Today the Federal Communications Commission published a notice of proposed rulemaking (NPRM) in the Federal Register (88 FR 58211-58229) for “Cybersecurity Labeling for Internet of Things”. Today’s NPRM notice is a summary of the Commission's Notice of Proposed Rulemaking (NPRM), FCC 23–65, adopted August 6, 2023, and released August 10, 2023.
New Definition of IoT Device
In keeping with their regulatory focus on communications issues, the FCC is focusing this proposed program on “intentional radiators that generate and emit RF energy by radiation or induction”. This requires a reworking of the NIST definition of IoT devices for the purposes of this rulemaking. The FCC is proposing the following definition for IoT devices eligible for the labeling program: “(1) an internet-connected device capable of intentionally emitting RF energy that has at least one transducer (sensor or actuator) for interacting directly with the physical world, coupled with (2) at least one network interface (e.g., Wi-Fi, Bluetooth) for interfacing with the digital world.”
Program Administration
The Commission proposes the creation of an FCC-owned distinctive trademark to be used in a voluntary program for IoT cybersecurity labeling. The actual testing and administration of the program would be conducted by authorized third parties under the supervision of the FCC. The FCC would select one or more third-party organizations to act as administrators of the program.
Patterned on existing Telecommunications Certification Bodies (TCBs), the rulemaking proposes the creation of Cybersecurity Labeling Authorization Bodies (CyberLABs) to perform the actual testing of covered IoT devices and products.
The Commission is proposing that covered devices meeting the developed criteria would be able to carry a label attesting that they meet the proposed standards. The FCC IoT label would include a QR code that contains consumer-friendly information available without an internet connection, in addition to a URL for the device's or product's registry page.
IoT Cybersecurity Criteria and Standards
The NPRM proposes that the FCC would adopt NIST's recommended IoT criteria. Those criteria include:
Asset identification,
Product configuration,
Data protection,
Interface access control,
Software update,
Cybersecurity state awareness,
Documentation,
Information and query reception,
Information dissemination, and
Product education and awareness.
The rule further proposes that the IoT security standards be developed jointly with the industry and other stakeholders using the following process:
Collecting information,
Establishing requirements,
Developing the standards,
Reviewing and improving, and
Public Comments
The FCC is soliciting public comments on this proposed rulemaking. Comments may be submitted via the Commission’s website (https://www.apps.fcc.gov/ecfs/; PS Docket No. 23-239). Comments should be submitted by September 25th, 2023, with replies to comments submitted by October 24th, 2023.
Commentary
The FCC rulemaking process is slightly different from what is normally covered in this blog. Today’s NPRM reads more like what other agencies call an advance notice of proposed rulemaking, with the FCC outlining the scope of a potential rule and providing an outline of the information that the Commission is looking to receive from the public and the regulated community.
The really odd thing about this rulemaking, however, is its focus on the control of malicious RF emissions. This is certainly in keeping with the mandate of the Commission, but this limited focus could allow otherwise vulnerable devices to receive approval under the proposed labeling scheme. I think that could be detrimental to the IoT cybersecurity effort in general.
So... "(2) at least one network interface (e.g., Wi-Fi, Bluetooth) for interfacing with the digital world." If the IoT device did not support wireless (i.e., classic Ethernet connection, no wireless support), does the definition still apply?