Consumer Electronics Daily was a Warren News publication.

Window Opens Wednesday to Become Cyber Mark Administrator

The window for applying to be designated as a cybersecurity labeling administrator (CLA) or lead administrator under the new voluntary cyber-trust mark program will open Wednesday and close Oct. 1, the FCC Public Safety Bureau said Tuesday. The notice provides guidance on the application format, filing fees, selection criteria, the sharing of expenses, lead administrator neutrality and confidentiality and security requirements. The bureau declined imposing “selection criteria” beyond those in an order that commissioners approved 5-0 in March (see 2403140034). As discussed in the order, “authorizing one or more CLAs subject to Commission oversight to handle the routine administration of the program will help to ensure its timely and consistent rollout, and independent third-party CLAs will bring trust, consistency, and an impartial level playing field to the IoT Labeling Program and will provide the required expertise for the administration of the program,” the notice said. Applications will be treated as “presumptively confidential” and the FCC won't assess application fees “at this time,” the bureau said. CLAs will share the cost of a lead administrator, but the bureau declined to lay out how that would work. The commission will “rely on CLAs and the Lead Administrator to determine the sharing methodology, which should be reasonable and equitable and will be subject to ongoing oversight by the Commission,” the notice said. Each applicant must submit an “attestation that it already has created and implemented -- or upon selection will create and implement -- a cybersecurity risk management plan,” the bureau said: Each applicant must show it will comply with agency requirements, as well as demonstrate its “cybersecurity expertise and capabilities, knowledge of [the National Institute of Standards and Technology’s] cybersecurity guidance, and knowledge of federal law and guidance governing the security and privacy of information systems.” The program should be “narrowly tailored to cybersecurity so as not to dilute its effectiveness, confuse consumers, and deter manufacturer participation,” CTA and other groups said in a letter to the FCC. The letter warned against imposing a requirement on disclosures about IoT products and privacy. It was posted Tuesday in docket 23-239. “Expanding required disclosures from cybersecurity risks to privacy topics would dilute the effectiveness of the Mark, risk consumer confusion, and undermine the careful balance that the Commission has struck to provide simple and tailored educational cybersecurity information to consumers,” the filing said. Other groups signing the letter were CTIA, the Information Technology Industry Council and the National Electrical Manufacturers Association. The groups said the regulator should “treat as confidential” both cybersecurity label administrator and manufacturer applications to join the program.