Background
IoT devices like smart speakers, fitness trackers, and connected appliances support us in many aspects of our daily lives, and the presence of these products is only expected to increase. However, there is also the risk that using these devices raises the potential for cybersecurity incidents and breaches that can disrupt services or even compromise personal data.
In an acknowledgment of the growing importance of IoT products in the modern world and the need to counter these risks, the FCC voted on March 14, 2024 to approve an R&O jumpstarting its voluntary Cybersecurity Labeling Program for wireless consumer IoT products. The FCC acknowledges that connected devices can benefit consumers in many aspects of their daily lives, such as personal convenience, health, recreation, and home safety. But IoT products are not immune from cybersecurity attacks, and the FCC is concerned about bad actors exploiting vulnerabilities in such devices, posing risks to both personal privacy and national security. By participating in the program and meeting its requirements, a company will be given authority to use the FCC IoT Label bearing the Cyber Trust Mark, which should provide additional reassurance to consumers that their product is secure.
The FCC also issued an FNPRM seeking further public comment on whether to require additional declarations under penalty of perjury to receive the FCC IoT Label. These declarations would confirm that the devices do not contain hidden vulnerabilities from high-risk countries, that the data collected by the products does not sit within or transit high-risk countries, and that the products cannot be remotely controlled by servers located within high-risk countries. Comments on the FNPRM will be due 30 days after publication in the Federal Register and reply comments due 60 days after publication.
Scope of Devices and Products
The new program applies to wireless consumer IoT products. The FCC defines these as: “IoT device[s] and any additional product components (e.g., backend, gateway, mobile app) that are necessary to use the IoT device beyond basic operational features.” “IoT device” is defined as “(1) an Internet-connected device capable of intentionally emitting radiofrequency energy that has at least one transducer (sensor or actuator) for interacting directly with the physical world, coupled with (2) at least one network interface (e.g., Wi-Fi, Bluetooth) for interfacing with the digital world.” Examples of IoT products and devices intended for consumer use include smart thermostats, lights, locks, cameras, and watches and fitness trackers.
The FCC expects the manufacturer seeking authority to affix the FCC IoT Label to secure the whole IoT product, including the product’s internal and external communication links. Manufacturers will not be responsible for third-party products or devices that are outside of their control. However, if a manufacturer allows third-party apps to connect to and control their IoT product, the manufacturer is responsible for the security of that connection link and the app, if such app resides on the IoT product.
Certain categories of devices are excluded from the program, including:
-
wired IoT devices;
-
communications equipment that has been found to pose an unacceptable risk to the national security of the U.S. (e.g., products produced by entities on the FCC’s “Covered List,” the Department of Commerce’s Entity List, and the Department of Defense’s List of Chinese Military Companies);
-
medical devices already regulated by the U.S. Food and Drug Administration (FDA); and
-
motor vehicles and motor vehicle equipment.
Despite the medical device exemption, industry participants will still want to carefully evaluate how the FCC’s regime intersects with existing regulatory requirements. The FCC excludes medical devices from the program due to a concern that inclusion could cause consumer confusion and potential conflicts in complying with the Cyber Trust Mark requirements and existing cybersecurity requirements under other federal laws (e.g., the Federal Food, Drug, and Cosmetic Act). But challenges navigating competing regimes may remain given the complexity of FDA’s regulation of internet-connected products based on their intended use. For example, manufacturers will need to consider how to navigate compliance for a product that can be marketed either as an FDA-regulated medical device or as an unregulated wellness product (such as a pulse oximeter for clinical care versus for exercise). There are also categories of products that are marketed under enforcement discretion granted by FDA and as such could be regulated by FDA, but are not, and therefore do not meet FDA standards. It is unclear whether the FCC regime may influence how companies that offer these types of products will navigate the labeling program going forward.
Resolving a topic of hot debate, the FCC opts to make the program voluntary in hopes that it results in strong stakeholder engagement and collaboration and eventually leads to widespread adoption. Commissioners Gomez, Starks, and Simington even stressed during the March 14th meeting the importance of the program being voluntary. The FCC chooses not to take a position on whether it has the authority to make this program mandatory. However, the nature of the program is always subject to change, and, even if it remains voluntary, parties may see a Cyber Trust Mark requirement become part of future agreements in the private sector or when contracting with the government.
The FCC recognizes that several other countries have already established IoT cyber labeling requirements and that global efforts on IoT security are progressing, including the European Union Agency for Cybersecurity’s development of a cybersecurity certification framework. The FCC aims to gain international recognition of its IoT label and mutual recognition of international labels, where appropriate.
IoT Labeling Program’s Administrative Structure
The Commission will act as “program owner,” responsible for the overall management and oversight of the program. Day to day, the program will be supported by Cybersecurity Label Administrators (CLAs), who will manage certain aspects of the program and authorize use of the FCC IoT Label, and a Lead Administrator selected by the FCC Public Safety and Homeland Security Bureau (PSHSB) from among the CLAs. The Lead Administrator’s duties will include, among potentially others: (i) being a point of contact between the CLAs and the FCC; (ii) working with stakeholders to identify or develop and recommend for FCC approval the IoT specific standards and testing procedures, procedures for post-market surveillance, and design and placement of the label; and (iii) working with stakeholders to develop a consumer education plan, submitting that plan to the PSHSB, and engaging in consumer education.
The FCC IoT Label & How to Obtain Authority to Use It
The FCC IoT Label will include the Commission’s Cyber Trust Mark, which indicates that the product or device has met the FCC’s baseline consumer IoT cybersecurity standards, and a scannable code (e.g., QR code) directing the consumer to a product registry containing more detailed information about that IoT product. Specifically, the registry will include consumer-friendly information about a product’s security, which the Commission hopes will allow customers to better understand the cybersecurity capabilities of their IoT devices.
The criteria for obtaining the label are drawn from NIST’s recommended IoT criteria (NIST Core Baseline) described in NISTIR 8425. The NIST criteria include IoT product capabilities related to the following topics: (1) asset identification; (2) product configuration; (3) data protection; (4) interface access control; (5) software update; and (6) cybersecurity state awareness. NIST’s criteria also includes the following IoT Product Developer Activities: (7) documentation; (8) information and query reception; (9) information dissemination; and (10) product education and awareness.
Manufacturers will be able to undergo a two-step process to seek authority to use the label. The first step includes product testing by an accredited and Lead Administrator-recognized lab, called Cybersecurity Testing Laboratories (CyberLABs), to confirm whether the IoT product complies with FCC rules and generate a report.
The second step involves submitting an application to a CLA to certify the product as fully compliant with all relevant FCC IoT Labeling Program rules. After receiving authority to use the FCC IoT Label, manufacturers will have to submit requests to renew that authority. The R&O indicates that the Lead Administrator, after collaborating with stakeholders, will recommend to the PSHSB how often a given class of IoT products must renew their request for authority to bear the FCC IoT Label. The renewal intervals may vary by product class, accounting for each class’s lifespan and risk level.
Enforcement
The FCC will rely on administrative remedies and civil litigation to address non-compliance with the labelling rules. A principal enforcement mechanism will be post-market surveillance of products receiving the label, conducted by CLAs. The FCC will give parties found to be noncompliant a 20-day cure period to correct the deficiencies before moving to termination of the grantee’s approval to display the label. Entities who improperly or fraudulently use the IoT Label will be prosecuted through “all available means,” including FCC enforcement actions, claims of deceptive practices prosecuted by the Federal Trade Commission, and legal claims for trademark infringement or breach of contract.
Further Notice of Proposed Rulemaking
Along with the R&O, the FCC released an FNPRM seeking comment on declarations intended to assure customers that products with the FCC IoT Label do not contain hidden vulnerabilities from high-risk countries, the data being collected by such products does not sit within or transit high-risk countries, and the products cannot be remotely controlled by servers located within high-risk countries. In this context, the FCC proposes to include as “high-risk countries” those defined by the Department of Commerce in 15 CFR § 7.4, which currently lists (1) The People's Republic of China, including the Hong Kong Special Administrative Region; (2) Republic of Cuba; (3) Islamic Republic of Iran; (4) Democratic People's Republic of Korea (North Korea); (5) Russian Federation; and (6) the regime of Venezuelan politician Nicolás Maduro.
The FCC asks, if a manufacturer does disclose a tie to a high-risk country, should it have to disclose additional information such as the identity of the country, and the specific software or hardware components or server activities that originate from or occur there? The FCC queries whether the fact that software or firmware originates from such countries, that data will be stored in such countries, or that products can be remotely controlled by servers within such countries, should render products ineligible for the label altogether. Notably, the FCC seeks comment on whether certain product components, such as cellular interface modules, pose elevated risks for which such a prohibition might specifically be warranted. It also asks which disclosures would be helpful for consumers and how mandating certain disclosures could impact manufacturer participation. Finally, the FCC inquires about additional sources for identifying “high-risk countries.”
Comments will be due 30 days after the FNPRM is published in the Federal Register, and reply comments will be due 60 days after the FNPRM publication date.
The FCC’s proposal comes on the heels of recent federal activity scrutinizing the level of access by countries of concern, including China, to the personal data of Americans. In February, President Biden issued an Executive Order (EO) intended to protect Americans’ sensitive personal data from exploitation by countries of concern. The EO directed the Department of Justice (DOJ) to issue regulations that prohibit, or otherwise restrict, certain categories of data transactions that pose an unacceptable risk to national security. DOJ issued an Advanced Notice of Proposed Rulemaking on this topic, describing the initial categories of transactions involving bulk sensitive personal data or certain U.S. Government-related data as outlined in the EO, and seeking public comment on issues including prohibitions on data brokerage and transfers of genomic data and restrictions on vendor, employment, and investment agreements. Comments on the DOJ rulemaking are due April 19, 2024.
Next Steps
Manufacturers of connected consumer devices will want to understand the scope of this program and evaluate whether they would like to participate in seeking the new IoT Label. And interested manufacturers should be aware of the processes and technical requirements for participation, as well as the potential benefits and risks of participation. In addition, manufacturers may want to consider how to navigate ongoing global developments in IoT security, in order to facilitate global market access.
Manufacturers and industry stakeholders should also consider whether to comment on the FNPRM, which may affect their existing supply chains and data practices. It will be critical to monitor the impacts and intersections among federal activity regarding the development of software and manufacture of devices in countries of concern, plus the increasing scrutiny of data handling, storage, and transactions in such countries. These trends are only expected to continue.
The Hogan Lovells team consisting of professionals from the Communications, Internet, and Media, Privacy and Cybersecurity, Global Products Law, and Medical Device and Technology practice groups regularly collaborate to assist manufacturers and retailers with the full spectrum of global regulatory matters. We are happy to answer questions about the FCC’s IoT Labeling Program or help companies navigate this new regime or draft FNPRM comments.
