The Biden Administration has announced the rollout of the “cybersecurity label for interconnected devices, known as the U.S. Cyber Trust Mark.” The voluntary program, which will allow providers of certain such devices to label their products with the Mark, comes after the Federal Communications Commission (FCC) approved final rules and implementing framework that will govern the procedures for obtaining and using the Mark’s distinctive shield logo.

What’s In Program Scope – Per the FCC, the program applies to consumer wireless Internet of Things (IoT) products – radio frequency devices clearly within its jurisdiction under Section 302 of the Communications Act. Examples of eligible products include internet-connected home security cameras, voice-activated shopping devices, smart appliances, fitness trackers, garage door openers, and baby monitors.

What Is Not – On the other hand, the program does not include items outside the FCC’s regulatory jurisdiction, such as medical devices regulated by the Food and Drug Administration and motor vehicles and equipment regulated by the National Highway Traffic Safety Administration. Also excluded are wired devices; products primarily used for manufacturing, industrial control or enterprise applications; equipment on the FCC’s Covered List and equipment produced by an entity on the covered list; IoT products from a company on other lists addressing national security; and IoT products produced by entities banned from Federal procurement.

Process And Standards – Products must be tested at an FCC-recognized accredited laboratory (CyberLAB) for evaluation against the program’s cybersecurity criteria. Those criteria are based on standards developed by the National Institute of Standards and Technology (NIST) and other expert guidance intended to ensure that certified devices have robust cybersecurity protections, including, for example, implementation of strong encryption protocols and requirements for user authentication before granting access to device settings or data.

Program Management and Compliance Enforcement – The FCC will manage the program but also rely on Cybersecurity Labeling Administrators (CLA), who will evaluate the post-testing applications for approval to use the Mark; the FCC has already approved a number of these CLAs.

Among other things, CLAs will be responsible for ensuring that users comply with applicable FCC rules. In adopting the regulatory framework for the program, the agency decided that it would “rely on a combination of administrative remedies and civil litigation to address non-compliance.” The FCC “direct[ed] the CLAs to conduct post-market surveillance…to ensure that the integrity of the Cyber Trust Mark is maintained.”

Further, “random audits” will be coupled with such surveillance. Identified products that fail to comply with applicable technical regulations for that product could be stripped of approval to display the Mark.

In the interest of the integrity of the Mark, the Commission also made clear that it will “pursue all available means to prosecute entities who improperly or fraudulently use the FCC IoT Label, which may include, but are not limited to, enforcement actions, legal claims of deceptive practices prosecuted through the FTC, and legal claims for trademark infringement or breach of contract.”

Further Notice of Proposed Rulemaking: National Security – In an ongoing effort to address potential hidden national security threats, the FCC’s Further Notice of Proposed Rulemaking focuses on such threats contained in consumer products bearing the IoT Label. To that end, the FCC seeks comments on “additional declarations intended to provide consumers with assurances that the products bearing the IoT Label do not contain hidden vulnerabilities from high risk countries [e.g., China], that data collected by the product does not sit within or transit high-risk countries and that products cannot be remotely controlled by servers located within high-risk countries.”

Incoming Chairman Carr, who has voiced a strong interest in addressing national security concerns, is sure to support these initiatives on an ongoing basis.