FCC to consider IoT security labeling program

WASHINGTON – Federal Communications Commission Chairwoman Jessica Rosenworcel debuted a proposal with her fellow Commissioners to create a voluntary cybersecurity labeling program that would provide consumers with clear information about the security of their Internet-enabled devices, commonly called "Internet of Things" or "smart" devices. The proposed program—where qualifying products would bear a new U.S Cyber Trust Mark—would help consumers make informed purchasing decisions, differentiate trustworthy products in the marketplace, and create incentives for manufacturers to meet higher cybersecurity standards.

The draft proposal, called a Notice of Proposed Rulemaking (NPRM), outlines a voluntary cybersecurity labeling program that would be established under the FCC's authority to regulate wireless communications devices based on cybersecurity criteria developed by the National Institute of Standards and Technology (NIST). If the proposal is adopted by a vote of the Commission, it would be issued for public comment, and could be up and running by late 2024.

The proposal seeks input on issues including the scope of devices for sale in the U.S. that should be eligible for inclusion in the labeling program, who should oversee and manage the program, how to develop the security standards that could apply to different types of devices, how to demonstrate compliance with those security standards, how to safeguard the cybersecurity label against unauthorized use, and how to educate consumers about the program. The Commission today also unveiled the proposed U.S. Cyber Trust Mark logo, which would appear on packaging alongside a QR code that consumers can scan for further information, pending a certification mark approval by the U.S. Patent and Trademark Office.

There are a wide range of consumer Internet of Things (or "IoT") products on the market that communicate over networks. These products are made up of various devices, and are based on many technologies, each of which presents a set of security challenges. According to one third party estimate, there were more than 1.5 billion attacks against IoT devices in the first six months of 2021 alone. Others estimate that there will be more than 25 billion connected IoT devices in operation by 2030. The proposal announced today builds on the significant public and private sector work already underway on IoT cybersecurity and labeling, emphasizing the importance of continued partnership so that consumers can enjoy the benefits of this technology with greater confidence in and knowledge of their devices' security.

Read the full press release here.

FCC