Consistent with an announcement from the Biden-Harris Administration in July 2023, the Federal Communications Commission (FCC) announced an order establishing the framework for the new U.S. Cyber Trust Mark Program. Under this voluntary program, eligible consumer Internet of Things (IoT) products can display the new U.S. Cyber Trust Mark logo to indicate that the product meets minimum cybersecurity standards. The logo displays a QR code, which allows consumers to access a database containing detailed information about the specific IoT product. The program aims to help consumers make informed purchasing decisions, differentiate trustworthy products on the market, and create incentives for manufacturers to meet higher cybersecurity standards.
Along with this order, the FCC will also issue a further notice of proposed rulemaking requesting comments on whether the FCC should prohibit participation in the U.S. Cyber Trust Mark Program when the customer data collected by the product, or the product's software or software updates, are sent to or from a "foreign hostile country" as defined by the U.S. Department of Commerce.
While this order provides a general overview, the details of the FCC's IoT labeling program will be established in further decisions over the coming months. Based on the timeline set out in the order, the new program could be up and running by the end of 2024. (For background information on the U.S. Cyber Trust Mark Program, see our August 2023 and September 2023 client alerts.)
Consumer IoT products only
Initially, only wireless, rather than wired, consumer IoT products will be eligible for U.S. Cyber Trust Mark designation. Certain foreign vendor medical devices, automotive and automotive equipment, corporate and industrial products, and communications equipment are specifically excluded from the program. To qualify for this program, a product must be connected to the Internet, must be capable of intentionally emitting radio frequency (RF) energy, and must have at least one network interface, such as Wi-Fi or Bluetooth.
The FCC found that consumers' security expectations extend across the products they purchase. Therefore, the IoT labeling program applies to "IoT products" rather than simply "IoT devices" and takes into account the full functionality of all product components required for the use of an IoT device. Examples of additional components beyond the IoT device itself include networking/gateway hardware, mobile apps to communicate with the device, cloud services, and data processing and storage. The FCC also states that manufacturers are responsible for third-party applications used on their devices: "[W]here manufacturers, for example, allow third-party apps to connect to and control their IoT products, such manufacturers are responsible for the security of their connecting links and apps[,] if such an app exists on an IoT product."
Certified products are permitted to display the U.S. Cyber Trust Mark logo along with a QR code. The QR code takes the consumer to a registry with specific information about the product, including information on how to securely configure the device. Details about which data elements will be included in the registry, and where and how the U.S. Cyber Trust Mark logo and QR code will be displayed, will be determined in future proceedings.
Two-step verification process
The FCC has established a two-step process for product certification. The parties first submit the product for testing by an accredited laboratory. The laboratory does not certify products or issue approvals; it performs the necessary tests and creates test reports. Each test report is reviewed by a Cybersecurity Label Administrator (CLA), and if the report certifies that the product complies with the requirements of the IoT Labeling Program, the product is certified and is allowed to bear the U.S. Cyber Trust Mark logo.
Laboratories eligible for certification include independent laboratories, laboratories operated in-house by manufacturers, and laboratories operated by CLAs. To be certified, a testing laboratory must be accredited to perform compliance testing in accordance with the ISO/IEC 17025 standard and must meet certain criteria that the FCC will develop in future proceedings.
Companies participating in the program pay fees to the lab and CLA. Fees to the CLA cover the costs of running the program. The FCC will also require manufacturers to renew their certifications, but has not said how often they will need to do so.
Next step
The FCC will accept applications and appoint a lead CLA to oversee the entire program. The lead CLA will work with stakeholders to develop and recommend specific testing standards, the design and placement of the U.S. Cyber Trust Mark label, and a consumer education plan. The FCC will consider the recommendations and accept public comments before adopting the final requirements. After the details of the program recommended by the lead CLA and approved by the FCC are announced, the FCC and/or the lead CLA will begin the application process to certify the laboratory and the CLA.
Parties wishing to influence how the program is implemented should consider monitoring or participating in further procedures establishing specific requirements for the program.


