The U.S. Federal Communications Commission (FCC) has officially proposed the pilot for its Cyber Trust Mark smart home cybersecurity program that would certify the baseline cybersecurity of devices and is now soliciting public comments on the scope of the proposed program.
The FCC has published its Notice of Proposed Rulemaking to formally propose the new rules for cybersecurity of smart devices and is asking for comments on the type of devices or products to be included, oversight of the program, how to develop security standards for a wide range of devices and how to demonstrate compliance with those standards, among other issues.
The FCC and Biden Administration first announced the proposed U.S. Cyber Trust Mark program on July 18 with the goal of educating consumers and users of smart devices on the security of devices they’re purchasing. Similar to the Energy Star label that tells consumers about the energy efficiency of a product, the Cyber Trust Mark would be designed to give consumers knowledge that the device they’re purchasing meets a set of cybersecurity standards. The program is scheduled to launch by the end of 2024.
The standards would be based on criteria developed by the National Institute of Standards and Technology, but how those standards would apply to the wide range of smart devices on the market or how authorities would decide that they comply with standards has yet to be defined.
It remains to be seen how the program could impact the custom home integration industry, as CE pros install higher-end smart home and IoT products that typically aren’t found in stores or on retail sites and are only available through specialty distributors. However, there is a growing category of smart home devices that are being sold directly to consumers.
The program comes as the cybersecurity industry highlights the relative insecurity of the Internet of Things (IoT), a category that includes many smart home devices that are connected to the internet. Researchers say these devices are prone to attacks due to the use of default passwords, lack of regular security updates, weak encryption and insecure authentication.
The FCC says in its proposal that such vulnerabilities can be exploited by attackers for a variety of hazardous actions, such as using the device as part of a larger botnet or as a base to launch denial of service (DoS) attacks. Hacked devices could also be used to run interference with other devices, leading to even further disruptions within the smart home at large.
To begin, the program would essentially cover IoT devices as defined by NIST: “devices that have at least one transducer (sensor or actuator) for interacting directly with the physical world and at least one network interface (e.g., Ethernet, Wi-Fi, Bluetooth) for interfacing with the digital world.”
However, the FCC is adding the term “internet-connected” to the definition and is also adding the premise that an IoT device must be capable of intentionally emitting RF energy to communicate or interact with the physical world.
The FCC is seeking comments on that definition. In addition, the commission wants to know whether or not to include backend gateways or mobile apps used to control the device as part of the program.
The FCC also wants to know if it should consider use cases outside of the home, such as office, medical and industrial settings, which would have a broader impact on the professional AV integration industry.
Read the FCC’s Fact Sheet, Notice of Proposed Rulemaking, and commissioner statements here to learn more about the program and the issues on which public comment is sought.
View the FCC proceeding and submit a comment here.