estimate of its forward-looking 
costs including, separately, program stand-up costs and ongoing program 
costs to perform the Lead Administrator duties for the Lead 
Administrator's upcoming calendar year, which will be reviewed by the 
Cybersecurity Labeling Administrators, Public Safety and Homeland 
Security Bureau, and the Office of the Managing Director for 
reasonableness, and if reasonable, will be used to estimate the overall 
CLA cost sharing obligation;
    (13) Implement internal controls adequate to ensure its operations 
maintain best practices to protect against improper payments and to 
prevent fraud, waste, and abuse in its handling of funds; and
    (14) Submit to the Public Safety and Homeland Security Bureau and 
the Office of the Managing Director, an annual, independently audited, 
statement of program expenditures and monies received from the CLAs due 
before the end of the Lead Administrator's calendar year.
* * * * *
[FR Doc. 2024-23844 Filed 10-18-24; 8:45 am]
BILLING CODE 6712-01-P