Several consumer technology and smart home trade associations, including the Consumer Technology Association (CTA) and the Connectivity Standards Alliance (CSA), the group behind Matter, are urging the Federal Communications Commission to consider several factors when implementing the proposed Cyber Trust Mark IoT security labeling program.
In a recent filing with the FCC, the CTA, CSA, CTIA, National Electrical Manufacturers Association and US Telecom followed up a meeting with U.S. security officials by highlighting several factors they say are necessary to make the proposed program a success.
The trade associations urge the FCC to keep the program voluntary, leverage the work of the National Institute of Standards and Technology (NIST) and allow for self-attestation, ensure that participation operates as a safe harbor under federal law and preempts state law, and launch the program first at the device level, with expansion to the product level possible in the future.
In addition, the trade associations urge the government to lead a consumer education campaign to increase awareness of the Cyber Trust Mark program.
The program, first announced in July 2023, is essentially the cybersecurity equivalent of the Energy Star label, certifying that a device meets certain requirements as outlined by NIST. Consumers will see the Cyber Trust Mark on packaging and will be able to scan a QR code linking to a national registry of certified devices, which will provide information about IoT and smart home devices.
In a recommendation that appears in many other filings, the trade associations say the program should remain voluntary and avoid any purchasing or procurement requirements, calling a voluntary program and risk-based best practices the “hallmarks of IoT security as it exists today and being developed and iterated upon around the world.”
In another popular recommendation, the trade groups say the program should leverage the work of NIST to facilitate a speedy and efficient rollout, as well as to give it the “best chance of success,” as it would rely upon existing standards and not reinvent the wheel.
The trade associations also urge preemption and safe harbors, which they call “critical” to the program’s success. Participation should operate as a safe harbor under federal law and preempt state law for both consumer protection laws and substantive cybersecurity standards.
The FCC should work with other agencies to make sure that participation in the program “offers meaningful protection.” Well-designed safe harbors would strengthen the program and encourage voluntary participation while also preventing a patchwork of cybersecurity regulation.
“These protections would not allow a company to avoid all liability for all security failings, but rather ensure that the steps the manufacturer is taking to secure the device are considered ‘reasonable’ security measures by relevant regulatory authorities,” the trade groups say.
“Safe harbors and preemption in this context promote uniformity in the cybersecurity landscape and therefore help to promote, rather than undermine, strong cybersecurity practices that are more cohesive and understandable for all stakeholders and consumers.”
In urging the FCC to keep the program focused on the device level at launch, the groups say rolling out support for product-level certification will be challenging, as that would extend the program to apps, backend services and cloud infrastructure that are “built, controlled and maintained by entities entirely different from one another.”
However, the trade groups say these challenges may diminish as standards and testing evolve.
To help educate consumers, the government should lead awareness campaigns, and the private sector should augment with a range of advertising and other efforts, the groups say.
Notably absent from the group of trade associations was CEDIA, but the organization has previously chimed in with its own filing and set of recommendations, urging the government to consider the role of integrators in the program.
However, some of CEDIA’s recommendations mirror those of the other trade associations, including keeping the program voluntary and the importance of a robust consumer awareness campaign.