Cyber Mark Order Includes Commissioners' Numerous Changes
The FCC released the Further NPRM attached to its order on a voluntary cyber trust mark program, which commissioners approved 5-0 last week (see 2403140034). The final order includes numerous other tweaks to the draft, addressing security and excluding motor vehicles and related equipment. The order and FNPRM were posted in Monday’s “Daily Digest.”
“We seek comment on whether we should require manufacturers to disclose to the Commission whether firmware and/or software were developed and manufactured in a ‘high-risk country,’ as well as where firmware and software updates will be developed and deployed from,” the FNPRM says. “We also seek comment on requiring manufacturers to disclose to the Commission whether the data collected by the product is stored in or transits a high-risk country or countries.”
The cyber mark label will appear on consumer IoT products accompanied by a QR code, comparable to the ENERGY STAR program, which certifies products as energy efficient. The program is based on National Institute of Standards and Technology criteria.
Other questions in the FNPRM probe the kind of information manufacturers would have to disclose. “Alternately, should the fact that software or firmware originates from such countries, that data will be stored in such countries, or that products can be remotely controlled by servers within such countries, make products ineligible for the label altogether?” Comment dates are to come in a Federal Register notice.
Commissioner Nathan Simington said last week he requested the questions be posed. Simington wants the program to cover “computers, smartphones, routers and non-consumer devices generally.”
The FCC made a change sought by the Alliance for Automotive Innovation (see 2403080047). The draft already excluded medical devices, on grounds that the Food and Drug Administration regulates them.
The final order excludes motor vehicles and motor vehicle equipment “given that the National Highway Traffic Safety Administration ‘has the authority to promulgate motor vehicle safety regulations on cybersecurity and has enforcement authority to secure recalls of motor vehicles and motor vehicle equipment with a safety-related defect, including one involving cybersecurity flaws.’”
Commissioners also added a security dimension to the five elements the draft proposed a company must certify, under penalty of perjury, before displaying the mark. The three security elements require that the applicant “has taken every reasonable measure to create a securable product” and will, until the end of the disclosed support period, “diligently identify critical vulnerabilities” and “promptly issue software updates correcting them.” Other parts of the order were also tweaked to put more emphasis on device makers supporting updates that address security vulnerabilities.
In another change, the order now directs the lead administrator to “collaborate with Cybersecurity Label Administrators (CLAs) and other stakeholders (e.g., cyber experts from industry, government, and academia) as appropriate and recommend” changes to the FCC “within 45 days of publication of updates or changes to NIST guidelines, or adoption by NIST of new guidelines.”
The order clarifies that the program covers “data communications links” but excludes “external components and any external third-party components that are outside the manufacturer’s control.” The order cites CTIA advocacy for additional clarity (see 2403070033).
The order delegates authority to the FCC Public Safety Bureau to issue a notice seeking applications to serve as a CLA or as the lead administrator. Language was tweaked to direct the lead administrator to “provide equitable recommendations to the Commission to encourage the broadest possible participation of CLAs within the parameters of the FCC’s rules.” The final order directs the bureau to “adopt additional criteria and procedures in the event the Lead Administrator must be replaced or chooses to withdraw.”
The draft proposed that CLAs could charge a reasonable fee to cover the cost of reviewing applications and “the costs of conducting the other tasks the CLA would perform.” The final order adds text delegating to the Public Safety Bureau, working with the Office of Managing Director, authority “to review and reconsider, if necessary, whether the level and structure of the fees should be regulated by the Commission.”
Aggrieved parties would have 60 days to challenge a CLA decision. Commissioners added language saying CLAs “should respond within 10 business days to a request for review.” The order now directs the lead administrator to work with “stakeholders” on whether the cyber mark label design “should include the date the manufacturer will stop supporting the product as well as whether including other security and privacy information (e.g. sensor data collection) on the label would be useful to consumers.”