Tech and Telecom Groups Want Cyber Trust Mark Labeling Voluntary

WASHINGTON, February 22, 2024 — Tech and telecom industry organizations agree to support the Federal Communications Commission’s cybersecurity labeling program so long as it remains voluntary and there are no purchasing or procurement mandates. 

A group of trade associations including US Telecom, the wireless association CTIA, and the Consumer Technology Association met on Friday with agency officials over its proposed Cyber Mark Trust, according to an ex parte report filed by the industry officials.

“Flexible, voluntary, risk-based best practices,” are the cornerstones of establishing effective cybersecurity practices, claimed the groups, which also included the Connectivity Standards Alliance, National Electrical Manufacturers Association and the Association of Home Appliance Manufacturers. 

The organizations said there is broad support for the creation of a voluntary labeling program without mandates. They added that no single set of requirements or standards can be appropriate for all Internet of Things (IoT) devices. 

The groups also argued that the Cyber Trust Mark program should allow for self-attestation, following the lead of the National Institute of Standards and Technology’s pre-existing work on cybersecurity and consumer labeling. 

FCC should not ‘reinvent the wheel,’ industry says

The trade associations urged the FCC to not be tempted to “reinvent the wheel” and learn from NIST’s “many years” of work on labeling 

“The record shows that this is important both for speed and efficiency in implementation of the program, and for giving the program the best chance of success,” according to the groups. 

Furthermore, the groups urge the FCC to establish the program as a safe harbor. Establishing the Cyber Mark Trust as a safe harbor under federal law would overrule state laws in regards to consumer protection law and cyber security regulations, the groups argue.

Though the organizations understand that the FCC alone cannot grant immunity, they believe the commission can collaborate with other agencies, “to make sure that participation in the program offers meaningful protection.” 

Furthermore, The organizations claimed the labeling program should be started at the device-level before implementation at the product-level. The associations claimed that the current cybersecurity frameworks were intended to operate at the device level.

Implementing a product-level labeling program would be tricky due to the many components a product may include. For example, an IoT product may contain apps, backend services, each of which may be operated by completely separate entities, the letter claims. 

The industry groups also urged the FCC to refrain from mandating upgrades to software or firmware, and defer to NIST on that subject. 

In August 2023, the FCC unveiled the Cyber Trust Mark with the goal of helping consumers find products that meet the commission’s cybersecurity standards.