On July 18, 2023, the Biden-Harris Administration announced its "U.S. Cyber Trust Mark" initiative.1 Under this program, the Federal Communications Commission (FCC) will establish a voluntary certification and labeling program to guide and inform consumers purchasing Internet of Things (IoT) devices such as "smart refrigerators, smart microwaves, smart televisions, smart climate control systems, smart fitness trackers, and more." By providing information about certain cybersecurity protections and practices, this program is ostensibly intended to help consumers evaluate the cybersecurity of devices. FCC Chair Rosenworcel has stated that this program could be up and running in late 2024 after a forthcoming public comment period.2
President Biden first highlighted IoT labeling as a priority in his May 2021 Executive Order on Improving the Nation's Cybersecurity.3 There, President Biden directed the National Institute for Standards and Technology (NIST) to identify, in conjunction with the Federal Trade Commission, IoT cybersecurity criteria for a consumer labeling program. The Administration then announced its intent, in October 2022, to establish an IoT security and privacy label similar to the Energy Star label operated by the Environmental Protection Agency.4 More recently, the Administration confirmed in the March 2023 National Cybersecurity Strategy that it intended to continue to develop "IoT security labeling programs" in an effort to enable consumers "to compare the cybersecurity protections offered by different IoT products, thus creating a market incentive for greater security across the entire IoT ecosystem."5
The Cyber Trust Mark initiative will seek to achieve this goal through the application of "a distinct shield logo . . . to products meeting established cybersecurity criteria." In addition, a QR code on the product would link to "a national registry of certified devices to provide consumers with specific and comparable security information about these smart products." The applicable cybersecurity criteria will draw on NIST's work to establish specific cybersecurity criteria for IoT devices. The Administration noted, for example, that based on existing NIST guidance, qualifying devices would likely be required to have unique and strong default passwords, data protection, software updates, and incident detection capabilities.
Federal agencies also will take steps beyond the immediate labeling program. The Administration announced, for example, that NIST will undertake work to define cybersecurity requirements for consumer-grade routers, which the Administration identified as a high-risk product. The Administration announced that this work would be completed by the end of 2023, with the goal of allowing the FCC "to consider use of these requirements to expand the labeling program to cover consumer grade routers." Additionally, the Department of Energy will collaborate with the National Labs and industry partners to research and develop cybersecurity labeling requirements for smart meters and power inverters. Moreover, the Department of State will support the FCC in international engagement seeking standards harmonization and "mutual recognition of similar labeling efforts."
A number of leading retailers and technology companies participated in the announcement of the Cyber Trust Mark program and committed to support it going forward. While voluntary in nature, the Administration's prioritization of this labeling program and the support of certain leading businesses suggests that it could have long-term effects on how technology companies develop and market IoT devices. With Chair Rosenworcel noting predictions that more than 25 billion IoT devices are expected to be in circulation by 2030, the cybersecurity of these devices—and potential legal ramifications—will only become more significant over time. To help the Cyber Trust Mark program advance this goal and reduce unintended consequences, interested stakeholders should consider weighing in during the upcoming comment period on the scope and design of the anticipated program.
The authors thank summer associate Hadassah Solomson for her contribution to this Legal Update.
Footnotes
1. The White House, Biden-Harris Administration Announces
Cybersecurity Labeling Program for Smart Devices to Protect
American Consumers (July 18, 2023).
3. See Mayer Brown, President Biden Issues Executive Order to Improve Nation's Cybersecurity (May 17, 2021).
5. See Mayer Brown, White House Releases National Cybersecurity Strategy (March 6, 2023).
Visit us at mayerbrown.com
Mayer Brown is a global services provider comprising associated legal practices that are separate entities, including Mayer Brown LLP (Illinois, USA), Mayer Brown International LLP (England & Wales), Mayer Brown (a Hong Kong partnership) and Tauil & Chequer Advogados (a Brazilian law partnership) and non-legal service providers, which provide consultancy services (collectively, the "Mayer Brown Practices"). The Mayer Brown Practices are established in various jurisdictions and may be a legal person or a partnership. PK Wong & Nair LLC ("PKWN") is the constituent Singapore law practice of our licensed joint law venture in Singapore, Mayer Brown PK Wong & Nair Pte. Ltd. Details of the individual Mayer Brown Practices and PKWN can be found in the Legal Notices section of our website. "Mayer Brown" and the Mayer Brown logo are the trademarks of Mayer Brown.
© Copyright 2023. The Mayer Brown Practices. All rights reserved.
This Mayer Brown article provides information and comments on legal issues and developments of interest. The foregoing is not a comprehensive treatment of the subject matter covered and is not intended to provide legal advice. Readers should seek specific legal advice before taking any action with respect to the matters discussed herein.
