FCC Proposed Rules: Cybersecurity Labeling for Internet of Things Program

The Federal Communications Commission (FCC) has introduced a set of proposed rules aimed at implementing the Cybersecurity Labeling for Internet of Things (IoT) Program. These rules, found in document 58312–58323 [2024–15379], seek public commentary to ensure the efficient and timely rollout of this important program.

Key Points of the Proposal

1. Application Formats and Fees:
   • The FCC seeks comments on the application format for CLAs and Lead Administrator positions, proposing a narrative format.
   • Proposed filing fees are defined.
2. Criteria for Selection:
   • The criteria for selecting CLAs and the Lead Administrator include cybersecurity expertise, knowledge of NIST guidelines, FCC rules, and federal security and privacy laws.
   • Applicants must demonstrate their ability to handle large volumes of sensitive information securely and avoid conflicts of interest.
3. Expense Sharing and Neutrality:
   • The expenses of the Lead Administrator are expected to be shared among CLAs. The FCC seeks comments on effective mechanisms for this sharing.
   • Ensuring the neutrality of the Lead Administrator is crucial to prevent competitive advantages.
4. Complaint Processes:
   • The FCC proposes a structured process for handling complaints related to the misuse of the U.S. Cyber Trust Mark, involving the Lead Administrator and CLAs.
   • A 20-day cure period for addressing non-compliance complaints is suggested.
5. Confidentiality and Security:
   • Manufacturer applications to CLAs are to be treated as presumptively confidential to protect sensitive information.
   • Compliance with the Federal Information Security Modernization Act (FISMA) is tentatively required for CLAs and the Lead Administrator.
6. IoT Registry:
   • A public registry, accessed via a QR code on the IoT label, will provide detailed information about the cybersecurity features of certified products.
   • The registry will be hosted by a third party, managed by the Lead Administrator, and should meet high-security standards to ensure data integrity and availability.

How to Submit Comments

Comments on the proposal are due by August 19, 2024, with reply comments due by September 3, 2024. The FCC encourages stakeholders to provide input on various aspects, including application processes, fee structures, expense sharing, complaint handling, confidentiality measures, and registry management. Comments may be filed electronically using the internet by accessing the ECFS: https://www.fcc.gov/ecfs/.

If you would like more information about FCC regulations or if you require a local US Agent, please get in touch with iCertifi, your trusted FCC partner.