Voluntary cybersecurity program for IoT products in the USA

Cyber Trust Mark and the FCC IoT label for consumer products

The Federal Communications Commission (FCC) is implementing a labeling program for consumer IoT products to give consumers assurance about the basic cybersecurity of those products. The FCC's final rule and decision is dated July 30, 2024 (PSHSB: PS Docket No. 23-239; FR ID 210726).


We expect the online edition of the US federal regulations (eCFR) to be updated in a few days. Specifically, there will be a new subpart of "Part 8-SAFEGUARDING AND SECURING THE OPEN INTERNET" in the Telecommunications Act (Title 47). Among other things, the Telecommunications Act also sets out the radio, EMF and EMC requirements:

  • Part 15 Radio Frequency Devices
  • Part 18 Industrial, Scientific, and Medical Equipment

Many manufacturers already know the Federal Communications Commission (FCC) from the radio, EMF and EMC requirements they deal with in the course of market access.

The new subpart is called: "Subpart B-Cybersecurity Labeling Program for IoT Products" (47 CFR Part 8).

In short, the affected products are IoT products for consumers, each consisting of an IoT device and additional product components. The IoT device is an "Internet-connected device". The additional product components may include a backend, a gateway, and a mobile app.

The IoT Consumer Product Program is voluntary and allows compliant IoT consumer products to carry an FCC IoT label.

In addition to having an Internet connection, the IoT device must emit radio frequency energy and have at least one transducer (sensor or actuator) for direct interaction with the physical world. It must also have at least one interface to the digital world, e.g. Wi-Fi or Bluetooth.

The IoT labeling program is based on NIST IR 8425, which defines not only product-related requirements but also process-related requirements:

Product-related requirements:

2.2.1. IoT product functions (NIST IR 8425:2022)

- System identification

- Product configuration

- Data protection

- Interface access control

- Software update

- Awareness of the cybersecurity state



Process-related requirements:

2.2.2 Non-technical support functions for IoT products (NIST IR 8425:2022)

- Documentation

- Receiving information and requests

- Dissemination of information

- Product training and awareness


A corresponding CyberLAB is involved in the conformity assessment. An online register will also be set up to inform the public about compliant products. All documents to be submitted are requested through an interface of the online register, including information on whether the manufacturer maintains a hardware bill of materials (HBOM) and/or a software bill of materials (SBOM).


For further support and questions, please do not hesitate to contact us.

 

Author

Benjamin Kerger (B. Eng.)
Product Compliance Consultant

Published on 26.08.2024
Category: Focus Industry, Focus Consumer Goods & Retail, Focus Electrical and Wireless, Focus Medical Devices, Compliance
