The FCC’s “U.S. Cyber Trust Mark” Proposal: What It Means for the Security Industry
In July 2023, the Biden administration announced the creation of a voluntary cybersecurity labeling program for smart devices with the goal of protecting American tech consumers. Under the Notice of Proposed Rulemaking (NPRM) subsequently published in August, the new program would be administered by the Federal Communications Commission (FCC), operational as early as late 2024 and intended for consumer devices such as smart TVs, smart fitness trackers, smart home systems and more.
Key Elements of the U.S. Cyber Trust Mark Program
Much like the well-known “Energy Star” labeling program provides information on the energy efficiency of appliances, the purpose of the “U.S. Cyber Trust Mark” program is to provide American tech consumers with clear information about the security of their internet-connected devices (i.e., the Internet of Things, or IoT). This could, in turn, help them make better informed purchasing decisions, encourage manufacturers to provide devices with higher levels of cybersecurity and help distinguish reliable products in the marketplace.
What It Means for the Industry
The “U.S. Cyber Trust Mark” would be a distinct shield logo placed on products that meet new cybersecurity requirements, according to criteria developed by the National Institute of Standards and Technology. The NPRM seeks key input from industry on how to design the program in a way that aligns with the IoT marketplace. The NPRM’s questions on what products will be covered and what the standards will be, who will make the standards and how the standards will be administered and enforced will be critical to the program’s success. For security manufacturers, clarity with respect to product applicability and the standards-related processes involved will be important to making informed decisions on participation.
How SIA and the Industry Are Getting Involved
Public comments are currently due on Sept. 25, 2023, after an unusually brief 30-day period. SIA and several other technology-focused trade associations sent a joint letter to the FCC requesting a 30-day extension to allow our members to have sufficient time to assess the potential effects of the rulemaking and develop the appropriate comments for the FCC to take into consideration, given the scope of the proposal. Allowing more time for stakeholders to truly analyze and collect more accurate input on the proposed rule with be beneficial for both the government and industry alike.
Some key areas of interest to SIA members may include the scope of devices eligible for the program (consumer use only or commercial products intended for industrial or business use?), the registry structure and update process, the development of applicable IoT security standards, safeguards to prevent unauthorized use of cybersecurity labels and many other areas.
At SIA, we are excited that some of our member companies have already made voluntary commitments to increase the cybersecurity of their products. We are looking forward to working with the FCC on the IoT program. SIA encourages any interested members to submit comments and share thoughts on the proposal with SIA’s government relations team. For more information or to provide input, please contact George Sewell, SIA government relations coordinator, at gsewell@securityindustry.org.