The Federal Communications Commission has created a voluntary cybersecurity labeling program, also known as the “U.S. Cyber Trust Mark program,” for wireless consumer Internet of Things (IoT) products. The FCC is seeking public comment on whether additional disclosure requirements are necessary, especially if the software or firmware for a product is developed or deployed by a company located in a high-risk country.
Through the U.S. Cyber Trust Mark program, the FCC seeks to encourage more robust cybersecurity participation by companies and provide consumers the opportunity to track company compliance with cybersecurity standards while offering assurance that the highest cybersecurity standards are being met.
Eligible Products
The U.S. Cyber Trust Mark program will be available to both “IoT devices” and “IoT products.” For purposes of the program:
- An “IoT device” is an internet-connected device that can wirelessly interact directly with the physical world, coupled with at least one network interface (for example, Wi-Fi or Bluetooth) for interacting with the digital world.
- An “IoT product” is defined as an “IoT device and any additional product components (e.g., backend, gateway, mobile app) that are necessary to use the IoT device beyond basic operational features, including data communications links to components outside this scope but excluding those external components and any external third-party components that are outside the manufacturer’s control.”
The U.S. Cyber Trust Mark program will initially apply only to consumer IoT products, such as home security cameras, smart thermostats, fitness trackers, and baby monitors. However, the FCC implied in its Order that mobile phones and general-purpose computing equipment, including routers, are excluded from the definition of IoT products covered under the program. The FCC also noted that the program may be extended in the future to include industrial or enterprise IoT products.
Medical devices, motor vehicles, and motor vehicle equipment that are regulated by other federal agencies are excluded from the FCC’s program. The FCC also excluded (i) any communications equipment on the “Covered List” maintained by the FCC pursuant to the Secure and Trusted Networks Act; (ii) any IoT device produced by an entity identified on the Covered List as producing “covered” equipment; and (iii) devices or products from a company on other lists maintained by other federal agencies pursuant to a national security review.
Application and Accreditation
The FCC will rely on public-private collaboration to roll out the labeling program. The FCC will provide administrative oversight, and approved third-party label administrators will manage product evaluations, authorize use of the label, and educate consumers.
To apply for the U.S. Cyber Trust Mark, applicants will first undergo testing of their products by an accredited lab. The FCC will rely on the criteria recommended by the National Institute of Standards and Technology (NIST) when testing product-focused cybersecurity capabilities. U.S. Cyber Trust Mark applicants must declare under penalty of perjury that they are eligible to receive a cyber trust mark and that they are otherwise in compliance with the program rules.
Once approved, companies can include the U.S. Cyber Trust Mark logo on their products, along with a QR code consumers can scan for further details about the security of the product. The FCC will issue a Public Notice announcing the start date of the program once the administrative and logistical steps necessary to implement it have been completed.