Consumer Electronics Daily was a Warren News publication.
Simington Questions

Some Changes Appear Likely in Proposed Cyber Mark Program

Industry officials expect changes in the cyber trust mark rules, set for a vote Thursday, though the extent is still evolving, said lawyers in the proceeding. One wildcard is whether the FCC will attach a further notice, asking questions about issues including the country of origin of security updates under the program. The item is expected to be approved 5-0, with Commissioner Nathan Simington getting some edits to reflect his initial concerns, officials said.

Simington in February urged the FCC to approve a mark that wasn’t overly easy to achieve. “Given how dismal the cybersecurity landscape is right now,” minimal changes to what companies are doing won’t be enough, he said at the time (see 2402050047): “We don’t lower the standards for USDA Prime to make sure more cuts of meat qualify.” Lawyers in the proceeding said the draft item also makes attempts to address those concerns.

The FCC has been under pressure to make changes.

In a filing, CTA said representatives spoke Monday with aides to Chairwoman Jessica Rosenworcel and Simington and answered their questions. Queries concerned a proposed requirement for manufacturers using the mark “to disclose the minimum period for which the manufacturer commits to supporting the IoT product bearing the Mark,” CTA said, posted in docket 23-239.

The manufacturer should be able to set the end date by which they indicate what the minimum guaranteed supported period is,” David Grossman, CTA vice president-regulatory affairs, told us. The FCC also needs to provide flexibility, he said. Some manufacturers, after they have set the end date, may decide they’re able to provide support for additional time “and there should be flexibility to allow for that,” he added.

Representatives of Carnegie Mellon University and Consumer Reports filed a letter at the FCC this week asking for changes that would make the program more consumer friendly. “The order makes no mention of the possibility of designing a label along the lines of the medium- or high-complexity labels preferred by consumers” in a CMU study, they said. The rules also “include basic information about the product and certification, but no information about security, privacy, or a dedicated contact point for security researchers to report vulnerabilities,” the filing said: “Research shows that 76% of IoT device manufacturers have no way for security researchers to contact them in case of a vulnerability, making it more relevant from a security standpoint than some of the basic information requested.”

Last week, the Alliance for Automotive Innovation asked the FCC to exclude motor vehicles from the definition of IoT product (see 2403080047). CTIA and NCTA were among other groups seeking tweaks (see 2403070033).

There’s general agreement that the program should be voluntary, based on National Institute of Standards and Technology criteria and with a consumer education focus, said lawyers active in the proceeding. But other questions remain, including who will pay for the education, how to pay for a lead administrator proposed in the draft and who will serve in that role.