FCC approves cyber labeling program for IoT devices

The Federal Communications Commission on Thursday voted to create a voluntary cybersecurity labeling program for Internet of Things devices and other consumer-facing products that rely on an internet connection.

The vote checks off a major component of a Biden administration-wide push to put labels on smart devices like fitness trackers, garage door openers and climate control gauges to help consumers shop for products that are less prone to cyberattacks.

Smart products covered by the rule that meet certain cybersecurity standards would bear a label akin to the ENERGY STAR marking that indicates a product is energy efficient. The FCC sought public comment last August on how to craft the rules and finalized the program based on that. Device compliance testing would be handled by accredited research labs, the agency said.

The FCC will also now seek feedback from the public on how certain software products developed in adversarial nations could pose security risks to the U.S., as well as whether customer data collected by those products would lead to security risks. The White House rolled out a related executive order on data transfers to countries of concern last month.

Entities placed on the commission’s “covered list” that designates internet and telecom providers deemed dangerous to U.S. national security are not eligible for the label, known as a Cyber Trust Mark, according to remarks from FCC Chairwoman Jessica Rosenworcel.

“How do we make sure the everyday connections in our homes are safe?” she said. “These are the right questions to ask. Because this increase in connection brings more than convenience. It brings cyber vulnerabilities,” Rosenworcel added. “After all, every device connected to the internet is a point of entry for the kind of attacks that steal our personal data and can compromise our safety.”

The logo would appear on IoT products that meet baseline cyber standards alongside a QR code for users to scan for more information on the product’s security features. That data may include the minimum security support period of the product and whether its manufacturer automatically releases updates or patches. The National Institute of Standards and Technology has also laid out baseline cyber standards for products used by consumers as part of the effort.

The Consumer Technology Association applauded the move.

“We are pleased to see a voluntary IoT cybersecurity labeling program based on the work of NIST that recognizes the need for international coordination and the importance of educating consumers about the label,” CTA CEO Gary Shapiro said in a statement to Nextgov/FCW.

Anne Neuberger, deputy national security advisor for cybersecurity and emerging technologies, announced at the CES conference in January that the European Union had signed on to the labeling scheme.

The labeling program is one of several sweeping steps taken by the Biden administration that’s focused on hardening U.S. cyberdefenses and improving the cyber posture of the industries overseen by federal agencies. Those include strict directives that require offices to report cyber incidents in a timely manner and develop methods to defend critical infrastructure and take down hackers.

Some 1.5 billion attacks were launched against IoT devices in 2021, the FCC said, citing unnamed outside research. It’s estimated that over 25 billion IoT products will be in use by the end of the decade, the federal telecom regulator added

Most Popular

To Top