Despite the coming transition in agency leadership, the FCC’s Internet of Things (IoT) Cybersecurity Labeling Program (the IoT Program) hit some major milestones this month, as the agency pushes ahead with this novel program. On December 4, 2024, the Federal Communications Commission’s (FCC or Commission) Public Safety and Homeland Security Bureau (Bureau) issued a Public Notice announcing that it had selected UL LLC (UL Solutions) to serve as both the Lead Administrator (LA) and as a Cybersecurity Label Administrator (CLA) as part of the FCC’s IoT Program, which includes the U.S. government certification mark (U.S. Cyber Trust Mark). One week later, on December 11, 2024, the Bureau issued a second Public Notice announcing the selection of 10 additional entities to serve as CLAs. These CLAs now have to meet obligations created by the FCC over the past year, and the agency still has a lot of work to do to get the program off the ground.
We have provided additional context and detail on these announcements below.
Background
As we have covered in greater detail in previous alerts, in March 2024, the Commission issued a Report and Order (Order) establishing a voluntary labeling program for IoT products, pursuant to which eligible products may be authorized to display an FCC IoT Label, which includes the U.S. Cyber Trust Mark, to indicate conformance with baseline cybersecurity standards. The White House originally announced the IoT Program in July 2023 after several years of federal work in this area, including guidance documents and pilot programs by the National Institute of Standards and Technology (NIST) pursuant to a 2021 Executive Order on Improving the Nation’s Cybersecurity (14028) and direction from Congress, as well as significant privacy and cybersecurity enforcement by the Federal Trade Commission (FTC) under Section 5 of the FTC Act.
Recognizing that close partnership between the federal government, industry, and other stakeholders is essential for the IoT Program to succeed, the Order established that, while the Commission will oversee and retain ultimate control over the IoT Program, the Commission will rely on multiple CLAs – led by a single LA – to manage certain aspects of the program and authorize the use of the FCC’s IoT Label. The Bureau subsequently issued a Public Notice calling for LA and CLA applications in September 2024.
UL Solutions and Its Duties
UL Solutions will serve as both the LA and a CLA. According to the Bureau, “UL Solutions describes itself as a global leader in applied safety science with a distinguished heritage and long history of operating at the forefront of safety science enhancing consumer safety.”
As the LA, UL Solutions will, among other tasks:
- Act as liaison between the Commission and the CLAs.
- Lead a 90-day stakeholder process, which is called for in the Order. Through this process, UL Solutions will, in collaboration with the CLAs and other stakeholders like cyber experts from industry, government, and academia, submit recommendations to the Bureau on:
  - Technical standards and testing procedures to determine that a product meets the NISTIR 8425 criteria for each class of products identified by the stakeholder working group;
  - How often a given class of IoT products must renew their request for authority to bear the FCC IoT Label;
  - Procedures for post-market surveillance by the CLAs;
  - Updates to the registry that will contain information about Cyber Trust Mark-approved products; and
  - Design of the FCC IoT Label.
- Develop a consumer outreach campaign in collaboration with stakeholders.
- Submit to the Bureau and the Office of the Managing Director (OMD) an estimate of its forward-looking costs, including, separately, program stand-up costs and ongoing program costs to perform its LA duties, which will be reviewed by the CLAs, the Bureau, and OMD for reasonableness.
- Determine a sharing methodology with the CLAs for the costs that UL Solutions will incur.
The CLAs and Their Duties
The Bureau also conditionally approved the following 10 entities to serve as CLAs, along with UL Solutions:
- CSA America Testing & Certification, LLC
- CTIA Certification LLC
- DEKRA Certification Inc.
- Intertek Testing Services NA, Inc.
- ioXt Alliance
- Palindrome Technologies
- SGS North America Inc.
- Telecommunications Industry Association
- TÜV Rheinland of N.A.
- TÜV SÜD America
These entities’ responsibilities will include:
- Certifying the use of the FCC IoT Label and the U.S. Cyber Trust Mark and managing the IoT Program on a day-to-day basis.
- Sharing the costs that UL Solutions incurs in performing its duties on behalf of the IoT Program.
- Participating in the 90-day stakeholder process.
- Participating in the development and execution of the LA’s consumer outreach campaign.
- Developing a cybersecurity risk management plan.
- Performing post-market surveillance activities, including audits.
Next Steps
The 90-day stakeholder process established by the Order should provide opportunity for industry involvement as the IoT Program gets underway in earnest, though it remains to be seen which stakeholders the Bureau, UL Solutions, and the CLAs will bring into the fold. However, there may be room for additional stakeholder involvement moving forward. The Order provides that, should NIST publish any updates or changes to its IoT-related guidelines, UL Solutions must, within 45 days of NIST’s publication, recommend any appropriate modifications for the IoT Program to the FCC, and the Order contemplates that this process will involve stakeholder collaboration as well.
It is also important to note that the Bureau’s approval of UL Solutions and the CLAs is conditioned upon these entities’ execution of a Trademark Use Agreement with the FCC, as well as their commitment to obtain ISO/IEC 17065 accreditation with the appropriate FCC program scope within six months of the effective date of the Commission’s adoption of IoT cybersecurity labeling standards and testing procedures. As a result, UL Solutions and the CLAs will not be authorized to approve the use of the U.S. Cyber Trust Mark until UL Solutions and the CLAs have completed these tasks and demonstrated compliance with their other requirements (e.g., the development of a cybersecurity risk management plan).