[Federal Register Volume 89, Number 138 (Thursday, July 18, 2024)]
[Proposed Rules]
[Pages 58312-58323]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2024-15379]
=======================================================================
-----------------------------------------------------------------------
FEDERAL COMMUNICATIONS COMMISSION
47 CFR Part 8
[PS Docket No. 23-239; DA 24-617; FR ID 229959]
Public Safety and Homeland Security Bureau Requests Comment on
Implementation of the Cybersecurity Labeling for Internet of Things
Program
AGENCY: Federal Communications Commission.
ACTION: Proposed rule.
-----------------------------------------------------------------------
SUMMARY: In this document, the Federal Communications Commission
(Commission or FCC) seeks comment on additional items to further the
efficient and timely rollout of the IoT Labeling program. These items
include the format of Cybersecurity Label Administrator (CLA) and Lead
Administrator applications; filing fees for CLA applications; criteria
for selecting CLAs and the Lead Administrator; CLA sharing of Lead
Administrator expenses; Lead Administrator neutrality; processes for
withdrawal of CLA and Lead Administrator approvals; recognition of
CyberLABs outside the United States; complaint processes;
confidentiality and security requirements; and the IoT registry.
DATES: Comments are due on or before August 19, 2024; reply comments
are due on or before September 3, 2024. Comments on section II.B are
due on or before August 19, 2024.
ADDRESSES: Pursuant to Sec. Sec. 1.415 and 1.419 of the Commission's
rules, 47 CFR 1.415, 1.419, interested parties may file comments and
reply comments on or before the dates indicated on the first page of
this document. Comments may be filed using the Commission's Electronic
Comment Filing System (ECFS). You may submit comments, identified by PS
Docket No. 23-239, by any of the following methods:
Electronic Filers: Comments may be filed electronically
using the internet by accessing the ECFS: https://www.fcc.gov/ecfs/.
Paper Filers: Parties who choose to file by paper must
file an original and one copy of each filing.
Filings can be sent by hand or messenger delivery, by
commercial courier, or by the U.S. Postal Service. All filings must be
addressed to the Secretary, Federal Communications Commission.
Hand-delivered or messenger-delivered paper filings for
the Commission's Secretary are accepted between 8:00 a.m. and 4:00 p.m.
by the FCC's mailing contractor at 9050 Junction Drive, Annapolis
Junction, MD 20701. All hand deliveries must be held together with
rubber bands or fasteners. Any envelopes and boxes must be disposed of
before entering the building.
Commercial courier deliveries (any deliveries not by the
U.S. Postal Service) must be sent to 9050 Junction Drive, Annapolis
Junction, MD 20701. Filings sent by U.S. Postal Service First-Class
Mail, Priority Mail, and Priority Mail Express must be sent to 45 L
Street NE, Washington, DC 20554.
People with Disabilities: To request materials in
accessible formats for people with disabilities (braille, large print,
electronic files, audio format), send an email to [email protected] or
call the Consumer & Governmental Affairs Bureau at 202-418-0530.
FOR FURTHER INFORMATION CONTACT: Tara B. Shostek, Cybersecurity and
Communications Reliability Division, Public Safety and Homeland
Security Bureau, (202) 418-8130, or by email to [email protected].
For additional information concerning the Paperwork Reduction Act
information collection requirements contained in this document, contact
Nicole Ongele, Office of Managing Director, Performance and Program
Management, 202-418-2991, or by email to [email protected].
SUPPLEMENTARY INFORMATION: This is a summary of the Commission's
document in PS Docket No. 23-239, DA 24-617; released on June 27, 2024.
The full text of this document is available at https://docs.fcc.gov/public/attachments/DA-24-617A1.pdf.
Paperwork Reduction Act. The document may contain new or modified
information collection(s) subject to the Paperwork Reduction Act of
1995. All such new or modified information collection requirements will
be submitted to OMB for review under section 3507(d) of the PRA. OMB,
the general public, and other Federal agencies are invited to comment
on any new or modified information collection requirements contained in
this proceeding. In addition, pursuant to the Small Business Paperwork
Relief Act of 2002, we seek specific comment on how we might ``further
reduce the information collection burden for small business concerns
with fewer than 25 employees.''
Providing Accountability Through Transparency Act. Consistent with
the Providing Accountability Through Transparency Act, Public Law 118-
9, a summary of this document will be available on https://www.fcc.gov/proposed-rulemakings.
[[Page 58313]]
Ex Parte Rules--Permit but Disclose. This proceeding shall be
treated as a ``permit-but-disclose'' proceeding in accordance with the
Commission's ex parte rules. Persons making ex parte presentations must
file a copy of any written presentation or a memorandum summarizing any
oral presentation within two business days after the presentation
(unless a different deadline applicable to the Sunshine period
applies). Persons making oral ex parte presentations are reminded that
memoranda summarizing the presentation must (1) list all persons
attending or otherwise participating in the meeting at which the ex
parte presentation was made, and (2) summarize all data presented and
arguments made during the presentation. If the presentation consisted
in whole or in part of the presentation of data or arguments already
reflected in the presenter's written comments, memoranda or other
filings in the proceeding, the presenter may provide citations to such
data or arguments in his or her prior comments, memoranda, or other
filings (specifying the relevant page and/or paragraph numbers where
such data or arguments can be found) in lieu of summarizing them in the
memorandum. Documents shown or given to Commission staff during ex
parte meetings are deemed to be written ex parte presentations and must
be filed consistent with rule 1.1206(b). In proceedings governed by
rule 1.49(f) or for which the Commission has made available a method of
electronic filing, written ex parte presentations and memoranda
summarizing oral ex parte presentations, and all attachments thereto,
must be filed through the electronic comment filing system available
for that proceeding, and must be filed in their native format (e.g.,
.doc, .xml, .ppt, searchable .pdf). Participants in this proceeding
should familiarize themselves with the Commission's ex parte rules.
Confidential Treatment. Parties wishing to file materials with a
claim of confidentiality should follow the procedures set forth in
Sec. 0.459 of the Commission's rules. Casual claims of confidentiality
are not accepted. Confidential submissions may not be filed via ECFS
but rather should be filed with the Secretary's Office following the
procedures set forth in 47 CFR 0.459. Redacted versions of confidential
submissions may be filed via ECFS. Parties are advised that the FCC
looks with disfavor on claims of confidentiality for entire documents.
When a claim of confidentiality is made, a public, redacted version of
the document should also be filed.
Digital Equity and Inclusion. The Commission, as part of its
continuing effort to advance digital equity for all,\1\ including
people of color, persons with disabilities, persons who live in rural
or Tribal areas, and others who are or have been historically
underserved, marginalized, or adversely affected by persistent poverty
or inequality, invites comment on any equity-related considerations \2\
and benefits (if any) that may be associated with the proposals and
issues discussed herein. Specifically, we seek comment on how our
proposals may promote or inhibit advances in diversity, equity,
inclusion, and accessibility, as well as the scope of the Commission's
relevant legal authority.
---------------------------------------------------------------------------
\1\ Section 1 of the Communications Act of 1934 as amended
provides that the FCC ``regulat[es] interstate and foreign commerce
in communication by wire and radio so as to make [such service]
available, so far as possible, to all the people of the United
States, without discrimination on the basis of race, color,
religion, national origin, or sex.'' 47 U.S.C. 151.
\2\ The term ``equity'' is used here consistent with Executive
Order 13985 as the consistent and systematic fair, just, and
impartial treatment of all individuals, including individuals who
belong to underserved communities that have been denied such
treatment, such as Black, Latino, and Indigenous and Native American
persons, Asian Americans and Pacific Islanders and other persons of
color; members of religious minorities; lesbian, gay, bisexual,
transgender, and queer (LGBTQ+) persons; persons with disabilities;
persons who live in rural areas; and persons otherwise adversely
affected by persistent poverty or inequality. See Exec. Order No.
13985, 86 FR 7009, Executive Order on Advancing Racial Equity and
Support for Underserved Communities Through the Federal Government
(January 20, 2021).
---------------------------------------------------------------------------
Synopsis
1. In March 2024, the Federal Communications Commission (FCC or
Commission) adopted a Report and Order and Further Notice of Proposed
Rulemaking (IoT Labeling Order) establishing the framework for the
Commission's voluntary cybersecurity labeling program for consumer
wireless Internet of Things (IoT) products (IoT Labeling Program).
Recognizing the additional work that would need to be done to implement
the framework, the Commission delegated authority to the Public Safety
and Homeland Security Bureau (PSHSB or Bureau), in coordination with
the Office of the Managing Director (OMD), to seek comment on certain
additional items to further the efficient and timely rollout of the
program. Accordingly, with this document, the PSHSB and OMD request
comment on: the format of Cybersecurity Label Administrator (CLA) and
Lead Administrator applications; filing fees for CLA applications;
criteria for selecting CLAs and the Lead Administrator; CLA sharing of
Lead Administrator expenses; Lead Administrator neutrality; processes
for withdrawal of CLA and Lead Administrator approvals; recognition of
CyberLABs outside the United States; complaint processes;
confidentiality and security requirements; and the IoT registry.\3\
---------------------------------------------------------------------------
\3\ We note that this document is not meant to address all
outstanding implementation issues in connection with the IoT
Labeling Program; there are additional implementation matters and
specific delegations of authority from the IoT Labeling Order that
the Bureau will be addressing in subsequent documents.
---------------------------------------------------------------------------
Discussion
A. Format of CLA and Lead Administrator Applications
2. The IoT Labeling Order provides that the Commission will accept
applications for entities seeking to qualify as CLAs and those
applicants seeking the position of Lead Administrator, but did not
specify the format these applications should take. The Bureau believes
that CLA/Lead Administrator applications should be submitted in
narrative format via email and seeks comment on this tentative
determination and any alternative methods or formats for submission.
While the Bureau recognizes the organizational value of a fillable
form, the information to be submitted by entities seeking to be a CLA/
Lead Administrator seemingly lends itself to a narrative discussion of
the qualifications and strengths the applicant possesses to support the
FCC's IoT Labeling Program. The Bureau still could re-evaluate the need
for a fillable form after it has processed and reviewed the initial
CLA/Lead Administrator applications and seek comment on a proposed
format for such a form. We seek comment on these issues.
B. FCC Filing Fees for CLA and Lead Administrator Applications
3. The IoT Labeling Order directs the Bureau, in conjunction with
OMD, to adopt procedures and take additional steps, including
applicable fees (pursuant to any required public notice and comment),
as necessary to ensure compliance with the Communications Act with
respect to any rules adopted therein that contemplate the filing of
applications directly with the Commission.\4\ Section 8 of the
Communications Act requires the Commission to assess and collect
[[Page 58314]]
application fees to cover the costs of the Commission to process
applications. Although the Commission has assessed and collected
application fees pursuant to section 8 of the Communications Act since
1986,\5\ in 2018, Congress modified section 8 of the Communications Act
to change the application fee program from a statutory schedule of
application fees to a requirement that the Commission update and amend
the existing schedule of application fees by rule to recover the costs
of the Commission to process applications.\6\ Section 8(c) of the Act
also requires the Commission to, by rule, amend the application fee
schedule if the Commission determines that the schedule requires
amendment to ensure that: (1) such fees reflect increases or decreases
in the costs of processing applications at the Commission or (2) such
schedule reflects the consolidation or addition of new categories of
applications.
---------------------------------------------------------------------------
\4\ The IoT Labeling Order directs manufacturers to file
applications directly with CLAs to use the U.S. Cyber Trust Mark
and, as such, those fees are not contemplated in this inquiry.
\5\ While the 1986 schedule adopted by Congress was accurate at
the time adopted because it was based on cost information provided
by the Commission to Congress, the framework did not allow the fee
schedule to change as a result of advancements in technology and
corresponding changes in Commission procedures and rules. Notably,
the Commission was constrained from adding, removing, or otherwise
changing the structure or levels of application fees prior to the
RAY BAUM'S Act, outside of a ministerial biannual order adopting
without notice and comment changes to fees based on the Consumer
Price Index.
\6\ The Repack Airwaves Yielding Better Access for Users of
Modern Services Act of 2018, or the RAY BAUM'S Act of 2018, amended
sections 8 and 9 and added section 9A to the Communications Act of
1934, as amended and provided that such provisions would become
effective on October 1, 2018. Consolidated Appropriations Act, 2018,
Public Law 115-141, 132 Stat. 1084, Division P--RAY BAUM'S Act of
2018, Title I, section 103 (2018). 47 U.S.C. 158. Congress provided,
however, that application fees in effect prior to the effective date
of the new section 8 would remain in effect until the Commission
adjusts or amends such fee. RAY BAUM'S Act of 2018, Title I, section
103(d) (uncodified provisions entitled ``Transitional Rules'').
---------------------------------------------------------------------------
4. In the 2020 Application Fee Order, the Commission explained that
in accordance with the RAY BAUM'S Act, application fees are based on
the ``costs of the Commission to process applications.'' Specifically,
the Commission establishes an application fee based on direct labor
costs of processing a particular application, which are calculated ``by
multiplying an estimate of the number of hours needed for each task, up
through first-level supervisory tasks required to process the
application, by an estimate of the labor cost per hour for the employee
performing the task and by an estimate of the probability that the task
needed to be performed.'' In the 2020 Application Fee Order, the
Commission adopted five functional categories of fees: Wireless
Licensing Fees, Media Licensing Fees, Equipment Approval Fees, Domestic
Service Fees, and International Service Fees.
5. The Bureau seeks comment on whether applications filed with the
Commission by entities seeking qualification as a CLA or seeking the
position of Lead Administrator constitute an application under section
8 of the Act. If so, is there an existing fee category that would cover
such applications? If there are no existing fee categories that are
applicable, should new application fee categories, ``Cybersecurity
Label Administrator'' and ``Lead Administrator,'' be established? We
seek comment on the legal and factual basis for assessing a fee
pursuant to section 8 of the Communications Act on these applications.
6. If we conclude that a filing with the Commission seeking to be a
CLA or to be the Lead Administrator constitutes an application under
section 8 of the Act, then we must consider the cost of processing such
a filing to inform what fee the Commission would charge in connection
with such a filing. We note that the agency has narrowly construed the
scope of what constitutes processing for applications subject to fees.
Applying the Commission's framework for the costs of processing
applications adopted in the 2020 Application Fee Order, we believe that
the processing of CLA applications, including the initial conditional
approval and subsequent review required after the CLA notifies the
Commission that it has obtained the International Organization for
Standardization/International Electrotechnical Commission (ISO/IEC)
17065 accreditation, consists of engineer and engineer supervisory
review, and attorney and attorney supervisory review.
7. As detailed below, the Bureau estimates that the time it will
take to process each CLA application will be 15 hours and the time it
will take to process each Lead Administrator application will be 8
hours. We estimate the labor cost per hour for the various 2024 general
schedule pay grades of the employees that process applications based on
the current pay table for Washington, DC, at the step 5 level, we
estimate overhead costs as 20% of the salary level also per that rule,
and we estimate each employee works 2,087 hours in one year. We also
round the fee to the nearest $5.00 increment as required by section 8
as amended. We seek comment on this approach.
8. The Bureau estimates that each CLA application will require 10
hours of engineering review at the GS-15 level, 2 hours of engineering
supervisory review at the GS-15 level; 2 hours of attorney application
review at the GS-12 level, and 1 hour of attorney supervisory review at
the GS-15 level. The estimated total labor costs (including 20%
overhead) for the engineering review (GS-15, step 5) of each CLA
application is $1,282.20 (12 engineering hours * 106.85 = 1,282.20).\7\
The estimated labor costs (including 20% overhead) for the attorney
application review (GS-12, step 5) for each CLA application is $129.28
(2 hours * $64.64 = $129.28).\8\ The estimated total labor costs
(including 20% overhead) for the attorney supervisory review (GS-15,
step 5) for each CLA application is $106.85 (1 hour * 106.85 =
106.85).\9\ The total labor cost per CLA application is $1,518.33
(1,282.20 + 129.28 + 106.85). Based on these hourly rates and the
estimated time for processing each CLA application, the Bureau proposes
that the filing fee for a CLA application is $1,520 and we seek comment
on this proposal.
---------------------------------------------------------------------------
\7\ The annual pay for a GS-15, step 5 in the Washington-
Baltimore-Arlington, DC-MD-VA-WV-PA Locality Pay area is $185,824.
Overhead costs are $37,164.80 (20% * 185,824 = 37,164.80). The
hourly rate of a GS-15, Step 5 including overhead costs based on
2,087 annual hours is $106.85 (185,824 + 37,164.80 = 222,988.80;
222,988.80/2,087 hours = 106.85). The Bureau estimates that each CLA
application will require 12 hours of engineering review at the GS-
15, step 5 level.
\8\ The annual pay for a GS-12, step 5 in the Washington-
Baltimore-Arlington, DC-MD-VA-WV-PA Locality Pay area is $112,425.
Overhead costs are $22,485.00 (20% * 112,425 = 22,485). The hourly
rate of a GS-12, step 5 including overhead costs based on 2,087
annual hours is $64.64 (112,425 + 22,485 = 134,910; 134,910/2,087 =
64.64). The Bureau estimates that each CLA application will require
2 hours of attorney review at the GS-12, step 5 level.
\9\ The hourly rate of a GS-15, step 5 attorney is the same as
the hourly rate of a GS-15, step 5 engineer, which is $106.85. The
Bureau estimates that each CLA application will require 1 hour of
attorney review at the GS-15, step 5 level.
---------------------------------------------------------------------------
9. Some entities seeking to qualify as a CLA may include additional
information in their application seeking the position of Lead
Administrator, which will similarly require additional engineering and
engineering supervisory review, and attorney application and attorney
supervisory review. The Bureau estimates that each Lead Administrator
application, which occurs after the CLA application has already been
reviewed, will require 4 hours of engineering review at the GS-15
level, 1 hour of supervisory engineering review at the GS-15 level, 2
hours of attorney application review at the GS-12 level, and 1 hour of
attorney supervisory review at the GS-15 level.
[[Page 58315]]
10. We propose that applications for Lead Administrator must
include an additional fee of $770 to cover the FCC's costs of
processing Lead Administrator applications. The Bureau seeks comment on
this determination. The Bureau estimates that each Lead Administrator
application will require 5 hours of engineering application review at
the GS-15, step 5 level at an hourly rate of $106.85 (5 * 106.85 =
534.25), 2 hours of attorney application review at the GS-12, step 5
level at an hourly rate of $64.64 (2 * 64.64 = 129.28) and 1 hour of
attorney supervisor review at the GS-15, step 5 level at an hourly rate
of $106.85 (1 * 106.85 = 106.85) for a total of $770.38 (534.25 +
129.28 + 106.85). The Bureau seeks comment on the estimation of time to
process the Lead Administrator applications and the proposed fee for
processing the application. Our proposals for processing fees are based
on averages. Given that these are new categories of applications, at
this time, we do not believe we have a factual basis to assess fees for
administrative updates, minor changes or updates to a CLA application,
or for entities seeking to withdraw as a CLA. We also do not believe we
have a factual basis to assess fees for administrative updates, minor
changes, or updates to a Lead Administrator application, or for an
entity seeking to withdraw a Lead Administrator. Until we have
experience with processing these new types of applications, it would be
difficult to calculate identifiable direct costs beyond those included
in the calculation of the initial application fee. For both the CLA and
Lead Administrator applications, we seek comment on whether we have
included in our estimates the appropriate steps under the Commission's
2020 Application Fee Order framework to determine processing costs. If
commenters view our estimates to be over or under inclusive, to the
extent practicable, commenters should explain their views by including
reference to any application fees adopted in the 2020 proceeding that
the commenter considers analogous to the CLA and/or Lead Administrator
application.
C. Bureau Selection of Cybersecurity Label Administrators and the Lead
Administrator
11. The IoT Labeling Order provides that the Bureau will release a
public notice opening a filing window for the acceptance of CLA
applications, which will include an option for CLA applicants to
indicate they also seek the role of Lead Administrator.\10\ The IoT
Labeling Order specifies the expertise and qualifications each
applicant for CLA and Lead Administrator must demonstrate and delegates
to the Bureau the authority to adopt additional criteria and
administrative procedures necessary to efficiently select one or more
independent, non-governmental entities to act as CLA(s) and Lead
Administrator. The Bureau seeks comment on whether there are additional
areas of expertise or specific requirements a CLA applicant should be
required to demonstrate in addition to those listed in the Order.\11\
The Bureau seeks comment on what additional criteria, if any, the
Bureau should take into consideration during the Lead Administrator
selection process. What additional criteria would help us ensure that
CLA(s) and the Lead Administrator are able to advance the Commission's
policy objective to raise consumer confidence with regard to the
cybersecurity of consumer wireless IoT products while strengthening the
nation's cybersecurity posture? How should the Bureau differentiate
between Lead Administrator candidates for selection? Should all
selection criteria be weighted the same? If not, which criteria should
carry more weight?
---------------------------------------------------------------------------
\10\ The Bureau, in coordination with OMD and OGC will review
these applications and determine which applications meet the CLA
requirements and which CLA applicant best meets the requirements of
Lead Administrator.
\11\ The IoT Labeling Order contemplates the acceptance of
applications for CLAs located outside the United States after
appropriate international agreements or other appropriate
prerequisites are in place.
---------------------------------------------------------------------------
D. Lead Administrator Expenses Shared Among CLAs
12. The IoT Labeling Order ``expect[ed]'' that the Lead
Administrator's expenses ``in performing its duties on behalf of the
program as a whole'' will be ``shared among CLAs as a whole,'' but does
not provide a mechanism or details for such sharing. The Bureau seeks
comment on the most effective mechanism for CLAs to share the Lead
Administrator's expenses, including whether and how to distinguish
costs associated with identified Lead Administrator responsibilities,
potential changes in the Lead Administrator, and the timing of
reimbursement for such expenses. Commenters should also consider
whether and how any cost sharing mechanism might change after the
initial rollout of the program, including any rationale for doing so.
Alternatively, we seek comment on whether the Lead Administrator is in
the best position to propose how costs should be shared among CLAs. To
the extent commenters have estimates of the Lead Administrator's
expenses, we invite them to share such estimates. In addition, we seek
comment on the categories of expenses that should be attributable to
the Lead Administrator's responsibilities under this program. What
auditing requirements should be required of the Lead Administrator? Are
there financial controls, or other controls, the Commission has adopted
in the case of other program administrators that it relies on that
would be appropriate in this context? We note that the IoT Labeling
Order does not contemplate other funding sources for the Lead
Administrator's expenses, beyond sharing ``among CLAs as a whole.''
E. Lead Administrator Neutrality
13. The Commission recognized the competitive implications of an
entity being both the Lead Administrator and a CLA and, as such,
delegated authority to the Bureau to review, seek public comment on,
and approve/disapprove the Lead Administrator recommendations. We seek
comment on whether there are safeguards the Bureau might adopt to
ensure the stakeholder process remains competitively neutral and the
recommendations the Lead Administrator makes to the Commission (e.g.,
standards and testing criteria and label design) are stakeholder
consensus-based and competitively neutral. For example, are there
additional or different safeguards the Commission has adopted in the
case of other program administrators that it relies on that would be
appropriate in this context? We seek comment on whether the Bureau
should adopt additional safeguards to ensure fulsome and broad
stakeholder engagement in this process. Are there other safeguards the
Bureau should adopt to ensure the Lead Administrator, who is
potentially a competitor of other CLAs, does not have an unfair
economic, or other, competitive advantage?
F. Withdrawal of CLA and Lead Administrator Approval
14. The IoT Labeling Order provides that the Commission will
withdraw its approval of a CLA if the CLA's designation or
accreditation is withdrawn, if there is just cause for withdrawing
approval, or upon request of the CLA. The Commission will notify a CLA
in writing of its intention to withdraw or limit the scope of the CLA's
approval and provide at least 60 days for the CLA to respond. The
Bureau will announce the withdrawal of
[[Page 58316]]
a CLA approval by public notice. The IoT Labeling Order also delegates
authority to the Bureau to ``manage changes in the Lead
Administrator.'' We believe the same processes should be applied to the
withdrawal of the Lead Administrator. We seek comment on this tentative
determination. The Bureau also seeks comment on steps that should be
taken to replace the Lead Administrator. Should a replacement Lead
Administrator be chosen by the Bureau from among the remaining
accredited and recognized CLAs based on the same criteria and
procedures used to select the original Lead Administrator? Should the
Commission open a new filing window for CLAs seeking to be Lead
Administrator? What other procedures, if any, should the Commission
adopt to ensure the efficient replacement of a Lead Administrator?
Should the Bureau set a term for the Lead Administrator and at the end
of this term open the position up to new applications? If yes, what
term is appropriate? Commenters may provide any other additional
information that is pertinent to this inquiry.
G. Recognition of CyberLABs by Lead Administrator Located Outside the
United States
15. The IoT Labeling Order provides that CyberLABs may be located
outside the United States provided they are accredited to ISO/IEC 17025
and the FCC's program scope and delegates authority to the Bureau to
adopt any additional criteria or procedures necessary with respect to
their use. We seek comment on whether there are additional procedures
or criteria that should be considered when the Lead Administrator
recognizes labs located outside the United States. Are there existing
international frameworks in other areas that might provide an
appropriate model to allow for recognition of a lab located outside of
the United States?
H. Complaints
16. The Commission is the ultimate arbiter of complaints submitted,
whether directly to the Commission, CLAs, the Lead Administrator,
CyberLABs, or any other third-party entity, alleging improper,
nonconforming, and/or unauthorized use of the U.S. Cyber Trust Mark.
The Commission will actively and diligently enforce the IoT Labeling
Program's requirements to maintain the integrity of the FCC IoT Label,
the U.S. Cyber Trust Mark, and the program. The IoT Labeling Order
emphasized that deceptive or misleading use of the FCC IoT Label or
U.S. Cyber Trust Mark are prohibited, and set out a 20-day cure period
for grantees to investigate complaints of non-compliance and report the
results to the Bureau. The IoT Labeling Order also determined that the
Commission and CLAs will receive complaints of noncompliant displays of
the Cyber Trust Mark and delegated authority to the Bureau, in
coordination with the Consumer and Governmental Affairs Bureau, to
determine the process for receiving and responding to complaints. The
Lead Administrator will receive complaints about the registry and
coordinate with manufacturers to resolve any associated technical
problems, and the Lead Administrator is also responsible for
interfacing with the Commission on behalf of CLAs, including as it
relates to complaints. We seek comment on the specific processes for
receiving and responding to complaints associated with the IoT Labeling
Program. Should entities file complaints with the Bureau, in addition
to submitting them directly to a CLA, including the Lead Administrator?
If complaints are filed with the Commission, should complaints
associated with grantees that applied for authorization to use the FCC
IoT Label be initially referred to the CLA that reviewed the original
application for investigation and a determination of whether the
application was approved or denied? Should these processes be different
if the complaint involves a CyberLAB located outside of the United
States? If so, what is the legal basis for these differences? In
situations where there is no associated CLA, such as when a product
displays the mark without permission, we believe that complaints of
fraudulent or deceptive use of the Cyber Trust Mark by those entities
that never applied for authorization (i.e., where there is no
applicable CLA) should be filed directly with the Commission. We seek
comment on this belief. The Commission determined in the IoT Labeling
Order that a grant of authorization to use the FCC IoT Label is
automatically terminated upon notice by the Bureau following submission
of a complaint of non-compliance, if that non-compliance has not been
adequately corrected or addressed in a report describing actions taken
to correct the deficiencies within 20 days. We seek comment on what
requirements should follow from such a termination of authority. Should
the Commission adopt disqualification procedures similar to ENERGY
STAR's, which include ceasing shipments of units displaying the label,
ceasing the labeling of associated units, removing references to the
label from marketing materials, covering or removing labels on
noncompliant units within the brand owner's control, and conducting
retail store level assessments to identify mislabeled products?
I. Confidentiality and Security Requirements
17. The Bureau anticipates that the manufacturer applications
submitted to CLAs will contain commercially sensitive and proprietary
information that the manufacturers customarily treat as confidential,
including, but not limited to, test reports. The Bureau proposes that
these applications should be treated as presumptively confidential and
CLAs should be required to maintain this confidentiality. The Bureau
seeks comment on this tentative determination. We also seek comment on
whether CLA applications submitted to the Commission will likewise
contain commercially sensitive and proprietary information that is
routinely treated as confidential and thus should be treated as
presumptively confidential.\12\ Are certain aspects of either of these
applications not appropriately treated as presumptively confidential?
Are there public interest and/or transparency reasons to make CLA
applications and/or Lead Administrator applications publicly available?
Should only those CLA applications that are approved be publicly
available, while CLA applications that are denied be kept confidential?
---------------------------------------------------------------------------
\12\ The Bureau has an obligation to publish data maintained by
the Commission that would be subject to disclosure under the Freedom
of Information Act (FOIA).
---------------------------------------------------------------------------
18. Information submitted by manufacturers to CLAs, the Lead
Administrator, or CyberLABs, in the course of seeking authority to use
the FCC IoT Label, including but not limited to applications and test
reports, and information submitted to the Lead Administrator by a lab
seeking recognition as a CyberLAB (i.e., authorized to conduct
conformance testing under the Commission's IoT Labeling Program) are
not agency records of the Commission. Only information submitted to the
Commission, such as submissions in furtherance of applications by
entities seeking authority from the Commission to be a CLA and/or Lead
Administrator, are records of the Commission.
19. The Federal Information Security Modernization Act of 2014
(FISMA) requires, among other things, that each Federal agency provide
protections commensurate with the risk and
[[Page 58317]]
magnitude of the harm resulting from the unauthorized access, use,
disclosure, disruption, modification, or destruction of ``information
collected or maintained by or on behalf of the agency'' and
``information systems used or operated by an agency or by a contractor
of an agency or other organization on behalf of an agency.'' We
tentatively conclude that these requirements attach to the Lead
Administrator and CLAs, who both collect and maintain information and
operate information systems on behalf of the FCC. We seek comment on
this tentative conclusion. We note that in the IoT Labeling Order, the
Commission described that each entity seeking authority to act as a CLA
should demonstrate expertise in, among other things, ``[f]ederal law
and guidance governing the security and privacy of agency information
systems,'' which we believe encompasses FISMA and related guidance from
the Office of Management and Budget and publications from the National
Institute of Standards and Technology (NIST). If these requirements are
applicable to the Lead Administrator and CLAs, would they incur
additional costs, and if so, what are they? What benefits would attach
to FISMA compliance with respect to the confidentiality, integrity, and
availability of information and information systems if FISMA and
related requirements are applicable to the Lead Administrator and CLAs?
Are there additional security requirements the Commission should
require of the databases that are used in support of the IoT Labeling
Program?
J. Registry
20. The Commission determined in the IoT Labeling Order that the
FCC IoT Label must include the Cyber Trust Mark and a QR Code that
links to a dynamic, decentralized, publicly available registry
containing information supplied by entities authorized to use the FCC
IoT Label (e.g., manufacturers) through a common Application
Programming Interface (API).\13\ The Commission agreed that it should
use a third-party to host and manage the registry due to the resources
required to establish the registry; determined that the Lead
Administrator is in the best position to interface with manufacturers
to ensure the smooth operation of the registry; and directed the Lead
Administrator to receive and address any technical issues that arise in
connection with the registry's API and displaying information from the
registry to the consumer when they present the QR Code. Further, as
detailed below, the IoT Labeling Order envisioned a registry that
supports different presentation options.
---------------------------------------------------------------------------
\13\ The goal of the registry is to assist the public in
understanding security-related information about the products that
bear the Cyber Trust Mark.
---------------------------------------------------------------------------
21. We seek comment on what, if any, registry disclosure fields, in
addition to those already required by the IoT Labeling Order, would be
beneficial to consumers.\14\ Should manufacturers be required to list
the sensors contained in the complying product, such as cameras,
microphones, and location tracking devices? Should manufacturers be
required to disclose what data is collected by those sensors, and
whether that data is shared with third parties? \15\ The Commission
also recognizes some products/product classes may benefit from
additional data elements being disclosed in the registry. For example,
the Commission observed that ``the information contained in the
registry for a particular IoT product or product class may also depend
on the standards and testing procedures adopted for each particular IoT
product.'' The Commission also recognized ``that some of the
information recommended by NIST in its consumer education
recommendations . . . may be valuable for consumers to see in the
registry.'' Other possible candidates for inclusion identified in the
IoT Labeling Order included, ``manufacturer's access control
protections (e.g., information about passwords, multi-factor
authentication), whether or not the data is encrypted while in motion
and at rest (including in the home, app, and cloud), patch policies,
and security or privacy information.'' Are there particular registry
data elements that would support the product's security features for
those using assistive technologies? Are there additional registry
disclosure fields that are necessary for specific products/product
classes, based on those or other considerations and if so, what they
should be?
---------------------------------------------------------------------------
\14\ The Commission delegated authority to the Bureau to seek
comment on the need for additional data fields beyond the baseline
of necessary information that must be displayed for an IoT product
in the registry which includes: disclosure of product name,
manufacturer name, date of authorization, contact information for
the CLA and CyberLAB, instructions on how to change the default
password, information on how to configure the device securely,
information as to whether software updates are automatic and how to
access updates if not, the minimum support period, and whether the
manufacturer maintains a Hardware Bill of Materials (HBOM) and/or a
Software Bill of Materials (SBOM).
\15\ Regarding whether to disclose whether data is shared with
third parties, commenters should consider the security/privacy issues
involved, including whether the data should be replicated in multiple
repositories (by the relevant CLA(s) or vendors, for example) and
whether it should be publicly accessible via a single query point.
---------------------------------------------------------------------------
22. The Commission also delegated authority to the Bureau to
establish the structure of the registry; and identify the common API
and how the API should be structured and used. To this end, we seek
comment generally on the structure, format, and maintenance of the
registry, and how the queried registry data will be displayed to the
consumer. The Bureau believes that manufacturers would be responsible
for their own product data and for keeping the data current. We
also believe that the data would be hosted by the manufacturers or in
partnership with their selected third party and made available through
the common API that is secure by design and seek comment on these
tentative determinations. How should the API access be best secured to
ensure its integrity and availability? What controls (e.g., rate limits
for use of the API) should be required or allowed, and where would
those controls best be implemented? How should manufacturers maintain
and implement interactions with their product's data in connection with
the API? Should manufacturers be responsible for maintaining and
implementing the API in connection with their interactions with the
registry data, and if so, how? How should the Commission reduce burdens
on manufacturers in supporting the decentralized registry? We seek
comment on how often the registry data should be updated and on how
costs involved in maintaining the registry should be handled. We invite
commenters to provide any other technical information to be considered
in establishing the registry.
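An added illustration of two of the pieces that paragraphs 21 and 22 ask about: the baseline record a manufacturer would publish through the common API (the disclosures listed in footnote 14) and a rate limit placed in front of that API. This is example code written for this page, not code from the Commission, the Lead Administrator, any CLA or any manufacturer; the JSON field names, the `data_url` field, the ISO 8601 date format and the bucket parameters are assumptions, and `SAMPLE_RECORD` is constructed data.

```python
"""Added example: registry-record validator and per-client API rate limiter.
Field names, record shape and limiter parameters are assumptions; the IoT
Labeling Order lists the disclosures but defines neither a schema nor an API.
"""
from __future__ import annotations

import time
from datetime import date
from urllib.parse import urlparse

# Baseline disclosures from footnote 14, under assumed key names.
REQUIRED_FIELDS = {
    "product_name": str,
    "manufacturer_name": str,
    "date_of_authorization": str,          # ISO 8601 date (assumed format)
    "cla_contact": str,
    "cyberlab_contact": str,
    "default_password_change_instructions": str,
    "secure_configuration_info": str,
    "software_updates_automatic": bool,
    "minimum_support_period_end": str,     # ISO 8601 date (assumed format)
    "maintains_hbom": bool,
    "maintains_sbom": bool,
}


def validate_record(rec: dict) -> list[str]:
    """Return the problems found; an empty list means the record passes."""
    problems = []
    for key, typ in REQUIRED_FIELDS.items():
        if key not in rec:
            problems.append(f"missing field: {key}")
        elif not isinstance(rec[key], typ):
            problems.append(f"wrong type for {key}: expected {typ.__name__}")
    # Footnote 14: if updates are not automatic, say how to access them.
    if rec.get("software_updates_automatic") is False and not rec.get("update_access_instructions"):
        problems.append("update_access_instructions required when updates are not automatic")
    for key in ("date_of_authorization", "minimum_support_period_end"):
        value = rec.get(key)
        if isinstance(value, str):
            try:
                date.fromisoformat(value)
            except ValueError:
                problems.append(f"{key} is not an ISO 8601 date")
    # Assumed field: the manufacturer-hosted location behind the QR Code.
    # Require an absolute https URL so the link cannot resolve to plaintext.
    url = rec.get("data_url")
    if url is not None:
        parts = urlparse(url)
        if parts.scheme != "https" or not parts.netloc:
            problems.append("data_url must be an absolute https URL")
    return problems


class TokenBucket:
    """Token bucket: refills `rate` tokens per second up to `capacity`."""

    def __init__(self, rate: float, capacity: int) -> None:
        self.rate = rate
        self.capacity = capacity
        self.tokens = float(capacity)
        self.last = None  # timestamp of the previous call, set on first use

    def allow(self, now: float | None = None) -> bool:
        """Consume one token if available; `now` may be injected for testing."""
        now = time.monotonic() if now is None else now
        if self.last is not None:
            self.tokens = min(self.capacity, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


class ApiGate:
    """One bucket per client key (API key or source address) in front of the API."""

    def __init__(self, rate: float, capacity: int) -> None:
        self.rate, self.capacity = rate, capacity
        self.buckets: dict[str, TokenBucket] = {}

    def admit(self, client: str, now: float | None = None) -> bool:
        bucket = self.buckets.setdefault(client, TokenBucket(self.rate, self.capacity))
        return bucket.allow(now)


# Constructed sample record; every value is made up for this example.
SAMPLE_RECORD = {
    "product_name": "Example Smart Plug",
    "manufacturer_name": "Example Devices LLC",
    "date_of_authorization": "2025-01-15",
    "cla_contact": "cla@example.invalid",
    "cyberlab_contact": "lab@example.invalid",
    "default_password_change_instructions": "In the app: Settings > Security > Change password.",
    "secure_configuration_info": "https://example.invalid/smartplug/secure-setup",
    "software_updates_automatic": True,
    "minimum_support_period_end": "2028-01-15",
    "maintains_hbom": True,
    "maintains_sbom": True,
    "data_url": "https://example.invalid/registry/smartplug.json",
}
```

The validator checks only shape and a few consistency rules (an update-access field when updates are not automatic, an absolute https data URL), which is the kind of check an aggregating landing page could run before presenting a manufacturer-hosted record; the per-client token bucket shows where a rate limit would sit if it were enforced at the common API rather than separately by each manufacturer's host.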
23. The Bureau seeks comment on its tentative determination that at
least three different registry display options may be supported:
Product specific data hosted by the manufacturer or their
selected third party;
Vendor data provided for presentation by a commercial
retailer; and
Aggregated data provided for presentation of multiple
products.
Are these presentation options consistent with the goals of the IoT
Labeling Order that the registry should enable the display to the
consumer of required information about individual products, while
providing the flexibility to support the envisioned use cases? Are
there other presentation options that we should consider for the
display or consumption of registry information in determining the
structure and technical details involved with the operation of the
registry? Should the registry meet
[[Page 58318]]
certain performance metrics so that poor user experience does not
discourage use? Who is in the best position to manage access to the
distributed registry as well as access to the API and the level of
access available?
24. The Bureau seeks comment on its tentative determination that
there should be a specific aggregated data ``landing page'' \16\ for
the registry, which should be on a ``.gov'' domain to give consumers
additional confidence in the validity of the IoT Labeling Program. The Bureau
also seeks comment on the party that should be responsible for hosting
this landing page. Is the Lead Administrator in the best position to
host the landing page? What additional costs are involved with this
responsibility? What security procedures must be adopted by that third
party? Should the landing page meet certain performance metrics so that
poor user experience does not discourage use? Are there additional
security or privacy requirements arising from Federal law that are
applicable to the registry? Should the registry operator(s), as
appropriate, be required to implement adequate security, privacy, and
availability controls to meet FISMA low/moderate standards, or a
commercial equivalent?
---------------------------------------------------------------------------
\16\ The ``landing page'' is envisioned to be a web page/site
that provides search capabilities to aggregate data pulled from the
distributed registry and presents data for individual products or
multiple products in a common format as prescribed by the IoT
Labeling Order.
---------------------------------------------------------------------------
Procedural Matters
25. Regulatory Flexibility Act. The Regulatory Flexibility Act of
1980, as amended (RFA), requires that an agency prepare a regulatory
flexibility analysis for notice and comment rulemakings, unless the
agency certifies that ``the rule will not, if promulgated, have a
significant economic impact on a substantial number of small
entities.'' Accordingly, we have prepared a Supplemental Regulatory
Flexibility Analysis (Supplemental IRFA) concerning the possible impact
of the rulemaking and policy changes contained in this document. The
Supplemental IRFA concerning the possible impact of the rulemaking and
policy changes contained in this document can be found as Exhibit A of
the Public Safety and Homeland Security Bureau's Public Notice, DA 24-
617, released June 27, 2024, at this link:
https://docs.fcc.gov/public/attachments/DA-24-617A1.pdf. Written public
comments are requested on
the Supplemental IRFA. Comments must have a separate and distinct
heading designating them as responses to the Supplemental IRFA and must
be filed by the deadlines for comments on the first page of this
document.
26. Supplemental Regulatory Flexibility Analysis. As required by
the Regulatory Flexibility Act of 1980, as amended (RFA), the Bureau
has prepared this Supplemental Initial Regulatory Flexibility Analysis
(Supplemental IRFA) of the possible significant economic impact on
small entities of the policies and rules discussed in the document to
supplement the Commission's Initial and Final Regulatory Flexibility
Analyses completed in the IoT Labeling NPRM released in August 2023,
and the IoT Labeling Order released in March 2024. Written public
comments are requested on this Supplemental IRFA. Comments must be
identified as responses to the Supplemental IRFA and must be filed by
the same deadline for comments specified in the DATES section of this
document. The Bureau will send a copy of the document, including this
Supplemental IRFA, to the Chief Counsel for Advocacy of the Small
Business Administration (SBA). In addition, the document and
Supplemental IRFA (or summaries thereof) will be published in the
Federal Register.
27. Need for, and Objectives of, the Proposed Rules. The IoT
Labeling Order adopted a voluntary cybersecurity labeling program for
consumer Internet of Things (IoT) products that will provide consumers
with an easy-to-understand indicator of a product's relative
cybersecurity and improve consumer confidence and understanding of IoT
product cybersecurity. The IoT Labeling Program will authorize
qualifying IoT products to display the FCC IoT Label, which includes
the U.S. Cyber Trust Mark and a QR Code that links to a registry with
product-specific consumer-friendly information. The program will adopt
standards and testing procedures based on the National Institute of
Standards and Technology (NIST) Core Baseline for Consumer IoT
Products, and it will be supported by Cybersecurity Label
Administrators (CLAs) and recognized Cybersecurity Testing Laboratories
(CyberLABs). A Lead Administrator will be chosen by the Commission from
among the CLAs and will be responsible for collaborating with
stakeholders to make recommendations including technical cybersecurity
standards and testing procedures with which IoT products must comply to
be authorized to use the FCC IoT Label, the label design, and a
consumer education campaign, to be reviewed by the Commission.
28. In the IoT Labeling Order, the Commission delegated authority
to the Public Safety and Homeland Security Bureau (Bureau) to seek
comment on certain additional items to further the efficient and timely
rollout of the program. This document seeks comment on a number of
those items, including the format of CLA and Lead Administrator
applications; filing fees for CLA applications; criteria for selecting
CLAs and the Lead Administrator; CLA sharing of Lead Administrator
expenses; extensions of time to become accredited; Lead Administrator
neutrality; complaint processes; and the IoT registry. The proposals
considered in this document will contribute to the voluntary IoT
Labeling Program and further the Commission's objective to provide
better information to consumers about the cybersecurity of the IoT
products they use, and bolster the cybersecurity of the nationwide IoT
ecosystem.
29. Legal Basis. The proposed action is authorized pursuant to
sections 1, 2, 4(i), 4(n), 302, 303(r), 312, 333, and 503, of the
Communications Act of 1934, as amended.
30. Description and Estimate of the Number of Small Entities to
Which the Proposed Rules Will Apply. The RFA directs agencies to
provide a description and, where feasible, an estimate of the number of
small entities that may be affected by the proposed rules and policies,
if adopted. The RFA generally defines the term ``small entity'' as having
the same meaning as the terms ``small business,'' ``small
organization,'' and ``small governmental jurisdiction.'' In addition,
the term ``small business'' has the same meaning as the term ``small
business concern'' under the Small Business Act.\17\ A ``small
business concern'' is one which: (1) is independently owned and
operated; (2) is not dominant in its field of operation; and (3)
satisfies any additional criteria established by the SBA.
---------------------------------------------------------------------------
\17\ Pursuant to 5 U.S.C. 601(3), the statutory definition of a
small business applies ``unless an agency, after consultation with
the Office of Advocacy of the Small Business Administration and
after opportunity for public comment, establishes one or more
definitions of such term which are appropriate to the activities of
the agency and publishes such definition(s) in the Federal
Register.''
---------------------------------------------------------------------------
31. As noted above, Regulatory Flexibility Analyses were
incorporated into the IoT Labeling NPRM and the IoT Labeling Order. In
those analyses, the Commission described in detail the small entities
that might be significantly affected. Accordingly, in this document,
for the Supplemental IRFA, we incorporate by reference the
[[Page 58319]]
descriptions and estimates of the number of small entities from the
previous Regulatory Flexibility Analyses in the IoT Labeling NPRM and
the IoT Labeling Order.
32. Description of Projected Reporting, Recordkeeping, and Other
Compliance Requirements for Small Entities. The IoT Labeling Program
will be voluntary, so small entities who do not participate in the
program will not be subject to any new or modified reporting,
recordkeeping, or other compliance obligations. Small entities that
choose to participate in the program will incur recordkeeping,
reporting, and other compliance obligations necessary to test their IoT
products to demonstrate compliance with the program requirements. Small
entities that choose to participate by applying to be a CLA or CyberLAB
will also incur recordkeeping, reporting, and other compliance
obligations. We note that obligations for small entities and other
applicants were detailed and adopted by the Commission in the IoT
Labeling Order. The proposals and discussions in this document seek
comment on additional details to the program, including application,
selection, and replacement for CLAs and the Lead Administrator as
needed, the complaints process, and the registry.
33. Small entities will need to keep the records necessary to
demonstrate initial and continued compliance with program requirements,
as an IoT product manufacturer or a CLA, including test reports,
records related to potential complaint investigations, and data
disclosures for the registry, among others. More specifically, small
and other grantees of authority to use the FCC IoT Label may also be
subject to additional reporting, recordkeeping, and/or other compliance
requirements related to the IoT registry in light of our inquiry and
request for comments in the document on (1) what, if any, additional
registry disclosure fields would benefit consumers, and (2) whether to
require manufacturers to list the sensors contained in a complying
product, identify what data is collected by those sensors, and disclose
whether that data is shared with third parties.
34. The document calculates and proposes that small and other CLA
and Lead Administrator applicants be subject to an application filing
fee of $1,520 for CLA Applicants and an additional $770 for CLA
applicants that apply to be a Lead Administrator, to cover the
Commission's costs of processing these applications. With regard to
other costs that could result from this proceeding, at this time the
record does not include sufficient cost information to allow the Bureau
to quantify the costs of compliance for small entities, including
whether it will be necessary for small entities to hire professionals
to comply with the proposals and other matters upon which we seek
comment, if adopted. To help the Bureau more fully evaluate the cost of
compliance for small entities should its proposals be adopted, in this
document, we request comments on the implications of our proposals and
whether there are more efficient and less burdensome alternatives
(including cost estimates) for the Bureau to consider. We expect the
information we received in comments to help the Bureau identify and
evaluate relevant matters for small entities, including compliance
costs and other burdens that may result from the proposals and
inquiries we make in the document.
35. Steps Taken to Minimize the Significant Economic Impact on
Small Entities, and Significant Alternatives Considered. The RFA
requires an agency to describe any significant alternatives,
specifically as they affect small businesses, that it has considered in
reaching its proposed approach, which may include the following four alternatives
(among others): ``(1) the establishment of differing compliance or
reporting requirements or timetables that take into account the
resources available to small entities; (2) the clarification,
consolidation, or simplification of compliance and reporting
requirements under the rule for such small entities; (3) the use of
performance rather than design standards; and (4) an exemption from
coverage of the rule, or any part thereof, for such small entities.''
36. For the IoT Labeling Program to be meaningful to consumers, the
requirements for an IoT product to be granted authority to use the FCC
IoT Label must be uniform for small businesses and other entities. The
Bureau maintains the view expressed in the IoT Labeling Order that the
significance of mark integrity, and building confidence among consumers
that devices and products bearing the FCC IoT Label can be trusted to
be cyber secure, necessitates adherence by all entities participating
in the program to the same rules, regardless of size.
37. In the document, steps taken by the Bureau which should
minimize the economic impact for small entities include our decision
not to assess fees for administrative updates, minor changes or updates
to a CLA application, or for entities seeking to withdraw as a CLA. The
Bureau sought comment on the format of CLA and Lead Administrator
applications, as well as the fees associated with those applications,
and additional areas of expertise or specific requirements a CLA
applicant should be required to demonstrate. We also considered and
sought comment on other aspects of the Lead Administrator's roles and
responsibilities, including the most effective mechanism for CLAs to
share in funding the Lead Administrator's expenses, safeguards the
Bureau might adopt to ensure Lead Administrator neutrality, and steps
to replace the Lead Administrator as needed. Following our conclusion
that CLA and Lead Administrator applications are not covered by any
existing Commission fee categories and therefore new categories should
be established, we alternatively sought comment on whether CLA and Lead
Administrator applications fall within any existing Commission fee
category and, if so, which one. Additionally, the
Bureau considered whether there are additional procedures or criteria
that should be considered when recognizing CyberLABs located outside
the United States. As stated in the IoT Labeling Order, declining to
require CyberLABs to be physically located in the U.S. provides more
testing lab options for small and other entities. In comments, small
entities can identify other requirements or criteria that could
minimize the economic impact as IoT product manufacturers submitting
applications to a CLA or CyberLAB, or as a prospective CLA or CyberLAB
themselves.
38. The Bureau also sought comment on the process for receiving and
responding to complaints associated with the program, as well as what
requirements should follow from a termination of authority to use the
FCC IoT Label due to noncompliance. We asked whether complaints
associated with grantees that applied for authorization to use the FCC
IoT Label should be initially referred back to the CLA that reviewed
the original application. We believe this would be less costly to small
entities than going through a separate entity for investigation of
complaints. Small entities can also address in comments whether the
termination requirements presented would create significant economic
impacts and identify alternatives that may reduce those costs.
39. Additionally, the Bureau considered and sought comment in the
document on details related to the publicly accessible IoT registry,
including additional data disclosure fields, structure and format of
the registry, and the Bureau's determination that the registry landing
page should be
[[Page 58320]]
a ``.gov'' domain. We considered and asked what additional fields would
be beneficial to consumers, such as information related to sensors
contained in the product and elements that would support users of
assistive technologies. We also considered and asked how the common
application programming interface (API) that makes manufacturer data
available to consumers should be funded and what responsibilities
manufacturers should have for maintaining and implementing it. Small
entities can specify in comments whether additional aspects of the
registry would create significant economic impacts and identify
alternatives that may reduce those costs. Regarding the landing page,
we asked what additional costs would be associated with hosting such a
page. While small entities choosing to participate in the program would
have to make required registry data available through the common API,
allowing grantees to report information through the API alleviates the
need for additional notification requirements which would increase
costs for small entities.
40. The Bureau also proposed in the document that manufacturer
applications submitted to CLAs, including but not limited to test
reports, are presumptively confidential which should benefit small
manufacturers, and sought comment on this approach. We tentatively
concluded that the Lead Administrator and CLAs are required to comply
with the Federal Information Security Modernization Act of 2014 (FISMA),\18\
and we sought comment on whether there are additional costs associated
with such compliance. In comments, small entities can identify which of
these proposals raised in this document are particularly difficult or
costly for them and how different, simplified, or consolidated
requirements would address those burdens. They can also propose any
modifications to the proposals that would minimize their anticipated
economic impact. The Bureau expects to consider more fully the economic
impact on small entities following its review of any comments filed in
response to the document, including any costs and benefits information
we receive. The Bureau's evaluation of the comments filed in this
proceeding will shape the final alternatives we consider, the final
conclusions we reach, and any final actions we ultimately take in this
proceeding to minimize any significant economic impact that may occur
on small entities.
---------------------------------------------------------------------------
\18\ 44 U.S.C. 3551, et seq.
---------------------------------------------------------------------------
41. Federal Rules that May Duplicate, Overlap, or Conflict with the
Proposed Rules. None.
Ordering Clauses
42. Accordingly, it is ordered, pursuant to sections 1, 2, 4(i),
4(n), 302, 303(r), 312, 333, and 503, of the Communications Act of
1934, as amended that this document is hereby adopted.
43. It is further ordered that the Commission's Office of the
Secretary shall send a copy of this document, including the
Supplemental Initial Regulatory Flexibility Analysis, to the Chief
Counsel for Advocacy of the Small Business Administration.
----------------------------------------------------------------------------------------------------------------
APPLICATION FOR CYBERSECURITY LABELING ADMINISTRATOR AND LEAD ADMINISTRATOR
CYBERSECURITY LABEL ADMINISTRATOR (CLA)
1. Applicant
----------------------------------------------------------------------------------------------------------------
Name: Address
-------------------------------------------------------------------------------
Street City Zip
-------------------------------------------------------------------------------
----------------------------------------------------------------------------------------------------------------
Point of Contact: Name Title Email Phone Number
----------------------------------------------------------------------------------------------------------------
----------------------------------------------------------------------------------------------------------------
2. Describe Applicant's organization structure and how this structure
supports the Commission's CLA requirements.
------------------------------------------------------------------------
-------------------------------------------------------------------------
------------------------------------------------------------------------
3. Describe the processes Applicant will use to review applications
seeking authority to use the FCC IoT Label (based on type testing as
identified in ISO/IEC 17065).
------------------------------------------------------------------------
-------------------------------------------------------------------------
------------------------------------------------------------------------
4. Describe the safeguards Applicant will implement (or already has in
place) to avoid personal and organizational conflicts of interest when
processing applications.
------------------------------------------------------------------------
-------------------------------------------------------------------------
------------------------------------------------------------------------
5. Describe in detail Applicant's expertise in all of the following
areas:
(a) Cybersecurity expertise and capabilities. Include a description of
Applicant's knowledge of IoT and FCC IoT Labeling requirements.
[[Page 58321]]
------------------------------------------------------------------------
-------------------------------------------------------------------------
------------------------------------------------------------------------
(b) Expert knowledge of NIST's cybersecurity guidance, including but
not limited to NIST's recommended criteria and labeling program
approaches for cybersecurity labeling of consumer IoT products.
------------------------------------------------------------------------
-------------------------------------------------------------------------
------------------------------------------------------------------------
(c) Expert knowledge of FCC rules and procedures associated with
product compliance testing and certification.
------------------------------------------------------------------------
-------------------------------------------------------------------------
------------------------------------------------------------------------
(d) Knowledge of Federal law and guidance governing the security and
privacy of agency information systems.
------------------------------------------------------------------------
-------------------------------------------------------------------------
------------------------------------------------------------------------
(e) Explain how Applicant will securely handle large volumes of
information and include Applicant's related internal security
practices.
------------------------------------------------------------------------
-------------------------------------------------------------------------
------------------------------------------------------------------------
(f) Explain how Applicant will securely handle large volumes of
information and include Applicant's related internal security
practices.
------------------------------------------------------------------------
-------------------------------------------------------------------------
------------------------------------------------------------------------
(g) Status of accreditation pursuant to all the requirements
associated with ISO/IEC 17065 and the FCC scope.
------------------------------------------------------------------------
-------------------------------------------------------------------------
------------------------------------------------------------------------
(h) Describe the controls Applicant has implemented to eliminate
actual or potential conflicts of interest (both personal and
organizational), particularly with regard to commercially sensitive
information, including but not limited to remaining impartial and
unbiased, preventing its personnel from giving preferential treatment
to certain applications (e.g., application line jumping), and
preventing heightened scrutiny of applications from entities that are
not members of or otherwise aligned with the CLA.
------------------------------------------------------------------------
-------------------------------------------------------------------------
------------------------------------------------------------------------
Check all that apply:
[ ] 6. Applicant is not owned or controlled by or affiliated\19\ with
any entity identified on the Commission's Covered List
[ ] 7. Applicant is not owned or controlled by or affiliated with any
listed sources of prohibition under 47 CFR 8.204
[ ] 8. Applicant, its affiliate(s), or subsidiary(ies) are not owned or
controlled by a foreign adversary country defined by the Department
of Commerce in 15 CFR 7.4
[ ] 9. Applicant is not owned or controlled by or affiliated with any
person or entity that has been suspended or debarred from receiving
federal procurements or financial awards
[ ] 10. Applicant is not otherwise prohibited from participating in
the IoT Labeling Program
---------------------------------------------------------------------------
\19\ For purposes of the Commission's IoT labeling program an
``affiliate'' is defined as ``a person that (directly or indirectly)
owns or controls, is owned or controlled by, or is under common
ownership or control with, another person. For purposes of this part
the term `own' means to own an equity interest (or the equivalent
thereof) of more than 10 percent.''
---------------------------------------------------------------------------
[[Page 58322]]
If any of the boxes in this section do not apply to Applicant, attach an
exhibit explaining the circumstances and demonstrating why Applicant is
qualified to be Lead Administrator.
LEAD ADMINISTRATOR
Applicants seeking the role of Lead Administrator must provide all of
the information requested below.
(Leave the following information blank if not applying for role of Lead
Administrator.)
In the following section, provide a detailed description of how
Applicant will execute the duties of the Lead Administrator and include
all of the following:
1. Describe Applicant's previous experience in IoT cybersecurity.
------------------------------------------------------------------------
-------------------------------------------------------------------------
------------------------------------------------------------------------
2. Describe Applicant's previous roles, if any, in IoT labeling.
------------------------------------------------------------------------
-------------------------------------------------------------------------
------------------------------------------------------------------------
3. Describe Applicant's capacity to execute the Lead Administrator
duties.
------------------------------------------------------------------------
-------------------------------------------------------------------------
------------------------------------------------------------------------
4. Describe Applicant's plan/approach to interfacing with the Commission
on behalf of CLAs.
------------------------------------------------------------------------
-------------------------------------------------------------------------
------------------------------------------------------------------------
5. Describe in detail Applicant's plan for engaging and collaborating
with stakeholders (including other CLAs) to identify or develop FCC
recommendations as required by 47 CFR 8.221.
------------------------------------------------------------------------
-------------------------------------------------------------------------
------------------------------------------------------------------------
6. Describe in detail Applicant's proposed consumer education campaign.
------------------------------------------------------------------------
-------------------------------------------------------------------------
------------------------------------------------------------------------
7. Any additional information Applicant believes demonstrates how its
qualifications align with the role of Lead Administrator.
------------------------------------------------------------------------
-------------------------------------------------------------------------
------------------------------------------------------------------------
Information Current and Complete
Information filed with the FCC must be kept current and complete. The
Applicant must notify the FCC regarding any substantial and significant
changes in the information furnished in the application(s). See 47 CFR
1.65.
Certification Statements
By signing this application, the Applicant certifies that all statements
and information provided in this application and in any exhibits or
attachments are part of this application and are true, complete,
correct, and made in good faith.
The Applicant certifies that neither the Applicant nor any other party
to the application is subject to a denial of Federal benefits pursuant
to section 5301 of the Anti-Drug Abuse Act of 1988, 21 U.S.C. 862,
because of a conviction for possession or distribution of a controlled
substance. This certification does not apply to applications filed in
services exempted under Sec. 1.2002(c) of the Commission's rules, 47
CFR 1.2002(c). See 47 CFR 1.2002(b) for the definition of ``party to
the application'' as used in this certification.
The Applicant certifies that it is not in default on any payment for
Commission licenses and that it is not delinquent on any non-tax debt
owed to any federal agency.
The Applicant certifies that the Applicant and all of the related
individuals and entities required to be disclosed on this application
are not person(s) who have been, for reasons of national security,
barred by any agency of the Federal Government from federal
procurement.
[[Page 58323]]
Signature
Typed or printed name of Party Authorized to Sign:
First Name:          MI:      Last Name:          Suffix:      Title:
----------------------------------------------------------------------------------------------------------------
Signature:                                                        Date:
----------------------------------------------------------------------------------------------------------------
FAILURE TO SIGN THIS APPLICATION MAY RESULT IN DISMISSAL OF THE APPLICATION AND FORFEITURE OF ANY FEES PAID.
----------------------------------------------------------------------------------------------------------------
Federal Communications Commission.
David Furth,
Deputy Bureau Chief, Public Safety and Homeland Security Bureau.
[FR Doc. 2024-15379 Filed 7-17-24; 8:45 am]
BILLING CODE 6712-01-P