Note from Tom:
I have moved to Substack as my primary blog
platform. I will continue to put up all my posts about the power industry and
NERC CIP on Energy Central. However, if you want to see all my new posts, as
well as my 1200+ legacy posts starting in 2013, please support me by becoming a
paid subscriber to my Substack blog. The cost is $30 a year. Thanks!
Last week, I put up a post that discussed the Federal Communications Commission’s “Cyber Trust Mark” program, known more generally as a “device labeling” program. I opined that a “carrot-based” approach to cybersecurity regulation like this one is much better than a “stick-based” approach like...well, most other cyber regulations.
I also lamented that it looks like the program might be dead. I
said this because, while there was a White House announcement on January 7 of
the “launch” of the program, there have been no further
official announcements about the program since then. It seemed logical to
assume that the whole idea was dead, probably for at least the duration of the
current administration.
However, my speculation was wrong. On Monday, I got an email from
my friend Grace Burkard, Director of Operations for the ioXt Alliance,
an organization that has been certifying the cybersecurity of IoT
devices for many years. She pointed out that the Cyber Trust Mark program is
far from dead. To quote her email, “Publicly not much has happened, but a lot of work went
into the Stakeholder process from January-June, where 20-25 organizations met
to discuss the Technical/Non-Technical requirements, the label design, and the
surveillance/renewal requirements.”
“It was a huge effort and UL submitted the recommendations[i] to the FCC on June
13. The FCC has since been reviewing all of them and we expect them to publish
a Public Notice sometime soon asking for the public's comments.”
Note that UL Solutions
(the former Underwriters Labs that many of us know from their seal of approval found
on electrical products) is currently the Lead Administrator for the Cyber Trust
Mark program, which has a three-tier structure of participants. The Lead
Administrator is the top tier. The next tier is the nine Cyber Labeling
Authorities (including ioXt), which administer labels under the program. The
final tier is the authorized Cyber Labs, which will test and inspect devices
for compliance with the labeling requirements once the FCC opens the
application process and approves them.
Grace provided me with the documents that UL submitted as their recommendations on June 13. When I get time (hopefully soon), I’ll summarize these and provide further observations on the program.
If you would like to comment on what you have read here, I would love to hear from you. Please email me at tom@tomalrich.com or comment on this blog’s Substack community chat.
[i] If you can’t download the documents from this link (I couldn’t, but Grace can) and want to see them, please drop me an email and I’ll send them to you (they’re public documents, of course).