Voluntary cybersecurity program for IoT products in the USA

Cyber Trust Mark and the FCC IoT label for consumer products

The Federal Communications Commission (FCC) is implementing a labeling program for consumer IoT products to give consumers assurance about the products' basic cybersecurity. The FCC's final rule and decision is dated July 30, 2024 (PSHSB: PS Docket No. 23-239; FR ID 210726).


We expect the online version of the US federal regulations (eCFR) to be updated in a few days. Specifically, there will be a new subpart of "Part 8-SAFEGUARDING AND SECURING THE OPEN INTERNET" in the Telecommunications Act (Title 47). Among other things, the Telecommunications Act also sets out the radio, EMF and EMC requirements:

  • Part 15 Radio Frequency Devices
  • Part 18 Industrial, Scientific, and Medical Equipment

Many manufacturers already know the Federal Communications Commission (FCC) from the radio, EMF and EMC requirements they have to meet for market access.

The new subpart is called: "Subpart B-Cybersecurity Labeling Program for IoT Products" (47 CFR Part 8).

In short, the affected product types are IoT products for consumers, each consisting of an IoT device and additional product components. The IoT device is an "Internet-connected device" (IoT). The additional product components may include a backend, a gateway, and a mobile app.

The IoT Consumer Product Program is voluntary and allows compliant IoT consumer products to carry an FCC IoT label.

In addition to the Internet connection, the IoT device must also emit radio frequency energy and have at least one transducer (sensor or actuator) for direct interaction with the physical world. There must be at least one interface to the digital world, e.g. Wi-Fi, Bluetooth.

The IoT labeling program is based on the standard NIST IR 8425, which defines not only product-related requirements but also process-related requirements:

 

Product-related requirements: 

2.2.1. IoT product functions (NIST IR 8425:2022)

- System identification

- Product configuration

- Data protection

- Interface access control

- Software update

- Awareness of the state of cybersecurity



Process-related requirements:

2.2.2 Non-technical support functions for IoT products (NIST IR 8425:2022)

- Documentation

- Receiving information and requests

- Dissemination of information

- Product training and awareness


A corresponding CyberLAB is integrated for conformity assessment. An online register will also be set up to inform the public about compliant products. All documents to be submitted are requested via an interface of the online register, including information on whether the manufacturer maintains a hardware bill of materials (HBOM) and/or a software bill of materials (SBOM).


For further support and questions, please do not hesitate to contact us.

 

Author

Benjamin Kerger (B. Eng.)
Product Compliance Consultant

Published on 26.08.2024
Category: Focus Industry, Focus Consumer Goods & Retail, Focus Electrical and Wireless, Focus Medical Devices, Compliance
