FCC Issues Notice of Proposed Rulemaking on Voluntary Cybersecurity Labeling Program for Smart Devices

The U.S. Federal Communications Commission (FCC) has released a Notice of Proposed Rulemaking to create a voluntary cybersecurity labeling program for “Internet of Things" (IoT) or "smart" devices. Comments will be accepted until 30 days after publication in the Federal Register; reply comments will be accepted until 45 days after publication in the Federal Register.

The proposed program would allow qualifying products to bear a new U.S Cyber Trust Mark, helping consumers make informed purchasing decisions, differentiate trustworthy products in the marketplace, and create incentives for manufacturers to meet higher cybersecurity standards. The U.S. Cyber Trust Mark logo would appear on packaging alongside a QR code that could be scanned for more information. The QR code would link to a national registry of certified devices to allow for comparison of these devices and up-to-date security information about each.

Devices being addressed by the proposal include internet-enabled devices such as personal digital assistants, internet-connected home security cameras, voice-activated shopping devices, internet-connected appliances, fitness trackers, GPS trackers, medical devices, garage door openers, baby monitors, and more.

The voluntary cybersecurity labeling program would be based on criteria developed by the National Institute of Standards and Technology (NIST).

Comments are being accepted on how to make the program effective, including:

• The scope of devices or products for sale in the U.S. that should be eligible for inclusion in the labeling program
• Who should oversee and manage the program
• How to develop the security standards that could apply to different types of devices or products
• How to demonstrate compliance with those security standards
• How to safeguard the cybersecurity label against unauthorized use
• How to educate consumers about the program.

“This proposal builds on good work already done by government and industry because we will rely on the NIST-recommended criteria for cybersecurity to set the Cyber Trust Mark program up,” said FCC Chairwoman Jessica Rosenworcel. “That means we will use criteria device manufacturers already know, and, when they choose to meet these standards, they will be able to showcase privacy and security in the marketplace by displaying this mark. Over time, we hope more companies will use it—and more consumers will demand it.”

For more information, see the Notice of Proposed Rulemaking, the FCC Fact Sheet, and the FCC webpage on the proposal. Comments may be filed electronically using the Internet by accessing the FCC’s Electronic Comment Filing System (ECFS): https://www.fcc.gov/ecfs/