U.S IoT Cybersecurity Trust Mark Label

Last month, the Federal Communications Commission (FCC) officially voted to pass the "Cybersecurity Labeling for Internet of Things" initiative. This is a voluntary U.S. Cyber Trust Mark cybersecurity labeling program aimed at "wireless consumer IoT products." It provides consumers with an easy-to-understand and quickly identifiable FCC IoT label, including a U.S. government certification mark (the Cyber Trust Mark). This mark indicates that the product meets the plan’s requirements and the FCC's minimum cybersecurity standards. It also includes a QR code that directs consumers to a registry containing specific information about the IoT product. This program will help consumers make better purchasing decisions, boost their confidence in the cybersecurity of the IoT products they buy for home and life, and encourage IoT product manufacturers to consider security design principles when developing products.

In August 2023, the FCC issued a Notice of Proposed Rulemaking (NPRM) for the IoT Labeling initiative, proposing this voluntary program and widely soliciting opinions from various parties. In the recently passed "Cybersecurity Labeling for IoT" vote, the FCC released the Final Rule, and before the text of the Final Rule, a detailed "Introduction" was provided, addressing and discussing the responses and arguments made regarding the NPRM. These responses and discussions further our understanding of the reasons and specific implications behind the Final Rule.

Key Contents of the "Cybersecurity Labeling for IoT"

1. Nature of the Program

The program is a voluntary cybersecurity labeling initiative established by the FCC for wireless consumer IoT products. Although participation is voluntary, those who choose to participate must comply with the program's requirements to obtain permission to use the FCC IoT label with the Cyber Trust Mark.

2. Scope of the Program

The "Introduction" indicates that the program applies to "wireless consumer IoT products," with a detailed description provided for the definition.

1. Applicable to "Wireless" Not Covering "Wired"

   The initial IoT labeling program will focus on wireless consumer IoT devices, thus excluding wired-only IoT devices. However, future inclusion of wired consumer IoT products is not ruled out.

2. Applicable to "Consumer" Not Involving "Enterprise or Industrial"

   The FCC supports an IoT labeling program that includes consumer-centric IoT products, focusing on consumer IoT products rather than enterprise or industrial IoT products. The following devices are not included in the FCC IoT labeling program:

   - Medical devices regulated by the U.S. Food and Drug Administration (FDA);

   - Motor vehicles and motor vehicle equipment regulated by the U.S. National Highway Traffic Safety Administration (NHTSA);

   - Devices/products produced by certain entities.

3. Applicable to "IoT Products" Not Limited to "IoT Devices"

IoT Products

The Final Rule adopts the National Institute of Standards and Technology (NIST) definition for "IoT Products": IoT devices and any additional product components necessary for the use of IoT devices beyond basic operational functions (e.g., backend, gateway, mobile applications), including data communication links with components outside this scope but excluding any external third-party components beyond the manufacturer's control.

IoT Devices

The Final Rule adopts a revised version of the NPRM's NIST definition: (1) connected devices capable of intentionally emitting radiofrequency energy, having at least one sensor for direct interaction with the physical world, and (2) at least one network interface (e.g., Wi-Fi, Bluetooth) for connecting to the digital world.

Consumer IoT Product Standards

The FCC did not specify the product standards for obtaining the label in the Final Rule. In the Introduction, the FCC stated the necessity of establishing standards to manage the IoT labeling program fairly and justly, ensuring that products bearing the FCC IoT label have undergone testing according to the same standards, giving consumers confidence in the robust cybersecurity of labeled products.

Label Application Process

The FCC adopts a two-step process for manufacturers seeking authorization to use the Cyber Trust Mark:

1. Test the IoT product for compliance with FCC rules using certified and lead administrator-recognized laboratories, and generate a test report;

2. Submit an application to the CLA to prove the product fully complies with all relevant FCC IoT labeling program rules.

Label

1. Cyber Trust Mark

   The FCC implements the IoT labeling program using a binary label structure where products either qualify to carry the label or do not.

2. QR Code

   The FCC requires products with the Cyber Trust Mark to also include a QR code that directs consumers to a registry containing specific information about the IoT product.

3. Registry

   The registry provides information on consumer IoT products that meet the labeling program requirements, accessible via the QR code on the FCC IoT label.

Ongoing Obligations

The FCC emphasizes in the Introduction that entities authorized to use the FCC IoT label must ensure that products continue to comply with the program’s requirements.

Analysis and Recommendations

The FCC's primary reasons for the decisions in the "Introduction" were to reduce obstacles to the labeling program and expedite its market introduction. However, the FCC's stringent stance on specific provisions, such as requiring testing through certified and recognized laboratories rather than simple self-certification or third-party certification, indicates its commitment to the program.

The FCC's proposed IoT security labeling program, although voluntary, received agreement from many enterprises during the consultation phase. Despite its voluntary nature, consumer demand will drive widespread adoption of the program, as consumers will likely prefer IoT products with the label. We recommend that domestic enterprises view this program as a strategic move to enhance product competitiveness and incorporate its requirements into product security design in advance, especially paying attention to NIST standards.

We will continue to monitor the specific conclusions of these substantive matters. China JJR Laboratory provides this service, welcome to consult!