Federal Communications Commission FCC 24-26
devices in our IoT Labeling Program. In addition, we exclude from this program motor vehicles
60
and
motor vehicle equipment
61
given that the National Highway Traffic Safety Administration (NHTSA) “has
the authority to promulgate motor vehicle safety regulations on cybersecurity and has enforcement
authority to secure recalls of motor vehicles and motor vehicle equipment with a safety-related defect,
including one involving cybersecurity flaws.”
62
We also exclude from our IoT Labeling program any
communications equipment on the Covered List that the Commission maintains pursuant to the Secure
and Trusted Communications Networks Act and equipment produced by certain other entities as
discussed below. Finally, our initial IoT Labeling Program will focus on wireless consumer IoT devices
consistent with the core of our section 302 authority governing the interference potential of devices that
emit radio frequency energy—and thus we exclude wired IoT devices at this time.
16. Definition of IoT Devices. Although we focus our IoT Labeling program on IoT
“products,” to lay a foundation we must first address the definition of IoT “devices” because this
definition is a building block of the IoT “product” definition. In this respect, we adopt the modified
version of the NIST definition of “IoT device” that the Commission proposed in the IoT Labeling
NPRM.
63
Specifically, the IoT Labeling NPRM proposed defining an IoT device to include (1) an
Internet-connected device capable of intentionally emitting RF energy that has at least one transducer
(sensor or actuator) for interacting directly with the physical world, coupled with (2) at least one network
interface (e.g., Wi-Fi, Bluetooth) for interfacing with the digital world.
64
This definition builds on NIST’s
definition by adding “Internet-connected” as a requirement, because “a key component of IoT is the usage
of standard Internet protocols for functionality.”
65
The modified definition adopted today also adds that a
device must be “capable of intentionally emitting RF energy,” because aspects of the Commission’s
authority recognizes the particular risks of harmful interference associated with such devices. It should be
noted that we direct the Label Administrator to collaborate with Cybersecurity Label Administrators
(CLAs) and other stakeholders (e.g., cyber experts from industry, government, and academia) as
60
Motor Vehicle “means a vehicle driven or drawn by mechanical power and manufactured primarily for use on
public streets, roads, and highways, but does not include a vehicle operated only on a rail line.” 49 U.S.C. §§
30102(7).
61
Motor Vehicle Equipment “means - (A) any system, part, or component of a motor vehicle as originally
manufactured; (B) any similar part or component manufactured or sold for replacement or improvement of a system,
part, or component, or as an accessory or addition to a motor vehicle; or (C) any device or an article or apparel,
including a motorcycle helmet and excluding medicine or eyeglasses prescribed by a licensed practitioner, that – (i)
is not a system, part, or component of a motor vehicle; and (ii) is manufactured, sold, delivered, or offered to be sold
for use on public streets, roads, and highways with the apparent purpose of safeguarding users of motor vehicles
against risk of accident, injury, or death.” 49 U.S.C. §§ 30102(8).
62
Letter from Tara Hairston, Senior Director – Technology Policy, Alliance for Automotive Innovation, to Marlene
H. Dortch, Secretary, FCC, PS Docket No. 23-239, at 9 (filed March 8, 2024) (Auto Innovators Ex Parte) (noting
the NHTSA Cyber Best Practices for Motor Vehicles leverages the NIST framework); Letter from J. David
Grossman, Vice President, Regulatory Affairs and Mike Bergman, Vice President, Technology & Standards,
Consumer Technology Association, to Marlene H. Dortch, Secretary, FCC, PS Docket No. 23-239, at 9 (filed March
4, 2024) (CTA March Ex Parte).
63
IoT Labeling NPRM at 7, para. 11.
64
Id.
65
Id. (citing NISTIR 8425 at 23). As with the NIST definition, our definition specifically “excludes common
general purpose computing equipment (e.g., personal computers, smartphones) as well as routers.” NIST White
Paper at page 3, note 3. See also Letter from David Valdez, Vice President, Privacy & Cybersecurity Policy, CTIA,
to Marlene H. Dortch, Secretary, FCC, PS Docket No. 23-239, at 1-2 (filed March 6, 2024) (CTIA Ex Parte); Letter
from Katie McAuliffe, Senior Director, Telecom Policy, Information Technology Industry Council, to Marlene H.
Dortch, Secretary, FCC, PS Docket No. 23-239, at 2 (filed March 7, 2024) (ITI Ex Parte); Letter from Grace
Burkard, Director of Operations, ioXt Alliance, to Marlene H. Dortch, Secretary, FCC, PS Docket No. 23-239, at 2
(filed March 7, 2024) (ioXt Ex Parte).