Coming Soon: New Cyber Labeling Program for IoT Devices
By next year, consumers may be able to scan a QR code on a connected device to learn about the cybersecurity protections built into it. Details of the program are still being worked out, but the general framework was announced this week at a kickoff event hosted by the White House, which featured statements from Federal Communications Commission (FCC) Chairwoman Rosenworcel and tech industry representatives, among others.
Specifically, on July 18, 2023, the Biden Administration and the FCC announced a new cybersecurity certification and labeling initiative—the U.S. Cyber Trust Mark program—that is intended to “enhance transparency and competition” for Internet of Things (IoT) devices. While there are still few public details about the new program, here is what we know so far.
- The program will be administered by the FCC, and other agencies will be engaged. While the FCC is taking the lead on administering the new U.S. Cyber Trust Mark Program, it plans to work with the U.S. Department of Justice (DOJ), the National Institute of Standards and Technology (NIST), the State Department, and other executive agencies to establish oversight and enforcement safeguards and to harmonize these standards both domestically and internationally across numerous industries.
- The program is intended to be voluntary. The FCC and the Biden Administration have emphasized that the program will be voluntary. However, the government’s clear goal is to incentivize participation as much as possible, for example by having participating retailers give preferences to compliant products. One key question for the FCC will be how to promote voluntary adoption of the program while addressing any concerns that might arise from participation.
- The scope of the program is intended to reach “connected devices,” but has yet to be clearly defined. Chairwoman Rosenworcel describes the Cyber Trust Mark Program as intended for “connected smart devices.” But the scope of devices to be included has not yet been determined. The scope—along with other details—is expected to be fleshed out in a forthcoming FCC rulemaking.
- While we have some insights into the FCC’s vision for the certification program and label, the details are still being decided. Based on Chairwoman Rosenworcel’s statements, we understand that the certification program will be based on existing NIST cybersecurity criteria, and that the Commission envisions its Cyber Mark labels as featuring QR codes, included on packaging, that consumers can scan to access “a national registry of certified devices to provide consumers with specific and comparable security information about these smart products.” The kickoff event also featured discussions that could inform the design and details of the forthcoming label, including discussion of modeling the new label after the Energy Star initiative and a presentation from CyLab at Carnegie Mellon University, which has conducted research on the form and function of cybersecurity labels.
- The new program is expected next year. The White House has indicated that the program “is expected to be up and running in 2024.”
Looking ahead, more details are expected to emerge when the FCC adopts its Notice of Proposed Rulemaking (NPRM), which Chairwoman Rosenworcel reports she has already circulated to her fellow FCC Commissioners for review. The NPRM is expected to lay out the broad strokes of the program and is likely to request comment on the scope of devices that should be included, the design and substance of the label, and which agencies and/or bodies should be responsible for administering and ensuring compliance with the program’s standards, as well as to raise other questions related to the program. One issue the FCC will likely address is how to promote participation in the program while mitigating any potential liability or other issues that might arise for participants.
Companies that operate in the IoT device space—including but not limited to device manufacturers—will want to monitor the development of this program closely, as it represents a large shift in the federal approach to IoT cybersecurity.