FCC Approves Voluntary IoT Device Labeling, Aims to Impact Market Choice

By Michael M. Amiri | 1Q 2024 | IN-7283

The United States approves a new Internet of Things (IoT) cybersecurity certification program for IoT devices, giving consumers insight into device security features.

New IoT Device Labeling Program Indicates Baseline Security Measures

NEWS


The U.S. Federal Communications Commission (FCC) approved a voluntary Cyber Trust Mark labeling scheme that aims to offer deeper insight into the security of Internet of Things (IoT) devices. The plan is modeled after the Energy Star labeling system by the U.S. Environmental Protection Agency (EPA) and the U.S. Department of Energy (DOE), where appliances are certified for their energy efficiency. Similarly, the IoT certification program envisions a user-friendly label that validates that an IoT device meets the standard security measures developed by the U.S. National Institute of Standards and Technology (NIST). Based on the plan, IoT device compliance verification will be handed over to accredited third-party labs. The FCC is also seeking further public suggestions about the plan, and whether it should require more security standards. For example, at the moment, the requirements do not include encryption, reporting vulnerabilities, or privacy disclosures of devices. This could change as more comments and feedback come in and the program expands its outreach. The program was an anticipated move by the U.S. government, given that many other countries such as the United Kingdom and European Union (EU) member states have passed their own IoT security laws.

Labeling Program Aims to Address IoT Security Flaws via Customer Spending Choice

IMPACT


The U.S. Cyber Trust Mark hopes to raise user cybersecurity awareness, while compelling IoT device manufacturers to address their cybersecurity flaws, especially in small connected home appliances where security is usually an afterthought. Many small IoT appliances, including connected coffee machines, garage door openers, baby monitors, health trackers and many other home appliances, have almost no security features and can easily be infiltrated and used as a point of access to larger networks of devices.

The plan aims to influence manufacturing security designs via customers who will make informed purchasing decisions based on the labels. The IoT cybersecurity logo will be affixed on devices that meet the program’s standards, and will be accompanied by a QR code that, when scanned, reveals more details about the security features of the product. The FCC program requires manufacturers to indicate, among other things, expected software updates, whether default device passwords can be changed, the support period of a device, and whether a Software Bill of Materials (SBOM) has been issued for the device. Therefore, the initiative addresses both the device and the software components of IoT devices.

Embracing IoT Security Essential for Competing in the IoT Device Habitat

RECOMMENDATIONS


While it is too soon to judge the efficacy of the program at this early stage, the Trust Mark label on a device could differentiate a device in a market where security features are a second priority compared with technical features and speed to market for manufacturers. The scheme also provides new market avenues for attestation bodies, while cybersecurity firms can also seize the opportunity to help Original Equipment Manufacturers (OEMs) and industrial manufacturers meet the required guidelines. However, the program will probably face challenges such as a lower understanding of security features among consumers compared with energy labels, and the fact that many IoT devices are bought online, where a physical tag like the Energy Star rating affixed to physical appliances does not exist.

If the program is successful, it has the potential to become law. Because most IoT devices in the United States are imported, this could also negatively impact foreign manufacturers shipping devices to the United States. This could especially impact Chinese IoT device manufacturers such as Huawei or ZTE, or any subsidiaries or affiliates that are on the FCC’s “Covered List.” Companies under the covered list are prohibited from “obtaining an equipment authorization,” meaning that they also cannot apply for the Trust Mark label.

 
