Tuesday, September 16, 2025

A further look at the FCC's cybersecurity requirements for IoT devices.

 

Note from Tom:

I have moved to Substack as my primary blog platform. I will continue to put up all my posts about the power industry and NERC CIP on Energy Central. However, if you want to see all my new posts, as well as my 1200+ legacy posts starting in 2013, please support me by becoming a paid subscriber to my Substack blog. The cost is $30 a year. Thanks! 

Last week, I put up a post that discussed the Federal Communications Commission's “Cyber Trust Mark” program, known more generally as a “device labeling” program. I opined that a “carrot-based” approach to cybersecurity regulation like this one is much better than a “stick-based” approach like...well, most other cyber regulations.

I also lamented that it looks like the program might be dead. I said this because, while there was a White House announcement on January 7 of the “launch” of the program, there have been no further official announcements about the program since then. It seemed logical to assume that the whole idea was dead, probably for at least the duration of the current administration.

However, my speculation was wrong. On Monday, I got an email from my friend Grace Burkard, Director of Operations for the ioXt Alliance, an organization that has been certifying the cybersecurity of IoT devices for many years. She pointed out that the Cyber Trust Mark program is far from dead. To quote her email, “Publicly not much has happened, but a lot of work went into the Stakeholder process from January-June, where 20-25 organizations met to discuss the Technical/Non-Technical requirements, the label design, and the surveillance/renewal requirements.”

“It was a huge effort and UL submitted the recommendations[i] to the FCC on June 13. The FCC has since been reviewing all of them and we expect them to publish a Public Notice sometime soon asking for the public's comments.”

Note that UL Solutions (the former Underwriters Labs that many of us know from their seal of approval found on electrical products) is currently the Lead Administrator for the Cyber Trust Mark program, which has a three-tier structure of participants. The Lead Administrator is the top tier. The next tier is the nine Cyber Labeling Authorities (including ioXt), which administer labels under the program. The final tier is the authorized Cyber Labs, which will test and inspect devices for compliance with the labeling requirements once the FCC opens the application process and approves them.

Grace provided me with the documents that UL submitted as their recommendations on June 13. When I get time (hopefully soon), I’ll summarize these and provide further observations on the program. 

If you would like to comment on what you have read here, I would love to hear from you. Please email me at tom@tomalrich.com or comment on this blog's Substack community chat.


[i] If you can’t download the documents from this link (I couldn’t, but Grace can) and want to see them, please drop me an email and I’ll send them to you (they’re public documents, of course).

 
