[Federal Register Volume 89, Number 138 (Thursday, July 18, 2024)]
[Proposed Rules]
[Pages 58312-58323]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2024-15379]

=======================================================================
-----------------------------------------------------------------------

FEDERAL COMMUNICATIONS COMMISSION

47 CFR Part 8

[PS Docket No. 23-239; DA 24-617; FR ID 229959]

Public Safety and Homeland Security Bureau Requests Comment on Implementation of the Cybersecurity Labeling for Internet of Things Program

AGENCY: Federal Communications Commission.

ACTION: Proposed rule.

-----------------------------------------------------------------------

SUMMARY: In this document, the Federal Communications Commission (Commission or FCC) seeks comment on additional items to further the efficient and timely rollout of the IoT Labeling program. These items include the format of Cybersecurity Label Administrator (CLA) and Lead Administrator applications; filing fees for CLA applications; criteria for selecting CLAs and the Lead Administrator; CLA sharing of Lead Administrator expenses; Lead Administrator neutrality; processes for withdrawal of CLA and Lead Administrator approvals; recognition of CyberLABs outside the United States; complaint processes; confidentiality and security requirements; and the IoT registry.

DATES: Comments are due on or before August 19, 2024; reply comments are due on or before September 3, 2024. Comments on section II.B are due on or before August 19, 2024.

ADDRESSES: Pursuant to Sec. Sec. 1.415 and 1.419 of the Commission's rules, 47 CFR 1.415, 1.419, interested parties may file comments and reply comments on or before the dates indicated on the first page of this document. Comments may be filed using the Commission's Electronic Comment Filing System (ECFS). You may submit comments, identified by PS Docket No.
23-239, by any of the following methods:

Electronic Filers: Comments may be filed electronically using the internet by accessing the ECFS: https://www.fcc.gov/ecfs/.

Paper Filers: Parties who choose to file by paper must file an original and one copy of each filing. Filings can be sent by hand or messenger delivery, by commercial courier, or by the U.S. Postal Service. All filings must be addressed to the Secretary, Federal Communications Commission.

Hand-delivered or messenger-delivered paper filings for the Commission's Secretary are accepted between 8:00 a.m. and 4:00 p.m. by the FCC's mailing contractor at 9050 Junction Drive, Annapolis Junction, MD 20701. All hand deliveries must be held together with rubber bands or fasteners. Any envelopes and boxes must be disposed of before entering the building.

Commercial courier deliveries (any deliveries not by the U.S. Postal Service) must be sent to 9050 Junction Drive, Annapolis Junction, MD 20701.

Filings sent by U.S. Postal Service First-Class Mail, Priority Mail, and Priority Mail Express must be sent to 45 L Street NE, Washington, DC 20554.

People with Disabilities: To request materials in accessible formats for people with disabilities (braille, large print, electronic files, audio format), send an email to [email protected] or call the Consumer & Governmental Affairs Bureau at 202-418-0530.

FOR FURTHER INFORMATION CONTACT: Tara B. Shostek, Cybersecurity and Communications Reliability Division, Public Safety and Homeland Security Bureau, (202) 418-8130, or by email to [email protected]. For additional information concerning the Paperwork Reduction Act information collection requirements contained in this document, contact Nicole Ongele, Office of Managing Director, Performance and Program Management, 202-418-2991, or by email to [email protected].

SUPPLEMENTARY INFORMATION: This is a summary of the Commission's document in PS Docket No. 23-239, DA 24-617; released on June 27, 2024.
The full text of this document is available at https://docs.fcc.gov/public/attachments/DA-24-617A1.pdf.

Paperwork Reduction Act. The document may contain new or modified information collection(s) subject to the Paperwork Reduction Act of 1995. All such new or modified information collection requirements will be submitted to OMB for review under section 3507(d) of the PRA. OMB, the general public, and other Federal agencies are invited to comment on any new or modified information collection requirements contained in this proceeding. In addition, pursuant to the Small Business Paperwork Relief Act of 2002, we seek specific comment on how we might ``further reduce the information collection burden for small business concerns with fewer than 25 employees.''

Providing Accountability Through Transparency Act. Consistent with the Providing Accountability Through Transparency Act, Public Law 118-9, a summary of this document will be available on https://www.fcc.gov/proposed-rulemakings.

[[Page 58313]]

Ex Parte Rules--Permit but Disclose. This proceeding shall be treated as a ``permit-but-disclose'' proceeding in accordance with the Commission's ex parte rules. Persons making ex parte presentations must file a copy of any written presentation or a memorandum summarizing any oral presentation within two business days after the presentation (unless a different deadline applicable to the Sunshine period applies). Persons making oral ex parte presentations are reminded that memoranda summarizing the presentation must (1) list all persons attending or otherwise participating in the meeting at which the ex parte presentation was made, and (2) summarize all data presented and arguments made during the presentation.
If the presentation consisted in whole or in part of the presentation of data or arguments already reflected in the presenter's written comments, memoranda or other filings in the proceeding, the presenter may provide citations to such data or arguments in his or her prior comments, memoranda, or other filings (specifying the relevant page and/or paragraph numbers where such data or arguments can be found) in lieu of summarizing them in the memorandum. Documents shown or given to Commission staff during ex parte meetings are deemed to be written ex parte presentations and must be filed consistent with rule 1.1206(b). In proceedings governed by rule 1.49(f) or for which the Commission has made available a method of electronic filing, written ex parte presentations and memoranda summarizing oral ex parte presentations, and all attachments thereto, must be filed through the electronic comment filing system available for that proceeding, and must be filed in their native format (e.g., .doc, .xml, .ppt, searchable .pdf). Participants in this proceeding should familiarize themselves with the Commission's ex parte rules. Confidential Treatment. Parties wishing to file materials with a claim of confidentiality should follow the procedures set forth in Sec. 0.459 of the Commission's rules. Casual claims of confidentiality are not accepted. Confidential submissions may not be filed via ECFS but rather should be filed with the Secretary's Office following the procedures set forth in 47 CFR 0.459. Redacted versions of confidential submissions may be filed via ECFS. Parties are advised that the FCC looks with disfavor on claims of confidentiality for entire documents. When a claim of confidentiality is made, a public, redacted version of the document should also be filed. Digital Equity and Inclusion. 
The Commission, as part of its continuing effort to advance digital equity for all,\1\ including people of color, persons with disabilities, persons who live in rural or Tribal areas, and others who are or have been historically underserved, marginalized, or adversely affected by persistent poverty or inequality, invites comment on any equity-related considerations \2\ and benefits (if any) that may be associated with the proposals and issues discussed herein. Specifically, we seek comment on how our proposals may promote or inhibit advances in diversity, equity, inclusion, and accessibility, as well as the scope of the Commission's relevant legal authority.

---------------------------------------------------------------------------

\1\ Section 1 of the Communications Act of 1934 as amended provides that the FCC ``regulat[es] interstate and foreign commerce in communication by wire and radio so as to make [such service] available, so far as possible, to all the people of the United States, without discrimination on the basis of race, color, religion, national origin, or sex.'' 47 U.S.C. 151.

\2\ The term ``equity'' is used here consistent with Executive Order 13985 as the consistent and systematic fair, just, and impartial treatment of all individuals, including individuals who belong to underserved communities that have been denied such treatment, such as Black, Latino, and Indigenous and Native American persons, Asian Americans and Pacific Islanders and other persons of color; members of religious minorities; lesbian, gay, bisexual, transgender, and queer (LGBTQ+) persons; persons with disabilities; persons who live in rural areas; and persons otherwise adversely affected by persistent poverty or inequality. See Exec. Order No. 13985, 86 FR 7009, Executive Order on Advancing Racial Equity and Support for Underserved Communities Through the Federal Government (January 20, 2021).

---------------------------------------------------------------------------

Synopsis

1.
In March 2024, the Federal Communications Commission (FCC or Commission) adopted a Report and Order and Further Notice of Proposed Rulemaking (IoT Labeling Order) establishing the framework for the Commission's voluntary cybersecurity labeling program for consumer wireless Internet of Things (IoT) products (IoT Labeling Program). Recognizing the additional work that would need to be done to implement the framework, the Commission delegated authority to the Public Safety and Homeland Security Bureau (PSHSB or Bureau), in coordination with the Office of the Managing Director (OMD), to seek comment on certain additional items to further the efficient and timely rollout of the program. Accordingly, with this document, the PSHSB and OMD request comment on: the format of Cybersecurity Label Administrator (CLA) and Lead Administrator applications; filing fees for CLA applications; criteria for selecting CLAs and the Lead Administrator; CLA sharing of Lead Administrator expenses; Lead Administrator neutrality; processes for withdrawal of CLA and Lead Administrator approvals; recognition of CyberLABs outside the United States; complaint processes; confidentiality and security requirements; and the IoT registry.\3\

---------------------------------------------------------------------------

\3\ We note that this document is not meant to address all outstanding implementation issues in connection with the IoT Labeling Program; there are additional implementation matters and specific delegations of authority from the IoT Labeling Order that the Bureau will be addressing in subsequent documents.

---------------------------------------------------------------------------

Discussion

A. Format of CLA and Lead Administrator Applications

2. The IoT Labeling Order provides that the Commission will accept applications for entities seeking to qualify as CLAs and those applicants seeking the position of Lead Administrator, but did not specify the format these applications should take.
The Bureau believes that CLA/Lead Administrator applications should be submitted in narrative format via email and seeks comment on this tentative determination and any alternative methods or formats for submission. While the Bureau recognizes the organizational value of a fillable form, the information to be submitted by entities seeking to be a CLA/Lead Administrator seemingly lends itself to a narrative discussion of the qualifications and strengths the applicant possesses to support the FCC's IoT Labeling Program. The Bureau still could re-evaluate the need for a fillable form after it has processed and reviewed the initial CLA/Lead Administrator applications and seek comment on a proposed format for such a form. We seek comment on these issues.

B. FCC Filing Fees for CLA and Lead Administrator Applications

3. The IoT Labeling Order directs the Bureau, in conjunction with OMD, to adopt procedures and take additional steps, including applicable fees (pursuant to any required public notice and comment), as necessary to ensure compliance with the Communications Act with respect to any rules adopted therein that contemplate the filing of applications directly with the Commission.\4\ Section 8 of the Communications Act requires the Commission to assess and collect [[Page 58314]] application fees to cover the costs of the Commission to process applications.
Although the Commission has assessed and collected application fees pursuant to section 8 of the Communications Act since 1986,\5\ in 2018, Congress modified section 8 of the Communications Act to change the application fee program from a statutory schedule of application fees to a requirement that the Commission update and amend the existing schedule of application fees by rule to recover the costs of the Commission to process applications.\6\ Section 8(c) of the Act also requires the Commission to, by rule, amend the application fee schedule if the Commission determines that the schedule requires amendment to ensure that: (1) such fees reflect increases or decreases in the costs of processing applications at the Commission or (2) such schedule reflects the consolidation or addition of new categories of applications. --------------------------------------------------------------------------- \4\ The IoT Labeling Order directs manufacturers to file applications directly with CLAs to use the U.S. Cyber Trust Mark and, as such, those fees are not contemplated in this inquiry. \5\ While the 1986 schedule adopted by Congress was accurate at the time adopted because it was based on cost information provided by the Commission to Congress, the framework did not allow the fee schedule to change as a result of advancements in technology and corresponding changes in Commission procedures and rules. Notably, the Commission was constrained from adding, removing, or otherwise changing the structure or levels of application fees prior to the RAY BAUM'S Act, outside of a ministerial biannual order adopting without notice and comment changes to fees based on the Consumer Price Index. \6\ The Repack Airwaves Yielding Better Access for Users of Modern Services Act of 2018, or the RAY BAUM'S Act of 2018, amended sections 8 and 9 and added section 9A to the Communications Act of 1934, as amended and provided that such provisions would become effective on October 1, 2018. 
Consolidated Appropriations Act, 2018, Public Law 115-141, 132 Stat. 1084, Division P--RAY BAUM'S Act of 2018, Title I, section 103 (2018). 47 U.S.C. 158. Congress provided, however, that application fees in effect prior to the effective date of the new section 8 would remain in effect until the Commission adjusts or amends such fee. RAY BAUM'S Act of 2018, Title I, section 103(d) (uncodified provisions entitled ``Transitional Rules''). --------------------------------------------------------------------------- 4. In the 2020 Application Fee Order, the Commission explained that in accordance with the RAY BAUM'S Act, application fees are based on the ``costs of the Commission to process applications.'' Specifically, the Commission establishes an application fee based on direct labor costs of processing a particular application, which are calculated ``by multiplying an estimate of the number of hours needed for each task, up through first-level supervisory tasks required to process the application, by an estimate of the labor cost per hour for the employee performing the task and by an estimate of the probability that the task needed to be performed.'' In the 2020 Application Fee Order, the Commission adopted five functional categories of fees: Wireless Licensing Fees, Media Licensing Fees, Equipment Approval Fees, Domestic Service Fees, and International Service Fees. 5. The Bureau seeks comment on whether applications filed with the Commission by entities seeking qualification as a CLA or seeking the position of Lead Administrator constitute an application under section 8 of the Act. If so, is there an existing fee category that would cover such applications? If there are no existing fee categories that are applicable, should new application fee categories, ``Cybersecurity Label Administrator'' and ``Lead Administrator,'' be established? 
We seek comment on the legal and factual basis for assessing a fee pursuant to section 8 of the Communications Act on these applications. 6. If we conclude that a filing with the Commission seeking to be a CLA or to be the Lead Administrator constitutes an application under section 8 of the Act, then we must consider the cost of processing such a filing to inform what fee the Commission would charge in connection with such a filing. We note that the agency has narrowly construed the scope of what constitutes processing for applications subject to fees. Applying the Commission's framework for the costs of processing applications adopted in the 2020 Application Fee Order, we believe that the processing of CLA applications, including the initial conditional approval and subsequent review required after the CLA notifies the Commission that it has obtained the International Organization for Standardization/International Electrotechnical Commission (ISO/IEC) 17065 accreditation, consists of engineer and engineer supervisory review, and attorney and attorney supervisory review. 7. As detailed below, the Bureau estimates that the time it will take to process each CLA application will be 15 hours and the time it will take to process each Lead Administrator application will be 8 hours. We estimate the labor cost per hour for the various 2024 general schedule pay grades of the employees that process applications based on the current pay table for Washington, DC, at the step 5 level, we estimate overhead costs as 20% of the salary level also per that rule, and we estimate each employee works 2,087 hours in one year. We also round the fee to the nearest $5.00 increment as required by section 8 as amended. We seek comment on this approach. 8. 
The Bureau estimates that each CLA application will require 10 hours of engineering review at the GS-15 level, 2 hours of engineering supervisory review at the GS-15 level; 2 hours of attorney application review at the GS-12 level, and 1 hour of attorney supervisory review at the GS-15 level. The estimated total labor costs (including 20% overhead) for the engineering review (GS-15, step 5) of each CLA application is $1,282.20 (12 engineering hours * 106.85 = 1,282.20).\7\ The estimated labor costs (including 20% overhead) for the attorney application review (GS-12, step 5) for each CLA application is $129.28 (2 hours * $64.64 = $129.28).\8\ The estimated total labor costs (including 20% overhead) for the attorney supervisory review (GS-15, step 5) for each CLA application is $106.85 (1 hour * 106.85 = 106.85).\9\ The total labor costs per CLA application is $1,518.33 (1,282.20 + 129.28 + 106.85). Based on these hourly rates and the estimated time for processing each CLA application, the Bureau proposes that the filing fee for a CLA application is $1,520 and we seek comment on this proposal.

---------------------------------------------------------------------------

\7\ The annual pay for a GS-15, step 5 in the Washington-Baltimore-Arlington, DC-MD-VA-WV-PA Locality Pay area is $185,824. Overhead costs are $37,164.80 (20% * 185,824 = 37,164.80). The hourly rate of a GS-15, Step 5 including overhead costs based on 2,087 annual hours is $106.85 (185,824 + 37,164.80 = 222,988.80; 222,988.80/2,087 hours = 106.85). The Bureau estimates that each CLA application will require 12 hours of engineering review at the GS-15, step 5 level.

\8\ The annual pay for a GS-12, step 5 in the Washington-Baltimore-Arlington, DC-MD-VA-WV-PA Locality Pay area is $112,425. Overhead costs are $22,485.00 (20% * 112,425 = 22,485). The hourly rate of a GS-12, step 5 including overhead costs based on 2,087 annual hours is $64.64 (112,425 + 22,485 = 134,910; 134,910/2,087 = 64.64).
The Bureau estimates that each CLA application will require 2 hours of attorney review at the GS-12, step 5 level.

\9\ The hourly rate of a GS-15, step 5 attorney is the same as the hourly rate of a GS-15, step 5 engineer, which is $106.85. The Bureau estimates that each CLA application will require 1 hour of attorney review at the GS-15, step 5 level.

---------------------------------------------------------------------------

9. Some entities seeking to qualify as a CLA may include additional information in their application seeking the position of Lead Administrator, which will similarly require additional engineering and engineering supervisory review, and attorney application and attorney supervisory review. The Bureau estimates that each Lead Administrator application, which occurs after the CLA application has already been reviewed, will require 4 hours of engineering review at the GS-15 level, 1 hour of supervisory engineering review at the GS-15 level, 2 hours of attorney application review at the GS-12 level, and 1 hour of attorney supervisory review at the GS-15 level.

[[Page 58315]]

10. We propose that applications for Lead Administrator must include an additional fee of $770 to cover the FCC's costs of processing Lead Administrator applications. The Bureau seeks comment on this determination. The Bureau estimates that each Lead Administrator application will require 5 hours of engineering application review at the GS-15, step 5 level at an hourly rate of $106.85 (5 * 106.85 = 534.25), 2 hours of attorney application review at the GS-12, step 5 level at an hourly rate of $64.64 (2 * 64.64 = 129.28) and 1 hour of attorney supervisor review at the GS-15, step 5 level at an hourly rate of $106.85 (1 * 106.85 = 106.85) for a total of $770.38 (534.25 + 129.28 + 106.85). The Bureau seeks comment on the estimation of time to process the Lead Administrator applications and the proposed fee for processing the application.
Our proposals for processing fees are based on averages. Given that these are new categories of applications, at this time, we do not believe we have a factual basis to assess fees for administrative updates, minor changes or updates to a CLA application, or for entities seeking to withdraw as a CLA. We also do not believe we have a factual basis to assess fees for administrative updates, minor changes, or updates to a Lead Administrator application, or for an entity seeking to withdraw a Lead Administrator. Until we have experience with processing these new types of applications, it would be difficult to calculate identifiable direct costs beyond those included in the calculation of the initial application fee. For both the CLA and Lead Administrator applications, we seek comment on whether we have included in our estimates the appropriate steps under the Commission's 2020 Application Fee Order framework to determine processing costs. If commenters view our estimates to be over or under inclusive, to the extent practicable, commenters should explain their views by including reference to any application fees adopted in the 2020 proceeding that the commenter considers analogous to the CLA and/or Lead Administrator application. C. Bureau Selection of Cybersecurity Label Administrators and the Lead Administrator 11. The IoT Labeling Order provides that the Bureau will release a public notice opening a filing window for the acceptance of CLA applications, which will include an option for CLA applicants to indicate they also seek the role of Lead Administrator.\10\ The IoT Labeling Order specifies the expertise and qualifications each applicant for CLA and Lead Administrator must demonstrate and delegates to the Bureau the authority to adopt additional criteria and administrative procedures necessary to efficiently select one or more independent, non-governmental entities to act as CLA(s) and Lead Administrator. 
The Bureau seeks comment on whether there are additional areas of expertise or specific requirements a CLA applicant should be required to demonstrate in addition to those listed in the Order.\11\ The Bureau seeks comment on what additional criteria, if any, the Bureau should take into consideration during the Lead Administrator selection process. What additional criteria would help us ensure that CLA(s) and the Lead Administrator are able to advance the Commission's policy objective to raise consumer confidence with regard to the cybersecurity of consumer wireless IoT products while strengthening the nation's cybersecurity posture? How should the Bureau differentiate between Lead Administrator candidates for selection? Should all selection criteria be weighted the same? If not, which criteria should carry more? --------------------------------------------------------------------------- \10\ The Bureau, in coordination with OMD and OGC will review these applications and determine which applications meet the CLA requirements and which CLA applicant best meets the requirements of Lead Administrator. \11\ The IoT Labeling Order contemplates the acceptance of applications for CLAs located outside the United States after appropriate international agreements or other appropriate prerequisites are in place. --------------------------------------------------------------------------- D. Lead Administrator Expenses Shared Among CLAs 12. The IoT Labeling Order ``expect[ed]'' that the Lead Administrator's expenses ``in performing its duties on behalf of the program as a whole'' will be ``shared among CLAs as a whole,'' but does not provide a mechanism or details for such sharing. 
The Bureau seeks comment on the most effective mechanism for CLAs to share the Lead Administrator's expenses, including whether and how to distinguish costs associated with identified Lead Administrator responsibilities, potential changes in the Lead Administrator, and the timing of reimbursement for such expenses. Commenters should also consider whether and how any cost sharing mechanism might change after the initial rollout of the program, including any rationale for doing so. Alternatively, we seek comment on whether the Lead Administrator is in the best position to propose how costs should be shared among CLAs. To the extent commenters have estimates of the Lead Administrator's expenses, we invite them to share such estimates. In addition, we seek comment on the categories of expenses that should be attributable to the Lead Administrator's responsibilities under this program. What auditing requirements should be required of the Lead Administrator? Are there financial controls, or other controls, the Commission has adopted in the case of other program administrators that it relies on that would be appropriate in this context? We note that the IoT Labeling Order does not contemplate other funding sources for the Lead Administrator's expenses, beyond sharing ``among CLAs as a whole.'' E. Lead Administrator Neutrality 13. The Commission recognized the competitive implications of an entity being both the Lead Administrator and a CLA and, as such, delegated authority to the Bureau to review, seek public comment on, and approve/disapprove the Lead Administrator recommendations. We seek comment on whether there are safeguards the Bureau might adopt to ensure the stakeholder process remains competitively neutral and the recommendations the Lead Administrator makes to the Commission (e.g., standards and testing criteria and label design) are stakeholder consensus-based and competitively neutral. 
For example, are there additional or different safeguards the Commission has adopted in the case of other program administrators that it relies on that would be appropriate in this context? We seek comment on whether the Bureau should adopt additional safeguards to ensure fulsome and broad stakeholder engagement in this process. Are there other safeguards the Bureau should adopt to ensure the Lead Administrator, who is potentially a competitor of other CLAs, does not have an unfair economic, or other, competitive advantage? F. Withdrawal of CLA and Lead Administrator Approval 14. The IoT Labeling Order provides that the Commission will withdraw its approval of a CLA if the CLA's designation or accreditation is withdrawn, if there is just cause for withdrawing approval, or upon request of the CLA. The Commission will notify a CLA in writing of its intention to withdraw or limit the scope of the CLA's approval and provide at least 60 days for the CLA to respond. The Bureau will announce the withdrawal of [[Page 58316]] a CLA approval by public notice. The IoT Labeling Order also delegates authority to the Bureau to ``manage changes in the Lead Administrator.'' We believe the same processes should be applied to the withdrawal of the Lead Administrator. We seek comment on this tentative determination. The Bureau also seeks comment on steps that should be taken to replace the Lead Administrator. Should a replacement Lead Administrator be chosen by the Bureau from among the remaining accredited and recognized CLAs based on the same criteria and procedures used to select the original Lead Administrator? Should the Commission open a new filing window for CLAs seeking to be Lead Administrator? What other procedures, if any, should the Commission adopt to ensure the efficient replacement of a Lead Administrator? Should the Bureau set a term for the Lead Administrator and at the end of this term open the position up to new applications? If yes, what term is appropriate? 
Commenters may provide any other additional information that is pertinent to this inquiry. G. Recognition of CyberLABs by Lead Administrator Located Outside the United States 15. The IoT Labeling Order provides that CyberLABs may be located outside the United States provided they are accredited to ISO/IEC 17025 and the FCC's program scope and delegates authority to the Bureau to adopt any additional criteria or procedures necessary with respect to their use. We seek comment on whether there are additional procedures or criteria that should be considered when the Lead Administrator recognizes labs located outside the United States. Are there existing international frameworks in other areas that might provide an appropriate model to allow for recognition of a lab located outside of the United States? H. Complaints 16. The Commission is the ultimate arbiter of complaints submitted, whether directly to the Commission, CLAs, the Lead Administrator, CyberLABs, or any other third-party entity, alleging improper, nonconforming, and/or unauthorized use of the U.S. Cyber Trust Mark. The Commission will actively and diligently enforce the IoT Labeling Program's requirements to maintain the integrity of the FCC IoT Label, the U.S. Cyber Trust Mark, and the program. The IoT Labeling Order emphasized that deceptive or misleading use of the FCC IoT Label or U.S. Cyber Trust Mark are prohibited, and set out a 20-day cure period for grantees to investigate complaints of non-compliance and report the results to the Bureau. The IoT Labeling Order also determined that the Commission and CLAs will receive complaints of noncompliant displays of the Cyber Trust Mark and delegated authority to the Bureau, in coordination with the Consumer and Governmental Affairs Bureau, to determine the process for receiving and responding to complaints. 
The Lead Administrator will receive complaints about the registry and coordinate with manufacturers to resolve any associated technical problems, and the Lead Administrator is also responsible for interfacing with the Commission on behalf of CLAs, including as it relates to complaints. We seek comment on the specific processes for receiving and responding to complaints associated with the IoT Labeling Program. Should entities file complaints with the Bureau, in addition to submitting them directly to a CLA, including the Lead Administrator? If complaints are filed with the Commission, should complaints associated with grantees that applied for authorization to use the FCC IoT Label be initially referred to the CLA that reviewed the original application for investigation and a determination of whether the application was approved or denied? Should these processes be different if the complaint involves a CyberLAB located outside of the United States? If so, what is the legal basis for these differences? In situations where there is no associated CLA, such as when a product displays the mark without permission, we believe that complaints of fraudulent or deceptive use of the Cyber Trust Mark by those entities that never applied for authorization (i.e., where there is no applicable CLA) should be filed directly with the Commission. We seek comment on this belief. The Commission determined in the IoT Labeling Order that a grant of authorization to use the FCC IoT Label is automatically terminated upon notice by the Bureau following submission of a complaint of non-compliance, if that non-compliance has not been adequately corrected or addressed in a report describing actions taken to correct the deficiencies within 20 days. We seek comment on what requirements should follow from such a termination of authority. 
Should the Commission adopt disqualification procedures similar to ENERGY STAR's, which include ceasing shipments of units displaying the label, ceasing the labeling of associated units, removing references to the label from marketing materials, covering or removing labels on noncompliant units within the brand owner's control, and conducting retail store level assessments to identify mislabeled products?

I. Confidentiality and Security Requirements

17. The Bureau anticipates that the manufacturer applications submitted to CLAs will contain commercially sensitive and proprietary information that the manufacturers customarily treat as confidential, including, but not limited to, test reports. The Bureau proposes that these applications should be treated as presumptively confidential and CLAs should be required to maintain this confidentiality. The Bureau seeks comment on this tentative determination. We also seek comment on whether CLA applications submitted to the Commission will likewise contain commercially sensitive and proprietary information that is routinely treated as confidential and thus should be treated as presumptively confidential.\12\ Are certain aspects of either of these applications not appropriately treated as presumptively confidential? Are there public interest and/or transparency reasons to make CLA applications and/or Lead Administrator applications publicly available? Should only those CLA applications that are approved be publicly available, while CLA applications that are denied be kept confidential?

---------------------------------------------------------------------------
\12\ The Bureau has an obligation to publish data maintained by the Commission that would be subject to disclosure under the Freedom of Information Act (FOIA).
---------------------------------------------------------------------------

18.
Information submitted by manufacturers to CLAs, the Lead Administrator, or CyberLABs, in the course of seeking authority to use the FCC IoT Label, including but not limited to applications and test reports, and information submitted to the Lead Administrator by a lab seeking recognition as a CyberLAB (i.e., authorized to conduct conformance testing under the Commission's IoT Labeling Program) are not agency records of the Commission. Only information submitted to the Commission, such as submissions in furtherance of applications by entities seeking authority from the Commission to be a CLA and/or Lead Administrator, are records of the Commission.

19. The Federal Information Security Modernization Act of 2014 (FISMA) requires, among other things, that each Federal agency provide protections commensurate with the risk and [[Page 58317]] magnitude of the harm resulting from the unauthorized access, use, disclosure, disruption, modification, or destruction of ``information collected or maintained by or on behalf of the agency'' and ``information systems used or operated by an agency or by a contractor of an agency or other organization on behalf of an agency.'' We tentatively conclude that these requirements attach to the Lead Administrator and CLAs, who both collect and maintain information and operate information systems on behalf of the FCC. We seek comment on this tentative conclusion. We note that in the IoT Labeling Order, the Commission described that each entity seeking authority to act as a CLA should demonstrate expertise in, among other things, ``[f]ederal law and guidance governing the security and privacy of agency information systems,'' which we believe encompasses FISMA and related guidance from the Office of Management and Budget and publications from the National Institute of Standards and Technology (NIST). If these requirements are applicable to the Lead Administrator and CLAs, would they incur additional costs, and if so, what are they?
What benefits would attach to FISMA compliance with respect to the confidentiality, integrity, and availability of information and information systems if FISMA and related requirements are applicable to the Lead Administrator and CLAs? Are there additional security requirements the Commission should require of the databases that are used in support of the IoT Labeling Program?

J. Registry

20. The Commission determined in the IoT Labeling Order that the FCC IoT Label must include the Cyber Trust Mark and a QR Code that links to a dynamic, decentralized, publicly available registry containing information supplied by entities authorized to use the FCC IoT Label (e.g., manufacturers) through a common Application Programming Interface (API).\13\ The Commission agreed that it should use a third-party to host and manage the registry due to the resources required to establish the registry; determined that the Lead Administrator is in the best position to interface with manufacturers to ensure the smooth operation of the registry; and directed the Lead Administrator to receive and address any technical issues that arise in connection with the registry's API and displaying information from the registry to the consumer when they present the QR Code. Further, as detailed below, the IoT Labeling Order envisioned a registry that supports different presentation options.

---------------------------------------------------------------------------
\13\ The goal of the registry is to assist the public in understanding security-related information about the products that bear the Cyber Trust Mark.
---------------------------------------------------------------------------

21. We seek comment on what, if any, registry disclosure fields, in addition to those already required by the IoT Labeling Order, would be beneficial to consumers.\14\ Should manufacturers be required to list the sensors contained in the complying product, such as cameras, microphones, and location tracking devices?
Should manufacturers be required to disclose what data is collected by those sensors, and whether that data is shared with third parties? \15\ The Commission also recognizes some products/product classes may benefit from additional data elements being disclosed in the registry. For example, the Commission observed that ``the information contained in the registry for a particular IoT product or product class may also depend on the standards and testing procedures adopted for each particular IoT product.'' The Commission also recognized ``that some of the information recommended by NIST in its consumer education recommendations . . . may be valuable for consumers to see in the registry.'' Other possible candidates for inclusion identified in the IoT Labeling Order included, ``manufacturer's access control protections (e.g., information about passwords, multi-factor authentication), whether or not the data is encrypted while in motion and at rest (including in the home, app, and cloud), patch policies, and security or privacy information.'' Are there particular registry data elements that would support the product's security features for those using assistive technologies? Are there additional registry disclosure fields that are necessary for specific products/product classes, based on those or other considerations and if so, what they should be? 
---------------------------------------------------------------------------
\14\ The Commission delegated authority to the Bureau to seek comment on the need for additional data fields beyond the baseline of necessary information that must be displayed for an IoT product in the registry which includes: disclosure of product name, manufacturer name, date of authorization, contact information for the CLA and CyberLAB, instructions on how to change the default password, information on how to configure the device securely, information as to whether software updates are automatic and how to access updates if not, the minimum support period, and whether the manufacturer maintains a Hardware Bill of Materials (HBOM) and/or a Software Bill of Materials (SBOM).

\15\ Regarding whether to disclose whether data is shared with third parties, commenters should consider security/privacy issues and if data should be replicated; and if the data should be replicated in multiple repositories--by the relevant CLA(s) or vendors, for example--and publicly accessible via a single query point?
---------------------------------------------------------------------------

22. The Commission also delegated authority to the Bureau to establish the structure of the registry; and identify the common API and how the API should be structured and used. To this end, we seek comment generally on the structure, format, and maintenance of the registry, and how the queried registry data will be displayed to the consumer. The Bureau believes that the manufacturer would be responsible for their own product data and keeping the data current. We also believe that the data would be hosted by the manufacturers or in partnership with their selected third party and made available through the common API that is secure by design and seek comment on these tentative determinations. How should the API access be best secured to ensure its integrity and availability?
What controls (e.g., rate limits for use of the API) should be required or allowed, and where would those controls best be implemented? How should manufacturers maintain and implement interactions with their product's data in connection with the API? Should manufacturers be responsible for maintaining and implementing the API in connection with its interactions with the registry data, and if so, how? How should the Commission reduce burdens on manufacturers in supporting the decentralized registry? We seek comment on how often the registry data should be updated and on how costs involved in maintaining the registry should be handled. We invite commenters to provide any other technical information to be considered in establishing the registry.

23. The Bureau seeks comment on its tentative determination that at least three different registry display options may be supported: Product specific data hosted by the manufacturer or their selected third party; Vendor data provided for presentation by a commercial retailer; and Aggregated data provided for presentation of multiple products. Are these presentation options consistent with the goals of the IoT Labeling Order that the registry should enable the display to the consumer of required information about individual products, while providing the flexibility to support the envisioned use cases? Are there other presentation options that we should consider for the display or consumption of registry information in determining the structure and technical details involved with the operation of the registry? Should the registry meet [[Page 58318]] certain performance metrics so that poor user experience does not discourage use? Who is in the best position to manage access to the distributed registry as well as access to the API and the level of access available?

24.
The Bureau seeks comment on its tentative determination that there should be a specific aggregated data ``landing page'' \16\ for the registry, which should be a ``.gov'' domain to bring the consumer additional trust and validity to the IoT Labeling Program. The Bureau also seeks comment on the party that should be responsible for hosting this landing page. Is the Lead Administrator in the best position to host the landing page? What additional costs are involved with this responsibility? What security procedures must be adopted by that third party? Should the landing page meet certain performance metrics so that poor user experience does not discourage use? Are there additional security or privacy requirements arising from Federal law that are applicable to the registry? Should the registry operator(s), as appropriate, be required to implement adequate security, privacy, and availability controls to meet FISMA low/moderate standards, or a commercial equivalent?

---------------------------------------------------------------------------
\16\ The ``landing page'' is envisioned to be a web page/site that provides search capabilities to aggregate data pulled from the distributed registry and presents data for individual products or multiple products in a common format as prescribed by the IoT Labeling Order.
---------------------------------------------------------------------------

Procedural Matters

25. Regulatory Flexibility Act. The Regulatory Flexibility Act of 1980, as amended (RFA), requires that an agency prepare a regulatory flexibility analysis for notice and comment rulemakings, unless the agency certifies that ``the rule will not, if promulgated, have a significant economic impact on a substantial number of small entities.'' Accordingly, we have prepared a Supplemental Regulatory Flexibility Analysis (Supplemental IRFA) concerning the possible impact of the rulemaking and policy changes contained in this document.
The Supplemental IRFA concerning the possible impact of the rulemaking and policy changes contained in this document can be found as Exhibit A of the Public Safety and Homeland Security Bureau's Public Notice, DA 24-617, released June 27, 2024, at this link: https://docs.fcc.gov/public/attachments/DA-24-617A1.pdf. Written public comments are requested on the Supplemental IRFA. Comments must have a separate and distinct heading designating them as responses to the Supplemental IRFA and must be filed by the deadlines for comments on the first page of this document.

26. Supplemental Regulatory Flexibility Analysis. As required by the Regulatory Flexibility Act of 1980, as amended (RFA), the Bureau has prepared this Supplemental Initial Regulatory Flexibility Analysis (Supplemental IRFA) of the possible significant economic impact on small entities of the policies and rules discussed in the document to supplement the Commission's Initial and Final Regulatory Flexibility Analyses completed in the IoT Labeling NPRM released in August 2023, and the IoT Labeling Order released in March 2024. Written public comments are requested on this Supplemental IRFA. Comments must be identified as responses to the Supplemental IRFA and must be filed by the same deadline for comments specified in the DATES section of this document. The Bureau will send a copy of the document, including this Supplemental IRFA, to the Chief Counsel for Advocacy of the Small Business Administration (SBA). In addition, the document and Supplemental IRFA (or summaries thereof) will be published in the Federal Register.

27. Need for, and Objectives of, the Proposed Rules. The IoT Labeling Order adopted a voluntary cybersecurity labeling program for consumer Internet of Things (IoT) products that will provide consumers with an easy-to-understand indicator of a product's relative cybersecurity and improve consumer confidence and understanding of IoT product cybersecurity.
The IoT Labeling Program will authorize qualifying IoT products to display the FCC IoT Label, which includes the U.S. Cyber Trust Mark and a QR Code that links to a registry with product-specific consumer-friendly information. The program will adopt standards and testing procedures based on the National Institute of Standards and Technology (NIST) Core Baseline for Consumer IoT Products, and it will be supported by Cybersecurity Label Administrators (CLAs) and recognized Cybersecurity Testing Laboratories (CyberLABs). A Lead Administrator will be chosen by the Commission from among the CLAs and will be responsible for collaborating with stakeholders to make recommendations including technical cybersecurity standards and testing procedures with which IoT products must comply to be authorized to use the FCC IoT Label, the label design, and a consumer education campaign, to be reviewed by the Commission.

28. In the IoT Labeling Order, the Commission delegated authority to the Public Safety and Homeland Security Bureau (Bureau) to seek comment on certain additional items to further the efficient and timely rollout of the program. This document seeks comment on a number of those items, including the format of CLA and Lead Administrator applications; filing fees for CLA applications; criteria for selecting CLAs and the Lead Administrator; CLA sharing of Lead Administrator expenses; extensions of time to become accredited; Lead Administrator neutrality; complaint processes; and the IoT registry. The proposals considered in this document will contribute to the voluntary IoT Labeling Program and further the Commission's objective to provide better information to consumers about the cybersecurity of the IoT products they use, and bolster the cybersecurity of the nationwide IoT ecosystem.

29. Legal Basis. The proposed action is authorized pursuant to sections 1, 2, 4(i), 4(n), 302, 303(r), 312, 333, and 503, of the Communications Act of 1934, as amended.

30.
Description and Estimate of the Number of Small Entities to Which the Proposed Rules Will Apply. The RFA directs agencies to provide a description and, where feasible, an estimate of the number of small entities that may be affected by the proposed rules and policies, if adopted. The RFA generally defines the term ``small entity'' as having the same meaning as the terms ``small business,'' ``small organization,'' and ``small governmental jurisdiction.'' In addition, the term ``small business'' has the same meaning as the term ``small business concern'' under the Small Business Act.\17\ A ``small business concern'' is one which: (1) is independently owned and operated; (2) is not dominant in its field of operation; and (3) satisfies any additional criteria established by the SBA.

---------------------------------------------------------------------------
\17\ Pursuant to 5 U.S.C. 601(3), the statutory definition of a small business applies ``unless an agency, after consultation with the Office of Advocacy of the Small Business Administration and after opportunity for public comment, establishes one or more definitions of such term which are appropriate to the activities of the agency and publishes such definition(s) in the Federal Register.''
---------------------------------------------------------------------------

31. As noted above, Regulatory Flexibility Analyses were incorporated into the IoT Labeling NPRM and the IoT Labeling Order. In those analyses, the Commission described in detail the small entities that might be significantly affected. Accordingly, in this document, for the Supplemental IRFA, we incorporate by reference the [[Page 58319]] descriptions and estimates of the number of small entities from the previous Regulatory Flexibility Analyses in the IoT Labeling NPRM and the IoT Labeling Order.

32. Description of Projected Reporting, Recordkeeping, and Other Compliance Requirements for Small Entities.
The IoT Labeling Program will be voluntary, so small entities who do not participate in the program will not be subject to any new or modified reporting, recordkeeping, or other compliance obligations. Small entities that choose to participate in the program will incur recordkeeping, reporting, and other compliance obligations necessary to test their IoT products to demonstrate compliance with the program requirements. Small entities that choose to participate by applying to be a CLA or CyberLAB will also incur recordkeeping, reporting, and other compliance obligations. We note that obligations for small entities and other applicants were detailed and adopted by the Commission in the IoT Labeling Order. The proposals and discussions in this document seek comment on additional details to the program, including application, selection, and replacement for CLAs and the Lead Administrator as needed, the complaints process, and the registry.

33. Small entities will need to keep the records necessary to demonstrate initial and continued compliance with program requirements, as an IoT product manufacturer or a CLA, including test reports, records related to potential complaint investigations, and data disclosures for the registry, among others. More specifically, small and other grantees of authority to use the FCC IoT Label may also be subject to additional reporting, recordkeeping, and/or other compliance requirements related to the IoT registry in light of our inquiry and request for comments in the document on (1) what, if any additional registry disclosure fields would benefit consumers, and (2) whether to require manufacturers to list the sensors contained in a complying product, identify what data is collected by those sensors, and disclose whether that data is shared with third parties.

34.
The document calculates and proposes that small and other CLA and Lead Administrator applicants be subject to an application filing fee of $1,520 for CLA Applicants and an additional $770 for CLA applicants that apply to be a Lead Administrator, to cover the Commission's costs of processing these applications. With regard to other costs that could result from this proceeding, at this time the record does not include sufficient cost information to allow the Bureau to quantify the costs of compliance for small entities, including whether it will be necessary for small entities to hire professionals to comply with the proposals and other matters upon which we seek comment, if adopted. To help the Bureau more fully evaluate the cost of compliance for small entities should its proposals be adopted, in this document, we request comments on the implications of our proposals and whether there are more efficient and less burdensome alternatives (including cost estimates) for the Bureau to consider. We expect the information we receive in comments to help the Bureau identify and evaluate relevant matters for small entities, including compliance costs and other burdens that may result from the proposals and inquiries we make in the document.

35. Steps Taken to Minimize the Significant Economic Impact on Small Entities, and Significant Alternatives Considered.
The RFA requires an agency to describe any significant, specifically small business, alternatives that it has considered in reaching its proposed approach, which may include the following four alternatives (among others): ``(1) the establishment of differing compliance or reporting requirements or timetables that take into account the resources available to small entities; (2) the clarification, consolidation, or simplification of compliance and reporting requirements under the rule for such small entities; (3) the use of performance rather than design standards; and (4) an exemption from coverage of the rule, or any part thereof, for such small entities.''

36. For the IoT Labeling Program to be meaningful to consumers, the requirements for an IoT product to be granted authority to use the FCC IoT Label must be uniform for small businesses and other entities. The Bureau maintains the view expressed in the IoT Labeling Order that the significance of mark integrity, and building confidence among consumers that devices and products bearing the FCC IoT Label can be trusted to be cyber secure, necessitates adherence by all entities participating in the program to the same rules, regardless of size.

37. In the document, steps taken by the Bureau which should minimize the economic impact for small entities include our decision not to assess fees for administrative updates, minor changes or updates to a CLA application, or for entities seeking to withdraw as a CLA. The Bureau sought comment on the format of CLA and Lead Administrator applications, as well as the fees associated with those applications, and additional areas of expertise or specific requirements a CLA applicant should be required to demonstrate.
We also considered and sought comment on other aspects of the Lead Administrator's roles and responsibilities, including the most effective mechanism for CLAs to share in funding the Lead Administrator's expenses, safeguards the Bureau might adopt to ensure Lead Administrator neutrality, and steps to replace the Lead Administrator as needed. Following our conclusion that CLA and Lead Administrator applications are not covered by any existing Commission fee categories and therefore new categories should be established, we alternatively inquired and sought comment on whether CLA and Lead Administrator applications fall within any existing Commission fee category and, if so, which one. Additionally, the Bureau considered whether there are additional procedures or criteria that should be considered when recognizing CyberLABs located outside the United States. As stated in the IoT Labeling Order, declining to require CyberLABs to be physically located in the U.S. provides more testing lab options for small and other entities. In comments, small entities can identify other requirements or criteria that could minimize the economic impact as IoT product manufacturers submitting applications to a CLA or CyberLAB, or as a prospective CLA or CyberLAB themselves.

38. The Bureau also sought comment on the process for receiving and responding to complaints associated with the program, as well as what requirements should follow from a termination of authority to use the FCC IoT Label due to noncompliance. We asked whether complaints associated with grantees that applied for authorization to use the FCC IoT Label should be initially referred back to the CLA that reviewed the original application. We believe this would be less costly to small entities than going through a separate entity for investigation of complaints.
Small entities can also address in comments whether the termination requirements presented would create significant economic impacts and identify alternatives that may reduce those costs.

39. Additionally, the Bureau considered and sought comment in the document on details related to the publicly accessible IoT registry, including additional data disclosure fields, structure and format of the registry, and the Bureau's determination that the registry landing page should be [[Page 58320]] a ``.gov'' domain. We considered and asked what additional fields would be beneficial to consumers, such as information related to sensors contained in the product and elements that would support users of assistive technologies. We also considered and asked how the common application programming interface (API) that makes manufacturer data available to consumers should be funded and what responsibilities manufacturers should have for maintaining and implementing it. Small entities can specify in comments whether additional aspects of the registry would create significant economic impacts and identify alternatives that may reduce those costs. Regarding the landing page, we asked what additional costs would be associated with hosting such a page. While small entities choosing to participate in the program would have to make required registry data available through the common API, allowing grantees to report information through the API alleviates the need for additional notification requirements which would increase costs for small entities.

40. The Bureau also proposed in the document that manufacturer applications submitted to CLAs, including but not limited to test reports, are presumptively confidential which should benefit small manufacturers, and sought comment on this approach.
We tentatively concluded the Lead Administrator and CLAs are required to comply with the Federal Information Security Management Act of 2002 (FISMA),\18\ and we sought comment on whether there are additional costs associated with such compliance. In comments, small entities can identify which of these proposals raised in this document are particularly difficult or costly for them and how different, simplified, or consolidated requirements would address those burdens. They can also propose any modifications to the proposals that would minimize their anticipated economic impact. The Bureau expects to consider more fully the economic impact on small entities following its review of any comments filed in response to the document, including any costs and benefits information we receive. The Bureau's evaluation of the comments filed in this proceeding will shape the final alternatives we consider, the final conclusions we reach, and any final actions we ultimately take in this proceeding to minimize any significant economic impact that may occur on small entities.

---------------------------------------------------------------------------
\18\ 44 U.S.C. 3541, et seq.
---------------------------------------------------------------------------

41. Federal Rules that May Duplicate, Overlap, or Conflict with the Proposed Rules. None.

Ordering Clauses

42. Accordingly, it is ordered, pursuant to sections 1, 2, 4(i), 4(n), 302, 303(r), 312, 333, and 503, of the Communications Act of 1934, as amended that this document is hereby adopted.

43. It is further ordered that the Commission's Office of the Secretary, shall send a copy of this document, including the Supplemental Initial Regulatory Flexibility Analysis, to the Chief Counsel for Advocacy of the Small Business Administration.
---------------------------------------------------------------------------------------------------------------- APPLICATION FOR CYBERSECURITY LABELING ADMINISTRATOR AND LEAD ADMINISTRATOR CYBERSECURITY LABEL ADMINISTRATOR (CLA) 1. Applicant ---------------------------------------------------------------------------------------------------------------- Name: Address ------------------------------------------------------------------------------- Street City Zip ------------------------------------------------------------------------------- ---------------------------------------------------------------------------------------------------------------- Point of Contact: Name Title Email Phone Number ---------------------------------------------------------------------------------------------------------------- ---------------------------------------------------------------------------------------------------------------- 2. Describe Applicant's organization structure and how this structure supports the Commission's CLA requirements. ------------------------------------------------------------------------ ------------------------------------------------------------------------- ------------------------------------------------------------------------ 3. Describe the processes Applicant will use to review applications seeking authority to use the FCC IoT Label (based on type testing as identified in ISO/IEC 17065). ------------------------------------------------------------------------ ------------------------------------------------------------------------- ------------------------------------------------------------------------ 4. Describe the safeguards Applicant will implement (or already has in place) to avoid personal and organization conflict when processing applications. 
------------------------------------------------------------------------ ------------------------------------------------------------------------- ------------------------------------------------------------------------ 5. Describe in detail Applicant's expertise in all of the following areas: (a) Cybersecurity expertise and capabilities. Include a description of Applicant's knowledge of IoT and FCC IoT Labeling requirements. [[Page 58321]] ------------------------------------------------------------------------ ------------------------------------------------------------------------- ------------------------------------------------------------------------ (b) Expert knowledge of NIST's cybersecurity guidance, including but not limited to NIST's recommended criteria and labeling program approaches for cybersecurity labeling of consumer IoT products. ------------------------------------------------------------------------ ------------------------------------------------------------------------- ------------------------------------------------------------------------ (c) Expert knowledge of FCC rules and procedures associated with product compliance testing and certification. ------------------------------------------------------------------------ ------------------------------------------------------------------------- ------------------------------------------------------------------------ (d) Knowledge of Federal law and guidance governing the security and privacy of agency information systems. ------------------------------------------------------------------------ ------------------------------------------------------------------------- ------------------------------------------------------------------------ (e) Explain how Applicant will securely handle large volumes of information and include Applicant's related internal security practices. 

(f) Explain how Applicant will securely handle large volumes of information and include Applicant's related internal security practices.

(g) Status of accreditation pursuant to all the requirements associated with ISO/IEC 17065 and the FCC scope.

(h) Describe the controls Applicant has implemented to eliminate actual or potential conflicts of interests (both personal and organizational), particularly with regard to commercially sensitive information, to include but not limited to, remaining impartial and unbiased and prevent them from giving preferential treatment to certain applications (e.g., application line jumping) and from implementing heightened scrutiny of applications from entities not members or otherwise aligned with the CLA.

Check all that apply:

[ ] 6. Applicant is not owned or controlled by or affiliated \19\ with any entity identified on the Commission's Covered List

[ ] 7. Applicant is not owned or controlled by or affiliated with any listed sources of prohibition under 47 CFR 8.204

[ ] 8. Applicant, its affiliate(s), or subsidiary(ies) are not owned or controlled by a foreign adversary country defined by the Department of Commerce in 15 CFR 7.4

[ ] 9. Applicant is not owned or controlled by or affiliated with any person or entity that has been suspended or debarred from receiving federal procurements or financial awards

[ ] 10. Applicant is not otherwise prohibited from participating in the IoT Labeling Program

---------------------------------------------------------------------------
\19\ For purposes of the Commission's IoT labeling program an ``affiliate'' is defined as ``a person that (directly or indirectly) owns or controls, is owned or controlled by, or is under common ownership or control with, another person. For purposes of this part the term `own' means to own an equity interest (or the equivalent thereof) of more than 10 percent.''
---------------------------------------------------------------------------

[[Page 58322]]

If any of the boxes in this section do not apply to Applicant, attach an exhibit explaining the circumstances and demonstrating why Applicant is qualified to be Lead Administrator.

LEAD ADMINISTRATOR

Applicants seeking the role of Lead Administrator must provide all of the information requested below. (Leave the following information blank if not applying for role of Lead Administrator.)

In the following section, provide a detailed description of how Applicant will execute the duties of the Lead Administrator and include all of the following:

1. Describe Applicant's previous experience in IoT cybersecurity.

2. Describe Applicant's previous roles, if any, in IoT labeling.

3. Describe Applicant's capacity to execute the Lead Administrator duties.

4. Describe Applicant's plan/approach to interfacing with the Commission on the behalf of CLAs.

5. Describe in detail Applicant's plan for engaging and collaborating with stakeholders (including other CLAs) to identify or develop FCC recommendations as required by 47 CFR 8.221.

6. Describe in detail Applicant's proposed consumer education campaign.

7. Any additional information Applicant believes demonstrates why they should be on how the applicant's qualifications align with the role of Lead Administrator.

Information Current and Complete

Information filed with the FCC must be kept current and complete. The Applicant must notify the FCC regarding any substantial and significant changes in the information furnished in the application(s). See 47 CFR 1.65.

Certification Statements

By signing this application, the Applicant certifies that all statements and information provided in this application and in any exhibits or attachments are part of this application and are true, complete, correct, and made in good faith.

The Applicant certifies that neither the Applicant nor any other party to the application is subject to a denial of Federal benefits pursuant to section 5301 of the Anti-Drug Abuse Act of 1988, 21 U.S.C. 862, because of a conviction for possession or distribution of a controlled substance. This certification does not apply to applications filed in services exempted under Sec. 1.2002(c) of the Commission's rules, 47 CFR 1.2002(c). See 47 CFR 1.2002(b) for the definition of ``party to the application'' as used in this certification.

The Applicant certifies that it is not in default on any payment for Commission licenses and that it is not delinquent on any non-tax debt owed to any federal agency.

The Applicant certifies that the Applicant and all of the related individuals and entities required to be disclosed on this application are not person(s) who have been, for reasons of national security, barred by any agency of the Federal Government from federal procurement.

[[Page 58323]]

Signature

Typed or printed name of Party Authorized to Sign

    First Name:
    MI:
    Last Name:
    Suffix:
    Title:

Signature:
Date:

FAILURE TO SIGN THIS APPLICATION MAY RESULT IN DISMISSAL OF THE APPLICATION AND FORFEITURE OF ANY FEES PAID.

Federal Communications Commission.
David Furth,
Deputy Bureau Chief, Public Safety and Homeland Security Bureau.
[FR Doc. 2024-15379 Filed 7-17-24; 8:45 am]
BILLING CODE 6712-01-P