FCC Seeks Input on Cybersecurity Labeling Program

The Federal Communications Commission is seeking public input on its proposal to create a voluntary cybersecurity labeling program (the “Cyber Label Program”). Interested parties can file reply comments by November 10, 2023. Nearly 100 commenters offered their views during the initial round of comments.

The purpose of the Cyber Label Program will be to inform consumers about the relative security of the internet-connected devices (Internet of Things or IoT devices) they purchase. If the Cyber Label Program is established, the FCC will create a “U.S. Cyber Trust Mark” to be affixed to eligible products that meet the FCC’s IoT cybersecurity requirements.

The Cyber Trust Mark will be similar to the “Energy Star” logo that informs consumers which appliances are energy efficient. The Cyber Trust Mark will help consumers make informed choices when comparing IoT products. The FCC also expects the Cyber Label Program to bolster network safety, incentivize manufacturers to meet higher security standards, and encourage retailers to market secure devices. Participants in the Cyber Label Program will be required to ensure their IoT products comply with the program’s rules.

Proposed Cybersecurity Label Requirements

The FCC has requested feedback about how to build the most effective program. Specifically, the FCC wants to hear from the public regarding:

  • What types of IoT devices and products should be eligible to participate in the labeling program.
  • How IoT device security standards should be developed and whether those standards should differ based on the type of device or product.
  • What entities should oversee and manage the Cyber Label Program.
  • How manufacturers will demonstrate compliance with the Cyber Trust Mark’s security standards.
  • How to protect the Cyber Trust Mark label from unauthorized use.
  • How to educate consumers about the new program.

If you have questions about the Cyber Label Program, please contact an attorney in our Broadband, Spectrum, and Communications Infrastructure or Privacy, Data Protection and Cybersecurity practice groups.