On March 25, 2024, the Federal Communications Commission (FCC) issued a call for further public comments on the “Cybersecurity Labeling for Internet of Things” and responded to some public comments by April 24. This directive introduced a voluntary labeling program, the “Cyber Trust Mark,” for IoT products that meet basic cybersecurity standards. The aim is to enhance consumer transparency and data protection, and to guard against data security threats from certain companies and adversarial nations to the U.S.

For details about this labeling program and the application process, please refer to the recent blog “FCC Launches Cybersecurity Labeling for IoT to Boost Consumer Trust and Compliance”.

The proposal focuses on wireless, internet-connected consumer IoT products, including the IoT devices and necessary components such as network/gateway hardware, applications software, and backend. It’s important to note that the FCC may expand the range and types of IoT products in the future.

Additionally, the FCC proposed rules for a “National Security Statement” for the IoT labeling program, intended to assure consumers that products receiving the FCC’s IoT cybersecurity label do not contain hidden vulnerabilities from high-risk countries, that the data collected by the products will not be stored in or pass through high-risk countries, and that the products cannot be remotely controlled by servers located in high-risk countries.

This article will focus on the main content of the “National Security Statement” rules and their impact on businesses operating internationally.

National Security Statement

I. High-Risk Countries The FCC proposes to include countries defined as “foreign adversary countries” by the U.S. Department of Commerce within the category of high-risk countries. These are nations engaged in a prolonged pattern or serious acts that significantly harm the security and safety of the United States or its people, including China, Cuba, Iran, North Korea, Russia, and Venezuela.

II. Manufacturer’s Disclosure and Declaration Obligations

1. General Disclosure The FCC is seeking further opinions on whether manufacturers should disclose to the FCC and/or to consumers in a registry the following:

• Whether the hardware and/or software are developed and manufactured in high-risk countries, and where hardware and software updates will be developed and deployed;
• Whether the data collected by the products is stored in or passes through high-risk countries.

1. Obligations for General Disclosure Statements Regarding the information for general disclosure, the FCC proposes that manufacturers applying for the IoT cybersecurity label should include one of the following statements in their application:

• Any software running or controlling the product, or any software updates running or controlling the product, have never been and will not be developed or deployed in any countries on the Commerce Department’s high-risk country list, except for open-source contributions not directly or indirectly paid for by us or our direct or indirect partners.
• The software running on this device, or that might run due to future software updates, is developed in one or more high-risk countries listed by the Commerce Department. The applicant is not aware of any backdoors or other sabotage actions, nor is there any reason to believe there is a particularly increased risk of such actions compared to other software developed in such a country, but we inform purchasers and users that the Commerce Department has designated high-risk countries or regions as jurisdictions significantly adverse to the security and safety of the United States and its personnel.

For “whether the data collected by the products is stored in or passes through high-risk countries,” the applicant should declare one of the following:

• Any customer data collected by this product will not be sent to servers located in high-risk countries as defined by the Commerce Department. Servers controlling the devices remotely will also not be located in such countries.
• The customer data collected by this product will be sent to servers located in high-risk countries. We inform purchasers and users that the Commerce Department has designated high-risk countries or regions as jurisdictions significantly adverse to the security and safety of the United States and its personnel.

When soliciting opinions on whether manufacturers should have the obligation to disclose and declare if “the data collected by the products is stored in or passes through high-risk countries,” the FCC will focus on the following issues:

• Whether manufacturers have sufficient knowledge of the data collected by the devices to know where the servers hosting the collected data are located or where the servers remotely controlling the devices will be located;
• Whether the location of data storage might change without the manufacturers’ knowledge;
• Whether there are other factors that might affect the manufacturers’ ability to make the above declarations.

1. Additional Disclosure The FCC is also seeking opinions on whether manufacturers who undertake the aforementioned general disclosure and declaration obligations should be required to disclose additional information. Additional information for further disclosure includes:

• Whether the names of high-risk countries must be disclosed;
• Whether specific activities of the manufacturer’s hardware or software components or servers, which have already occurred, are about to occur, or may occur in high-risk countries, must be disclosed.

In soliciting whether manufacturers should have additional disclosure obligations, the FCC will focus on the following issues:

• How such disclosures might help purchasers make informed product purchasing decisions;
• What burdens such additional disclosures might impose on manufacturers.

Moreover, the FCC is seeking opinions on “whether manufacturers should be required to include these additional details in the registry to inform consumers about these matters.”

III. Prohibition on Obtaining IoT Cybersecurity Labels The FCC is considering whether to directly prohibit products involving high-risk countries from obtaining IoT cybersecurity labels in the following cases:

1. If the software or hardware originates from high-risk countries;
2. If data is to be stored in high-risk countries;
3. If the products are remotely controlled by servers located within high-risk countries. The FCC also proposes whether there should be a specific prohibition on certain product components, such as cellular interface modules, that present a clear increased risk, thus potentially needing to specifically prohibit these types of components from receiving the IoT cybersecurity label.

IV. Other Proposed Obligations The FCC is further soliciting opinions on the following obligations for manufacturers:

1. Whether the FCC should require manufacturers to include these declaration statements in the registry to inform consumers.
2. How manufacturers should inform users who are not purchasers.
3. Any additional language requirements on the product registration pages.

Kaamel Takeaways

From the aforementioned FCC’s proposed additional “National Security Declaration” obligations for manufacturers, it is evident that the FCC is focusing on three scenarios for IoT products applying for labels: “whether the software or hardware comes from high-risk countries,” “whether the data is stored in high-risk countries,” and “whether the products are remotely controlled by servers within high-risk countries.” Currently, the FCC’s stance on IoT products in these situations remains unclear. The stricter measure would be to directly prohibit products in such situations from obtaining the label, whereas a relatively lighter measure would allow such products to apply for the label but with obligations to disclose and declare.

We believe that even if the FCC adopts the lighter of the two measures, it will still impact enterprises operating internationally in these situations. Although the cybersecurity labeling program is voluntary, aimed at motivating consumers to choose products with cybersecurity labels and thus driving the market, consumers tend to prefer buying IoT products with such labels. As the FCC evaluates this voluntary program: “While it is a voluntary program, consumer demand will likely drive its widespread adoption.” Therefore, for products that obtain the IoT cybersecurity label, having special “disclosure and declaration obligations” might influence consumer choices, thereby further affecting these enterprises’ operations in offering IoT products and services in the U.S. market. Although the public consultation period has ended, the implementation and enforcement of the new rules will take time, and we need to further observe their actual implementation.