FCC Introduces Cybersecurity Labeling Program for Wireless Consumer Products

News from the TCB Council
November 7, 2024

From medical devices to baby monitors, today’s electronics market includes a wide range of smart products that communicate over networks. Along with enormous benefits, these products present a range of security challenges.


According to one third-party estimate, there were more than 1.5 billion attacks against smart devices in the first six months of 2021 alone. Meanwhile, the number of smart devices is skyrocketing, with some estimating that there will be more than 25 billion connected devices in operation by 2030.


Cybersecurity Testing & Labeling


To address growing cybersecurity concerns, in March 2024, the U.S. Federal Communications Commission (FCC) established a framework for a voluntary cybersecurity labeling program for wireless consumer Internet of Things (IoT) products. (IoT refers to a network of physical devices that can transfer data to one another without human intervention, commonly known as smart devices.) The National Institute of Standards and Technology’s (NIST’s) Core Baseline (8425) serves as the basis of the FCC's IoT Labeling Program.


The labeling program will provide information to consumers about the relative security of a smart device or product. Smart devices or products bearing the Commission’s IoT cybersecurity label would be recognized as adhering to certain cybersecurity practices.


To support the program, the Commission will authorize third-party Cybersecurity Labeling Administrators (CLAs) to certify the use of the FCC IoT Label by manufacturers whose products comply with the Commission’s IoT cybersecurity labeling program rules.


The FCC IoT Label is binary: products either qualify, or do not qualify, to bear the label. The IoT Label includes the U.S. Cyber Trust Mark and a QR code that links to a public registry with consumer-friendly information about the security of the product.


Key Roles


The program is supported by a Lead Administrator, Cybersecurity Labeling Administrators (CLAs), and CyberLABs, as described below.


  • The Lead Administrator acts as a liaison between the Commission and CLAs; conducts stakeholder outreach to identify, develop and recommend technical standards and testing procedures; and collaborates with CLAs, the FCC, and other stakeholders to develop and execute a consumer education campaign. The Lead Administrator must be accredited to ISO/IEC 17065 and the FCC’s program scope.
  • Cybersecurity Labeling Administrators (CLAs) are responsible for day-to-day management of the program (e.g., accepting and reviewing applications and test reports and approving/denying use of the FCC IoT Label). CLAs must be accredited to ISO/IEC 17065 and the FCC’s program scope.
  • CyberLABs are responsible for testing products to demonstrate compliance with the IoT Cybersecurity Label requirements. A CyberLAB may be a CLA-run testing lab, an independent testing lab, or a testing lab internal to the applicant, but all CyberLABs must be accredited to ISO/IEC 17025 and the FCC’s program scope and recognized by the Lead Administrator.

Organizations accrediting prospective CLAs and CyberLABs must be accredited to ISO/IEC 17011 (conformity assessment requirements for accreditation bodies).


Greater Global Cybersecurity


By looking for the U.S. Cyber Trust Mark logo, consumers will be able to easily identify smart devices and products that meet widely accepted security and privacy standards. The QR code that accompanies the logo will connect potential buyers to a national registry of certified devices, allowing them to make product comparisons and get the most up-to-date security information about each device.


While the program is completely voluntary, it allows manufacturers to demonstrate their commitment to privacy and security.


By helping to promote a common baseline standard for cybersecurity, the FCC program will help to elevate the overall global cybersecurity baseline for IoT and promote security-by-design approaches to smart products. The FCC Public Safety and Homeland Security Bureau and the Office of International Affairs will work with other federal agencies to develop international recognition of the Commission’s IoT Label and mutual recognition of international labels.

