The US Federal Communications Commission (FCC) has initiated a consultation process regarding its proposed cybersecurity labelling framework for IoT. This initiative seeks input and feedback from industry stakeholders, users, and the general public.
The FCC is suggesting the implementation of a cybersecurity labelling system for consumer IoT and smart devices. This system aims to empower consumers to select products that come with a cybersecurity assurance and regular security updates. The Commission anticipates that this new labelling approach will bolster consumer trust and confidence in the security of interconnected devices.
A comprehensive overview of this proposed framework can be found in the FCC 23-65A1 NPRM document.
The US Cyber Trust Mark is a voluntary program, unlike similar mandatory schemes in Europe. Manufacturers who opt for this certification commit to maintaining the security and timely patching of their devices.
The FCC is currently deliberating various aspects of the proposed framework. One unresolved issue is the mechanism for enforcing compliance when Trust Mark holders neglect to update the security of their IoT devices. Presently, the FCC is considering civil litigation as a primary enforcement avenue but is also exploring alternative options.
Additionally, the scope of the Trust Mark is still under consideration. As of now, it encompasses smart home devices, fitness monitors, and select consumer gadgets. However, it is likely to expand to include Internet equipment such as routers.
Another area of uncertainty is the extent of data requirements imposed on manufacturers and the level of transparency expected regarding how companies utilise data collected from consumer devices. This encompasses not only the devices themselves but also smartphone applications, cloud platforms, and analytics.
The consultation period is open for initial comments until September 24th, with responses accepted until October 10th.