FCC creates voluntary IoT security labelling programme

  • March 20, 2024
  • Steve Rogerson
FCC chair Jessica Rosenworcel.

The US Federal Communications Commission has voted to create a voluntary cyber-security labelling programme for wireless consumer IoT products.

Under the programme, qualifying consumer smart products that meet robust cyber-security standards will bear a label – including a new US Cyber Trust Mark – that will help consumers make informed purchasing decisions, differentiate trustworthy products in the marketplace, and create incentives for manufacturers to meet higher cyber-security standards.

With this action, the commission has adopted the rules and framework for the programme to move forward. Among programme highlights are:

  • The US Cyber Trust Mark logo will initially appear on wireless consumer IoT products that meet the programme’s cyber-security standards. 
  • The logo will be accompanied by a QR code that consumers can scan for easy-to-understand details about the security of the product, such as the support period for the product and whether software patches and security updates are automatic.
  • The voluntary programme will rely on public-private collaboration, with the FCC providing oversight and approved third-party label administrators managing activities such as evaluating product applications, authorising use of the label and consumer education.
  • Compliance testing will be handled by accredited labs.
  • Examples of eligible products may include home security cameras, voice-activated shopping devices, internet-connected appliances, fitness trackers, garage door openers and baby monitors.

The FCC is also seeking public comment on additional potential disclosure requirements, including whether software or firmware for a product is developed or deployed by a company in a country that presents national security concerns and whether customer data collected by the product will be sent to servers located in such a country.

There is a wide range of consumer IoT products on the market that communicate over wireless networks. These are made up of various devices, and are based on many technologies, each of which presents its own set of security challenges. Last August, the commission proposed and sought comment on developing the voluntary cyber-security labelling programme for IoT. The rules now adopted are based on that record.

According to one third-party estimate, there were more than 1.5 billion attacks against IoT devices in the first six months of 2021. Others estimate that there will be more than 25 billion connected IoT devices in operation by 2030.

The cyber-security labelling programme builds on the significant public and private sector work already underway on IoT cyber security and labelling, emphasising the importance of continued partnership so consumers can enjoy the benefits of this technology with greater confidence and trust.

“We are building the Cyber Trust Mark programme on the well-known cyber-security criteria developed by the National Institute of Standards & Technology,” said FCC (www.fcc.gov) chair Jessica Rosenworcel. “We are also building this effort on the existing model we have at this agency for authorisation of devices using radio frequency. So we have both a framework for standards and a framework for execution. To get it done, we will need expert partners. We will select third-party administrators, including a lead administrator, through a rigorous selection process that will work with us on the day-to-day details of the programme.”