Current through October 31, 2024
Section 8.220 - [Effective on indefinitely delayed date] Requirements for CLAs

(a) In general. CLAs designated by the Commission, or designated by another authority recognized by the Commission, shall comply with the requirements of this section. Each entity seeking authority to act as a CLA must file an application with the Commission for consideration by PSHSB, which includes a description of its organization structure, an explanation of how it will avoid personal and organizational conflict when processing applications, a description of its processes for evaluating applications seeking authority to use the FCC IoT Label, and a demonstration of expertise that will be necessary to effectively serve as a CLA including, but not limited to, the criteria in paragraph (c) of this section.

(b) Methodology for reviewing applications.
(1) A CLA's methodology for reviewing applications shall be based on type testing as identified in ISO/IEC 17065 (incorporated by reference, see § 8.201).
(2) A CLA's grant of authorization to use the FCC IoT Label shall be based on the application with all the information specified in this part. The CLA shall review the application to determine compliance with the Commission's requirements in this subpart and shall issue a grant of product cybersecurity certification in accordance with § 8.208.

(c) Criteria for designation.
(1) To be designated as a CLA under this section, an entity shall demonstrate cybersecurity expertise and capabilities in addition to industry knowledge of IoT and IoT labeling requirements.
(2) The entity shall demonstrate expert knowledge of National Institute of Standards and Technology's (NIST) cybersecurity guidance, including but not limited to NIST's recommended criteria and labeling program approaches for cybersecurity labeling of consumer IoT products.
(3) The entity shall demonstrate expert knowledge of FCC rules and procedures associated with product compliance testing and certification.
(4) The entity shall demonstrate knowledge of Federal law and guidance governing the security and privacy of agency information systems.
(5) The entity shall demonstrate an ability to securely handle large volumes of information and demonstrate internal security practices.
(6) To expedite initial deployment of the FCC labeling program, the Commission will accept and conditionally approve applications from entities seeking to be designated as a CLA provided they commit to obtain accreditation pursuant to all the requirements associated with ISO/IEC 17065 with the appropriate scope within six (6) months of the effective date by the adopted standards and testing procedures and otherwise meet the FCC's IoT Labeling Program requirements. The entity must also demonstrate implementation of controls to eliminate actual or potential conflicts of interests (including both personal and organizational), particularly with regard to commercially sensitive information. The Bureau will finalize the entity's application upon receipt and demonstration of ISO/IEC 17065 accreditation with the appropriate scope.
(7) The entity is not owned or controlled by or affiliated with any entity identified on the Commission's Covered List, listed sources of prohibition under § 8.204, or if it, its affiliate, or subsidiary is owned or controlled by a foreign adversary country defined by the Department of Commerce in 15 CFR 7.4.
(8) The entity must demonstrate it has implemented controls to eliminate actual or potential conflicts of interests (including both personal and organizational), particularly with regard to commercially sensitive information, to include but not limited to, remaining impartial and unbiased and prevent them from giving preferential treatment to certain applications (e.g., application line jumping) and from implementing heightened scrutiny of applications from entities not members or otherwise aligned with the CLA.

(d) External resources.
(1) In accordance with the provisions of ISO/IEC 17065 the evaluation of a product, or a portion thereof, may be performed by bodies that meet the applicable requirements of ISO/IEC 17025, in accordance with the applicable provisions of ISO/IEC 17065 for external resources (outsourcing). Evaluation is the selection of applicable requirements and the determination that those requirements are met. Evaluation may be performed using internal CLA resources or external (outsourced) resources.
(2) A CLA shall not outsource review or decision activities.
(3) When external resources are used to provide the evaluation function, including the testing of products subject to labeling, the CLA shall be responsible for the evaluation and shall maintain appropriate oversight of the external resources used to ensure reliability of the evaluation. Such oversight shall include periodic audits of products that have been tested and other activities as required in ISO/IEC 17065 when a CLA uses external resources for evaluation.

(e) Commission approves a CLA.
(1) The Commission will approve as a CLA:
(i) Any entity in the United States that meets the requirements of this section.
(ii) The Commission will not approve as a CLA any organization, its affiliates, or subsidiaries listed in the listed sources of prohibition under § 8.204.
(2) The Commission will withdraw its approval of a CLA if the CLA's designation or accreditation is withdrawn, if the Commission determines there is just cause for withdrawing the approval, or upon request of the CLA. The Commission will limit the scope of products that can be certified by a CLA if its accreditor limits the scope of its accreditation or if the Commission determines there is good cause to do so. The Commission will notify a CLA in writing of its intention to withdraw or limit the scope of the CLA's approval and provide at least 60 days for the CLA to respond.
(3) The Commission will notify a CLA in writing when it has concerns or evidence that the CLA is not carrying out its responsibilities under the labeling program in accordance with the Commission's rules in this subpart and policies and request that it explain and correct any apparent deficiencies.
(4) The Public Safety and Homeland Security Bureau shall provide notice to the CLA that the Bureau proposes to terminate the CLA's authority and provide the CLA a reasonable opportunity to respond (not more than 20 days) before reaching a decision on possible termination.
(5) If the Commission withdraws its recognition of a CLA, all grants issued by that CLA will remain valid unless specifically set aside or revoked by the Commission.
(6) A list of recognized CLAs will be published by the Commission.

(f) Scope of responsibility.
(1) A CLA shall receive and evaluate applications and supporting data requesting authority to use the FCC IoT Label on the product subject to the application.
(2) A CLA shall grant authorization to use the FCC IoT Label with a complying consumer IoT product in accordance with the Commission's rules in this subpart and policies.
(3) A CLA shall accept test data from any Lead Administrator-recognized accredited CyberLAB, subject to the requirements in ISO/IEC 17065 and shall not unnecessarily repeat tests.
(4) A CLA may establish and assess fees for processing applications and other Commission-required tasks.
(5) A CLA may only act on applications that it has received or which it has issued a certification authorizing use of the FCC IoT Label.
(6) A CLA shall dismiss an application that is not in accordance with the provisions of this subpart or when the applicant requests dismissal, and may dismiss an application if the applicant does not submit additional information or test samples requested by the CLA.
(7) A CLA shall ensure that manufacturers make all required information accessible to the IoT registry.
(8) A CLA shall participate in a consumer education campaign in coordination with the Lead Administrator.
(9) A CLA shall receive complaints alleging a product bearing the FCC IoT Label does not support the cybersecurity criteria conveyed by the Cyber Trust Mark and refer these complaints to the Lead Administrator which will notify the Public Safety and Homeland Security Bureau.
(10) A CLA may not:
(i) Make policy, interpret unclear provisions of the statute or rules, or interpret the intent of Congress;
(ii) Grant a waiver of the rules in this subpart; or
(iii) Take enforcement actions.
(11) All CLA actions are subject to Commission review.
(12) A CLA shall share the Lead Administrator's expenses incurred as a result of the Lead Administrator's performance of its duties under the FCC IoT Labeling Program.
(i) The Lead Administrator expenses subject to sharing by CLAs are those expenses determined to be reasonable by the Public Safety and Homeland Security Bureau and the Office of Managing Director.
(ii) A CLA shall share Lead Administrator expenses pursuant to a methodology agreed to by the CLAs and the Lead Administrator subject to ongoing oversight by the Commission.
(13) A CLA shall maintain the confidentiality of non-public information received as part of an application for authority to use the FCC IoT Label, and will implement appropriate administrative, technical, procedural, and physical safeguards to protect the confidentiality of information received by the CLA and protect against the unauthorized disclosure and unauthorized use of non-public information received as a result of its participation in the FCC IoT Labeling Program.
(14) A CLA shall create, update, and implement a cybersecurity risk management plan identifying the cyber risks that the entity faces, the controls used to mitigate those risks, and the steps taken to ensure that these controls are applied effectively to their operations. The plan must also describe how the CLA employs its organizational resources and processes to ensure the confidentiality, integrity, and availability of its information and information systems. The CLA's cybersecurity risk management plan must be available to the Commission upon request.

(g) Post-market surveillance requirements.
(1) In accordance with ISO/IEC 17065, a CLA shall perform appropriate post-market surveillance activities. These activities shall be based on type testing a certain number of samples of the total number of product types for which the CLA has certified use of the Label.
(2) PSHSB may request that a grantee of authority to use the FCC IoT Label submit a product sample directly to the CLA that evaluated the grantee's application as part of the post market surveillance. Any product samples requested by the Commission and tested by the CLA will be counted toward a minimum number of samples that the CLA must test to meet its post market surveillance requirements.
(3) A CLA may also request a grantee submit samples of products that the CLA has certified to use the FCC IoT Label directly to the CLA.
(4) If during post market surveillance of a complying consumer IoT product, a CLA determines that the product fails to comply with the technical regulations (or other FCC requirements) for that product, the CLA shall immediately notify the grantee and the Commission in writing of its findings. The grantee shall provide a report to the CLA describing the actions taken to correct the situation, as provided in § 8.216, and the CLA shall provide a report of these actions to the Commission within 30 days.
(5) CLAs shall submit periodic reports to the Commission of their post-market surveillance activities and findings in a format and by a date specified by the Commission.

89 FR 61272, 8/29/2024; 89 FR 84095, 11/20/2024; 89 FR 84096, effective date to be determined