[Federal Register Volume 89, Number 58 (Monday, March 25, 2024)]
[Proposed Rules]
[Pages 20603-20605]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2024-06249]
-----------------------------------------------------------------------
FEDERAL COMMUNICATIONS COMMISSION
47 CFR Part 8
[PS Docket Nos. 23-239; FR ID 210016]
Cybersecurity Labeling for Internet of Things
AGENCY: Federal Communications Commission.
ACTION: Proposed rule.
-----------------------------------------------------------------------
SUMMARY: In this document, the Federal Communications Commission (FCC
or Commission) adopts a voluntary cybersecurity labeling program for
wireless consumer Internet of Things, or IoT, products. The final rule
also requires applicant manufacturers to make certain disclosures
related to their product(s) for authorization to use the FCC IoT Label.
This is a summary of the Further Notice of Proposed Rulemaking (Further
Notice), in which the Commission proposes rules on additional national
security declarations for the IoT labeling program. These requirements
would further help consumers make safer purchasing decisions, raise
consumer confidence regarding the cybersecurity of the IoT products
they buy, and encourage manufacturers to develop IoT products with
security-by-design principles in mind.
DATES: Comments are due on or before April 24, 2024 and reply comments
are due on or before May 24, 2024. Written comments on the Paperwork
Reduction Act proposed information collection requirements must be
submitted by the public, Office of Management and Budget (OMB), and
other interested parties on or before May 24, 2024.
ADDRESSES: You may submit comments, identified by PS Docket No. 23-239,
by any of the following methods:
Federal Communications Commission's Website: https://www.apps.fcc.gov/ecfs/. Follow the instructions for submitting
comments.
Mail: Parties who choose to file by paper must file an
original and one copy of each filing. If more than one docket or
rulemaking number appears in the caption of this proceeding, filers
must submit two additional copies for each additional docket or
rulemaking number. Filings can be sent by commercial overnight courier,
or by first-class or overnight U.S. Postal Service mail. All filings
must be addressed to the Commission's Secretary, Office of the
Secretary, Federal Communications Commission. Commercial overnight mail
(other than U.S. Postal Service Express Mail and Priority Mail) must be
sent to 9050 Junction Drive, Annapolis Junction, MD 20701. U.S. Postal
Service first-class, Express, and Priority mail must be addressed to 45
L Street NE, Washington, DC 20554. Effective March 19, 2020, and until
further notice, the Commission no longer accepts any hand or messenger
delivered filings. This is a temporary measure taken to help protect
the health and safety of individuals, and to mitigate the transmission
of COVID-19. See FCC Announces Closure of FCC Headquarters Open Window
and Change in Hand-Delivery Policy, Public Notice, DA 20-304 (March 19,
2020). https://www.fcc.gov/document/fcc-closes-headquarters-open-window-and-changes-hand-delivery-policy.
People with Disabilities. To request materials in
accessible formats for people with disabilities (braille, large print,
electronic files, audio format), send an email to [email protected] or
call the Consumer & Governmental Affairs Bureau at 202-418-0530
(voice), 202-418-0432 (TTY).
FOR FURTHER INFORMATION CONTACT: For further information regarding
these proposed rules, please contact Zoe Li, Attorney Advisor,
Cybersecurity and Communications Reliability Division, Public Safety
and Homeland Security Bureau, (202) 418-2490, or by email to
[email protected].
For additional information concerning the Paperwork Reduction Act
information collection requirements contained in this document, send an
email to [email protected] or contact Nicole Ongele, Office of Managing
Director, Performance Evaluation and Records Management, 202-418-2991,
or by email to [email protected].
SUPPLEMENTARY INFORMATION: This is a summary of the Commission's
Further Notice of Proposed Rulemaking (FNPRM), FCC 24-26, adopted March
14, 2024, and released March 15, 2024. The full text of this document
is available by downloading the text from the Commission's website at:
https://docs.fcc.gov/public/attachments/FCC-24-26A1.pdf.
Synopsis
Further Notice of Proposed Rulemaking
1. In this FNPRM, we seek comment on additional declarations
intended to provide consumers with assurances that the products bearing
the FCC IoT Label do not contain hidden vulnerabilities from high-risk
countries, that the data collected by the products does not sit within
or transit high-risk countries, and that the products cannot be
remotely controlled by servers located within high-risk countries.
Specifically, we seek comment on whether we should require
manufacturers to disclose to the Commission whether firmware and/or
software were developed and manufactured in a ``high-risk country,'' as
well as where firmware and software updates will be developed and
deployed from. We also seek comment on whether to require manufacturers
to disclose to consumers in the registry whether firmware and/or
software were developed and manufactured in a ``high-risk country,'' as
well as where firmware and software updates will be developed and
deployed from. We propose to include as high-risk countries those
foreign adversary countries defined by the Department of Commerce in 15
CFR 7.4. Are there other sources that the Commission should consider
for identifying high-risk countries? Specifically, we seek comment on
whether to require the applicant seeking to use the FCC IoT Label to
make one of the following declarations under penalty of perjury to
accompany its application to use the label:
a. No software or software update or part of any software or
software update that runs on or controls the product was or will be
developed or deployed from within a country on the Secretary of
Commerce's list of high-risk countries, except that this commitment
does not apply to the origin of open-source contributions not paid for
directly or indirectly by us or our direct or indirect partners in
offering this product; or
b. This device runs, or due to future software updates might run,
software developed within the Secretary of Commerce's list of high-risk
country or countries. Applicant is not aware of any backdoors or other
sabotage, or any reason to believe that there is a particular
heightened risk for such backdoors or sabotage relative other software
developed within such a country, but we inform purchasers and users
that the Department of Commerce has designated high-risk country or
countries as jurisdictions whose conduct is significantly adverse to
the national security of the United States or
[[Page 20604]]
security and safety of United States persons.
2. We also seek comment on requiring manufacturers to disclose to
the Commission whether the data collected by the product is stored in
or transits a high-risk country or countries. We also seek comment on
whether to require manufacturers to disclose to consumers in the
registry whether the data collected by the product is stored in or
transits a country or countries that are known to pose a national
security risk to the United States. Does the manufacturer have
sufficient knowledge of the data collected by the device to know where
the servers hosting the collected data are located or where the servers
remotely controlling the device will be located? Is it possible for the
location of stored data to be changed without the manufacturer's
knowledge? Are there other factors that would impact the manufacturer's
ability to make these declarations. Specifically, we seek comment on
requiring the applicant seeking to use the FCC IoT Label to make one of
the following declarations under penalty of perjury to accompany its
application to use the label:
a. No customer data collected by this product will be sent to
servers located on the Department of Commerce's list of high-risk
countries, defined at 15 CFR 7.4 or any successor regulation. No
servers that remotely control the device will be located in such a
country; or
b. Customer data collected by this product will be sent to servers
located in a high-risk country or countries. We inform purchasers and
users that the Secretary of Commerce has designated high-risk country
or countries as jurisdictions whose conduct is significantly adverse to
the national security of the United States or security and safety of
United States persons.
3. If a manufacturer must disclose one of these exposures or
potential exposures to a high-risk country, should it have to disclose
additional information as well? Should it have to disclose the identity
of the high-risk country or countries? Should it have to disclose the
specific hardware or software components or server activities that did,
will, or could originate from or take place in those countries? How
could such disclosures help purchasers make informed decisions about
product acquisitions? And what burdens would such additional
disclosures place on manufacturers? Should we require manufacturers to
include this information in the registry to inform consumers of these
issues?
4. Alternatively, should the fact that software or firmware
originates from such countries, that data will be stored in such
countries, or that products can be remotely controlled by servers
within such countries, make products ineligible for the label
altogether? Are there certain product components, such as cellular
interface modules, that pose elevated risks for which such a
prohibition might specifically be warranted?
5. With respect to these declarations proposed to require the
manufacturer to inform the Commission, would such information provide
meaning to consumers? Should we require manufacturers to include this
information in the registry to inform consumers of these issues? How
would manufacturers inform users who are not purchasers? In addition,
we seek comment on the possible costs and benefits of requiring any
additional language in the relevant product's registry page. Should
they encompass some or all of the same representations made in an
application for authorization to use the FCC label, or should they be
different or additional? Can such representations be made not just for
the benefit of the purchaser or user, but also extend to any third
parties who may be impacted by a security vulnerability in a labeled
product attributable to a failure of the manufacturer, and what would
the practical or legal implications of that be? How might this
influence manufacturer participation in the program? Could the federal
Magnuson-Moss Act be an additional legal overlay here, as well? How
should those state and federal laws inform whether and how the
Commission requires manufacturer or seller representations in the
product's registry page?
Procedural Matters
6. Paperwork Reduction Act. This document contains proposed new or
modified information collection requirements. The Commission, as part
of its continuing effort to reduce paperwork burdens, invites the
general public and the Office of Management and Budget (OMB) to comment
on the information collection requirements contained in this document,
as required by the Paperwork Reduction Act of 1995, Public Law 104-13.
In addition, pursuant to the Small Business Paperwork Relief Act of
2002, Public Law 107-198, see 44 U.S.C. 3506(c)(4), we seek specific
comment on how we might further reduce the information collection
burden for small business concerns with fewer than 25 employees. The
Bureau does not believe that the new or modified information collection
requirements we adopt here will be unduly burdensome on small
businesses.
7. In this present document, we have assessed the effects of the
operational framework for a voluntary IoT cybersecurity labeling
program. Since the IoT Labeling Program is voluntary, small entities
who do not participate in the IoT Labeling Program will not be subject
to any new or modified reporting, recordkeeping, or other compliance
obligations. Small entities that choose to participate in the IoT
Labeling Program by seeking authority to affix the Cyber Trust Mark on
their products will incur recordkeeping and reporting as well as other
obligations that are necessary to test their IoT products to
demonstrate compliance with the requirements we adopt today. We find
that, for the Cyber Trust Mark to have meaning for consumers, the
requirements for an IoT product to receive the Cyber Trust Mark must be
uniform for both small businesses and other entities. Thus, the
Commission continues to maintain the view we expressed in the IoT
Labeling NPRM, that the significance of mark integrity, and building
confidence among consumers that devices and products containing the
Cyber Trust Mark label can be trusted to be cyber secure, necessitates
adherence by all entities participating in the IoT Labeling Program to
the same rules regardless of size.
8. Regulatory Flexibility Act. The Regulatory Flexibility Act of
1980, as amended (RFA), requires that an agency prepare a regulatory
flexibility analysis for notice and comment rulemakings, unless the
agency certifies that ``the rule will not, if promulgated, have a
significant economic impact on a substantial number of small
entities.'' Accordingly, we have prepared a Final Regulatory
Flexibility Analysis (FRFA) concerning the possible impact of the rule
changes contained in this Report and Order on small entities. The FRFA
is set forth in Appendix B of the FCC's Report and Order and Further
Notice of Proposed Rulemaking, FCC 24-26, adopted March 14, 2024, at
this link: https://docs.fcc.gov/public/attachments/FCC-24-26A1.pdf.
9. We have also prepared an Initial Regulatory Flexibility Analysis
(IRFA) concerning the potential impact of rule and policy change
proposals on small entities in the FNPRM. The IRFA is set forth in
Appendix C of the FCC's Report and Order and Further Notice of Proposed
Rulemaking, FCC 24-26, adopted March 14, 2024, at this link: https://docs.fcc.gov/public/attachments/FCC-24-26A1.pdf. The Commission invites
the general public,
[[Page 20605]]
in particular small businesses, to comment on the IRFA. Comments must
be filed by the deadlines for comments on the FNPRM indicated on the
first page of this document and must have a separate and distinct
heading designating them as responses to the IRFA.
10. OPEN Government Data Act. The OPEN Government Data Act requires
agencies to make ``public data assets'' available under an open license
and as ``open Government data assets,'' i.e., in machine-readable, open
format, unencumbered by use restrictions other than intellectual
property rights, and based on an open standard that is maintained by a
standards organization. This requirement is to be implemented ``in
accordance with guidance by the Director'' of the OMB. The term
``public data asset'' means ``a data asset, or part thereof, maintained
by the Federal Government that has been, or may be, released to the
public, including any data asset, or part thereof, subject to
disclosure under the Freedom of Information Act (FOIA).'' A ``data
asset'' is ``a collection of data elements or data sets that may be
grouped together,'' and ``data'' is ``recorded information, regardless
of form or the media on which the data is recorded.'' We delegate
authority, including the authority to adopt rules, to the Bureau, in
consultation with the agency's Chief Data Officer and after seeking
public comment to the extent it deems appropriate, to determine whether
to make publicly available any data assets maintained or created by the
Commission within the meaning of the OPEN Government Act pursuant to
the rules adopted herein, and if so, to determine when and to what
extent such information should be made publicly available. Such data
assets may include assets maintained by a CLA or other third-party, to
the extent the Commission's control or direction over those assets may
bring them within the scope of the OPEN Government Act, as interpreted
in the light of guidance to be issued by OMB.\1\ In doing so, the
Bureau shall take into account the extent to which such data assets are
subject to disclosure under the FOIA.
---------------------------------------------------------------------------
\1\ OMB has not yet issued final guidance.
---------------------------------------------------------------------------
11. Ex Parte Rules--Permit-But-Disclose. The proceeding this
Further Notice of Proposed Rulemaking initiates shall be treated as a
``permit-but-disclose'' proceeding in accordance with the Commission's
ex parte rules. Persons making ex parte presentations must file a copy
of any written presentation or a memorandum summarizing any oral
presentation within two business days after the presentation (unless a
different deadline applicable to the Sunshine period applies). Persons
making oral ex parte presentations are reminded that memoranda
summarizing the presentation must (1) list all persons attending or
otherwise participating in the meeting at which the ex parte
presentation was made, and (2) summarize all data presented and
arguments made during the presentation. If the presentation consisted
in whole or in part of the presentation of data or arguments already
reflected in the presenter's written comments, memoranda or other
filings in the proceeding, the presenter may provide citations to such
data or arguments in his or her prior comments, memoranda, or other
filings (specifying the relevant page and/or paragraph numbers where
such data or arguments can be found) in lieu of summarizing them in the
memorandum. Documents shown or given to Commission staff during ex
parte meetings are deemed to be written ex parte presentations and must
be filed consistent with section 1.1206(b) of the Commission's rules.
In proceedings governed by Sec. 1.49(f) of the Commission's rules or
for which the Commission has made available a method of electronic
filing, written ex parte presentations and memoranda summarizing oral
ex parte presentations, and all attachments thereto, must be filed
through the electronic comment filing system available for that
proceeding, and must be filed in their native format (e.g., .doc, .xml,
.ppt, searchable .pdf). Participants in this proceeding should
familiarize themselves with the Commission's ex parte rules.
12. Comment Filing Procedures. Pursuant to Sec. Sec. 1.415 and
1.419 of the Commission's rules, 47 CFR 1.415, 1.419, interested
parties may file comments and reply comments on or before the dates
indicated on the first page of this document. Comments may be filed
using the Commission's Electronic Comment Filing System (ECFS). See
Electronic Filing of Documents in Rulemaking Proceedings, 63 FR 24121
(1998).
13. Providing Accountability Through Transparency Act. Consistent
with the Providing Accountability Through Transparency Act, Public Law
118-9, a summary of this document will be available on https://www.fcc.gov/proposed-rulemakings.
Legal Basis
14. The proposed action is authorized pursuant to sections 1, 2,
4(i), 4(n), 302, 303(r), 312, 333, and 503, of the Communications Act
of 1934, as amended, 47 U.S.C. 151, 152, 154(i), 154(n), 302a, 303(r),
312, 333, 503; and the IoT Cybersecurity Improvement Act of 2020, 15
U.S.C. 278g-3a through 278g-3e.
Initial Regulatory Flexibility Analysis
15. An Initial Regulatory Flexibility Act (IRFA) Analysis for the
rules proposed in the FNPRM was prepared and can be found as Exhibit B
of the FCC's Second Report and Order and Further Notice of Proposed
Rulemaking, FCC 24-5, adopted January 26, 2024, at this link: https://docs.fcc.gov/public/attachments/FCC-24-26A1.pdf.
Federal Communications Commission.
Katura Jackson,
Federal Register Liaison Officer.
[FR Doc. 2024-06249 Filed 3-22-24; 8:45 am]
BILLING CODE 6712-01-P