Industry Groups Urge Voluntary IoT Security Labeling Program, Based on NIST Guidance

responses in initial comments on an August NPRM (see 2310100034). “While significant operational details must still be determined before a program can launch, we are encouraged by the Commission’s intention to work collaboratively with industry in a way that helps consumers make more informed buying choices while encouraging device makers to meet established cybersecurity standards,” the groups said in a filing posted Thursday in docket 23-239. The groups also said the program “must be distinct from equipment authorization processes, including no requirement to complete the certification or authorization process before qualifying for the Mark.” Achieving certification “should indicate that a product is equipped with ‘reasonable security’ for purposes of liability protection,” the filing said. Manufacturers should be allowed to “self-attest with appropriate trust mechanisms that are based on meeting” NIST’s core baseline for consumer IoT products. The FCC should also “encourage international alignment of cybersecurity labeling practices and mutual recognition agreements” and the U.S. government should launch “a robust consumer education campaign … to drive awareness and understanding of the Mark,” said the filing. It was signed by groups including the Connectivity Standards Alliance, CTIA, the Information Technology Industry Council, the National Electrical Manufacturers Association, the Security Industry Association, the Telecommunications Industry Association, the U.S. Chamber of Commerce and USTelecom.