More Cyber Protections For Internet Of Things Consumer Devices? FCC To Use Labels – Security



The Federal Communications Commission (FCC) is providing a new
level of protection for consumers who are worried about potential
cybersecurity risks to connected consumer devices. Last week, the
agency adopted a voluntary labeling program
that manufacturers of “smart” wireless,
internet-connected consumer devices can follow to indicate to
consumers that the device meets certain cybersecurity
protections.

The FCC has set out the framework for an Internet of Things
(IoT) labeling program by which a manufacturer of eligible products
may mark a product with an FCC IoT Label that incorporates the
federal government’s Cyber Trust Mark. The goal, according to the
agency, is to “help consumers make better purchasing
decisions, raise consumer confidence with regard to the
cybersecurity of the IoT products they buy to use in their homes
and their lives, and encourage manufacturers of IoT products to
develop products with security-by-design principles in
mind.”

Eligible devices will need to demonstrate compliance with
cybersecurity criteria that follow those developed by the National
Institute of Standards and Technology (NIST), the federal agency
within the Department of Commerce that leads the research and
design of cybersecurity standards for government and industry. The
FCC will select at least one third-party administrator to act in
its stead. This lead administrator will be responsible for:

  • Determining the precise standards and testing that eligible
    devices must meet

  • Creating and overseeing a process that will ensure that the
    label is appropriately used

  • Collaborating with stakeholders and reporting to the FCC
    changes in NIST cybersecurity standards that may impact the FCC
    program

To place an FCC IoT Label on a device, a manufacturer must
certify that it complies with the appropriate standards. Devices
also must have a QR code that will allow consumers to scan for
additional information regarding the product’s security.

Like the FCC’s equipment certification program,
manufacturers will need to put a device through a two-step process
where it is first tested by a test lab and then approved by a
Cybersecurity Label Administrator (CLA). Test labs accredited
according to certain standards (i.e., ISO/IEC 17025) may test
devices for compliance before the label is granted. CLAs may charge
manufacturers a fee for review of an application for use of the FCC
IoT Label.

Certain devices are specifically excluded from the program.
These include medical devices, motor vehicles, and “motor vehicle equipment” (defined by the
U.S. Code). Also excluded are external components, including
external third-party components that are outside a
manufacturer’s control. And devices on the FCC’s Covered List, which have been determined to be
a threat to national security, cannot obtain a label.

The FCC also issued a Further Notice of Proposed Rulemaking
(FNPRM) that considers imposing other national security
requirements on manufacturers, suggesting the agency may add to
these rules. One set of questions asks whether the FCC should
require that participating manufacturers disclose whether firmware
and/or software was developed and manufactured in
“high-risk” countries and disclose the countries in which
firmware and software updates will be developed and deployed.

Another proposal would be to require manufacturers to reveal
whether the data collected by the product is stored in or transits
a “high-risk” country or countries. And the FCC asks
whether it should bar from participating in the program products
that can be remotely controlled by servers located in
“high-risk” countries, defined as those on the Department
of Commerce’s list of foreign adversaries.

The FCC’s actions here are just the first step in what is
likely to be at least a year-long process of assigning outside
administrator duties and developing all the many details
underlying the requirements. Comments on the FNPRM proposals will
be due 30 days after the item is published in the Federal
Register.

