Public Safety and Homeland Security Bureau Announces 15-Business Day Filing Window for Cybersecurity Labeling Administrator and Lead Administrator Applications

SUPPLEMENTARY INFORMATION:

This is a summary of the Commission's document in PS Docket No. 23-239, released September 10, 2024. The full text of this document is available by downloading the text from the Commission's website at: https://docs.fcc.gov/public/attachments/DA-24-900A1.pdf.

The Commission has determined, and the Administrator of the Office of Information and Regulatory Affairs, Office of Management and Budget, concurs, that this rule is “non-major” under the Congressional Review Act, 5 U.S.C. 804(2). The Commission will send a copy of this Report & Order to Congress and the Government Accountability Office pursuant to 5 U.S.C. 801(a)(1)(A).

Synopsis

1. By this document, the Federal Communications Commission's (FCC or Commission) Public Safety and Homeland Security Bureau (Bureau) announces a 15-business day filing window for applications from entities seeking designation by the Commission as a Cybersecurity Labeling Administrator (CLA) and Lead Administrator. The Bureau also provides determinations regarding application format, filing fees, selection criteria, sharing of expenses, Lead Administrator neutrality, and confidentiality and security requirements in this document.

I. Background

2. In March 2024, the Commission established a framework for a voluntary cybersecurity labeling program for consumer wireless Internet of Things (IoT) products (IoT Labeling Program), which includes selecting third party administrators to support the program. The Commission delegated authority to the Bureau to open an initial filing window to receive applications from entities seeking authority to be recognized as a CLA and those seeking to be recognized as the Lead Administrator (see Cybersecurity Labeling for Internet of Things, 89 FR 61242 (July 30, 2024) ( IoT Labeling Order )). CLAs will be authorized by the Commission to certify use of the FCC IoT Label, which includes the U.S. government certification mark (U.S. Cyber Trust Mark), by manufacturers whose products are found to be in compliance with the Commission's IoT cybersecurity labeling program rules. The Lead Administrator will, among other duties, act as liaison between the Commission and CLAs, conduct stakeholder outreach to identify and/or develop and recommend to the Bureau technical standards and testing procedures for at least one class of IoT products, and in collaboration with CLAs, the FCC, and other stakeholders, develop and execute a plan for a consumer education campaign.

II. CLA and Lead Administrator Applications

A. Format of CLA and Lead Administrator Applications

3. In a public notice released in June, 2024 the Bureau proposed that applications be submitted in narrative format via email and sought comment on this tentative determination (see Public Safety and Homeland Security Bureau Requests Comment on Implementation of the Cybersecurity Labeling for Internet of Things Program, 89 FR 58312 (July 18, 2024), at 58313 ( June 2024 IoT Labeling Public Notice)). We continue to believe that the information to be submitted by entities applying to be a CLA or Lead Administrator lends itself to a narrative discussion of their qualifications and adopt the narrative format proposed. While ioXt argues that a fillable form would better ensure uniformity among applications, we believe the evaluation criteria and CLA/Lead Administrator responsibilities in the IoT Labeling Order are specific enough to allow for tailored applicant responses and comparative evaluation by the Commission at this time. In addition, as outlined by the Wi-Fi Alliance, “. . . a narrative format will better allow CLA applicants to describe in detail their expertise, the types of cybersecurity assessments in which they are involved, and how those activities and other qualifications will enable them to perform the CLA role. Because all these attributes are imperative to the performance of CLA responsibilities, a narrative will best allow the Commission to assess applicant qualifications.” UL Solutions also supports a narrative-format application, noting that this format will allow applicants to provide the detailed information needed to support their applications. TÜV SÜD also commented that email is functional, and that a fillable form, while helpful for clarification, should also include a narrative text field so applicants can add relevant information. One commenter, ioXt, expressed concern that a “narrative email” may require additional communication between staff and applicants to obtain all necessary information to evaluate an application. We note that an enumeration of the evaluation criteria, and additional application instructions, including a “Frequently Asked Questions” link, are also provided below in this document and will provide further guidance to applicants. Further, the Bureau has considered and anticipates that staff may need to respond to applicant questions during the application review process and has designated staff for that purpose below.

4. Entities applying to be a CLA or the Lead Administrator must file a narrative explanation of their qualifications to the Office of the Secretary. Consistent with the record, we determine that CLA and Lead Administrator applications and supporting documentation shall be treated as presumptively confidential. Each page of the application must be clearly and conspicuously labeled “CONFIDENTIAL, NOT FOR PUBLIC INSPECTION.” As we expect applications will contain commercially sensitive and proprietary information that the Commission routinely treats as confidential, applications shall remain presumptively confidential, regardless of disposition of the application. We decline to publish applications as a matter of course, including for those entities selected as CLAs or the Lead Administrator. We disagree with commenters who argue that the value of understanding CLA methodologies outweighs confidentiality protections, as Commission evaluators will still have the opportunity to review the applicant's testing methodologies submitted to the agency. Maintaining the presumptive confidentiality of CLA and Lead Administrator applications, including those applications that are approved by the Bureau, will provide applicants with assurances that the commercially sensitive business information they submit in conjunction with their voluntary participation in the FCC's Program will not be publicly disclosed. We believe maintaining the presumptive confidentiality of these applications will encourage additional entities to submit applications for these voluntary roles. Thus, in announcing the entities selected as CLAs and Lead Administrator, we only plan to make public the entity's name and their contact information.

5. While the Bureau will review the narrative applications received via email, we seek to leverage existing procedures, including records management, by building on a framework for the filing of confidential materials that the Commission has used in the past. Consistent with that historical approach, applicants must file the application and supporting materials with the Office of the Secretary either via hand or messenger delivery, by commercial overnight courier, or First-Class or overnight U.S. Postal Service mail. A copy must be sent to the Bureau via email as a password protected .pdf file to CyberTrustMark@fcc.gov. Additional instructions on submitting applications are provided below.

B. FCC Filing Fees for CLA and Lead Administrator Applications

6. In the June 2024 IoT Labeling Public Notice, the Bureau sought comment on whether a filing with the Commission by an entity that is seeking to be a CLA or Lead Administrator constitutes an application under section 8 of the Communications Act, and if so, whether an existing FCC fee category would cover such applications or if a new application fee category should be established. In addition, the Bureau sought comment on what fee the Commission should charge in connection with such a filing, if applicable. Commenters do not opine on whether it is appropriate to charge application fees. The Association of Home Appliance Manufacturers (AHAM), however, explains that if fees are charged, they “should not be cost prohibitive to the point where it unnecessarily limits those entities that wish to apply.” TÜV SÜD does not comment on whether a fee should be assessed, but does indicate that if a fee is assessed, the Commission should set a new fee category.

7. In this instance, our IoT Labeling Program derives in part from our authority to hold and utilize a registered certification mark. In reviewing applications to be a CLA or Lead Administrator, we therefore are not acting solely under our Communications Act authority, but also to protect our registered certification mark. Given this dual role, at this time, we do not believe that the nature of our review of the applications is such that they should be subject to an application fee. We recognize that the process for applying to be a CLA or Lead Administrator may evolve with time. As such, we do not wholly foreclose adopting application fees in the future. Given these facts coupled with the lack of support in the record, the Bureau will not assess FCC application fees on CLA and Lead Administrator applications at this time.

C. Bureau Selection of Cybersecurity Label Administrators and the Lead Administrator

8. The Bureau declines to expand the CLA and Lead Administrator selection criteria beyond what is set out in the IoT Labeling Order. In the June 2024 IoT Public Notice, the Bureau sought comment on whether there are additional areas of expertise or specific requirements a CLA applicant should be required to demonstrate in addition to those listed in the Order. The Bureau also asked what additional criteria, if any, the Bureau should take into consideration during the Lead Administrator selection process, as well as safeguards the Bureau might adopt to ensure the stakeholder process remains competitively neutral and whether all selection criteria should be weighted the same.

9. NCTA suggests that “when selecting a Lead Administrator, the Bureau should consider candidates' ability to maintain the Program's integrity when translating the substantive technical security requirements into recommended standards and test procedures, and do so without creating unnecessary deterrents for manufacturer participation in the Program.” We agree that a Lead Administrator's maintenance of the Program's integrity during the 90-day stakeholder process and resulting recommendations is very important to the success of the Program. However, the Bureau finds that the criteria outlined in the IoT Labeling Order are sufficient to ensure the selected Lead Administrator has the technical experience and the high integrity expected of an entity supporting an FCC program. This position is supported by UL Solutions, which states the “[ IoT Labeling Order] did not neglect any important considerations for assessing the qualifications of organizations to serve as CLAs or as the Lead Administrator.” We believe that the public/private partnership and close collaboration between industry and other stakeholders contemplated in the IoT Labeling Order, along with the Commission's oversight, will ensure that there are adequate guardrails to maintain the Program's integrity in this regard.

10. NCTA also encourages the Bureau to evaluate Lead Administrator applications for their ability to avoid conflicts of interest, including any relationships the Lead Administrator applicant may have that could create the appearance of impropriety or a conflict of interest, such as complaints from manufacturers, and suggests evaluating whether Lead Administrator applicants have the financial resources to avoid such conflicts going forward. We disagree that it is necessary to take additional measures when evaluating applications for this purpose. Existing application criteria require an applicant to describe their organization structure, including an explanation of how it will avoid personal and organizational conflict when processing applications, and demonstrate implementation of controls to eliminate actual or potential conflicts of interests (both personal and organizational), to remain impartial and unbiased. In addition, the Future of Privacy Forum urges the Bureau to “consider requiring program administrators to possess relevant privacy expertise as well as cybersecurity expertise.” We agree that privacy is an integral aspect of cybersecurity, and note that existing application criteria require applicants to possess both privacy and cybersecurity expertise, including demonstrated expert knowledge of the National Institute of Standards and Technology (NIST) cybersecurity guidance and recommended criteria and labeling program approaches, which include privacy among their core cybersecurity capabilities.

11. We also note that the Wi-Fi Alliance recommends that in addition to demonstrating their “[e]xpert knowledge of FCC rules and procedures associated with product compliance testing and certification,” CLA applicants also demonstrate their experience in this area. Wi-Fi Alliance recognizes that while a lack of current experience with developing and implementing security standards should not be disqualifying, it would serve the public interest for the Bureau to include this “additional requirement, particularly concerning specific IoT products where cybersecurity standards have already been developed and tested.” The Wi-Fi Alliance encourages the Bureau to give a preference to CLA applicants with this experience. The Bureau declines to require applicants to demonstrate previous experience with FCC rules and procedures associated with product compliance testing and certification as a condition precedent to being an approved CLA or give preference to CLA applicants with this experience. In particular, applicants are always encouraged to provide any additional information that helps demonstrate their expertise or experience under the relevant criteria and, providing examples of an applicant's experience where applicable, in general, will provide more information from which the Bureau can evaluate an application. Additionally, CTIA proposes criteria for evaluating CLA applications to include a minimum of 5-10 years of experience managing a cyber certification program and proven experience in running or participating in a working group on cybersecurity standards. While we agree that this set of criteria can be useful to demonstrate a “proven track record,” we are concerned that requiring such specific criteria may unnecessarily exclude applicants that otherwise may have appropriate knowledge and expertise. Therefore, we decline to adopt this recommendation.

12. We conclude that we will maintain the criteria as set out in the IoT Labeling Order for the initial round of CLA and Lead Administrator applications. The Bureau, jointly with OMD and, to the extent necessary, Office of General Counsel, will receive and review administrators' applications for compliance with each criteria set forth in the IoT Labeling Order and to best ensure the success of the program. We note that UL Solutions recommends certain requirements be defined in greater detail to avoid subjective determinations, but we believe that the IoT Labeling Order provided a comprehensive list of required criteria that covers the breadth of expertise and capabilities necessary to select a CLA and Lead Administrator at this early stage of the program and is neutral toward applicants. Further, as noted above, applicants are not limited to providing the required criteria listed in the IoT Labeling Order, but have the flexibility to offer additional expertise or selection criteria they believe are pertinent and support their application ( e.g., expected costs/budget for Lead Administrator to carry out their responsibilities, information to support their ability to carry out the respective responsibilities, etc.). Should the Bureau conclude that it would be appropriate to open subsequent filing windows, we may seek comment on, and consider adoption of, additional selection criteria at that time.

13. As discussed in the IoT Labeling Order, authorizing one or more CLAs subject to Commission oversight to handle the routine administration of the program will help to ensure its timely and consistent rollout, and independent third-party CLAs will bring trust, consistency, and an impartial level playing field to the IoT Labeling Program and will provide the required expertise for the administration of the program. Leveraging the expertise of multiple existing program managers and using pre-existing systems and processes that meet our program specifications will minimize administrative delay and ensure the Commission effectively utilizes the expertise of those entities who have made investments in their own cybersecurity labeling programs. Entities that have experience working with manufacturers and IoT conformity and standards testing, as required in the criteria adopted in the IoT Labeling Order, will also best be able to promote an efficient and timely rollout of the IoT Labeling Program.

14. We disagree with CTIA's suggestion that the Bureau adopt a flexible approach with respect to International Organization for Standardization/International Electrotechnical Commission (ISO/IEC) 17065 accreditation requirements for CLAs with a certain level of experience to avoid unnecessary costs and delays. CTIA posits that “[accreditation] can be costly and time-consuming to obtain and is unnecessary for prospective CLAs that have demonstrated track records in managing similar certification programs.” Instead, CTIA proposes for entities with at least 5-10 years of experience running certification programs, ISO/IEC 17065 accreditation should be optional. In contrast, A2LA submits that the “ISO/IEC 17065 accreditation requirement will be of benefit to the FCC and the consumers it serves by providing necessary risk mitigation . . . Claiming a certain number of years' experience is not equivalent to demonstrating technical competence or compliance.” The IoT Labeling Order and accompanying rules require that all CLAs obtain ISO/IEC 17065 accreditation to the Commission's scope within six months of the effective date of the adopted standards and testing procedures. The Commission previously determined that “leveraging accredited industry bodies to perform conformity assessments will `speed the establishment of the program and increase the program's ultimate quality.' ” As such, we decline to adopt CTIA's suggested exemption. Alternatively, CTIA recommends an 18-month grace period to obtain such accreditation, for entities that have a proven track record of successfully managing a certification program. The Commission recognized it would take time for selected CLAs to obtain ISO/IEC 17065 accreditation and for that reason found it appropriate to conditionally approve CLAs and allow an additional six months for selected administrators to obtain accreditation. While we decline to adopt a blanket 18-month grace period, we are mindful that some entities may require more than six months to obtain accreditation. We think the Commission's existing rule waiver procedure is an appropriate and sufficient vehicle for CLAs that cannot meet the accreditation deadline to request a waiver of the rule along with their requested extension period.

15. We also disagree with CTA's suggestion that conditional approval of CLA applications will allow CLAs to certify products to use the FCC IoT Label before obtaining ISO/IEC 17065 accreditation to the Commission's scope. The Commission indicated that CLA applications will be conditionally approved in order to expedite initial deployment of the FCC's program. However, CLAs that have not demonstrated that they have received ISO/IEC 17065 accreditation to the Commission's scope will not be recognized and approved by the Bureau to receive applications or otherwise approved to authorize use the FCC IoT Label.

16. It is premature for the Bureau to address the specific scope of the Commission's accreditation program as the standards and testing procedures have not yet been adopted. However, we emphasize that each CLA will be required to obtain ISO/IEC 17065 accreditation to the FCC scope before it will be recognized by the Commission as an entity authorized to certify a product as being compliant with FCC IoT Labeling Program rules and authorize use of the FCC IoT Label consistent with the IoT Labeling Order.

D. Lead Administrator Expenses Shared Among CLAs

17. The June 2024 IoT Labeling Public Notice sought recommendations for an effective mechanism for CLAs to share the Lead Administrator's expenses. Parties are generally in agreement that Lead Administrator startup costs will be higher than the Lead Administrator's ongoing costs once the program is stood up and should be reflected in the CLA's cost sharing obligations. UL Solutions recommends an initial standup fee for the Lead Administrator and a per-certificate fee going forward. The Wi-Fi Alliance recommends the Lead Administrator submit to the Bureau a claim for expenses incurred in the performance of its duties, which if approved, would be shared proportionally among the CLAs, with the proportionality being based on the annual number of products the CLA certifies to use the FCC IoT Label. The Wi-Fi Alliance notes that Lead Administrator expenses subject to sharing by the CLAs should be limited to those “that are unique to the Lead Administrator as Lead Administrator,” and not related to its activities as a CLA.

18. The Bureau recognizes that the Lead Administrator's expenses incurred as a result of the performance of its duties under this program must be reasonable and accurately reflect its actual costs. In addition, it is also important to ensure each CLA shares in the Lead Administrator's costs as required by the IoT Labeling Order and that the costs shared reflect the Lead Administrator's actual and reasonable expenses incurred as a result of performance of its Lead Administrator duties and only those expenses incurred in its capacity as Lead Administrator. To ensure this occurs, the Lead Administrator is required to implement internal controls adequate to ensure its operations maintain best practices to protect against improper payments and to prevent fraud, waste, and abuse in its handling of funds. Once selected, the Lead Administrator will also submit to the Bureau and OMD, an estimate of its forward-looking costs including, separately, program stand-up costs and ongoing program costs to perform the Lead Administrator duties for the Lead Administrator's upcoming calendar year, which will be reviewed by CLAs, PSHSB, and OMD for reasonableness, and if determined to be reasonable by PSHSB and OMD, will be used to estimate the overall CLA cost sharing obligation.

19. Consistent with the IoT Labeling Order, each CLA will share in these Lead Administrator costs, however, we decline to establish the methodology for such cost sharing and instead rely on CLAs and the Lead Administrator to determine the sharing methodology, which should be reasonable and equitable and will be subject to ongoing oversight by the Commission. Further, we require the Lead Administrator to submit to the Bureau and OMD, an annual, independently audited, statement of program expenditures and monies received from the CLAs due before the end of the calendar year. The Bureau will provide further guidance on CLA cost sharing once the CLAs and the Lead Administrator have been selected.

E. Lead Administrator Neutrality

20. Neutral Treatment of CLAs and Other Stakeholders. In the IoT Labeling Order, the Commission recognized the competitive implications of an entity being both the Lead Administrator and a CLA. The June 2024 IoT Labeling Public Notice sought comment on what safeguards, if any, the Bureau should adopt to ensure Lead Administrator neutrality as a potential competitor of other CLAs. The Bureau also asked whether there are additional safeguards, beyond those contemplated in the IoT Labeling Order, the Bureau should adopt to ensure the stakeholder engagement process and related recommendations the Lead Administrator makes to the Commission ( e.g., standards and testing criteria and label design) are consensus-based and competitively neutral.

21. Commenters emphasize the importance of ensuring Lead Administrator neutrality to prevent actual, as well as perceptions of, unfair economic advantage by the Lead Administrator over other CLAs, and support adopting reasonable safeguards to do so. We share ioXt's concern that if the Lead Administrator gained an economic advantage by passing on fees to other CLAs, for example, CLAs would have to raise their prices, which would pass on the costs to the manufacturers, and then on to consumers. In order to ensure impartiality, A2LA recommends considering ISO/IEC 17065 requirements, which describe a mechanism (often a committee) for safeguarding impartiality and assuring a competitively neutral environment between the Lead Administrator, CLAs, and other stakeholders. TÜV SÜD also recommends that Lead Administrator neutrality be evaluated on a yearly basis, with the possibility of triggering an investigation by the Commission and revocation of Lead Administrator designation. Infineon suggests requiring a “firewall” to separate the Lead Administrator from its role as CLA, similar to those instituted by law firms to avoid conflicts between multiple clients' interests. Somos, Inc. recommends applying relevant rules from its role as the North American Numbering Plan Administrator to the Lead Administrator, including impartial allocation of resources, transparency, non-discrimination, avoidance of conflicts of interest, and compliance with regulations.

22. We agree that ensuring Lead Administrator neutrality “is critical to maximizing the Program's credibility and fostering trust among stakeholders,” and we believe the IoT Labeling Order sufficiently addresses the concerns raised in the record. We note that the requirement that the Lead Administrator be accredited to ISO/IEC 17065 will ensure that the entity is appropriately aligned with those impartiality mechanisms. Further, we require all CLA applicants, including those applying to be the Lead Administrator, to demonstrate implementation of controls to eliminate actual or potential conflicts of interests, including remaining impartial and unbiased. The Bureau will evaluate such applications to ensure rigorous compliance with these criteria. We also note that approval of the Lead Administrator may be subject to withdrawal by the Commission upon a determination of just cause, and this includes failing to follow those impartiality requirements. The Lead Administrator must be committed to neutrality and impartiality, consistent with the IoT Labeling Order. Because we anticipate those measures will be sufficient, we are not persuaded of the need to adopt additional requirements at this time.

23. Finally, CTA proposes asking prospective CyberLABs and CLAs to attest that they meet the requirements in the (draft) CTA-2119 Scheme Assessment Framework, as an industry consensus standard to preserve neutrality when assessing applicant entities. We decline to adopt this requirement at this time, given that the draft CTA-2119 Framework has not undergone public notice and comment. However, we may reconsider this proposal at a later date, once the Labeling Program's standards and testing procedures have been finalized.

24. Transparency in 90-day Stakeholder Process. As an initial matter, we emphasize that the IoT Labeling Order requires the Lead Administrator to “provide equitable recommendations to the Commission to encourage the broadest possible participation of CLAs within the parameters of the FCC's rules.” Therefore, while we believe it is premature to adopt additional rules in this regard, we note that UL Solutions emphasizes the importance of transparency in the stakeholder collaboration process, stating that the Lead Administrator should invite a wide variety of stakeholders and ensure they all have sufficient opportunity to have their views heard and participate in manageable working groups. Further, UL Solutions states that recommendations made to the Commission should also include dissenting views and how those dissenting views were addressed, which would be considered in the final rules adopted by the Commission. UL Solutions also recommends the importance of a clear and transparent process to shield the Lead Administrator from accusations or perceptions of bias when recognizing accredited CyberLABs. TÜV SÜD similarly proposes safeguards, such as a mandatory consultation round before making critical decisions regarding recommendations to the Commission.

25. While we do not adopt additional guardrails at this stage, we reiterate the position in the IoT Labeling Order that the Lead Administrator should ensure participation from a wide variety of stakeholders and consider various resources when developing the IoT Labeling Program recommendations. As noted above, ISO/IEC 17065 accreditation is required for all CLAs, including the Lead Administrator, and adherence to that standard requires the convener of working groups to develop recommendations (here, the Lead Administrator), and achieve a balanced representation of interests, such that no single interest predominates. We agree that transparency in the 90-day stakeholder process is of the highest importance and the Bureau expects to provide additional guidelines on that process when it announces the selection of CLAs and the Lead Administrator.

F. Confidentiality and Security Requirements

26. The Bureau adopts its proposal from the June 2024 IoT Labeling Public Notice that manufacturer applications submitted to CLAs are presumptively confidential and CLAs are required to maintain this confidentiality. CLAs will be required to maintain the confidentiality of non-public information received as part of an application for authority to use the FCC IoT Label, and must implement appropriate administrative, technical, procedural, and physical safeguards to protect the confidentiality of information received by the CLA and protect against the unauthorized disclosure and unauthorized use of non-public information received as a result of its participation in the FCC IoT Labeling Program.

27. We agree with commenters that the program would benefit from a presumption of confidentiality for filings and related information provided to CLAs from applicants seeking use of the FCC IoT Label, which would encourage manufacturer participation and protect proprietary technology and trade secrets. We disagree with commenters that such a presumption of confidentiality is not necessary due to the public-facing nature of the label. While this is true for product information required to be disclosed in the registry if approval is granted, this would not be the case for products that are denied authorization to bear the FCC IoT Label. In addition, as discussed above, we expect that applications submitted to the Commission by CLAs will also continue to be treated as presumptively confidential. We emphasize here that information submitted by manufacturers to CLAs, the Lead Administrator, and/or CyberLABs, in the course of seeking authority to use the FCC IoT Label, including but not limited to applications and test reports, and information submitted to the Lead Administrator by a lab seeking recognition as a CyberLAB ( i.e., authorized to conduct conformance testing under the Commission's IoT Labeling Program) are not agency records of the Commission. Only information submitted to the Commission, such as submissions in furtherance of applications by entities seeking authority from the Commission to be a CLA and/or Lead Administrator, are records of the Commission.

28. In the June 2024 IoT Labeling Public Notice, the Bureau tentatively concluded that the requirements of the Federal Information Security Modernization Act of 2014 (FISMA) apply to the Lead Administrator and CLAs. Some commenters oppose a FISMA requirement, stating that it would “strongly discourage CLAs from applying to the program,” and that FISMA has not been applied by other agencies supporting analogous programs, such as the Health and Human Services Department's Office of the National Coordinator's (ONC) certification program for health IT products. While we acknowledge these concerns, alone, they are not dispositive for not applying FISMA.

29. FISMA was enacted to ensure that each federal agency develops, documents, and implements an agency-wide program to secure federal information systems from unauthorized access, use, disclosure, disruption, modification, or destruction. Given this scope, we reconsider our tentative conclusion to apply FISMA to CLAs and the Lead Administrator and determine that, as presently contemplated, neither the CLAs nor the Lead Administrator will operate an information system on behalf of the agency. That is so because the Commission has no plans to establish any interconnection between its systems and the Lead Administrator's or CLA's information systems; indeed, the FCC does not expect to routinely request, obtain access to, otherwise collect, use, process, or maintain the data or information held by the Lead Administrator or the CLAs, excepting for investigative purposes. Moreover, although the Lead Administrator will receive information from CLAs and applicant manufacturers necessary for it to carry out its responsibilities under the FCC's program, and CLAs will receive and evaluate applications and supporting data from applicant manufacturers, this, without more, does not mean that the Lead Administrator or CLAs are managing their information systems “on behalf of” the FCC.

30. Nevertheless, we agree with NCTA that “[c]lear guidelines, safeguards, and protocols for handling confidential information should be established to prevent unauthorized disclosure” and believe that other mature security frameworks may be applied to CLAs and the Lead Administrator to reduce the risk of unauthorized access, use, disclosure, disruption, modification, or destruction of program data. Accordingly, we require that all CLAs and the Lead Administrator create, update, and implement cybersecurity risk management plans. Such a cybersecurity risk management plan must identify the cyber risks that the entity faces, the controls used to mitigate those risks, and the steps taken to ensure that these controls are applied effectively to their operations. The plans must also describe how each entity employs its organizational resources and processes to ensure the confidentiality, integrity, and availability of its information and information systems. These requirements are consistent with the National Cyber Strategy and are in keeping with a whole-of-government effort to “establish cybersecurity requirements to support national security and public safety.” We expect that creating, updating, and implementing a cybersecurity risk management plan will help protect each CLA and the Lead Administrator from serious national security threats.

31. We note that, under this approach, each entity has flexibility to structure its cybersecurity risk management plan in a manner that is tailored to its operations after consideration of a variety of factors, provided that the plan demonstrates that the entity is taking affirmative steps to analyze security risks and improve its security posture. We further note that an entity could successfully demonstrate satisfaction with this requirement by following an established risk management framework, such as the NIST Cybersecurity Framework (CSF) or Risk Management Framework (RMF). CLAs and the Lead Administrator security plans should be informed by established cybersecurity best practices such as the standards and controls set forth in the Cybersecurity and Infrastructure Security Agency (CISA) Cybersecurity Cross-sector Performance Goals and Objectives (CISA CPGs), ISO/IEC 27001, NIST Special Publication 800-53 (rev 5), or the Center for Internet Security Critical Security Controls (CIS Controls) version 7.1 or later. These frameworks are designed to be scalable and adaptable to the needs and capabilities of companies both large and small, are well understood by industry, and are flexible. CTIA and CTA argue compliance with a commercial equivalent framework to FISMA, such as ISO 27001 can “take a year or more at a cost upwards of $100,000.” However, these cost and timelines would not apply to this program, because while we require entities to implement security plans reflecting standards and controls, such as ISO/IEC 27001, we do not specifically require a CLA or the Lead Administrator to be certified to ISO/IEC 27001. Moreover, we expect that many entities in the industry that might seek to be CLAs or the Lead Administrator will have adopted plans along the lines we require here and may have obtained such certifications in the ordinary course of business. And in any event, we find that any costs that might be incurred by an entity seeking to be a CLA or Lead Administrator are outweighed by the benefits that will redound to such entities themselves, the industry more broadly, and U.S. national security from our requiring such entities to take these steps to protect the confidentiality, integrity, and availability of the information they hold—including from other entities in the industry—and the information systems they maintain. We expect risk management plans to contribute to the CLAs' and the Lead Administrator's existing internal security practices that maintain the confidentiality, integrity, availability of all information received in support of this program without significantly increasing the time or costs of participation.

32. We additionally require each applicant seeking to serve as a CLA or Lead Administrator to submit with its application an attestation that it already has created and implemented—or upon selection will create and implement—a cybersecurity risk management plan as described above—which will demonstrate compliance with these requirements as well as the entity's cybersecurity expertise and capabilities, knowledge of NIST's cybersecurity guidance, and knowledge of federal law and guidance governing the security and privacy of information systems. We also require that CLAs and the Lead Administrator make such cybersecurity risk management plans available to the Commission upon request. Access to cybersecurity risk management plans will allow the Commission to confirm whether plans are being regularly updated, to review a specific plan as needed, or to proactively review a sample of plans to confirm they sufficiently identify the cybersecurity risks to the Lead Administrator and CLAs in this program. In such circumstances, cybersecurity risk management plans would be presumptively confidential.

III. Who May Apply

33. Any domestic, independent, non-governmental entity eligible to enter into a licensing agreement with the FCC may apply for the role of CLA and/or Lead Administrator; however, an applicant cannot be owned or controlled by, or affiliated with, any entity that produces equipment on the FCC Covered List or is otherwise prohibited from participating in the IoT Labeling Program, to include companies named on the Department of Commerce's Entity List and the Department of Defense's List of Chinese Military Companies.

IV. Application Procedures

A. Applications for Cybersecurity Label Administrator (CLA)

34. Applicants seeking the role of CLA must demonstrate the following:

a. Applicant is not owned or controlled by or affiliated with any entity identified on the Commission's Covered List, or is otherwise prohibited from participating in the IoT Labeling Program, including being an entity identified on the Department of Commerce's Entity List or on the Department of Defense's List of Chinese Military Companies;

b. Applicant is not owned or controlled by or affiliated with any person or entity that has been suspended or debarred from receiving federal procurements or financial awards, to include all entities and individuals published as ineligible for award on the General Service Administration's System for Award Management;

c. Description of Applicant's organization structure;

d. Implementation of controls to eliminate actual or potential conflicts of interests (both personal and organizational), particularly with regard to commercially sensitive information, to include but not limited to, remaining impartial and unbiased and prevent Applicant from giving preferential treatment to certain applications particularly with regard to applicants from entities with whom the CLA has a business relationship ( e.g., application line jumping or same level of scrutiny when reviewing the application) and from implementing heightened scrutiny of applications from entities not members or otherwise aligned with the CLA;

e. Description of the process(es) Applicant will use to evaluate applications seeking authority to use the FCC IoT Label;

f. Cybersecurity expertise and capabilities, in addition to industry knowledge of IoT generally, and IoT Labeling requirements;

g. Expert knowledge of NIST's cybersecurity guidance, including but not limited to NIST's recommended criteria and labeling program approaches for cybersecurity labeling of consumer IoT products;

h. Expert knowledge of FCC rules and procedures associated with product compliance testing and certification;

i. Knowledge of Federal law and guidance governing the security and privacy of agency information systems; and

j. The ability to securely handle large volumes of information, including a description of Applicant's related internal security practices.

35. Applicants seeking the role of CLA must also commit to complying with the obligations of CLAs under the IoT Labeling Order and the Commission's rules, including but not limited to the following:

a. Obtaining accreditation pursuant to all of the requirements associated with ISO/IEC 17065 with the forthcoming FCC program scope;

b. The ability ( e.g., appropriate testing equipment, and personnel with the necessary technical expertise and training) to conduct post-market surveillance activities, such as audits, in accordance with ISO/IEC 17065;

c. Implementation of a process for receiving complaints alleging an IoT product does not support the cybersecurity criteria conveyed by the Cyber Trust Mark and referring those complaints to the Lead Administrator;

d. Collaborating with the Lead Administrator and other stakeholders to develop those items to be submitted to the Commission within 90 days of election of the Lead Administrator, and listed in 47 CFR 8.221(a)(4); and

e. Being an active participant in the consumer education campaign led by and in coordination with the Lead Administrator.

36. In addition to the above requirements for CLA applications, Lead Administrator applicants must demonstrate the following:

a. Description of Applicant's previous experience in IoT cybersecurity;

b. Description of Applicant's previous roles, if any, in IoT labeling;

c. Description of Applicant's capacity ( e.g., available resources, systems, infrastructure etc.), and commitment to execute the following Lead Administrator duties:

i. Interfacing with the Commission on behalf of CLAs, which includes but is not limited to, submitting to the Bureau all complaints alleging a product bearing the FCC IoT Label does not meet the requirements of the Commission's labeling program;

ii. Conducting stakeholder outreach, coordinating with CLAs and other stakeholders, and moderating stakeholder meetings;

iii. Accepting, reviewing, and approving or denying applications from labs seeking recognition as a lab authorized to perform the conformity testing necessary to support an application for authority to affix the FCC IoT Label, and maintaining a publicly available list of Lead Administrator-recognized labs and a publicly available list of labs that have lost their recognition;

iv. Within 90 days of selection as Lead Administrator, in collaboration with the CLAs and other stakeholders ( e.g., cyber experts from industry, government, and academia) submitting to the Bureau:

(a) Recommendations identifying and/or developing the technical standards and testing procedures for the Commission to consider with regard to at least one class of IoT products eligible for the IoT Labeling Program;

(b) A recommendation on how often a given class of IoT products must renew their request for authority to bear the FCC IoT Label, which may be dependent on the type of product, and that such a recommendation be submitted in connection with the relevant standards recommendations for an IoT product or class of IoT products;

(c) A recommendation on procedures for post market surveillance by the CLAs;

(d) Recommendations on the design of the FCC IoT Label, including but not limited to labeling design and placement ( e.g., size and white spaces, product packaging) and whether to include the product support end date on labels for certain products or category of products; and

(e) Recommendations with regard to updates to the registry including whether the registry should be in additional languages, and if so, to recommend specific languages for inclusion.

d. Recommending appropriate modifications to the IoT Labeling Program standards and testing procedures within 45 days of publication of updates or changes to the NIST guidelines, or adoption by NIST of new guidelines, to stay aligned with NIST guidelines;

e. Developing, in collaboration with CLAs and other stakeholders, a consumer education campaign, submitting the consumer education plan to the Bureau, and participating in consumer education;

f. Receiving complaints about the Labeling Program, including but not limited to consumer complaints about the registry and coordinating with manufacturers to resolve any technical problems associated with consumers accessing the information in the registry;

g. Facilitating coordination between CLAs; and

h. Submitting to the Commission any other reports upon request of the Commission or as required by Commission rule.

i. Any additional information Applicant believes demonstrates why they should be designated the Lead Administrator.

C. Required Certification Statements

37. All applications MUST include the following certification statements under penalty of perjury or they will be dismissed:

a. Applicant certifies that all statements made in this application and in the exhibits, attachments, or documents incorporated by reference are material, are part of this application, and are true, complete, correct, and made in good faith, see 47 CFR 1.17, 8.220, 8.221.

b. Applicant certifies that neither the Applicant nor any other party to the application is subject to a denial of Federal benefits pursuant to § 5301 of the Anti-Drug Abuse Act of 1988, 21 U.S.C. 862, because of a conviction for possession or distribution of a controlled substance. See47 CFR 1.2002(b) for the definition of “party to the application” as used in this certification.

c. The Applicant certifies that it is not delinquent on any debts to the Commission, see 47 CFR 1.1910.

d. Applicant acknowledges that willful false statements made on the application or on any attachments are punishable by fine and/or imprisonment (18 U.S.C. 1001) and/or forfeiture (47 U.S.C. 503).

D. The Application Must Be Signed and Dated

38. The Application must be signed and dated by the individual authorized to sign on behalf of the Applicant. FAILURE TO SIGN THE APPLICATION MAY RESULT IN DISMISSAL OF THE APPLICATION.

E. Application Submission

39. The Bureau expects CLA and Lead Administrator applications and supporting documentation to be filed confidentially. Each page of the application must be clearly and conspicuously labeled “CONFIDENTIAL, NOT FOR PUBLIC INSPECTION.” Applicant must file an original and one copy of each filing and supporting materials with the Office of the Secretary. All filings must reference PS Docket No. 23-239 and be addressed to the Commission's Secretary, Office of the Secretary, Federal Communications Commission. Filings can be sent by hand or messenger delivery by commercial overnight courier, or First-Class or overnight U.S. Postal Service mail.

• All hand-delivered or messenger-delivered paper filings for the Commission's Secretary are accepted between 8:00 a.m. and 4:00 p.m. at 9050 Junction Drive, Annapolis Junction, MD 20701. All hand deliveries must be held together with rubber bands or fasteners. Any envelopes and boxes must be disposed of before entering the building.
• Commercial overnight deliveries (other than U.S. Postal Service Express Mail and Priority Mail) must be sent to 9050 Junction Drive, Annapolis Junction, MD 20701.
• U.S. Postal Service First-Class, Express, and Priority mail must be sent to 45 L Street NE, Washington, DC 20554.

40. An electronic version of the application and supporting material is required to be submitted to FCC staff as a .pdf file via email to CyberTrustMark@fcc.gov. The document must be password protected and the password communicated in a separate email to CyberTrustMark@fcc.gov. Submissions may be broken into multiple emails when necessary.

41. Applications should be received by the Commission as soon as possible, but no later than October 1, 2024. Applicants requiring additional time may request an extension of time for up to 10 additional calendar days to complete their applications. Applications received after October 1, 2024 from an entity that has not been approved an extension of time, will not be accepted and will be dismissed. Procedures for submitting applications are set forth below.

F. Additional Instructions To Assist With CLA and/or Lead Administrator Applications

• Instructions. General filing instructions can be found in Appendix A of the Commission's Public Notice, DA-24-900, released September 10, at this link: https://docs.fcc.gov/public/attachments/DA-24-900A1.pdf.
• Frequently Asked Questions (FAQs). The FAQs are available at https://www.fcc.gov/CyberTrustMark.
• FCC Notice Required by the Paperwork Reduction Act. The FCC Notice Required by the Paperwork Reduction Act can be found in Appendix D of the Commission's Public Notice, DA-24-900, released September 10, at this link: https://docs.fcc.gov/public/attachments/DA-24-900A1.pdf.
• Privacy Act Statement. The Privacy Act Statement can be found in Appendix E of the Commission's Public Notice, DA-24-900, released September 10, at this link: https://docs.fcc.gov/public/attachments/DA-24-900A1.pdf.
• Requirement for an FCC Registration Number (FRN). We remind all applicants that they must have an FRN to file their applications. An FRN is the 10-digit number assigned to all individuals and entities that transact business with the Commission, and it must be provided any time an applicant submits or updates their application.
• Applicant Does Not Have an FRN. If an applicant does not have an FRN, the applicant must obtain an FRN through the Commission Registration System (CORES) web page at https://apps.fcc.gov/cores/userLogin.do.

○ For additional assistance, submit a help request at https://www.fcc.gov/wireless/available-support-services or call the FRN Help Desk at (877) 480-3201 (Monday-Friday, 8 a.m.-6 p.m. ET).

○ If the applicant has further questions, an email can be sent to CyberTrustMark@FCC.gov.

• Applicant has an FRN. If an applicant has an FRN, the applicant must use that FRN with its application.

○ The applicant should not obtain a new FRN if Applicant already has an FRN.

○ An applicant can identify its FRN by accessing records the Commission's Registration Systems (CORES) and click “Search”. Individuals can search by name, or contact related information. Business organizations can search by name, Employer Identification Number (EIN), or contact-related information.

V. Next Steps

42. After the application filing window closes October 1, 2024, the Bureau will review and evaluate properly filed applications. The Bureau's selection of CLAs and a Lead Administrator will be announced by public notice. The Public Notice will describe the next steps for selected entities, including but not limited to the execution of a licensing agreement and/or other appropriate documentation governing the details of the CLAs' and Lead Administrator's responsibilities and relationship to the Commission.

VI. Procedural Matters

43. Regulatory Flexibility Act. The Regulatory Flexibility Act of 1980, as amended (RFA), requires that an agency prepare a regulatory flexibility analysis for notice and comment rulemakings, unless the agency certifies that “the rule will not, if promulgated, have a significant economic impact on a substantial number of small entities.” Accordingly, we have prepared a Supplemental Final Regulatory Flexibility Analysis (Supplemental FRFA) concerning the possible impact of the rule changes contained in this document on small entities. The Supplemental FRFA is set forth in Appendix C the Commission's Public Notice, DA-24-900, released September 10, at this link: https://docs.fcc.gov/public/attachments/DA-24-900A1.pdf.

44. Paperwork Reduction Act. This document contains modified information collection requirements subject to the Paperwork Reduction Act of 1995 (PRA), Public Law 104-13. It will be submitted to the Office of Management and Budget (OMB) for review under Section 3507(d) of the PRA. OMB, the general public, and other Federal agencies will be invited to comment on the new or modified information collection requirements contained in this proceeding. In addition, we note that pursuant to the Small Business Paperwork Relief Act of 2002, Public Law 107-198, see44 U.S.C. 3506(c)(4), we previously sought specific comment on how the Commission might further reduce the information collection burden for small business concerns with fewer than 25 employees.

45. In this present document, we have assessed the effects of requiring CLAs to develop and implement a cybersecurity risk management plan identifying the cyber risks that the entity faces, the controls used to mitigate those risks, and the steps taken to ensure that these controls are applied effectively to their operations. The plans must also describe how the CLA employs its organizational resources and processes to ensure the confidentiality, integrity, and availability of its information and information systems and find that Since applying to be a CLA is voluntary, small entities who do not apply to be a CLA will not be subject to any new or modified reporting, recordkeeping, or other compliance obligations. Small entities that choose to apply to be a CLA, and whose applications are approved by the Bureau, will incur recordkeeping and reporting as well as other obligations to comply with the requirements we adopt in this document. We find that, for the FCC's IoT Labeling Program to have meaning for consumers, CLA requirements must be uniform for both small businesses and other entities. Thus, significance of program integrity, and building confidence among consumers that devices and products containing the Cyber Trust Mark label can be trusted to be cyber secure, necessitates adherence by all entities participating in the IoT Labeling Program to the same rules regardless of size.

VII. Ordering Clauses

46. Accordingly, it is ordered that pursuant to the authority contained in sections 1, 2, 4(i), 4(n), 302, 303(r), 312, 333, and 503 of the Communications Act of 1934, as amended, this document is hereby adopted.

47. It is further ordered that the amendments of the Commission's Rules as set forth in Appendix B are adopted, effective 30 days after publication in the Federal Register , except for the amendment to 47 CFR 8.220(f)(14). The amendment to 47 CFR 8.220(f)(14), which may contain modified information collection requirements, will not become effective until OMB completes any review that the Public Safety and Homeland Security Bureau determines is required under the Paperwork Reduction Act. The Public Safety and Homeland Security Bureau will announce effective dates for this section by publication in the Federal Register and by subsequent Public Notice.

48. It is further ordered that the Commission's Office of the Secretary shall send a copy of this document, including the Supplemental Final Regulatory Flexibility Analysis, to the Chief Counsel for Advocacy of the Small Business Administration.

49. It is further ordered that the Office of the Managing Director, Performance Program Management, shall send a copy of this document in a report to be sent to Congress and the Government Accountability Office pursuant to the Congressional Review Act, see5 U.S.C. 801(a)(1)(A).

Final Rule

For the reasons set forth above, part 8 of title 47 of the Code of Federal Regulations is amended as follows:

1. The authority citation for part 8 continues to read as follows:

Authority: 47 U.S.C. 151, 152, 153, 154, 163, 201, 202, 206, 207, 208, 209, 216, 217, 257, 301, 302a, 303, 304, 307, 309, 312, 316, 332, 403, 501, 503, 522, 1302, 1753.

2. Amend § 8.220 by adding paragraphs (f)(12) and (13) to read as follows:

3. Delayed indefinitely, amend § 8.220 by adding paragraph (f)(14) to read as follows:

4. Amend § 8.221 by adding paragraphs (a)(11) through (14) to read as follows:

[FR Doc. 2024-23844 Filed 10-18-24; 8:45 am]

BILLING CODE 6712-01-P