As we explained in an August 2023 client alert, the US Cyber Trust Mark program will provide consumers with information about the relative security of an Internet of Things (IoT) device or product. The Federal Communications Commission (FCC) recently took the next step in establishing the US Cyber Trust Mark program when it released a notice of proposed rulemaking (NPRM) seeking input about the rules and processes that will govern the program. This is the last step the FCC must take prior to setting final rules.
In the NPRM, the FCC asks for comment on which devices or products should be eligible for the US Cyber Trust Mark program, how the program should be managed and administered, and whether it should be managed or administered by the FCC or third parties. The FCC also seeks comment on the criteria and standards a device or product must satisfy to be eligible to display the US Cyber Trust Mark’s logo. While participation in the program will be voluntary, parties choosing to participate must adhere to the program’s standards, and the FCC is asking what enforcement measures should be adopted to ensure compliance by program participants. The FCC proposes that program participants file for renewal each year, and it asks how the program can ensure consumers have access to up-to-date information regarding the participating device or product.
The FCC proposes to develop the qualifying standards jointly with industry groups and other stakeholders, and it seeks comment on whether the FCC or an outside entity is in the best position to convene stakeholders and timely establish the details of a testing program. The FCC proposes that the standards be based on cybersecurity criteria developed by the National Institute of Standards and Technology (NIST), but it also asks whether other criteria should be considered. The FCC notes that NIST already has identified the key elements of a labeling program, and it seeks comment on various aspects of the NIST standards.
Comments on the FCC’s proposals are due on September 25, 2023, and reply comments are due on October 10, 2023. We expect the FCC will prioritize this proceeding – meaning that the new program could be launched as soon as the second half of 2024. For more information about the US Cyber Trust Mark program and the FCC’s proposed implementation, please reach out to one of the Cooley lawyers listed below.