Success of FCC’s IoT Cyber Trust Mark Depends Upon Meaningful Standards, Transparency, and Accountability

The Federal Communications Commission (FCC) has the opportunity to boost consumer confidence in the cybersecurity of Internet of Things (IoT) products through its voluntary U.S. Cyber Trust Mark program (Trust Mark), but only if the standards are meaningful, the process for earning a label is transparent, and those who assign and receive the Trust Mark label are held accountable to meet those standards.

What is the U.S. Cyber Trust Mark?

The Internet of Things is a term used to refer to consumer products that send and receive data through the internet with a sensor or actuator that interacts directly with the physical world, capable of emitting radiofrequency (RF) energy (e.g. Wi-Fi, Bluetooth), for example a smart doorbell that lets you remotely access and control cameras (sensors) and locks (actuators) for your home. IoT devices are not without significant privacy and security implications. The FCC has exempted connected cars, medical devices, and a few other types of IoT products from its Trust Mark program under the current rule.

The U.S. Cyber Trust Mark will be a label that IoT manufacturers can include on their products if they meet certain minimum cybersecurity standards. The FCC oversees this voluntary program, modeled in part after the ENERGY STAR label system and with standards based on an IoT cybersecurity framework developed by the National Institute for Standards and Technology (NIST). This project is also aligned with Strategic Objective 3.2 of the President’s National Cybersecurity Strategy. FCC Chair Rosenworcel announced the program in July 2023, and set a goal of having the program up and running by late 2024; a Notice of Proposed Rulemaking (NPRM) was released in August 2023, and the Report and Order and Further Notice of Proposed Rulemaking (FNPRM) was published in March 2024.

EPIC submitted comments at both the NPRM and FNPRM stages, urging the FCC to, among other things, require any company that wants to be eligible to put the Trust Mark on their products to include specific disclosures about how data is collected and used, including what types of sensors are used to collect data that is highly likely to be sensitive (e.g. audio, visual, biometric, and/or precise location sensors, as outlined by Carnegie Mellon University). The FCC does not currently require these disclosures.

Meaningful Standards Are Necessary Because IoT Cybersecurity Implicates Sensitive Consumer Data, with Disproportionate Impact on Marginalized Populations

The Trust Mark has the potential to raise the bar for cybersecurity standards, assuming that it sets the bar appropriately. EPIC has urged the FCC to ensure the Trust Mark makes accommodations for populations especially vulnerable to deficient cybersecurity practices. Encouragingly, the FCC will require an entire product and not merely a discrete device to be subjected to testing before it can earn the Trust Mark. The FCC has also indicated that it plans to rely heavily on NIST’s criteria but has not made a commitment to require Trust Mark recipients to disclose information about the sensors present on a device or about what types of data that device collects.

EPIC stressed to the FCC the importance of ensuring the processes for evaluating cybersecurity and for educating consumers does not leave out populations traditionally overlooked by the tech sector, for example persons with disabilities and survivors of domestic violence. EPIC urged the FCC to ensure the consumer disclosures required for a manufacturer to earn the Trust Mark are accessible and machine readable, and to require that they include information about risks related to device misuse by an abuser to surveil or control their intended victim. EPIC noted that the FCC is charged with protecting safety of life, which goes beyond national security concerns and includes personal safety concerns.

In order to determine whether a given product meets the requirements to bear the Trust Mark, the FCC will select a Lead Administrator to promulgate standards designed to represent NIST’s criteria and to establish the process by which Cybersecurity Label Administrators (CLAs) will evaluate whether those standards have been met. The FCC has required a two-step process for this evaluation regime: first an ISO/IEC-accredited lab will review the product and producing a report on its own test, and then second a device manufacturer will submit an application to an FCC-recognized CLA to certify the product is fully compliant.

The NIST IoT cybersecurity Core Baseline includes 10 criteria:

• asset identification;
• product configuration;
• data protection;
• interface access control;
• software update;
• cybersecurity state awareness; and the following IoT Product Developer Activities:
• documentation;
• information and query reception;
• information dissemination; and
• product education and awareness.

Significantly, the FCC rule will requires the entire product chain to be tested and not merely the discrete device offered by the manufacturer. This matters because, as EPIC and Consumer Reports noted, any cloud storage or backend apps that are necessary to use the device should also meet cybersecurity standards if the device is to be sold with the Trust Mark on it. Otherwise consumers could lose trust in the Trust Mark because insecure aspects of the product compromising their use of the device itself.

The Commission opted to implement a binary label (either the product has the Trust Mark or it doesn’t, there’s no gold/silver/bronze tiering), with layered disclosures via QR code that links to a registry with more detailed cybersecurity information. EPIC urged the Commission to implement a two-tiered label that is machine readable and in a traditional nutrition label format. This would include a primary label with high-level information about the types of data the device is capable of collecting (e.g. what sensors), and a more robust secondary label that provides consumers and advocates with more detailed information, such as whether a survivor of domestic violence can disable an abuser’s access to the device even if the survivor is not listed as the named owner of the device.

Next Steps in the Cyber Trust Mark Process: Transparency and Accountability in Earning the Label and Post-Market Auditing

The next step in this process is for the FCC to select a Lead Administrator for the Trust Mark, and to select other Cybersecurity Label Administrators (CLAs). These entities play a key role not only in evaluating devices for the label in the first place, but also in post-market auditing to ensure manufacturers who earn the Trust Mark continue the practices required to maintain it. The FCC has also made commitments regarding its enforcement of deficiencies found, and taken a position against the Trust Mark acting as a safe harbor for cybersecurity-related tort liability. The FCC has indicated that it will work with counterparts in Europe and in Japan to facilitate alignment (“ensure interoperability”) of cybersecurity requirements in IoT products originating from those regions as well.

The FCC has indicated that the Lead Administrator will be responsible for proposing a post-market surveillance program (in collaboration with the CLAs and other stakeholders), in addition to its responsibilities discussed above in developing standards and an evaluation system to determine whether those standards have been met. The Lead Administrator will be selected from among CLA applicants. The Lead Administrator will also be responsible for reviewing labs seeking accreditation. CLAs will be responsible for receiving and addressing complaints from the public about products that seem to fail to meet the Trust Mark’s requirements.

The FCC will allow a manufacturer acting in good faith 20 days to cure identified deficiencies before revoking their authorization to use the label on the offending product, which could include removing the Trust Mark from marketing materials and removing products still containing the Trust Mark from retail stores. The FCC left the details of this to its Public Safety and Homeland Security Bureau to determine. The FCC also declined to assert that being approved to use the Trust Mark would serve as a safe harbor from tort liability for cybersecurity deficiencies, although it noted that achieving the Trust Mark should serve as an indicium of reasonableness.

Looking ahead, the FCC must still select its Lead Administrator and its initial cohort of CLAs. The FCC plans to work in conjunction with the European Union and Japan to align strategies on technology and commerce as they relate to IoT cybersecurity, which may inform how the Lead Administrator establishes what the standards will be and what the process will look like for evaluating how those standards are met.

EPIC plans to continue to urge the FCC to ensure the standards are meaningful, the process for earning a label is transparent, and the recipients who fail to meet the Trust Mark’s minimum cybersecurity standards (and those labs who accredited those manufacturers) are held accountable for the resulting harm to consumers and to trust in the market.