[Federal Register Volume 88, Number 164 (Friday, August 25, 2023)]
[Proposed Rules]
[Pages 58211-58229]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2023-18357]
-----------------------------------------------------------------------
FEDERAL COMMUNICATIONS COMMISSION
47 CFR Chapter I
[PSHSB: PS Docket No. 23-239; FCC 23-65 FR ID 166265]
Cybersecurity Labeling for Internet of Things
AGENCY: Federal Communications Commission.
ACTION: Proposed rule.
-----------------------------------------------------------------------
SUMMARY: In this document, the Federal Communications Commission
(Commission) proposes measures to improve consumer confidence and
understanding of the security of their connected devices--commonly
known as Internet of Things (IoT) devices--that are woven into the
fabric of their everyday lives. To provide consumers with the peace of
mind that the technology being brought into their homes is reasonably
secure, and to help guard against risks to communications, the
Commission proposes a voluntary cybersecurity labeling program that
would provide easily understood, accessible information to consumers on
the relative security of an IoT device or product, and assure consumers
that manufacturers of devices bearing the Commission's IoT
cybersecurity label adhere to widely accepted cybersecurity standards.
In this regard, the Commission's cybersecurity labeling program would
help consumers compare IoT devices and make informed purchasing
decisions, drive consumers toward purchasing devices with greater
security, incentivize manufacturers to meet higher cybersecurity
standards to meet market demand, and encourage retailers to market
secure devices. The proposed IoT label would offer a trusted,
government-backed symbol for devices that comply with IoT cybersecurity
standards.
DATES: Comments are due on or before September 25, 2023 and reply
comments are due on or before October 10, 2023. Written comments on the
Paperwork Reduction Act proposed information collection requirements
must be submitted by the public and other interested parties on or
before October 24, 2023.
ADDRESSES: You may submit comments, identified by PS Docket No. 23-239,
by any of the following methods:
Federal Communications Commission's website: https://www.apps.fcc.gov/ecfs/. Follow the instructions for submitting
comments.
Mail: Parties who choose to file by paper must file an
original and one copy of each filing. If more than one docket or
rulemaking number appears in the caption of this proceeding, filers
must submit two additional copies for each additional docket or
rulemaking number. Filings can be sent by commercial overnight courier,
or by first-class or overnight U.S. Postal Service mail. All filings
must be addressed to the Commission's Secretary, Office of the
Secretary, Federal Communications Commission. Commercial overnight mail
(other than U.S. Postal Service Express Mail and Priority Mail) must be
sent to 9050 Junction Drive, Annapolis Junction, MD 20701. U.S. Postal
Service first-class, Express, and Priority mail must be addressed to 45
L Street NE, Washington, DC 20554.
Effective March 19, 2020, and until further notice, the Commission
no longer accepts any hand or messenger delivered filings. This is a
temporary measure taken to help protect the health and safety of
individuals, and to mitigate the transmission of COVID-19. See FCC
Announces Closure of FCC Headquarters Open Window and Change in Hand-
Delivery Policy, Public Notice, DA 20-304 (March 19, 2020). https://www.fcc.gov/document/fcc-closes-headquarters-open-window-and-changes-hand-delivery-policy.
People with Disabilities. To request materials in accessible
formats for people with disabilities (braille, large print, electronic
files, audio format), send an email to [email protected] or call the
Consumer & Governmental Affairs Bureau at 202-418-0530 (voice), 202-
418-0432 (TTY).
FOR FURTHER INFORMATION CONTACT: Erika Olsen, Acting Chief,
Cybersecurity and Communications Reliability Division, Public Safety
and Homeland Security Bureau, (202) 418-2868, or by email to
[email protected]; or James Zigouris, Attorney-Advisor, Cybersecurity
and Communications Reliability Division, Public Safety and Homeland
Security Bureau, (202) 418-0697, or by email to [email protected].
For additional information concerning the Paperwork Reduction Act
information collection requirements contained in this document, send an
email to [email protected] or contact Nicole Ongele, Office of Managing
Director, Performance Evaluation and Records Management, 202-418-2991,
or by email to [email protected].
SUPPLEMENTARY INFORMATION: This is a summary of the Commission's Notice
of Proposed Rulemaking (NPRM), FCC 23-65, adopted August 6, 2023, and
released August 10, 2023. The full text of this document is available
by
downloading the text from the Commission's website at: https://docs.fcc.gov/public/attachments/FCC-23-7A1.pdf. When the FCC
Headquarters reopens to the public, the full text of this document will
also be available for public inspection and copying during regular
business hours in the FCC Reference Center, 45 L Street NE, Washington,
DC 20554. To request materials in accessible formats for people with
disabilities (Braille, large print, electronic files, audio format),
send an email to [email protected] or call the Consumer & Governmental
Affairs Bureau at 202-418-0530 (voice), 202-418-0432 (TTY).
Regulatory Flexibility Act: The Regulatory Flexibility Act of 1980,
as amended (RFA), requires an agency to prepare a regulatory
flexibility analysis for notice-and-comment rulemakings, unless the
agency certifies that ``the rule will not, if promulgated, have a
significant economic impact on a substantial number of small
entities.'' The Commission seeks comment on potential rule and policy
changes contained in the document, and accordingly, has prepared an
IRFA. The IRFA for this document in PS Docket No. 23-239 is set forth
below in this document and written public comments are requested.
Comments must be filed by the deadlines for comments on the document
indicated under the DATES section of this document and must have a
separate and distinct heading designating them as responses to the
IRFA. The Commission reminds commenters to file in the appropriate
docket: PS Docket No. 23-239.
Paperwork Reduction Act: This document may contain proposed
modified information collection requirements. Therefore, the Commission
seeks comment on potential new or revised information collections
subject to the Paperwork Reduction Act of 1995. If the Commission
adopts any new or revised information collection requirements, the
Commission will publish a notice in the Federal Register inviting the
general public and the Office of Management and Budget to comment on
the information collection requirements, as required by the Paperwork
Reduction Act of 1995, Public Law 104-13. In addition, pursuant to the
Small Business Paperwork Relief Act of 2002, Public Law 107-198, see 44
U.S.C. 3506(c)(4), the Commission seeks specific comments on how it
might further reduce the information collection burden for small
business concerns with fewer than 25 employees.
Ex Parte Rules--Permit-But-Disclose. The proceeding that this document
initiates shall be treated as a ``permit-but-disclose'' proceeding in
accordance with the Commission's ex parte rules. Persons making ex
parte presentations must file a copy of any written presentation or a
memorandum summarizing any oral presentation within two business days
after the presentation (unless a different deadline applicable to the
Sunshine period applies). Persons making oral ex parte presentations
are reminded that memoranda summarizing the presentation must (1) list
all persons attending or otherwise participating in the meeting at
which the ex parte presentation was made, and (2) summarize all data
presented and arguments made during the presentation. If the
presentation consisted in whole or in part of the presentation of data
or arguments already reflected in the presenter's written comments,
memoranda or other filings in the proceeding, the presenter may provide
citations to such data or arguments in his or her prior comments,
memoranda, or other filings (specifying the relevant page and/or
paragraph numbers where such data or arguments can be found) in lieu of
summarizing them in the memorandum. Documents shown or given to
Commission staff during ex parte meetings are deemed to be written ex
parte presentations and must be filed consistent with Rule 1.1206(b).
In proceedings governed by Rule 1.49(f) or for which the Commission has
made available a method of electronic filing, written ex parte
presentations and memoranda summarizing oral ex parte presentations,
and all attachments thereto, must be filed through the electronic
comment filing system available for that proceeding, and must be filed
in their native format (e.g., .doc, .xml, .ppt, searchable .pdf).
Participants in this proceeding should familiarize themselves with the
Commission's ex parte rules.
Synopsis
I. Notice of Proposed Rulemaking in PS Docket No. 23-239
A. The Internet of Things (IoT) Landscape
1. As the world continues to become even more interconnected,
malicious cyber campaigns become bolder and continue to threaten
network security and privacy. Today, there are a wide range of consumer
IoT products on the market that communicate over wired and wireless
networks. These products are made up of various devices, and are based
on many technologies, each of which presents a set of security
challenges. Consumer IoT products and their component devices are
susceptible to a wide range of relatively common security
vulnerabilities including the continued use of default passwords, lack
of regular security updates, and weak encryption and insecure
authentication. Some IoT products and devices even lack any type of
physical security. These vulnerabilities can be exploited by attackers
to gain unauthorized access to the device or its data, launch denial of
service (DoS) attacks, use the device as part of a larger botnet, or
use the device as an interference generator. Compromised devices could
also be forced to transmit at times and intervals selected by the
attacker to interfere with other devices, either causing them to
function improperly or causing a denial of service.
2. The proliferation of consumer IoT devices has opened the door to
cyberattacks on consumer products that can have serious privacy and
national security consequences, ranging from theft of personal
information to disruption of critical infrastructure. In just the first
six months of 2021, for example, it was estimated ``that more than 1.5
billion attacks have occurred against IoT devices.'' Cybersecurity
vulnerabilities in IoT products and their devices also open a gateway
to larger and more significant intrusions that may threaten national
security.
B. Public and Private IoT Security Efforts
3. Significant work has already been conducted in the realm of IoT
cybersecurity. There are also ongoing efforts to address IoT security
labeling across both private and public sectors. In the private sector,
for example, the Consumer Technology Association (CTA) convened an IoT
working group tasked with supporting the advancement of the consumer
IoT industry, and produced a white paper addressing the current
regulatory approach to IoT. CTA has also convened with various
organizations to discuss IoT baseline security capabilities. In
addition, researchers at Carnegie Mellon University (CMU) conducted
significant research into consumer IoT purchasing and concluded there
is a need to ``provide consumers with readily accessible information to
help them make informed decisions about what they bring into their
homes.'' International efforts have also advanced in the IoT labeling
space.
4. In May 2021, Executive Order No. 14028 also emphasized the
importance of IoT cybersecurity, noting the ``persistent and
increasingly
sophisticated malicious cyber campaigns that threaten the public
sector, the private sector, and ultimately the American people's
security and privacy.'' Indeed, securing the Internet of Things forms a
significant pillar in the recently-released National Cybersecurity
Strategy, which noted in particular the need to advance the goals of
the E.O.'s IoT labeling efforts so that ``consumers will be able to
compare the cybersecurity protections offered by different IoT
products, thus creating a market incentive for greater security across
the entire IoT ecosystem.''
5. In this respect and pursuant to that E.O., in 2022 the National
Institute of Standards and Technology (NIST) issued a White Paper that
identified labeling criteria for cybersecurity capabilities of IoT
consumer devices, informed by existing consumer product labeling
programs and input provided by diverse stakeholders, and issued a
summary report about creating a cybersecurity labeling program for
consumer IoT products. Additionally, NIST produced a final report,
Profile of the IoT Core Baseline for Consumer IoT Products (NISTIR
8425), which identifies cybersecurity capabilities commonly needed for
the consumer IoT sector, thereby providing a starting point for what
consumers should consider when purchasing IoT products. From these
efforts, NIST identified key elements of a labeling program, including
encouraging innovation, and being practical and not burdensome, among
other elements. In addition, NIST initiated a pilot IoT cybersecurity
labeling program, in which it solicited contributions from stakeholders
regarding how current and future-planned labeling efforts could align
with the NIST recommendations. NIST describes a potential program that
would educate the public on IoT cybersecurity capabilities, thereby
allowing and enabling consumers in the marketplace to make informed
choices about their IoT purchases.
6. The foregoing priorities and efforts, Commission experience
guiding compliance assessment programs, and prior Commission action in
this space (including the recent Spectrum Requirements for Internet of
Things Notice of Inquiry, ET Docket No. 21-353, Notice of Inquiry, 36
FCC Rcd 14165 (2021), and efforts to address the potential for
reprogrammed communications equipment to operate outside of authorized
device parameters with the attendant risk of harmful interference)
provide important building blocks for the Commission's analysis and
inform its proposals today.
Discussion
C. Establishing a Voluntary Cybersecurity Labeling Program
7. The Commission proposes to establish a voluntary cybersecurity
labeling program. Given the nature of the IoT market, the Commission
believes that the success of a cybersecurity labeling program will be
dependent upon a willing, close partnership and collaboration between
the federal government, industry, and other stakeholders. While this
proposed program would be voluntary, entities that choose to
participate in the Commission's program would be required to ensure
their IoT devices and products comply with the Commission's program
requirements the Commission proposes to codify in its rules. As
described below, the Commission proposes the use of certain baseline
cybersecurity criteria and the development of product standards
informed by those criteria, as well as the parameters for labeling of
IoT products that conform with those standards and associated
informational requirements. IoT products qualifying for the program
would be authorized to use the Commission's proposed new distinctive
label signifying their participation in the program and adherence to
the standards set. The Commission anticipates that devices or products
bearing the Commission's cybersecurity label will be valued by
consumers, particularly by those who may otherwise have difficulty
determining whether a product they are thinking of buying meets basic
security standards. The Commission seeks comment on this proposed
approach.
8. In adopting this document, the Commission concludes its
consideration of IoT cybersecurity labeling issues related to the
Notice of Inquiry in ET Docket No. 21-232 and EA Docket No. 21-233, and
closes that proceeding as to those issues. See Authorization Program;
Protecting Against National Security Threats to the Communications
Supply Chain through the Competitive Bidding Program, ET Docket No. 21-
232, EA Docket No. 21-233, Notice of Proposed Rulemaking and Notice of
Inquiry, 36 FCC Rcd 10578, para. 104 (2021) (Supply Chain NOI). That
NOI raised IoT cybersecurity labeling in the specific context of the
Commission's existing equipment authorization program, and although the
Commission does not formally rule out building on its equipment
authorization program at this stage, the Commission believes that its
proposals for a voluntary labeling program building on the efforts of
NIST and others as reflected in this document represent the most
appropriate, and targeted, approach to IoT cybersecurity labeling that
the Commission wants to explore at this time. The Commission believes
that closing the Supply Chain NOI with respect to IoT cybersecurity
labeling issues will focus commenters on this proceeding and spur
comments that better reflect that distinct focus. Thus, although the
Commission hereby incorporates relevant comments in those dockets into
this proceeding, PS Docket 23-239, the Commission also requests that,
going forward, interested parties use PS Docket 23-239 for any filings.
The Commission directs the Office of Engineering and Technology to
provide public notice of the closed issues in ET Docket Nos. 21-232,
21-233.
D. Eligible Devices or Products
9. The Commission seeks comment on the scope of IoT devices or
products for sale in the United States that should be eligible for
inclusion in the Commission's labeling program. To help inform the
program's scope, the Commission observes that the practical goal is to
provide consumers with a clear, easily understood indicator that the
IoT devices displaying the Commission's label satisfy certain baseline
cybersecurity requirements and have specific cybersecurity
capabilities. In assessing scope, the Commission seeks to ensure that
its program would be sufficiently inclusive to be of value to consumers
in this regard.
10. The Commission seeks comment on whether to focus the program
initially on IoT ``devices'' (as defined in this document) and
specifically those wireless devices that intentionally emit radio
frequency (RF) energy. The Commission begins by considering NIST's
definition of IoT devices. NIST defines IoT devices as those devices
that have at least one transducer (sensor or actuator) for interacting
directly with the physical world and at least one network interface
(e.g., Ethernet, Wi-Fi, Bluetooth) for interfacing with the digital
world. The Commission proposes two modifications to the NIST definition
for purposes of its labeling program. First, the Commission proposes to
add ``internet-connected'' to its definition because, as NIST observes,
a key component of IoT is the usage of standard internet protocols for
functionality, which expose IoT to related security threats and
challenges caused by being internet-connected. Second, because the
Commission's relevant statutory authorities recognize the more
extensive risks of harmful interference associated with devices that
intentionally emit RF energy, the Commission proposes to include the
premise that an IoT device must be capable of intentionally emitting RF
energy. In this respect, the Commission is referring to an IoT device,
with a wireless interface, that intentionally uses RF energy to
communicate or interact with the physical world. Accordingly,
incorporating the Commission's modifications, the Commission proposes,
for purposes of the IoT labeling program, to define an IoT device as:
(1) an internet-connected device capable of intentionally emitting RF
energy that has at least one transducer (sensor or actuator) for
interacting directly with the physical world, coupled with (2) at least
one network interface (e.g., Wi-Fi, Bluetooth) for interfacing with the
digital world. The Commission seeks comment on this proposed
definition.
11. The Commission proposes to focus the scope of its program on
intentional radiators that generate and emit RF energy by radiation or
induction. If a vulnerability in such a device were exploited, the
device could be manipulated to generate and emit RF energy that causes
harmful interference. While the Commission observes that any IoT device may
emit RF energy (whether intentionally, incidentally, or
unintentionally), in the case of incidental and unintentional
radiators, the RF energy emitted because of exploitation may not be
enough to be likely to cause harmful interference to radio
transmissions. The Commission seeks comment on this view. Does this
proposed definition unduly limit the devices that should be eligible
for participation in the cybersecurity labeling program? Are there
specific unintentional radiators or incidental radiators that should be
included in the program, or should they be included generally?
Alternatively, should the Commission consider adding these devices to
the program at a later date? The Commission also seeks comment on any
other ways in which the Commission's proposal might be limiting or
should otherwise be expanded. For example, would the exclusion of
wired-only IoT devices impact the success, usefulness and effectiveness
of this labeling program and confuse consumers, rather than adequately
informing them on IoT devices with appropriate network security
standards?
12. To ensure that its program is able to be of greatest value to
the consumer, the Commission also seeks comment on whether it should
focus the cybersecurity labeling program on IoT ``products,'' rather
than IoT devices as defined above. For such purposes the Commission
could define an IoT product consistent with the NIST definition as
follows: An IoT device and any additional product components (e.g.,
backend, gateway, mobile app, etc.) that are necessary to use the IoT
device beyond basic operational features. The Commission seeks comment
on this proposed definition of an IoT product eligible for an IoT
label.
13. Further, the Commission seeks comment on whether a program that
addresses products (as opposed to just devices) would be more consumer
friendly, as the public may find it easier to understand that the
product (as a whole) they are looking to purchase meets the IoT
security standards, rather than trying to parse which devices (i.e.,
parts of the product) meet applicable standards. Likewise, would
limiting the label to devices create confusion with consumers who may
not fully understand the label does not apply to the entire product? If
the program only encompasses devices, should the Commission
differentiate the labeling in situations where a product contains
multiple devices, and some devices are labeled and some are not? If so,
how could the Commission make this differentiation without causing
consumer confusion? How does the Commission mitigate consumer confusion
if a device label is used in a common packaging environment? The
Commission seeks comment on these issues.
14. The Commission also seeks comment on whether either definition
fully accounts not only for the IoT device or product itself, but also
the other components that make the IoT device functional and may be
vulnerable to attack. For example, there is a category of IoT devices
that do not connect directly to the customer's home Wi-Fi network;
instead, they connect to an intermediate communication device (i.e.,
Wi-Fi Gateway) which connects to the home Wi-Fi network. What are the
risks and vulnerabilities inherent in the communication between these
types of IoT devices or products and their environment? Are there other
IoT devices or products that similarly have vulnerabilities that would
be outside the scope of the Commission's proposed definition? Should
such concerns be considered when adopting a definition for devices and/
or products that would be eligible for the labeling program? If so,
how?
15. Finally, the Commission recognizes that IoT devices and
products have proliferated not only in the non-enterprise space, but
also in the workplace from office settings to field settings, from
medical settings to industrial settings. As such, the Commission seeks
comment on whether to focus the IoT labeling program on consumer IoT
devices or products intended for consumer use or include ``enterprise''
devices or products intended for industrial or business use, or to
otherwise tailor the scope of devices and products covered by the
labeling program based on their usage. If commenters propose that the
program include a broader array of devices or products beyond the non-
enterprise setting, what additional considerations should the
Commission take into account for these products or devices, including
the relative sophistication and specific needs of the purchasers of
these devices?
16. IoT Products Excluded from the Commission's Labeling Program.
Pursuant to the Secure and Trusted Communications Networks Act of 2019,
and the Commission's rules, the Commission's Public Safety and Homeland
Security Bureau (PSHSB) publishes and regularly updates a list of
communications equipment and services produced or provided by specified
entities, which have been determined to pose an unacceptable risk to
the national security of the United States or the security and safety
of United States persons (``Covered List'').
Beginning on February 6, 2023, the Commission no longer permits
authorization of any applications for equipment certification of any
equipment that has been identified as ``covered'' equipment on the
Commission's Covered List. This decision did not, however, revoke any
previously authorized equipment that now constitutes ``covered''
equipment, although it may do so in the future. In this proceeding, the
Commission proposes to exclude from the labeling program any such
previously authorized ``covered'' equipment. The Commission seeks
comment on this proposal.
17. In light of this prohibition, the Commission similarly proposes
to exclude from the program any communications equipment that now, or
in the future, has been placed on the Covered List. The Commission
proposes to exclude any IoT device that is produced by an entity
identified on the Covered List as producing ``covered'' equipment.
Furthermore, the Commission proposes to exclude from the Commission's
labeling program any device or product from a company named on the
Department of Commerce's Entity List, the Department of Defense's List
of Chinese Military Companies or similar lists. See, e.g., Bureau of
Industry and Security, U.S. Department of Commerce, Supplement No. 4 to
Part 744--Entity List, https://www.bis.doc.gov/index.php/documents/regulations-docs/2326-supplement-no-4-to-part-744-entity-list-4/file (May 19, 2023); Entities Identified
as Chinese Military Companies Operating in the United States in
Accordance with Section 1260H of the William M. (``Mac'') Thornberry
National Defense Authorization Act for Fiscal Year 2021 (Pub. L. 116-
283), Tranche 2, U.S. Department of Defense, https://media.defense.gov/2022/Oct/05/2003091659/-1/-1/0/1260H%20COMPANIES.PDF (Oct. 5, 2022).
18. The cybersecurity label has the potential to convey important
information about a device or product's security. The Commission finds
it could be harmful to consumers to portray such a message on devices
or products made by companies that its sister agencies have identified
publicly as part of their national security review. The Commission
seeks comment on this proposal and on other government lists the
Commission should consider. How can the Commission ensure any such
proposed exclusion is implemented? Should applicants be required to
include a written and signed attestation that the particular equipment
for which they seek approval is not ``covered'' equipment (i.e., is not
communications equipment that has been identified and placed on the
Commission's Covered List)? Are there other products or categories of
products that the Commission should explicitly exclude from the
program?
E. Oversight and Management of the Proposed IoT Cybersecurity Labeling
Program
19. As discussed above, the Commission believes that close
partnership and collaboration between the federal government, industry,
and other stakeholders is vital to ensuring the success of the proposed
voluntary IoT cybersecurity labeling program. Moreover, a collaborative
environment that can leverage the expertise, incentives, and authority
of various constituencies in this context would allow for the swift
establishment and maturity of the program with broad industry and
consumer acceptance that could adapt to a rapidly evolving threat
landscape. As such, the Commission proposes a public-private
partnership in the oversight and administration of this labeling
program, subject to ultimate Commission supervision.
20. In seeking comment on the proposed IoT labeling program, the
Commission notes that NIST identified several key elements of a
potential labeling program. These include the use of certain
recommended baseline product criteria (including both technical product
criteria that promote cybersecurity-related capabilities and non-
technical criteria providing important product information), the use or
development of requirements and/or standards that are informed by the
recommended product criteria, the establishment of a conformity
assessment program to assess whether particular products satisfy the
developed requirements and/or standards, and the creation of labeling
requirements for IoT products (a single label indicating that a product
has met the baseline standard, as well as a means to access additional
label information for the specific IoT product) that will aid in IoT
purchasing decisions by enabling comparisons among products and
providing important information about cybersecurity considerations.
NIST also noted that ``one size does not fit all,'' and that multiple
solutions might be offered.
21. The Commission proposes to establish a program where the
Commission would create and own a new distinctive trademark to be used
in a voluntary program for IoT cybersecurity labeling and would take
appropriate steps to authorize its overall use in a way that ensures
the integrity of the mark and the label. The Commission also proposes
to have third parties play integral roles in the management and
administration of the labeling program. These entities would, for
example, be authorized to conduct activities such as development of
requirements or standards for consideration by the Commission, and
assessment of IoT devices and products for conformity with those
requirements or standards subject to supervision of the Commission.
Subject to Commission oversight, third parties could evaluate and
authorize the use of the Commission's trademark on an IoT device or
product. In this regard, the Commission proposes to incorporate and
leverage the specialized expertise of third parties, where appropriate,
into its standards, application and review procedures.
22. Oversight and Management of the Labeling Program. In NIST's
White Paper on a cybersecurity labeling program for consumer IoT
products, it discussed the need for management and oversight of the
overall labeling program. Specifically, it contemplated that there
would be one entity (the ``labeling scheme owner'') that would manage
the labeling program, determine its structure and management, and
perform oversight to ensure that the program is functioning
consistently in keeping with overall objectives; further, this entity
would be responsible for defining the conformity assessment
requirements, developing the label and associated information, and
conducting consumer outreach and education. The Commission seeks
comment on the appropriate entity or entities to serve in the oversight
and management of the labeling program. Should the Commission be the
scheme owner to oversee as well as manage the labeling program? If the
Commission takes on the role of overseeing the labeling program, should
one or more third-party administrators, as detailed below, manage the
tasks identified above or some portion of them? Or, should one or more
third-party administrators be designated as the scheme owner(s), and if
so, how should the Commission retain and exercise its oversight
responsibilities?
23. Use of Third-Party Administrator(s). The Commission seeks
comment on how one or more third-party administrator(s) might be
utilized to manage some or all of the functions outlined above as NIST
ascribed to the labeling program scheme owner, or how such an entity,
or entities, might otherwise manage all or some elements of the
envisioned labeling program to ensure effectiveness, efficiency,
consistency, and timely implementation, subject to ultimate Commission
supervision. The Commission seeks comment on the best approach for
utilizing the respective levels of expertise that reside in the
Commission, other federal government entities, industry, and other
stakeholders. In particular, the Commission seeks comment on whether
there are existing stakeholders, public or private, who are well
situated to convene and develop the IoT security standards among
stakeholders as to a particular IoT device or product, or classes of
IoT devices or products, to ensure the consistency and fair
administration of the proposed labeling program. Further, could a
third-party administrator approve, or submit to the Commission for
approval, more specific standards for conformance assessment of the
proposed criteria, or for otherwise evaluating program applicants?
Could a third-party administrator set the requirements for testing
laboratories? Should the Commission consider designating a third-party
administrator or other outside entit(ies) to authorize the use of the
envisioned cybersecurity label, and if so, what oversight should it
exercise, for example, to ensure the integrity of the mark and label?
24. If the Commission were to utilize one or more third-party
administrator(s),
the Commission seeks comment on how it should select such
administrator(s). What qualifications should a third-party
administrator possess, and how should the Commission intake and
evaluate applications? What national security considerations are
relevant to such qualifications? Should third-party administrator(s)
be required to have previous experience administering an IoT product or
similar conformity assessment program? Given the diversity in IoT
devices and products, would it be preferable for third-party
administrators to have varying areas of expertise? What level of
control or oversight should the Commission retain, and what level of
guidance should be provided? Are there entities in this space that
should be considered for this role and, if so, why? Are there benefits
to utilizing multiple third-party administrators versus a single
administrator? If there are multiple administrators, how could the
Commission ensure standards are consistently applied across similar
devices and avoid conflict among administrators? How could the
Commission reconcile the functionalities of each administrator to avoid
conflict? Are there other attributes or qualities that the Commission
should require of an administrator? For example, should the
administrator be required to be a non-profit entity? Should the
administrator establish that it would be neutral and independent, with
no conflicts of interest (financial or organizational) on the part of
the organization or its officers, directors, employees, contractors, or
significant subcontractors? Should the Commission direct PSHSB,
coordinating with the Office of the Managing Director and the Office of
Engineering and Technology, to develop and implement a selection or
qualifications review process?
25. Cybersecurity Labeling Authorization Bodies. The Commission
seeks comment on how IoT devices or products can demonstrate compliance
with the IoT security standards, once they are developed. In the
context of the Commission's existing equipment authorization process,
Telecommunications Certification Bodies (TCBs), which are accredited
third parties recognized by the Commission, certify RF equipment based
in part on testing for compliance with applicable technical RF
requirements on behalf of the Commission and in accordance with the
Commission's rules and standards. TCBs may then be subject to
international Mutual Recognition Agreements which determine acceptance
of their conformity assessment results by other countries. The
Commission anticipates that it could draw from this type of program's
organizational structure to assess IoT devices and products for
compliance with the IoT cybersecurity standards, once they are
developed. In the context of IoT labeling, instead of RF-based testing
and certification, we envision that third parties with expertise in
security and compliance testing, as described below, could fill this
role. The Commission refers to these entities as Cybersecurity Labeling
Authorization Bodies (CyberLABs) for purposes of this discussion. The
Commission seeks comment on this proposal.
26. CyberLABs Accreditation or Recognition. The Commission proposes
that the Commission or one of its authorized third-party administrators
would evaluate, accredit, or recognize the CyberLABs based on their
qualifications, resources, and procedures. If the Commission were to
authorize third party administrators to evaluate, accredit or recognize
these entities, what oversight would the Commission exercise over these
entities or over the process? The Commission seeks to ensure that
CyberLABs have the necessary expertise and resources to properly test
and assess IoT devices' and products' compliance with the IoT security
standards. To become accredited or recognized for the proposed IoT
labeling program, the Commission proposes that a CyberLAB submit an
application demonstrating that it meets the following requirements:
Qualifications: The CyberLAB has technical expertise in
cybersecurity testing and conformity assessment of IoT devices and
products.
Resources: The CyberLAB has the necessary equipment,
facilities, and personnel to conduct cybersecurity testing and
conformity assessment of IoT devices and products.
Procedures: The CyberLAB has documented procedures for
conformity assessment.
Continued competence: Once accredited or recognized,
CyberLABs would be periodically audited and reviewed to ensure they
continue to comply with the IoT security standards and testing
procedures. In addition to periodic audits, the FCC or its third-party
administrator would also conduct random inspections of CyberLABs to
ensure that they are complying with the IoT security standards and
testing and label authorization procedures. Additionally, existing
standards, e.g., ISO/IEC 17025, could be leveraged for developing
qualifications for a CyberLAB. See General requirements for the
competence of testing and calibration laboratories, ISO/IEC 17025:2017
(Nov. 2017) (available at https://www.iso.org/standard/66912.html).
27. The Commission seeks comment on this proposed process and
accompanying qualifications. Are they an appropriate fit for the
Commission's objectives? Are there other options the Commission should
consider? For example, could device manufacturers be allowed to perform
testing and self-assessment subject to review by a third-party
administrator or other entity? What additional qualifications, if any,
should the Commission seek in a CyberLAB seeking to perform such
testing and conformity assessments? What additional controls might be
necessary, if any, to ensure a CyberLAB remains impartial when testing
and assessing IoT devices and products against relevant standards? Should
the Commission take into account any national security considerations,
or adopt Character Qualifications for CyberLABs? If so, what should
these include? Would this accreditation or recognition process impact
the Commission's existing, or future, Mutual Recognition Agreements
and, if so, how might it be remedied to avoid such impact? Should
CyberLABs be located only in the United States? If the Commission
should consider CyberLABs located outside the United States, what
additional scrutiny, if any, should these entities be given during the
Commission's accreditation process? Given the sensitive information
that will be shared with CyberLABs, should accreditation or recognition
include reviewing CyberLABs' internal security practices? If requested
by participating firms, should CyberLABs be required to provide
information on their own security or internal practices to firms?
F. Development of IoT Cybersecurity Criteria and Standards
28. Applying the Baseline NIST Criteria. The Commission seeks
comment on the adoption of NIST's recommended IoT criteria as the
basis for the proposed labeling program. The NIST IoT criteria are
based on product-focused cybersecurity outcomes, rather than specific
requirements. NIST contemplates that ``the outcome-based approach
allows for the flexibility required by a diverse marketplace of IoT
products'' and the ``role of the scheme owner is critical to ensure
that supporting evidence demonstrates that the product meets the
expected outcomes.'' The NIST criteria include: (1) asset
identification; (2) product configuration; (3) data protection; (4)
interface access control; (5) software update; (6) cybersecurity state
awareness; (7) documentation; (8) information and query reception; (9)
information dissemination; and (10) product education and awareness.
NIST has noted that while the first six of these criteria generally
concern certain technical product criteria, the last four concern non-
technical product criteria. How could NIST's IoT criteria, such as
product configuration, interface access control, product education and
awareness, data protection, asset identification, software updates,
cybersecurity state awareness, documentation, information and query
reception, etc., be leveraged to inform minimum IoT security
requirements and standards in a manner that is suitable for conformity
assessments (e.g., for technical-related testing and non-technical
verification) in appropriate circumstances, or for self-attestation in
others? Are there other criteria the Commission should consider? Are
there separate criteria that should be considered for higher risk IoT
devices or classes of devices?
29. Standards Development Based on NIST Criteria. The Commission
recognizes that this conformity assessment program must be based on IoT
security standards and testing requirements that the IoT devices and
products must satisfy to be eligible to receive and use the label. The
Commission proposes that the IoT security standards be developed
jointly with the industry and other stakeholders. In this regard, there
may be a number of expert Standards Development Organizations (SDOs),
industry groups and government agencies that have both the technical
expertise and other requisite experience to contribute to this task.
The Commission seeks comment on whether the Commission or an outside
entity is in the best position to convene these stakeholders, and to
timely develop the more specific detail that would allow the consistent
and replicable testing necessary to ensure the outcome-based NIST IoT
labeling criteria are fulfilled. Would the Federal Advisory Committee
Act (FACA) limit the Commission's ability to convene these
stakeholders? The Commission seeks comment on this proposal.
30. The Commission proposes that the IoT security requirements and
standards would be developed and implemented through the following
process:
Collecting information: Conduct research, consult with
experts, and review existing standards such as those developed and in
use by international organizations.
Establishing requirements: Informed by the new data,
develop requirements that will help meet NIST core baseline criteria.
Develop the standard: With the requirements established,
the standard can be developed. This will involve creating a document
that outlines the requirements in a clear and concise manner and a
clear mapping between the standards and the device or product criteria.
Reviewing and improving: Ensure that the standard is
comprehensive, clear, and suitable for lab testing.
Implementation: Conduct training, testing, and monitoring
to ensure that the requirements are satisfied.
31. The Commission seeks comment on the scope of this work and on
this proposed process. What additional factors should be included or
otherwise factored into this process? How can the Commission ensure
that the views of small, women- and minority-owned businesses,
including small IoT manufacturers, are considered in this process?
Considering the amount of work that the industry, NIST, and
international community have already completed in this area, how could
this work be leveraged to promote the swift development of standards
for IoT cybersecurity labeling? How long might this work take to
complete? The Commission seeks comment on the shortest but most
thorough path to accomplishing this work and the minimum amount of time
it should take to develop the standards. The Commission recognizes
there are other IoT security standards already available and seeks
comment on whether and why the Commission should consider their
adoption. Are there standards for particular IoT devices or classes of
IoT devices that are already sufficiently mature such that they could
be readily--or more quickly--adopted? Should the program start with
those devices or products?
32. The Commission recognizes that while the IoT cybersecurity
label would not constitute a guarantee that the participating IoT
product can withstand every single cyberattack, it should provide
meaningful assurance to consumers that the IoT devices and products
that display the label satisfy certain minimum cybersecurity standards
and have specific cyber capabilities that demonstrably reduce relevant
vulnerabilities appropriate to the class of device. As such, while
participation in the IoT labeling program would be voluntary, the
Commission proposes to require those who choose to participate to
adhere to the specific standards described above, and as recognized by
the Commission.
33. The Commission observes that in other contexts, it periodically
incorporates by reference various standards established by standards-
setting bodies including, but not limited to, the American National
Standards Institute (ANSI), Accredited Standards Committee C63 (ANSC
C63), the International Organization for Standardization, and the
International Electrotechnical Commission. As the Commission has noted,
use of industry-based standards in this context is intended to ensure
the integrity of the measurement data associated with an equipment
authorization. The Commission recognizes that, in addressing
cybersecurity standards, timely adoption and speed are a prime benefit
of a multi-stakeholder, industry-led approach, which militate in favor
of a more streamlined process than the full Commission-level review
described above. Accordingly, the Commission proposes that, if standards
are developed by outside bod(ies), they submit the IoT security
standards for acceptance by the Commission prior to utilization for
testing and other conformity evaluation. In this regard, the Commission
proposes to direct PSHSB to place the standards on Public Notice for
comment in accordance with the rulemaking requirements of the
Administrative Procedure Act and, subsequent to reviewing any comments
received, accept the standards as proposed or with amendments as
warranted by the record. Is this sufficient, or do commenters believe a
Commission-level rulemaking is needed? Alternatively, could an outside
body adopt the standards and attest their conformity with the broader
NIST criteria in a manner acceptable to the Commission, without the
need for further action by the Commission? What other streamlined
processes might be appropriate for prompt review and validation of IoT
security standards?
34. Conformity Assessments. The Commission seeks comment on the
process for assessing conformity of consumer IoT products and devices
under the Commission's IoT labeling program. While the Commission
expects that third-party assessment (testing and other required
assessment via CyberLAB, as discussed above) would provide an avenue
for conformity assessment, the Commission proposes that other
approaches also be considered. For example, NIST describes how
different IoT conformity assessment activities could be leveraged to
demonstrate that consumer IoT devices conform to technical
requirements, either exclusively or in combination. In addition to
third-party testing, assessment activities could also include the
supplier's declaration of conformity/self-attestation of the consumer
IoT device where a statement is issued based on a comprehensive review
that an IoT device or product complies with the IoT security standards.
While the Commission's equipment authorization program has evolved over
the years, as currently administered the program includes two
procedures for equipment authorizations--certification and Supplier's
Declaration of Conformity (SDoC). Relevant technical RF-based standards
listed in section 2.910 of the Commission's rules are incorporated by
reference in Part 2. The rules specify the obligations of the
``responsible party'' (e.g., the manufacturer or importer), including
warranting that each unit of equipment marketed under the grant of
certification or SDoC is materially identical to the unit that was
tested or measured. The Commission seeks comment on the extent to which
any of these same procedures may be appropriate for the IoT labeling
program. Are there other alternative procedures that are more suitable
for the IoT labeling program context?
35. Third-Party Compliance Testing and Assessment. The Commission
proposes that conformity assessments for IoT devices and products be
based on compliance assessment (any testing and other requisite
assessment) that includes supporting documentation and data submitted
by the manufacturer or importer of the IoT device or product in
question to a third party such as a CyberLAB, and that the third-party
administrator could authorize the use of the IoT security label only
for devices that meet the established IoT security standards. Should
all IoT devices or products be required to pursue third-party
compliance assessment, or are there classes of IoT devices or products
that should allow for self-attestation?
G. Administering the IoT Labeling Program
36. Commission to Obtain Trademark. The Commission proposes that
the Commission utilize a certification mark to identify those products
that meet the Commission's IoT labeling requirements. A certification
mark is a type of trademark that is used to show consumers that
particular goods and/or services, or their providers, have met certain
requirements. Specifically, the mark indicates that: (1) the owner of
the mark controls who may use the mark; (2) the owner of the mark has
determined that the user complies with a specific standard described by
the owner of the mark; and (3) the owner of the mark does not itself
produce the goods or services covered by the mark. The Commission has
applied for a mark with the United States Patent and Trademark Office
(USPTO), and as the owner of the mark, should this proposal be adopted,
will ensure that the IoT products and devices bearing the mark meet
FCC-approved cybersecurity labeling program requirements. The
Commission also seeks comment on whether the Commission should permit
outside entities to authorize use of the mark where the terms of the
program are met and what measures are necessary to ensure that the
Commission is effectively controlling the use of the mark for purposes
of trademark law.
37. Commission IoT Label. The Commission proposes to implement a
single binary label with layering. Under a binary label construct,
products or devices will either qualify to carry the label or not
qualify (i.e., not be able to carry the label) and ``layers'' of the
label would include the Commission's IoT mark representing that the
product or device has met the Commission's baseline consumer IoT
cybersecurity standards and a scannable code (e.g., QR code) directing
the consumer to more detailed information of the particular IoT
product.
38. The Commission seeks comment on where authorized program
participants should affix the security IoT label. If the Commission's
program addresses devices (rather than products), should it be affixed
on each IoT device or on the product packaging? Should equipment that
includes a user display screen be permitted to display the label on the
user display screen rather than on the device itself? Should there be
limitations or prescriptions on how companies and third-party resellers
can use the mark in advertising or sales displays, products or
websites? The Commission also seeks comment on other approaches with
regard to what the label should display and where the label should be
placed.
39. Layered Information. The Commission seeks comment on the use of
a QR code or URL to enable consumers to access more detailed
information about the device or product, including specific security
information, such as the device manufacturers' level of support,
software update history, privacy policy, and similar information. To
provide consumers with uniform information and minimize the potential
for consumer confusion, the Commission proposes that there be a single
IoT device or product registry associated with the Commission's IoT
cybersecurity labeling program, and that any QR code or URL included
with the FCC IoT mark provide a link to the IoT product's specific web
page within this IoT registry. The Commission proposes to prohibit any
additional QR codes or URLs from being placed in connection with the
Commission's IoT mark. The Commission believes that this would help
ensure the integrity of the Commission's IoT label. If third parties
are authorized by the Commission to grant use of the cybersecurity IoT
label, should the Commission also permit them to generate and specify
the QR code and the URL that can be placed next to the FCC IoT mark and
require them to prevent the program participants from affixing other QR
codes or URLs next to the FCC mark? Should the use of the IoT mark be
prohibited without the associated QR code or URL? What information must
a company include if they reference the IoT mark in product listings or
descriptions? What alternative approaches should the Commission
consider?
40. QR Code. The Commission proposes that the FCC IoT label include
a QR code that contains consumer-friendly information that is available
without an internet connection in addition to a URL to the device's or
product's registry page, which is discussed below. (While the
Commission thinks the use of a QR code is appropriate in conjunction
with the layered labeling approach it is proposing here, the Commission
acknowledges that it previously rejected its use in other contexts,
such as the required labeling under its equipment authorization rules.
The Commission is not proposing to revisit those decisions in the
context of this proceeding. Similarly, the Commission intends its
proposals to operate distinct and separate from the provisions for the
electronic labeling of radiofrequency devices contained in its
equipment authorization rules (47 CFR 2.935), and seeks comment on
whether it needs to adopt or modify its rules accordingly.) In order to
prevent consumer confusion and allow for easy comparison among devices
or products, the Commission also proposes that the information
contained within the QR code for each certified device or product be
uniform and include information that is helpful to non-expert, home
users of IoT devices and products. In this way, the label would be able
to impact consumer purchasing decisions, which are oftentimes made
under time pressure while the consumer is at the store choosing between
products. The Commission proposes the QR code
include a description of the device's security (e.g., easy to
understand explanation of what security standards the device meets, and
how these standards protect the consumer). The Commission also proposes
the QR code include a statement that while the label indicates the
device or product meets certain cybersecurity criteria that reduce
risk, it does not eliminate risk entirely and the label does not imply
product endorsement by the label program and that the consumer is
encouraged to visit the product registry linked by the URL provided
therein to get the most up-to-date security and other information
related to the IoT device or product. The Commission seeks comment on
this proposal and what additional or other information should be
embedded in the QR code to be of benefit to consumers.
41. Given the static nature of the information stored in the QR
code, the Commission urges commenters to consider the types of
information that would be appropriate for consumer decision-making
without needing to have the information stored in the QR code updated.
Alternatively, the QR code could merely provide a link to the IoT
registry page for the device or product in question, discussed below.
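As an added illustration of the label-integrity point in paragraphs 39 through 41 (example code written for this page, not part of the notice or of any Commission system), the following Python validator parses a constructed, offline-readable label payload of the kind paragraph 40 describes and accepts its link only if it points into a single official registry, as paragraph 39 proposes. The registry host name, the per-product path prefix, the `key: value` payload layout and the field names are assumptions made for the example; the sample payloads are constructed.

```python
"""Added example, not part of the FCC notice: parse a constructed, offline-
readable label payload (paragraph 40) and verify that its single link
points into the one official registry (paragraph 39).  The registry host,
path prefix, payload layout and field names are assumptions made for
illustration."""
from dataclasses import dataclass
from urllib.parse import urlsplit

# Assumed registry host; the notice names none.  Placeholder only.
REGISTRY_HOST = "iot-registry.example.gov"
# Assumed path prefix for per-product registry pages.  Placeholder only.
REGISTRY_PATH_PREFIX = "/products/"

REQUIRED_FIELDS = ("product", "standards", "notice", "url")


@dataclass(frozen=True)
class LabelPayload:
    product: str        # product name as printed on the label
    standards: str      # plain-language description of standards met
    notice: str         # "reduces but does not eliminate risk" statement
    url: str            # the one link to the product's registry page


def parse_payload(text: str) -> LabelPayload:
    """Parse the constructed 'key: value' line format into a LabelPayload.

    Raises ValueError on malformed lines or missing required fields, so a
    truncated or tampered payload is rejected rather than partly trusted."""
    fields = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        key, sep, value = line.partition(":")  # split at the FIRST colon only
        if not sep:
            raise ValueError(f"malformed line: {line!r}")
        fields[key.strip().lower()] = value.strip()
    missing = [f for f in REQUIRED_FIELDS if f not in fields]
    if missing:
        raise ValueError(f"missing fields: {missing}")
    return LabelPayload(*(fields[f] for f in REQUIRED_FIELDS))


def registry_url_ok(url: str) -> bool:
    """True only for an https URL whose host is exactly REGISTRY_HOST and
    whose path is a per-product page.  Lookalike hosts, embedded user info
    and non-standard ports are treated as foreign links, which is what a
    'single registry' rule requires."""
    try:
        parts = urlsplit(url)
        port = parts.port  # raises ValueError on a non-numeric port
    except ValueError:
        return False
    if parts.scheme != "https":
        return False
    if parts.username is not None or parts.password is not None:
        return False
    if parts.hostname is None or parts.hostname.lower() != REGISTRY_HOST:
        return False
    if port not in (None, 443):
        return False
    return parts.path.startswith(REGISTRY_PATH_PREFIX)


def validate_label(text: str) -> list[str]:
    """Return a list of problems with a label payload; empty means accepted."""
    try:
        payload = parse_payload(text)
    except ValueError as exc:
        return [str(exc)]
    problems = []
    if not registry_url_ok(payload.url):
        problems.append(f"link does not point into the registry: {payload.url}")
    # Minimal presence check for the risk statement paragraph 40 calls for.
    if "eliminate" not in payload.notice.lower():
        problems.append("risk notice missing the 'does not eliminate risk' statement")
    return problems


# Constructed sample payloads (not real products or registry entries).
SAMPLE_OK = """product: Example Smart Plug
standards: Meets the program's baseline consumer IoT criteria
notice: The label reduces risk but does not eliminate it and is not an endorsement.
url: https://iot-registry.example.gov/products/EXAMPLE-0001
"""
# Same text, but the link goes to a lookalike host outside the registry.
SAMPLE_LOOKALIKE = SAMPLE_OK.replace(
    "https://iot-registry.example.gov/",
    "https://iot-registry.example.gov.evil.example/")

if __name__ == "__main__":
    print("ok payload:", validate_label(SAMPLE_OK))
    print("lookalike payload:", validate_label(SAMPLE_LOOKALIKE))
```

The host comparison is exact rather than a suffix match, and user-info and non-default ports are refused outright, because the static QR content cannot be revised once printed and a lenient parser would turn the single-registry rule into a formality.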
42. The Commission proposes to require that the manufacturer
disclose the guaranteed minimum support period for an IoT device or
product, during which the manufacturer commits to identify and patch
security vulnerabilities in the product. See NIST, Recommended Criteria
for Cybersecurity Labeling for Consumer IoT Products, at 10 (Feb. 4,
2022), https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.02042022-2.pdf.
While the Commission recognizes the length of such a support period is
at the discretion of the manufacturer, and may even be zero, the
Commission seeks comment on the benefits and drawbacks of requiring a
manufacturer to disclose, via the label or associated registry entry,
the length of time that an IoT device or product would be supported,
and the level of support provided. Should they also be required to
disclose whether all or only critical patches will be supported, the
regularity with which such patches are made available, whether they are
automatically deployed, or what additional steps a consumer may need to
take to remain secure when support ends? Should the Commission require
the manufacturer to provide notice when that support ends? How can the
Commission ensure this information is meaningful to consumers? The
Commission seeks comment on these options and any alternatives to help
provide consumers with necessary, accurate, and timely information.
43. IoT Registry. The Commission proposes the use of an IoT
registry where the public may access a catalog of devices or products
that are approved pursuant to the Commission's IoT labeling program.
This IoT registry would be accessible via the internet and serve as a
one-stop reference for the public to understand which products in the
market bear the IoT label (e.g., consumers could check the registry
before they shop). The IoT registry could contain IoT security-related
information that is sortable and searchable by manufacturer or brand,
device or product vendor, device or product name, model number,
firmware/software build version, and other identifying variables, such
as a unique asset identification number. The Commission seeks comment
on this approach. Are there any similar product registries that have
already been established or that are being initiated, and that might be
leveraged for these purposes? Should the Commission consider selecting
and overseeing a third-party IoT registry administrator, and if so, how
could such an administrator be funded? Should there be more than one
administrator or more than one registry, and if so, how should the
Commission ensure that accurate, up-to-date, and complete information
is contained in each of them? Should it be the same third-party
administrator contemplated to manage the other aspects of the labeling
program as described herein?
44. The QR code and/or the URL associated with the IoT label would
include a link to the IoT registry, which would provide detailed
information on the IoT product through the product's web page within
the IoT registry. The Commission seeks comment on what information
should be included within the IoT registry and associated with the QR
codes. If the URL is the sole piece of information associated with the
QR code, how should registry information be presented or organized to
ensure consumer-friendliness?
45. The Commission proposes that, among other information, the IoT
registry might provide the following information for each approved
device (or product): (1) how to operate the device securely (e.g.,
basic cyber hygiene to include changing default passwords) and, if
applicable, what level of security the device or product has achieved;
(2) whether the product's security settings are protected against
unauthorized changes, including disabling its security; (3) where the
device was manufactured; and (4) when the registry information for the
device was last updated. What other information should be included?
Would the information included in the CMU IoT Security and Privacy
Label (CMU Label) be an appropriate model for each IoT product's
listing provided within the IoT registry? CMU Labels are divided into
three major sections: (1) security mechanisms, (2) data practices, and
(3) more information, with various data fields under these sections
(e.g., security updates, access control, sensor type, privacy policy,
manufacturer contact information, and platform compatibility). CMU
Labels often link to external sites, such as manufacturers' websites,
to provide more detailed information. Would linking to external
websites, over which the Commission would have no oversight or control,
be appropriate for the Commission's IoT labeling program and the IoT
registry? How could the Commission ensure the content of the
information provided in the external links is accurate and up-to-date?
Are there additional exemplary labels that the Commission should
consider? What other additional details should be disclosed to inform
consumers of cybersecurity risks underlying the IoT product? What
details can potentially be omitted? How can the Commission otherwise
ensure the information provided in the IoT registry is meaningful and
understandable by consumers?
46. The Commission further asks whether such IoT registry might
also be used by retailers to assist them with choosing products that
carry the IoT label for sale in their stores and whether retailers may
use the registry to confirm that the products that they market
legitimately bear the FCC's IoT label. If so, should the registry
maintain different sets of information for general consumers and
retailers? What additional information would retailers want to see but
is not relevant to general consumers?
47. Updating Information. The Commission seeks comment on how to
ensure consumers are not misled by the meaning of the IoT label and can
obtain up-to-date information about their device or product. Unlike
other labeling programs, such as the Commission's Broadband Consumer
Label, or the ENERGY STAR label, the Commission's labeling program
addresses cybersecurity risk, which is constantly changing and requires
constant updating. For example, if a new vulnerability is discovered,
the product would remain insecure until that newly discovered
vulnerability is patched. The Commission proposes that consumers
be made aware of any vulnerabilities or updated product information
through the IoT registry. That way, once the product's web page within
the IoT product registry is updated to indicate that the authorization
to use the mark is outdated, and/or the device is no longer maintained/
updated, the consumer can understand this information by accessing the
web page using the QR code and/or the URL provided next to the FCC IoT
label. Should the Commission impose a duty on manufacturers or
importers of the IoT devices and products to notify the IoT registry
operator when they become aware of an unpatched vulnerability that
poses security risks to their IoT devices and products? Are there other
events that should trigger IoT product manufacturers or importers to
notify the registry operator that their IoT registry device or product
page should be updated?
48. The Commission seeks comment on these proposals, and on any
other ways to ensure consumers have up-to-date information regarding
IoT devices or products labeled under the program, as well as have an
understanding that the FCC cybersecurity label is not a guarantee
against all cybersecurity threats. What additional information might be
warranted to help minimize the potential for customer confusion?
49. Application/Renewal. The Commission proposes that IoT label
applicants file for renewal each year, together with supporting
evidence that the products still meet the FCC's IoT requirements, as
tested and administered by the CyberLABs or as self-attested. In this
regard, the Commission seeks to ensure consumers have up-to-date
information regarding the participating device or product, and to
address end-of-life issues for devices previously approved, but that no
longer warrant continued authorization to use the label. Should the
label include the specific date, or the year, the label was awarded to
help notify consumers how fresh the authorization is? Should the FCC
IoT labels on the device or product have an expiration date? How does
the Commission ensure consumers are aware of when a device with an FCC
IoT label is no longer maintained and/or updated by manufacturers, and
may no longer meet up-to-date cybersecurity requirements?
50. The Commission seeks comment on this proposal to employ a
renewal process. Should the Commission consider other timeframes on a
shorter or longer basis? Should there be an event in the product's
life-cycle or a security event that should trigger the applicant to
file for an early renewal? When would such an event trigger early
renewal, versus filing updated information with the program
administrator and updating the IoT registry? Similarly, are there
incidents or developments that might warrant the removal of the IoT
cybersecurity label, and what might those circumstances be? After the
IoT device or product is authorized for the first time, what supporting
documents should the program participants provide to validate and renew
their authorization to use the label? Must it be retested annually? How
should the IoT registry reflect that an authorization to use the label
is out of date?
51. The Commission also seeks comment on the interplay between the
proposed IoT cybersecurity labeling program and its current equipment
authorization rules. Given that the review process for the proposed
program will likely not be administered in the same manner, and by the
same entities, as are involved in its equipment authorization program,
the Commission proposes that they generally operate in a distinct
manner. However, given that equipment subject to the requirements of
the Commission's equipment authorization rules must satisfy those rules
before they can be manufactured and sold in the United States, the
Commission proposes that approval be granted under the cybersecurity
labeling program only after any applicable requirements of the
equipment authorization rules have been satisfied for the relevant
device or product. The Commission seeks comment on these proposals and
on any other ways in which it should address the potential interplay
between the proposed IoT cybersecurity labeling program and its current
equipment authorization rules.
52. Costs. The Commission permits TCBs to establish and assess fees
for processing equipment authorization applications and conducting
other Commission-required tasks. The Commission anticipates that
similarly situated third parties in this program may wish to charge for
their services and seeks comment on whether there is any oversight the
Commission needs to exercise over such charges. Further, the Commission
proposes that, when a proposed grant of labeling authority is submitted
to the Commission for action it should be accompanied by an application
fee pursuant to its authority under section 8 of the Communications
Act. The Commission proposes to follow the fee calculation methodology
adopted by the Commission in the 2020 Application Fee Report and Order.
The Commission seeks comment on this proposal and any changes or
modifications the Commission should consider here.
53. Investigation, Disqualification, and Enforcement. Ensuring that
the label remains a trusted and valuable resource to purchasers
requires that the integrity of the devices and products bearing the
label is maintained. As such, the Commission seeks comment on how to
enforce the labeling program requirements. To the extent that non-
Commission entities are better situated to perform, and receive
approval to perform, certain functions, should they also be required to
conduct a certain number of random audits of the certified IoT devices
and products to confirm that they are in compliance? Are there types of
market surveillance that should be conducted, and by whom? Should the
Commission allow consumer or third-party complaints? Should the
Commission or other entities accept and process such complaints? What
should the Commission's role be in audit and oversight? For any non-
compliance, the Commission could rely on a combination of enforcement
procedures such as administrative remedies under the Communications Act
(e.g., show cause orders, revocation proceedings, forfeitures, consent
decrees, cease and desist orders, and penalties) or civil litigation
for breach of contract or trademark infringement, in which the
Department of Justice (DOJ) would participate. As noted above, the
Commission also seeks comment on what, if any, additional measures are
necessary to ensure that the Commission is effectively controlling use
of the certification mark for purposes of trademark law. What
enforcement measures would be appropriate for firms that falsely put
the IoT certification mark or label on their products? How would it be
enforced if firms are outside of the United States? In the more
contractual context of the ENERGY STAR program, EPA has set out certain
Disqualification Procedures that it would apply if a product fails
third-party verification testing, or if it fails subsequent Department
of Energy (DOE) appliance testing or in the event of product
nonconformity. In particular, this process gives the ENERGY STAR
Partner notice and an opportunity to dispute the assessment with EPA
before a formal disqualification decision is made. The Disqualification
Procedures specify certain steps that ENERGY STAR Partners must take in
the event of a disqualification (e.g., removing references to ENERGY
STAR in the product labeling, marketing, etc.). Should the Commission
adopt a similar
disqualification procedure under its rules? What enforcement measures
would be appropriate in addition to revoking authorization to use the
IoT label? What procedures or consequences should apply where a device
or product was certified under one set of standards but is not capable
of meeting a new or updated standard adopted later? How should
participants address products that bear the IoT security label when
those products become non-compliant? If
an applicant is denied authority to use the Commission's IoT label,
should they be able to appeal that decision? The Commission also seeks
comment on any recordkeeping and audit requirements for compliance
review purposes.
54. Conversely, where a program participant has received
authorization to utilize the Commission's IoT Label and has
appropriately maintained the device's security measures, does this
represent an indicium of reasonableness that might serve as a defense
or safe harbor against liability for damages resulting from a cyber
incident, e.g., data breach, denial of service, malware? While the
Commission clarifies that it does not intend at this time for the
labeling program in and of itself to preempt otherwise existing law,
are there other affirmative measures that the Commission should
consider adopting that should be afforded to devices that have achieved
and maintained a Commission IoT security label?
55. Consumer Education. The Commission expects that the success of
this program will rely upon a robust education campaign with shared
responsibilities among the scheme owner, manufacturers, retailers,
industry, and non-profit security groups to promote label recognition,
brand trust, and transparency of what the Commission's IoT
cybersecurity label means. The Commission seeks comment on whether the
education campaign used should be comprised of the consumer education
materials recommended by NIST, which include providing consumers online
access to information addressing:
Intent and Scope: What the label does and does not mean,
including addressing potential misinterpretations (e.g., stating that
meeting the label security criteria reduces risk but does not eliminate
it entirely, and that labeled products are not necessarily more secure
than unlabeled products); and a statement that the label does not imply
product endorsement by the Commission;
Product Criteria: The cybersecurity properties that must
be met for a device to have the Commission label and how and why these
properties were selected; including information on how the criteria
address security risks both to the consumer and to others for common
intended uses of the products;
A glossary of applicable technical terms written in plain
English;
General information about conformity assessment and how
cybersecurity properties are evaluated;
Declaration of Conformity: The device's specific
declaration of conformity to the IoT security standards, including the
date the label was last awarded;
Scope: The kinds of devices eligible for the label and an
easy way for consumers to identify labeled devices;
Changing Applicability: The current state of device
labeling as new cybersecurity threats and vulnerabilities emerge;
Security considerations for end-of-life IoT devices and
implications for functionality if the device is no longer connected;
Expectations for Consumers: The responsibility consumers
share in securing the device software and how their actions (or
inactions) can impact the device's software cybersecurity; and
Contact information for the labeling program and
information on how consumers can lodge a complaint regarding a product
label.
56. The Commission seeks comment on anticipated costs of such a
consumer education campaign particularly with regard to upfront costs
that will be incurred to start the program. The Commission also seeks
comment on mechanisms for conducting the outreach consistent with the
constraints on federal outreach and the possibility of public or
private partnerships that may facilitate a consumer education campaign.
57. Integrity of the National Government-based IoT Cybersecurity
Label. The Commission seeks comment on ways to avoid consumer confusion
between the government-based IoT cybersecurity label and existing and
future IoT cybersecurity labeling schemes such as UL and IoT Security
Trust Mark. What features and assurances can the Commission's label
provide to improve customer awareness of the security of a given IoT
device? Alternatively, should the FCC label act as an aggregator for
other labeling programs ensuring that these programs meet the IoT
security standards in addition to any wider or sector specific security
needs the scheme owners consider necessary? What about other labeling
programs in other countries? How should the Commission coordinate and
engage with other international bodies maintaining labeling programs to
develop recognition of the Commission's IoT Label, and where
appropriate, mutual recognition of those international labels? The
Commission's proposal seeks to implement this program for devices or
products for sale in the United States. What steps, if any, should the
Commission take to ensure the FCC label is not mistaken for compliance
with IoT security or RF-emission standards in other countries?
58. Accessibility. The Commission emphasizes its continued
commitment to ensuring that the labeling program is accessible and
usable by individuals with disabilities. With respect to the
Commission's Broadband Consumer Label, in 2022, the Commission noted
that the Consumer Advisory Committee (CAC) determined that
participating providers can best ensure accessibility to printed and
online information by relying on well-established legal requirements
included in the Americans with Disabilities Act and by following the
guidance developed by the Web Accessibility Initiative. The Commission
seeks comment on whether relying on these guidelines provides the best
likelihood of ensuring that consumers with disabilities will be able to
access necessary information about their IoT devices or products. The
Commission seeks comment on how best to ensure that any adopted IoT
cybersecurity label is accessible to persons with disabilities.
Legal Authority
59. The Commission tentatively concludes that it has authority to
adopt the proposed IoT labeling program. In particular, section 302(a)
of the Communications Act authorizes the FCC ``consistent with the
public interest, convenience, and necessity, [to] make reasonable
regulations (1) governing the interference potential of devices which
in their operation are capable of emitting radio frequency energy by
radiation, conduction, or other means in sufficient degree to cause
harmful interference to radio communications; . . .'' While this
program would be voluntary, entities that elect to participate would
need to do so in accordance with the regulations the Commission adopts
in this proceeding, including but not limited to the IoT security
standards, compliance requirements, and the labeling program's
operating framework. The Commission tentatively concludes that the
standards the Commission proposes to apply when administering the
proposed labeling program fall within the scope of ``reasonable
regulations . . . governing the interference potential
of devices. . . .'' The Commission seeks comment on this reasoning.
60. The Commission has exercised authority in other contexts to
secure both software and firmware to prevent unauthorized modification
that would compromise a device or the data it transmits. For example,
in adopting technical rules for the Citizens Broadband Radio Service
(CBRS), the Commission required end user devices to ``contain security
features sufficient to protect against modification of software and
firmware by any unauthorized parties'' and required that such devices
``be able to protect the communication data that are exchanged between
these elements.'' The Commission adopted a further obligation for
identified security vulnerabilities to be resolved on a going-forward
basis, and encouraged industry to develop best practices for end-to-end
security that can be validated through the certification process. By
way of further example, in the 5 GHz band, the Commission, noting the
potential for reprogramming of unlicensed national information
infrastructure (U-NII) devices to operate outside of authorized device
parameters, similarly adopted security measures requiring manufacturers
to prevent software changes that would result in this outcome.
Declining to mandate specific software security measures, the
Commission required manufacturers instead to document their methods. In
addition, the Commission's rules require security protocols and
procedures to ensure the integrity of transmissions between and
among white space devices and databases.
61. The Commission's proposed labeling program rules are intended
to ensure that IoT devices have implemented certain minimum
cybersecurity protocols to prevent their being hacked by bad actors who
could cause the devices to cause harmful interference to radio
communications. As noted above, in the 5 GHz context, the Commission
identified concerns about security vulnerabilities that could, if
exploited, lead equipment to operate outside established parameters,
with the associated risk that doing so could cause harmful
interference. As also noted above, interference issues also could arise
if security vulnerabilities were exploited to use a device as an
interference generator, or to transmit at times and intervals selected
by the attacker to interfere with other devices. The Commission
anticipates that this could be a more pervasive risk, and the
Commission seeks comment on that predictive judgment. Furthermore,
under the Act, the Commission's other obligations in this regard can
encompass not only the prevention of interference to other devices, but
the need to mitigate against the risk of interference to covered
equipment. In this regard, and in considering the potential need to
encompass not only devices but, ultimately, products in order to
adequately secure the IoT ecosystem and empower consumer choices, the
Commission believes such an approach is reasonable under sections 333
and 302(a) of the Act.
62. In particular, the Commission also seeks comment on the
authorities that would support including additional IoT products and
devices within the proposed IoT labeling Program. For example, section
302(a)(2) of the Act provides the Commission with the authority to
adopt reasonable regulations ``establishing minimum performance
standards for home electronic equipment and systems to reduce their
susceptibility to interference from radio frequency energy.'' Does this
authority support reasonable regulations that may include the
regulations proposed herein? Section 333 states: ``No person shall
willfully or maliciously interfere with or cause interference to any
radio communications of any station licensed or authorized by or under
this chapter or operated by the United States Government.'' Does this
authority, possibly coupled with other provisions, provide a basis for
the Commission's proposed action? Is the Commission's proposal
necessary or reasonably ancillary to the execution of its
implementation of any or all of these statutory responsibilities?
63. Is it reasonable for the Commission's labeling program to not
only guard against the risk that covered devices and products cause
harmful interference, but also to guard against other risks, including
the risk of interference to those covered devices and products
consistent with policy goals underlying sections 302(a)(2) and 333 of
the Act? For example, the Commission tentatively concludes that its
authority to adopt ``reasonable regulations'' to guard against harmful
interference under section 302 of the Act authorizes a labeling program
that applies a set of criteria or standards that address not only risks
of harmful interference from the products or devices subject to
labeling but also other harms, such as the risk of harmful interference
to such products or devices--particularly where the relevant criteria
or standards were designed or intended to be applied as a package or
collectively.
64. The Commission also tentatively concludes that its authority
under section 302(a)(1) of the Act to adopt reasonable regulations
consistent with the public interest to guard against interference
provides the Commission flexibility to tailor the proposed labeling
program in other ways. For example, the Commission believes that, in
adopting reasonable regulations consistent with the public interest
under section 302, the Commission has authority to exclude equipment
from the Covered List from participating in the voluntary labeling
program, consistent with the objectives of sections 2(a) and (d) of the
Secure and Trusted Communications Networks Act of 2019. The Commission
further tentatively concludes that its section 302 authority likewise
enables it to rely on third parties in carrying out the implementation
details of the proposed labeling program. In particular, section 302(e)
of the Act authorizes the Commission to delegate equipment testing and
certification to private laboratories, and the Commission notes in that
regard that it already has relied in part on third parties in carrying
out its equipment authorization rules. The Commission also seeks
comment on whether its authority to adopt reasonable regulations in the
public interest to carry out the objectives of section 302 authorizes
the Commission to rely on a third party IoT registry administrator as
well as rely on third parties to perform some of the functions
described above.
65. The Commission also seeks comment on whether section 301 of the
Act also provides the Commission with authority to include in its
labeling program IoT products and devices that might receive harmful
interference from an unauthorized cyber event. The Commission also
recognizes, for example, that cyberattacks utilizing IoT
vulnerabilities may not only give rise to harmful interference
concerns, but can also effectuate physical threats to the world around
us--degrading wireless networks, for example, changing service settings
on smart appliances, or--more catastrophically--shutting down an
industrial control system. Are there additional authorities that
support the inclusion of additional IoT products and devices that do
not emit RF externally for purposes of communications, such as
unintentional or incidental radiators, or wired-only IoT?
66. The Commission seeks comment broadly on its legal authority under
the Communications Act, or any other source, to implement the proposed
voluntary IoT labeling program, including its authority pursuant to
Titles II and III as well as its authority
under section 4(i) of the Communications Act, as amended, to ``perform
any and all acts, make such rules and regulations, and issue such
orders, not inconsistent with this chapter, as may be necessary in the
execution of its functions'' which includes ``the purpose of promoting
safety of life and property.''
67. The Commission further seeks comment on how it may utilize
enforcement authorities under the Act, including the potential
imposition of penalties under section 503 and cease and desist orders
under section 312 for those entities that voluntarily participate in
the labeling program, but fail to continue to comply with the
Commission's regulations. Would participants in the labeling program
already be holders of authorizations within the meaning of section
503(b)(5) of the Act, or are there steps the Commission should take to
structure the labeling program so that participation would itself
satisfy that provision? Are there any additional avenues for
enforcement or oversight of the program's participants or of a third-
party security certifying body? What trademark remedies are available
to the Commission? Are there other agencies that might contribute to
program enforcement?
Promoting Digital Equity
68. The Commission, as part of its continuing effort to advance
digital equity for all,\84\ including people of color, persons with
disabilities, persons who live in rural or Tribal areas, and others who
are or have been historically underserved, marginalized, or adversely
affected by persistent poverty or inequality, invites comment on any
equity-related considerations \85\ and benefits (if any) that may be
associated with the proposals and issues discussed herein.
Specifically, the Commission seeks comment on how its proposals may
promote or inhibit advances in diversity, equity, inclusion, and
accessibility, as well as the scope of the Commission's relevant legal
authority.
Appendix A
69. Within the scope of a consumer IoT product, the following
baseline product criteria are recommended by NIST to define the
cybersecurity outcomes expected of IoT products and IoT product
developers as part of a consumer IoT product labeling program. Most
criteria concern the IoT product directly and are expected to be
satisfied by software and/or hardware means implemented in the IoT
product. Some criteria apply to the IoT product developer rather than
to the IoT product directly. These criteria are expected to be
satisfied through actions and supported by assertions and evidence from
the developer rather than from the IoT product itself.
70. Product criteria are recommended to apply to the IoT product
overall, as well as to each individual IoT product component (e.g., IoT
device, backend, companion app), as appropriate. (Given the nature of
consumer IoT product, it is expected that all IoT products should
satisfy all technical product criteria since they will, in most cases,
be finished products intended for direct plug-and-play use. Individual
IoT product components, though, may be more likely to not require
certain criteria (e.g., based on lack of applicability).) A scheme owner
has the flexibility to adapt the product criteria and determine
appropriate supporting evidence. Though NIST recommends that all
criteria apply to every IoT product, some components may not be able or
need to support all criteria. That might be the case due to product
risk considerations, product development (e.g., cybersecurity tasks
delegated via contracts and supply chain), nature of the components to
form the product (e.g., backends may be highly distributed), or
limitations of IoT components (e.g., devices may be constrained,
companion software apps may have limited access and functionality).
Asset Identification: The IoT product is uniquely identifiable and
inventories all of the IoT product's components.
The IoT product can be uniquely identified by the customer
and other authorized entities (e.g., the IoT product developer).
The IoT product uniquely identifies each IoT product
component and maintains an up-to-date inventory of connected product
components.
Cybersecurity utility: The ability to identify IoT products and
their components is necessary to support asset management for updates,
data protection, and digital forensics capabilities for incident
response.
Product Configuration: The configuration of the IoT product is
changeable, there is the ability to restore a secure default setting,
and any and all changes can only be performed by authorized
individuals, services, and other IoT product components.
The customer can change the configuration settings of the
IoT product via one or more IoT product components.
The IoT product applies configuration settings to
applicable IoT components.
Cybersecurity utility: The ability to change aspects of how the IoT
product functions can help customers tailor the IoT product's
functionality to their needs and goals. Customers can configure their
IoT products to avoid specific threats and risk they know about based
on their risk appetite.
Data Protection: The IoT product and its components protect data
stored (across all IoT product components) and transmitted (both
between IoT product components and outside the IoT product) from
unauthorized access, disclosure, and modification.
Each IoT product component protects data it stores via
secure means, including the ability to delete or render inaccessible
data stored that is either collected from or about the customer, home,
family, etc.
When data is sent between IoT product components or
outside the product, protections are used for the data transmission.
Cybersecurity utility: Maintaining confidentiality, integrity, and
availability of data is foundational to cybersecurity for IoT products.
Customers will expect that data is protected and that protection of
data helps to ensure safe and intended functionality of the IoT
product.
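As an added illustration of the Data Protection criterion (not part of the Commission's notice or the NIST criteria, and not any product's actual code), the following Go program seals data at rest for one product component with AES-256-GCM and shows how "delete or render inaccessible" can be satisfied by destroying the key (crypto-erase) rather than by scrubbing flash. The vault structure, the record name used as associated data, and the in-memory key are assumptions for the example; a shipping device would hold the key in a hardware-backed keystore and would protect data in transit separately (e.g., TLS between components).

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Vault is a hypothetical at-rest store for one IoT product component.
// Records are sealed with AES-256-GCM under a key held only in the vault;
// "deleting" customer data is done by destroying that key, which renders
// every record sealed under it computationally inaccessible.
type Vault struct {
	key    []byte            // 32-byte AES-256 key; nil once erased
	sealed map[string][]byte // record name -> nonce || ciphertext || tag
}

// NewVault generates a fresh random key. On a real device the key would
// come from a hardware-backed keystore (an assumption for this example).
func NewVault() (*Vault, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return &Vault{key: key, sealed: make(map[string][]byte)}, nil
}

func (v *Vault) aead() (cipher.AEAD, error) {
	if v.key == nil {
		return nil, errors.New("vault key has been erased")
	}
	block, err := aes.NewCipher(v.key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Store seals plaintext under a fresh random nonce. The record name is bound
// as additional authenticated data so a ciphertext cannot be moved from one
// record to another without detection.
func (v *Vault) Store(name string, plaintext []byte) error {
	gcm, err := v.aead()
	if err != nil {
		return err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return err
	}
	v.sealed[name] = gcm.Seal(nonce, nonce, plaintext, []byte(name))
	return nil
}

// Load opens a record; it fails on any modification of the stored bytes
// and on any access after Erase.
func (v *Vault) Load(name string) ([]byte, error) {
	gcm, err := v.aead()
	if err != nil {
		return nil, err
	}
	blob, ok := v.sealed[name]
	if !ok || len(blob) < gcm.NonceSize() {
		return nil, fmt.Errorf("no record %q", name)
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, []byte(name))
}

// Erase zeroizes the key. The sealed blobs may still sit on flash, but
// without the key they are inaccessible, which is the crypto-erase outcome.
func (v *Vault) Erase() {
	for i := range v.key {
		v.key[i] = 0
	}
	v.key = nil
}

func main() {
	v, _ := NewVault()
	// Constructed sample record; not real credentials.
	_ = v.Store("wifi-credentials", []byte("ssid=home;psk=constructed-example"))
	pt, err := v.Load("wifi-credentials")
	fmt.Printf("before erase: %q err=%v\n", pt, err)
	v.Erase()
	_, err = v.Load("wifi-credentials")
	fmt.Println("after erase:", err)
}
```

The design point is that integrity and confidentiality come from the same AEAD operation, so a record that has been altered on flash is refused rather than returned partially decrypted, and that erasure is a key-lifecycle action that can be completed in constant time regardless of how much data was stored.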
Interface Access Control: The IoT product and its components
restrict logical access to local and network interfaces--and to
protocols and services used by those interfaces--to only authorized
individuals, services, and IoT product components.
Each IoT product component controls access (to and from)
all interfaces (e.g., local interfaces, network interfaces, protocols,
and services) in order to limit access to only authorized entities. At
a minimum, the IoT product and its components shall:
a. Use and have access only to interfaces necessary for the IoT
product's operation. All other channels and access to channels are
removed or secured.
b. For all interfaces necessary for the IoT product's use, access
control measures are in place (e.g., unique password-based multifactor
authentication).
c. For all interfaces, access and modification privileges are
limited.
The IoT product executes means via some, but not
necessarily all, components to protect and maintain interface access
control. At a minimum, the IoT product shall:
a. Validate that data sent to other product components matches
specified definitions of format and content.
b. Prevent unauthorized transmissions or access to other product
components.
c. Maintain appropriate access control during initial connection
(i.e., on-boarding) and when reestablishing connectivity after
disconnection or outage.
Cybersecurity utility: Inventorying and controlling access to all
internal and external interfaces to the IoT product will help preserve
the confidentiality, integrity, and availability of the IoT product,
its components, and data by helping prevent unauthorized access and
modification.
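The Product Configuration criterion above (secure defaults that can be restored, changes only by authorized parties) and the Interface Access Control criterion (limited modification privileges; data between components validated against specified format and content definitions) can be demonstrated together. The following Go program is an added example, not code from the notice, from NIST, or from any product: a component accepts configuration requests from an authenticated peer, authorizes the peer's role, rejects any field not in the declared format, range-checks the values, and only then changes state. The configuration fields, roles, and JSON message layout are assumptions for the example.

```go
package main

import (
	"bytes"
	"encoding/json"
	"errors"
	"fmt"
)

// Config is the device's mutable settings. SecureDefaults is the baseline a
// customer can always restore to. The field set and ranges are assumptions
// for this example, not a standard.
type Config struct {
	RemoteAccess   bool   `json:"remote_access"`   // inbound admin from the internet; off by default
	TelemetryLevel int    `json:"telemetry_level"` // 0 = minimal ... 2 = verbose
	NTPServer      string `json:"ntp_server"`
}

func SecureDefaults() Config {
	return Config{RemoteAccess: false, TelemetryLevel: 0, NTPServer: "pool.ntp.org"}
}

// Principal is the authenticated peer asking for a change (owner's companion
// app, another product component, a guest user). Roles are assumed here; a
// real product would bind them to an authenticated session.
type Principal struct {
	ID   string
	Role string
}

// Modification privilege is limited to these roles (criterion c above).
var canModify = map[string]bool{"owner": true, "companion-app": true}

// ConfigRequest is the message format exchanged between components.
type ConfigRequest struct {
	Op     string          `json:"op"`               // "set" or "restore_defaults"
	Fields json.RawMessage `json:"fields,omitempty"` // partial Config for "set"
}

type Device struct{ cfg Config }

func NewDevice() *Device          { return &Device{cfg: SecureDefaults()} }
func (d *Device) Current() Config { return d.cfg }

// strictDecode rejects any field that is not part of the declared format.
func strictDecode(raw []byte, dst interface{}) error {
	dec := json.NewDecoder(bytes.NewReader(raw))
	dec.DisallowUnknownFields()
	return dec.Decode(dst)
}

// Apply authorizes the caller, validates format and content, and only then
// mutates state; a rejected request leaves the configuration untouched.
func (d *Device) Apply(from Principal, raw []byte) error {
	if !canModify[from.Role] {
		return fmt.Errorf("%s (%s) is not authorized to change configuration", from.ID, from.Role)
	}
	var req ConfigRequest
	if err := strictDecode(raw, &req); err != nil {
		return fmt.Errorf("malformed request: %w", err)
	}
	switch req.Op {
	case "restore_defaults":
		d.cfg = SecureDefaults()
		return nil
	case "set":
		next := d.cfg // overlay only the fields present in the request
		if err := strictDecode(req.Fields, &next); err != nil {
			return fmt.Errorf("malformed fields: %w", err)
		}
		if err := validate(next); err != nil {
			return err
		}
		d.cfg = next
		return nil
	default:
		return fmt.Errorf("unknown op %q", req.Op)
	}
}

// validate is the content check: every value must be within its specification.
func validate(c Config) error {
	if c.TelemetryLevel < 0 || c.TelemetryLevel > 2 {
		return errors.New("telemetry_level must be 0, 1 or 2")
	}
	if c.NTPServer == "" || len(c.NTPServer) > 253 {
		return errors.New("ntp_server must be a non-empty hostname")
	}
	return nil
}

func main() {
	d := NewDevice()
	app := Principal{ID: "app-0001", Role: "companion-app"} // constructed peer
	fmt.Println(d.Apply(app, []byte(`{"op":"set","fields":{"telemetry_level":1}}`)))
	fmt.Println(d.Apply(Principal{ID: "guest-7", Role: "guest"}, []byte(`{"op":"set","fields":{"remote_access":true}}`)))
	fmt.Println(d.Apply(app, []byte(`{"op":"set","fields":{"debug_shell":true}}`)))
	fmt.Printf("%+v\n", d.Current())
}
```

Two properties matter for an assessor: the authorization check runs before the message body is parsed, so an unauthorized peer cannot probe the parser, and validation happens on a copy, so a request that fails any check leaves the live configuration exactly as it was.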
Software Update: The software of all IoT product components can be
updated by authorized individuals, services, and other IoT product
components only by using a secure and configurable mechanism, as
appropriate for each IoT product component.
Each IoT product component can receive, verify, and apply
verified software updates.
The IoT product implements measures to keep software on
IoT product components up to date (i.e., automatic application of
updates or consistent customer notification of available updates via
the IoT product).
Cybersecurity utility: Software may have vulnerabilities discovered
after the IoT product has been deployed; software update capabilities
can ensure secure delivery of security patches.
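The Software Update criterion says each component must "receive, verify, and apply verified software updates." As an added example (not the notice's, NIST's, or any vendor's code), the following Go program shows what "verify" has to cover before anything is written: an Ed25519 signature over the update manifest using a vendor public key provisioned at manufacture, a product binding so a manifest for one product cannot be replayed against another, a monotonic version check so an older, signed image cannot be reinstalled (rollback), and a digest check tying the image to the signed manifest. The manifest layout and field names are assumptions for the example; the vendor-side signing helper exists only to build test input.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
)

// Manifest describes one update; it is what the vendor signs. The field
// names are an assumption for this example, not a standard format.
type Manifest struct {
	Product     string `json:"product"`
	Version     uint64 `json:"version"`      // must strictly increase
	ImageSHA256 []byte `json:"image_sha256"` // digest of the image bytes
}

// SignedUpdate is what arrives over the network: manifest bytes, a detached
// signature over exactly those bytes, and the image itself.
type SignedUpdate struct {
	ManifestJSON []byte
	Signature    []byte
	Image        []byte
}

// Updater holds the per-device verification state.
type Updater struct {
	Product        string
	VendorPub      ed25519.PublicKey // provisioned at manufacture (assumed)
	InstalledVer   uint64
	installedImage []byte
}

var (
	ErrBadSignature = errors.New("manifest signature invalid")
	ErrRollback     = errors.New("update version is not newer than installed")
	ErrImageDigest  = errors.New("image digest does not match manifest")
	ErrWrongProduct = errors.New("manifest is for a different product")
)

// Verify checks signature, product binding, anti-rollback, and image digest
// before anything is written. The signature is checked first so that no
// unsigned data influences a later decision.
func (u *Updater) Verify(upd SignedUpdate) (*Manifest, error) {
	if !ed25519.Verify(u.VendorPub, upd.ManifestJSON, upd.Signature) {
		return nil, ErrBadSignature
	}
	var m Manifest
	if err := json.Unmarshal(upd.ManifestJSON, &m); err != nil {
		return nil, fmt.Errorf("manifest parse: %w", err)
	}
	if m.Product != u.Product {
		return nil, ErrWrongProduct
	}
	if m.Version <= u.InstalledVer {
		return nil, ErrRollback
	}
	sum := sha256.Sum256(upd.Image)
	if !bytes.Equal(sum[:], m.ImageSHA256) {
		return nil, ErrImageDigest
	}
	return &m, nil
}

// Apply installs only after Verify succeeds and records the new version so
// later rollback checks use it.
func (u *Updater) Apply(upd SignedUpdate) error {
	m, err := u.Verify(upd)
	if err != nil {
		return err
	}
	u.installedImage = append([]byte(nil), upd.Image...)
	u.InstalledVer = m.Version
	return nil
}

// BuildUpdate is the vendor side; it is here only to construct sample input.
func BuildUpdate(priv ed25519.PrivateKey, product string, version uint64, image []byte) (SignedUpdate, error) {
	sum := sha256.Sum256(image)
	mj, err := json.Marshal(Manifest{Product: product, Version: version, ImageSHA256: sum[:]})
	if err != nil {
		return SignedUpdate{}, err
	}
	return SignedUpdate{ManifestJSON: mj, Signature: ed25519.Sign(priv, mj), Image: image}, nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // constructed vendor key pair
	u := &Updater{Product: "cam-x", VendorPub: pub, InstalledVer: 3}
	good, _ := BuildUpdate(priv, "cam-x", 4, []byte("firmware v4 (constructed)"))
	fmt.Println("apply v4:", u.Apply(good), "installed:", u.InstalledVer)
	old, _ := BuildUpdate(priv, "cam-x", 2, []byte("firmware v2 (constructed)"))
	fmt.Println("apply v2:", u.Apply(old), "installed:", u.InstalledVer)
}
```

The version check is what turns a signed image into a secure one: without it, an attacker who can serve files to the device could reinstall a properly signed but vulnerable older release, which is exactly the "vulnerabilities discovered after deployment" case the criterion exists for.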
Cybersecurity State Awareness: The IoT product supports detection
of cybersecurity incidents affecting or affected by IoT product
components and the data they store and transmit.
The IoT product captures and records information about the
state of IoT components that can be used to detect cybersecurity
incidents affecting or affected by IoT product components and the data
they store and transmit.
Cybersecurity utility: Protection of data and ensuring proper
functionality can be supported by the ability to alert the customer
when the device starts operating in unexpected ways, which could mean
that unauthorized access is being attempted, malware has been loaded,
botnets have been created, device software errors have happened, or
other types of actions have occurred that were not initiated by the IoT
product user or intended by the developer.
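The Cybersecurity State Awareness criterion asks the product to record state information from which incidents can be detected. As an added example (not code from the notice, NIST, or any product), the following Go program parses a constructed, space-separated event record format, compares it against a baseline the device knows about itself, and raises the kinds of alerts the paragraph above lists: repeated authentication failures from one remote within a sliding window (possible credential guessing), an outbound connection to a host that is not one of the product's known backends (possible malware or botnet traffic), a boot with a firmware digest that differs from the last verified update (unexpected modification), and records that cannot be parsed (a logging failure the customer should also hear about). The record format, thresholds, and hostnames are assumptions for the example.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Event is one state record captured by the device. The line format is an
// assumption for this example: "<unix_ts> <source> <kind> key=value ...".
type Event struct {
	TS     int64
	Source string
	Kind   string
	Attrs  map[string]string
}

func ParseEvent(line string) (Event, error) {
	f := strings.Fields(line)
	if len(f) < 3 {
		return Event{}, fmt.Errorf("short record: %q", line)
	}
	ts, err := strconv.ParseInt(f[0], 10, 64)
	if err != nil {
		return Event{}, fmt.Errorf("bad timestamp: %q", f[0])
	}
	ev := Event{TS: ts, Source: f[1], Kind: f[2], Attrs: map[string]string{}}
	for _, kv := range f[3:] {
		if k, v, ok := strings.Cut(kv, "="); ok {
			ev.Attrs[k] = v
		}
	}
	return ev, nil
}

// Detector holds the baseline the device knows about its own expected state.
type Detector struct {
	KnownBackends    map[string]bool // hosts the product is designed to talk to
	ExpectedFirmware string          // digest recorded at the last verified update
	AuthFailLimit    int             // failures within the window that trigger an alert
	AuthWindowSec    int64
}

// Analyze returns one alert per detected condition, in the order the
// triggering records were seen. Each remote or host alerts at most once.
func (d Detector) Analyze(lines []string) []string {
	var alerts []string
	failures := map[string][]int64{} // remote -> timestamps of recent auth failures
	alerted := map[string]bool{}
	for _, ln := range lines {
		ev, err := ParseEvent(ln)
		if err != nil {
			alerts = append(alerts, "unparseable record: "+err.Error())
			continue
		}
		switch ev.Kind {
		case "auth_fail":
			r := ev.Attrs["remote"]
			ts := append(failures[r], ev.TS)
			for len(ts) > 0 && ev.TS-ts[0] > d.AuthWindowSec { // slide the window
				ts = ts[1:]
			}
			failures[r] = ts
			if len(ts) >= d.AuthFailLimit && !alerted["auth:"+r] {
				alerted["auth:"+r] = true
				alerts = append(alerts, fmt.Sprintf("possible credential guessing from %s: %d failures in %ds", r, len(ts), d.AuthWindowSec))
			}
		case "net_connect":
			h := ev.Attrs["host"]
			if !d.KnownBackends[h] && !alerted["net:"+h] {
				alerted["net:"+h] = true
				alerts = append(alerts, "unexpected outbound connection to "+h+" from "+ev.Source)
			}
		case "boot":
			if fw := ev.Attrs["fw_sha256"]; fw != d.ExpectedFirmware {
				alerts = append(alerts, "firmware digest changed without a verified update: "+fw)
			}
		}
	}
	return alerts
}

func main() {
	// Constructed sample records; the addresses and digests are placeholders.
	lines := []string{
		"1700000000 web auth_fail remote=10.0.0.9",
		"1700000010 web auth_fail remote=10.0.0.9",
		"1700000020 web auth_fail remote=10.0.0.9",
		"1700000030 web auth_fail remote=10.0.0.9",
		"1700000040 web auth_fail remote=10.0.0.9",
		"1700000050 agent net_connect host=api.vendor.example",
		"1700000060 agent net_connect host=198.51.100.7",
		"1700000070 sys boot fw_sha256=PLACEHOLDER-DIGEST-B",
		"garbage",
	}
	d := Detector{KnownBackends: map[string]bool{"api.vendor.example": true},
		ExpectedFirmware: "PLACEHOLDER-DIGEST-A", AuthFailLimit: 5, AuthWindowSec: 60}
	for _, a := range d.Analyze(lines) {
		fmt.Println(a)
	}
}
```

What makes this "state awareness" rather than plain logging is the baseline: the detector can only flag an unexpected host or a changed firmware digest because the product records what its expected state is (known backends, last verified image), which ties this criterion back to Asset Identification and Software Update above.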
Documentation: The IoT product developer creates, gathers, and
stores information relevant to cybersecurity of the IoT product and its
product components prior to customer purchase, and throughout the
development of a product and its subsequent lifecycle.
Throughout the development lifecycle, the IoT product
developer creates or gathers and stores information relevant to the
cybersecurity of the IoT product and its product components, including:
a. Assumptions made during the development process and other
expectations related to the IoT product, including:
i. Expected customers and use cases.
ii. Physical use, including security of the location of the IoT
product and its product components (e.g., a camera for use inside the
home that has an off switch on the device vs. a security camera for use
outside the home that does not have an off switch on the device), and
characteristics.
iii. Network access and requirements (e.g., bandwidth
requirements).
iv. Data created and handled by the IoT product.
v. Any expected data inputs and outputs (including error codes,
frequency, type/form, range of acceptable values, etc.).
vi. The IoT product developer's assumed cybersecurity requirements
for the IoT product.
vii. Any laws and regulations with which the IoT product and
related support activities comply.
viii. Expected lifespan and anticipated cybersecurity costs related
to the IoT product (e.g., price of maintenance), and length and terms
of support.
b. All IoT components, including but not limited to the IoT device,
that are part of the IoT product.
c. How the baseline product criteria are met by the IoT product
across its product components, including which baseline product
criteria are not met by IoT product components and why (e.g., the
capability is not needed based on risk assessment).
d. Product design and support considerations related to the IoT
product, for example:
i. All hardware and software components, from all sources (e.g.,
open source, proprietary third-party, internally developed) used to
create the IoT product (i.e., used to create each product component).
ii. IoT platform used in the development and operation of the IoT
product, its product components, including related documentation.
iii. Protection of software and hardware elements implemented to
create the IoT product and its product components (e.g., secure boot,
hardware root of trust, and secure enclave).
iv. Consideration of the known risks related to the IoT product and
known potential misuses.
v. Secure software development and supply chain practices used.
vi. Accreditation, certification, and/or evaluation results for
cybersecurity-related practices.
vii. The ease of installation and maintenance of the IoT product by
a customer (i.e., the usability of the product).
e. Maintenance requirements for the IoT product, for example:
i. Cybersecurity maintenance expectations and associated
instructions or procedures (e.g., vulnerability/patch management plan).
ii. How the IoT product developer identifies authorized supporting
parties who can perform maintenance activities (e.g., authorized repair
centers).
iii. Cybersecurity considerations of the maintenance process (e.g.,
how customer data unrelated to the maintenance process remains
confidential even from maintainers).
f. The secure system lifecycle policies and processes associated
with the IoT product, including:
i. Steps taken during development to ensure the IoT product and its
product components are free of any known, exploitable vulnerabilities.
ii. The process of working with component suppliers and third-party
vendors to ensure the security of the IoT product and its product
components is maintained for the duration of its supported lifecycle.
iii. Any post end-of-support considerations, such as the discovery
of a vulnerability which would significantly impact the security,
privacy, or safety of customers who continue to use the IoT product and
its product components.
g. The vulnerability management policies and processes associated
with the IoT product, including:
i. Methods of receiving reports of vulnerabilities (see Information
and Query Reception below).
ii. Processes for recording reported vulnerabilities.
iii. Policy for responding to reported vulnerabilities, including
the process of coordinating vulnerability response activities among
component suppliers and third-party vendors.
iv. Policy for disclosing reported vulnerabilities.
v. Processes for receiving notification from component suppliers
and third-party vendors about any change in the status of their
supplied components, such as end of production, end of support,
deprecated status (e.g., the product is no longer recommended for use),
or known insecurities.
Cybersecurity utility: Generating, capturing, and storing important
information about the IoT product and its development (e.g., assessment
of the IoT product and development practices used to create and
maintain it) can help inform the IoT product developer
regarding the product's actual cybersecurity posture.
Information and Query Reception: The ability of the IoT product
developer to receive information relevant to cybersecurity and respond
to queries from the customer and others about information relevant to
cybersecurity.
The IoT product developer can receive information related
to the cybersecurity of the IoT product and its product components and
can respond to queries related to cybersecurity of the IoT product and
its product components from customers and others, including:
a. The ability of the IoT product developer to identify a point of
contact to receive maintenance and vulnerability information (e.g., bug
reporting capabilities and bug bounty programs) from customers and
others in the IoT product ecosystem (e.g., repair technician acting on
behalf of the customer).
b. The ability of the IoT product developer to receive queries from
and respond to customers and others in the IoT product ecosystem about
the cybersecurity of the IoT product and its components.
Cybersecurity utility: As IoT products are used by customers, those
customers may have questions or reports of issues that can help improve
the cybersecurity of the IoT product over time.
Information Dissemination: The IoT product developer broadcasts
(e.g., to the public) and distributes (e.g., to the customer or others
in the IoT product ecosystem) information relevant to cybersecurity.
The IoT product developer can broadcast to many/all
entities via a channel (e.g., a post on a public channel) to alert the
public and customers of the IoT product about cybersecurity relevant
information and events throughout the support lifecycle. At a minimum,
this information shall include:
a. Updated terms of support (e.g., frequency of updates and
mechanism(s) of application) and notice of availability and/or
application of software updates.
b. End of term of support or functionality for the IoT product.
c. Needed maintenance operations.
d. New IoT device vulnerabilities, associated details, and
mitigation actions needed from the customer.
e. Breach discovery related to an IoT product and its product
components used by the customers, associated details, and mitigation
actions needed from the customer (if any).
The IoT product developer can distribute information
relevant to cybersecurity of the IoT product and its product components
to alert appropriate ecosystem entities (e.g., common vulnerability
tracking authorities, accreditors and certifiers, third-party support
and maintenance organizations) about cybersecurity relevant
information, for example:
a. Applicable documentation captured during the design and
development of the IoT product and its product components.
b. Cybersecurity and vulnerability alerts and information about
resolution of any vulnerability.
c. An overview of the information security practices and safeguards
used by the IoT product developer.
d. Accreditation, certification, and/or evaluation results for the
IoT product developer's cybersecurity-related practices.
e. A risk assessment report or summary for the IoT product
developer's business environment risk posture.
Cybersecurity utility: As the IoT product, its components, threats,
and mitigations change, customers will need to be informed about how to
securely use the IoT product.
Product Education and Awareness: The IoT product developer creates
awareness of and educates customers and others in the IoT product
ecosystem about cybersecurity-related information (e.g.,
considerations, features) related to the IoT product and its product
components.
The IoT product developer creates awareness and provides
education targeted at customers about information relevant to
cybersecurity of the IoT product and its product components, including:
a. The presence and use of IoT product cybersecurity capabilities,
including at a minimum:
i. How to change configuration settings and the cybersecurity
implications of changing settings, if any.
ii. How to configure and use access control functionality (e.g.,
set and change passwords).
iii. How software updates are applied and any instructions
necessary for the customer on how to use software update functionality.
iv. How to manage device data including creation, update, and
deletion of data on the IoT product.
b. How to maintain the IoT product and its product components
during its lifetime, including after the period of security support
(e.g., delivery of software updates and patches) from the IoT product
developer.
c. How an IoT product and its product components can be securely
re-provisioned or disposed of.
d. Vulnerability management options (e.g., configuration and patch
management and anti-malware) available for the IoT product or its
product components that could be used by customers.
e. Additional information customers can use to make informed
purchasing decisions about the security of the IoT product (e.g., the
duration and scope of product support via software upgrades and
patches).
Cybersecurity utility: Customers will need to be informed about how
to securely use the device to lead to the best cybersecurity outcomes
for the customers and the consumer IoT product marketplace.
Procedural Matters
Initial Paperwork Reduction Act of 1995 Analysis
This document seeks comment on potential new or revised proposed
information collection requirements. Therefore, the Commission seeks
comment on potential new or revised collections subject to the
Paperwork Reduction Act of 1995. If the Commission adopts any new or
revised final information collection requirements when the final rules
are adopted, the Commission will publish a notice in the Federal
Register inviting further comments from the public on the final
information collection requirements, as required by the Paperwork
Reduction Act of 1995, Public Law 104-13 (44 U.S.C. 3501-3520). The
Commission, as part of its continuing effort to reduce paperwork
burdens, invites the general public to comment on the information
collection requirements contained in this document, as required by the
PRA. Public and agency comments on the PRA proposed information
collection requirements are due October 24, 2023. Comments should
address: (a) whether the proposed collection of information is
necessary for the proper performance of the functions of the
Commission, including whether the information shall have practical
utility; (b) the accuracy of the Commission's burden estimates; (c)
ways to enhance the quality, utility, and clarity of the information
collected; (d) ways to minimize the burden of the collection of
information on the respondents, including the use of automated
collection techniques or other forms of information technology; and (e)
ways to further reduce the information collection burden on small
business concerns with fewer than 25 employees. In addition, pursuant
to the Small Business Paperwork Relief Act of 2002, Public Law 107-198,
see 44 U.S.C. 3506(c)(4), the Commission seeks specific comment on how
it might
``further reduce the information collection burden for small business
concerns with fewer than 25 employees.''
Initial Regulatory Flexibility Analysis
71. As required by the Regulatory Flexibility Act of 1980, as
amended (RFA), the Commission has prepared an Initial Regulatory
Flexibility Analysis (IRFA) of the possible significant economic impact
on a substantial number of small entities by the policies and rules
proposed in the document. The IRFA is set forth in Appendix B of the
document. Written public comments are requested on this IRFA. Comments
must be identified as responses to the IRFA and must be filed by the
deadlines for comments on the document, including this IRFA, to the
Chief Counsel for Advocacy of the Small Business Administration (SBA).
In addition, the document and IRFA (or summaries thereof) will be
published in the Federal Register.
A. Need for, and Objectives of, the Proposed Rules
72. The document proposes a voluntary cybersecurity labeling
program for the Internet of Things (IoT) to improve consumer confidence
and understanding of security for IoT devices and/or products. Such IoT
devices and products are susceptible to a wide range of security
vulnerabilities, which can be exploited by attackers to gain
unauthorized access to an IoT device or IoT product and its data.
Accordingly, providing consumers with a label certifying that an IoT
device and/or product satisfies certain baseline cybersecurity
standards and has specific cybersecurity capabilities allows a consumer
to understand the relative security risk that an IoT device and/or
product may pose when making a purchase. The document seeks comments on
the scope of the proposed cybersecurity labeling program, including
comments on proposed definitions of an IoT device and an IoT product.
It also seeks comments on specific technical criteria for the
cybersecurity labeling program, including whether other criteria in
addition to the IoT Criteria developed by the National Institute of
Standards and Technology (NIST), should be considered, and whether and
how to develop administrable standards. Finally, the document invites
comments on how to administer the cybersecurity labeling program, the
appropriate means to fund the costs of running the program, and what
program auditing, enforcement, disqualification and certification
revocation processes and procedures should be put in place to ensure
that the labeling program is a trusted and valuable resource that
consumers can rely upon to assess the security of the IoT devices and/
or products that exhibit the label.
B. Description and Estimate of the Number of Small Entities to Which
the Proposed Rules Will Apply
73. The RFA directs agencies to provide a description of, and where
feasible, an estimate of the number of small entities that may be
affected by the proposed rules and policies, if adopted. The RFA
generally defines the term ``small entity'' as having the same meaning
as the terms ``small business,'' ``small organization,'' and ``small
governmental jurisdiction.'' In addition, the term ``small business''
has the same meaning as the term ``small business concern'' under the
Small Business Act. A ``small business concern'' is one which: (1) is
independently owned and operated; (2) is not dominant in its field of
operation; and (3) satisfies any additional criteria established by the
SBA.
74. Small Businesses, Small Organizations, and Small Governmental
Jurisdictions. The Commission's actions, over time, may affect small
entities that are not easily categorized at present. The Commission
therefore describes here, at the outset, three broad groups of small
entities that could be directly affected herein. First, while there are
industry specific size standards for small businesses that are used in
the regulatory flexibility analysis, according to data from the Small
Business Administration's (SBA) Office of Advocacy, in general a small
business is an independent business having fewer than 500 employees.
These types of small businesses represent 99.9% of all businesses in
the United States, which translates to 30.7 million businesses.
75. Next, the type of small entity described as a ``small
organization'' is generally ``any not-for-profit enterprise which is
independently owned and operated and is not dominant in its field.''
The Internal Revenue Service (IRS) uses a revenue benchmark of $50,000
or less to delineate its annual electronic filing requirements for
small exempt organizations. Nationwide, for tax year 2020, there were
approximately 447,689 small exempt organizations in the U.S. reporting
revenues of $50,000 or less according to the registration and tax data
for exempt organizations available from the IRS.
76. Finally, the small entity described as a ``small governmental
jurisdiction'' is defined generally as ``governments of cities,
counties, towns, townships, villages, school districts, or special
districts, with a population of less than fifty thousand.'' U.S. Census
Bureau data from the 2017 Census of Governments indicate that there
were 90,075 local governmental jurisdictions consisting of general
purpose governments and special purpose governments in the United
States. Of this number there were 36,931 general purpose governments
(county, municipal and town or township) with populations of less than
50,000 and 12,040 special purpose governments--independent school
districts with enrollment populations of less than 50,000. Accordingly,
based on the 2017 U.S. Census of Governments data, the Commission
estimates that at least 48,971 entities fall into the category of
``small governmental jurisdictions.''
77. Radio Frequency Equipment Manufacturers (RF Manufacturers).
There are several analogous industries with an SBA small business size
standard that are applicable to RF Manufacturers. These industries are
Fixed Microwave Services, Other Communications Equipment Manufacturing,
Radio and Television Broadcasting and Wireless Communications Equipment
Manufacturing. A description of these industries and the SBA small
business size standards are detailed below.
78. Fixed Microwave Services. Fixed microwave services include
common carrier, private-operational fixed, and broadcast auxiliary
radio services. They also include the Upper Microwave Flexible Use
Service (UMFUS), Millimeter Wave Service (70/80/90 GHz), Local
Multipoint Distribution Service (LMDS), the Digital Electronic Message
Service (DEMS), 24 GHz Service, Multiple Address Systems (MAS), and
Multichannel Video Distribution and Data Service (MVDDS), where in some
bands licensees can choose between common carrier and non-common
carrier status. Wireless Telecommunications Carriers (except Satellite)
is the closest industry with an SBA small business size standard
applicable to these services. The SBA small size standard for this
industry classifies a business as small if it has 1,500 or fewer
employees. U.S. Census Bureau data for 2017 show that there were 2,893
firms that operated in this industry for the entire year. Of this
number, 2,837 firms employed fewer than 250 employees. Thus, under the
SBA size standard, the Commission estimates that a majority of fixed
microwave service licensees can be considered small.
79. The Commission's small business size standards with respect to
fixed
microwave services involve eligibility for bidding credits and
installment payments in the auction of licenses for the various
frequency bands included in fixed microwave services. When bidding
credits are adopted for the auction of licenses in fixed microwave
services frequency bands, such credits may be available to several
types of small businesses based on average gross revenues (small, very
small and entrepreneur) pursuant to the competitive bidding rules
adopted in conjunction with the requirements for the auction and/or as
identified in Part 101 of the Commission's rules for the specific fixed
microwave services frequency bands.
80. In frequency bands where licenses were subject to auction, the
Commission notes that as a general matter, the number of winning
bidders that qualify as small businesses at the close of an auction
does not necessarily represent the number of small businesses currently
in service. Further, the Commission does not generally track subsequent
business size unless, in the context of assignments or transfers,
unjust enrichment issues are implicated. Additionally, since the
Commission does not collect data on the number of employees for
licensees providing these services, at this time the Commission is not
able to estimate the number of licensees with active licenses that
would qualify as small under the SBA's small business size standard.
81. Other Communications Equipment Manufacturing. This industry
comprises establishments primarily engaged in manufacturing
communications equipment (except telephone apparatus, and radio and
television broadcast, and wireless communications equipment). Examples
of such manufacturing include fire detection and alarm systems
manufacturing, Intercom systems and equipment manufacturing, and
signals (e.g., highway, pedestrian, railway, traffic) manufacturing.
The SBA small business size standard for this industry classifies firms
having 750 or fewer employees as small. For this industry, U.S. Census
Bureau data for 2017 show that 321 firms operated for the entire year.
Of that number, 310 firms operated with fewer than 250 employees. Based
on this data, the Commission concludes that the majority of Other
Communications Equipment Manufacturers are small.
82. Radio and Television Broadcasting and Wireless Communications
Equipment Manufacturing. This industry comprises establishments
primarily engaged in manufacturing radio and television broadcast and
wireless communications equipment. Examples of products made by these
establishments are: transmitting and receiving antennas, cable
television equipment, GPS equipment, pagers, cellular phones, mobile
communications equipment, and radio and television studio and
broadcasting equipment.
C. Description of Projected Reporting, Recordkeeping, and Other
Compliance Requirements for Small Entities
83. The voluntary cybersecurity labeling program for IoT devices
and/or products to provide consumers with accessible information on the
relative security of these IoT devices and/or products that the
Commission proposes in the document may impose new reporting,
recordkeeping, notice or other compliance requirements on small
entities that choose to participate in the program. The requirements
may include application or other conformance reporting, licensing,
certification and/or other reporting obligations.
84. The proposals in the document build upon other actions the
Commission has taken to protect and secure public safety. Accordingly,
the proposals being made in this document may require additional
analysis and mitigation activities by small and other IoT manufacturers
in order to satisfy certain technical criteria or standards for the
ability to display an IoT cybersecurity label. At this time, the
Commission is not in a position to determine whether the requirements
that may be adopted for participants in the proposed cybersecurity
labeling program will require small entities to hire professionals in
order to comply and cannot quantify the cost of compliance with the
potential requirements and obligations that may result in this
proceeding. Among other things considered, the Commission inquires
about the options for it to address the costs of running and
administering the labeling program including whether there may be
application fees charged by third parties administering the program and
whether there is oversight the Commission should exercise over such
charges. The Commission seeks comment on these issues and anticipates
that the information it receives in comments will address these matters
and any broader cost issues for small entities that may choose to
participate in the proposed labeling program.
85. In light of the importance of mark integrity and the need to
build consumer confidence and trust in the security of IoT devices and
products that will display the Commission's IoT label, regardless of
the size of the entity seeking to participate in the proposed
cybersecurity labeling program, adherence by all participants to the
same Commission rules is necessary. However, the Commission expects
that the comments it receives will help it identify and evaluate
relevant matters for small entities before adopting final rules for the
labeling program, including any compliance costs and burdens that may
result from the proposals and other matters discussed in the document.
D. Steps Taken To Minimize the Significant Economic Impact on Small
Entities, and Significant Alternatives Considered
86. The RFA requires an agency to describe any significant,
specifically small business, alternatives that it has considered in
reaching its proposed approach, which may include the following four
alternatives (among others): ``(1) the establishment of differing
compliance or reporting requirements or timetables that take into
account the resources available to small entities; (2) the
clarification, consolidation, or simplification of compliance or
reporting requirements under the rule for such small entities; (3) the
use of performance rather than design standards; and (4) an exemption
from coverage of the rule, or any part thereof, for such small
entities.''
87. The Commission's development of a voluntary cybersecurity
labeling program for the IoT products and devices builds on the work of
the National Institute of Standards and Technology (NIST) which
produced labeling criteria for cybersecurity capabilities of IoT
consumer devices. Using the work of NIST as a foundation has the
potential to minimize the
economic impact on small entities for several reasons. First, NIST took
into account existing consumer product labeling programs and
information provided by diverse stakeholders. Next, two of the key
elements NIST identified for labeling were encouraging innovation, and
being practical and not burdensome. Further, the Commission believes
building on the approach NIST developed for IoT cybersecurity labeling
will provide a level of consistency with the requirements it
establishes for the entities subject to Commission regulation that
choose to participate in the Commission's cybersecurity IoT labeling
program.
88. In the document, the Commission considers and seeks comment on
various compliance requirements that it could consider in advancing a
voluntary cybersecurity labeling program. More specifically, the
Commission considered the NIST definition for IoT devices which defines
IoT devices as devices that have at least one transducer (sensor or
actuator) for interacting directly with the physical world and at least
one network interface (e.g., Ethernet, Wi-Fi, Bluetooth) for
interfacing with the digital world, and determined that it should
propose an alternative definition. The Commission's proposed definition
modifies the NIST definition to add ``internet-connected'' because a
key element of the IoT is the usage of standard internet protocols for
functionality, which exposes IoT devices to the security threats and
challenges related to being connected to the internet. The Commission's
proposed definition also includes the requirement that devices must be
capable of intentionally emitting radio frequency energy because the
relevant scope of the Commission's statutory authorities focuses on
devices that intentionally emit radio frequency energy.
89. Although the Commission includes in its definition devices that
intentionally emit radio frequency energy, it considered whether there
are unintentional radiators or incidental radiators that should be
included in the program, and if so whether the Commission should revise
the definition to omit the word ``intentional.'' Alternatively, the
Commission inquires if it should consider adding unintentional or
incidental radiating devices to the program at a later date. In
addition, while the Commission refers to devices and products in the
document, it inquires whether it should expand the proposed scope of
the cybersecurity labeling program and definition of devices beyond IoT
devices to apply to IoT products. Under this expanded alternative the
Commission could define an IoT product as an IoT device and any
additional product components (e.g., backend, gateway, mobile App) that
are necessary to use the IoT device. A further alternative the
Commission considered is whether to limit the IoT labeling program to
consumer IoT devices or products intended for personal use, or to
include ``enterprise'' devices or products intended for industrial or
business uses and any additional considerations that would need to be
accounted for with such devices or products. The Commission seeks
comment on these inquiries and alternatives in the document, in
addition to comments on the proposed definition.
90. Regarding the content and updating of the IoT label on the
physical device, product, or packaging, the Commission believes the
simple approach proposed in the document will result in cost savings
which could minimize the impact of these requirements for small
entities. The Commission's proposal is to have the physical device,
product, or packaging simply indicate that the manufacturer
participates in the FCC's labeling program by having the FCC mark along
with the related QR Code and/or the URL to the IoT registry. The
detailed information on the IoT device or product will be made
available on the device or product's web page within the IoT registry
using a QR Code and/or a URL. When the device or product's web page
within the IoT registry is updated to indicate, for example, that the
device or product's authorization is outdated and/or that the device or
product is no longer maintained or updated, that information can be
accessed on the device or product's web page within the IoT registry
using the QR Code and/or the URL provided next to the FCC mark. Updating
requirements for the device or product's web page within the IoT
registry could alleviate the need for the Commission to adopt
additional notification requirements which would increase costs for
small entities.
91. The Commission also considered and seeks comment on
alternatives on how to address the end-of-life issues for devices
previously receiving authorization under the program. For example, the
Commission considered whether the label should include the specific
date, or the year the authorization was awarded, or an expiration date.
Further, the Commission considered whether it would be sufficient to
provide consumers with additional information via the QR Code regarding
the current security status of a device, and whether the QR Code-linked
website should indicate when the label was issued by the Commission,
and when the information on the web page was last updated.
92. In the area of accessibility, to ensure that any IoT
cybersecurity label information the Commission adopts is accessible to
persons with disabilities, the Commission considered an alternative
that would alleviate the need for the Commission to establish and
impose new accessibility requirements on small entities and other
participants in the labeling program. Consistent with its approach with
broadband consumer labels in 2022, in the document the Commission
considered and seeks comment on relying on the existing legal
requirements in the Americans with Disabilities Act (ADA) and following
the guidance developed by the Web Accessibility Initiative, which the
Consumer Advisory Committee (CAC) determined is the best method to
ensure that printed and online information made available by providers
is accessible.
93. Further, rather than proposing rules at this juncture, in the
document the Commission seeks comment on costs associated with the
proposed cybersecurity IoT labeling program, and on investigation,
disqualification and enforcement processes to maintain the integrity of
the devices or products that will be labeled under the program. The
Commission's actions on all of these matters have the potential to
minimize the impact on small entities of whatever cybersecurity IoT
labeling program the Commission adopts.
94. Regarding investigation, disqualification and enforcement, as
discussed in the document, the Commission considered and seeks comment
on whether to have random audits of IoT devices or products to confirm
continued compliance; whether the Commission should adopt
disqualification procedures similar to those adopted for the ENERGY
STAR program by the Environmental Protection Agency (EPA); what
additional non-compliance or disqualification measures would be
appropriate in addition to authorization revocation, and whether there
should be an appeal process available to applicants that are denied
authority to use the IoT label. Additionally, the Commission seeks
comment on what recordkeeping and audit requirements could be adopted
for purposes of compliance review.
95. The Commission expects to more fully consider the economic
impact and alternatives for small entities following
[[Page 58229]]
the review of comments filed in response to the document. Having input
from interested parties will allow the Commission to better evaluate
options and alternatives to minimize any significant economic impact on
small entities that may result from the proposed cybersecurity IoT
labeling program and the inquiries and alternatives discussed in the
document. The Commission's evaluation of this information will shape
the final alternatives it considers to minimize any significant
economic impact that may occur on small entities, the final conclusions
it reaches and any final rules it promulgates in this proceeding.
E. Legal Basis
96. The proposed action is taken under authority found in sections
1, 2, 4(i), 4(n), 301, 302, 303(b), 312, 333, and 503 of the
Communications Act of 1934, as amended, 47 U.S.C. 151, 152, 154(i),
154(n), 301, 302a, 303(b), 312, 333, 503; and the IoT Cybersecurity
Improvement Act of 2020, 15 U.S.C. 278g-3a to 278g-3e.
F. Federal Rules That May Duplicate, Overlap, or Conflict With the
Proposed Rules
97. None.
Federal Communications Commission.
Katura Jackson,
Federal Register Liaison Officer.
[FR Doc. 2023-18357 Filed 8-24-23; 8:45 am]
BILLING CODE 6712-01-P