With a unanimous vote on March 14, 2024, the Federal Communications Commission (“FCC”) adopted its proposed order to launch a voluntary cybersecurity labeling program (“Program”) for Internet-connected smart devices. As discussed in our August 2023 blog, this cybersecurity labeling Program could put the FCC front-and-center in advancing consumer-facing disclosures about the security of smart devices. The Program is a response to the growing number of cyberattacks involving connected devices; the FCC cites estimates of more than 1.5 billion attacks against Internet of Things (“IoT”) devices in the first six months of 2021.
Labeling Program
The Program will allow manufacturers to demonstrate their devices meet certain cybersecurity criteria developed by the National Institute of Standards and Technology (“NIST”) through a two-step process. Manufacturers must first submit to product testing by an accredited and recognized lab, and then obtain a product label certification from a designated Cybersecurity Lead Administrator (“CLA”). The Program does not permit self-certification.
- Manufacturers that meet the standards can display the U.S. Cyber Trust Mark label (“Cyber Mark”), along with a QR code that would enable consumers to access current information on the security features of the device.
- The Program will establish a registry of products and devices that are authorized to use the Cyber Mark.
- The FCC will oversee the Program, leveraging third parties to facilitate compliance through reviewing applications, authorizing label use, and providing consumer education.
The Program relies on a combination of administrative remedies and civil litigation for enforcement. CLAs are directed to conduct post-market surveillance and random auditing of accredited products, such as product surveillance in retail stores. Manufacturers that fail to correct identified technical deficiencies after a twenty (20) day cure period may be “disqualified” from the Program. Further, the Order outlines additional administrative remedies including orders, forfeitures, consent decrees, cease and desist orders, and penalties for lack of compliance. The Program declined to create a safe harbor and does not intend to preempt state law, and enforcement authority is not restricted to the Commission. Accordingly, consumers could bring claims in state court against Program participants for, inter alia, product liability, unfairness or deception.
In its current form, the Program is limited to wireless consumer IoT products (i.e., devices using wireless spectrum that is regulated by the FCC), excluding wired devices and enterprise or industrial IoT products. Not all wireless consumer IoT products will qualify for the Program. In particular, IoT devices manufactured by companies named on the Department of Commerce’s “Entity List,” named on the Department of Defense’s List of Chinese Military Companies, or suspended or debarred from receiving federal procurements or financial awards will not be authorized to display the Cyber Mark. The Program will also exclude medical devices regulated by the Food and Drug Administration.
Further Public Comment
The FCC is seeking further comment on potential disclosure requirements, which could include: 1) where the products are manufactured, developed, or mainly deployed; 2) whether a manufacturing company is located in a country that poses national security concerns; and 3) whether customer data is collected in connection with the use of such devices. This Further Notice of Proposed Rulemaking will be posted in the Federal Register, and comments will likely be due around the end of April.
Should I Participate?
The FCC expects that the Program will be available starting in late 2024. Once it launches, device manufacturers will need to consider the feasibility of compliance and value of the label before deciding whether to submit their devices for certification.
The ZwillGen team can help you to weigh the benefits and potential exposure that may come from participation in the Program.