Industry officials expect changes in the cyber trust mark rules, set for a vote Thursday, though the extent is still evolving, said lawyers in the proceeding. One wildcard is whether the FCC will attach a further notice, asking questions about issues including the country of origin of security updates under the program. The item is expected to be approved 5-0, with Commissioner Nathan Simington getting some edits to reflect his initial concerns, officials said.
Representatives from the Alliance for Automotive Innovation asked the FCC to exclude motor vehicles from the definition of “IoT product” under the draft cyber mark order, set for a vote Thursday (see 2402220059). “While there is no existing cybersecurity labeling requirement for motor vehicles,” they are “subject to domain-specific cybersecurity guidance, standards, and international regulations,” said a filing posted Friday in docket 23-239. The National Highway Traffic Safety Administration “has the authority to promulgate motor vehicle safety regulations on cybersecurity, and has enforcement authority to secure recalls of motor vehicles and motor vehicle equipment with a safety-related defect, including one involving cybersecurity flaws,” the alliance said. The group met with the Public Safety Bureau and staff for Commissioners Anna Gomez, Nathan Simington and Geoffrey Starks.
CTIA sought a tweak to the FCC’s proposed cyber mark order, set for a vote March 14 (see 2402220059). In a filing posted Thursday in docket 23-239, CTIA asked the regulator to clarify that “general purpose computing and networking equipment -- including routers,” is excluded from the order. Clarifying the scope of covered devices will “promote consistency with [the National Institute of Standards and Technology’s] efforts more broadly and ensure the FCC’s program conforms to the intended scope,” said the filing. “The clarification on the scope of ‘IoT device’ is useful not just to ensure definitional consistency, but also to promote broader consistency between two parallel workstreams by the FCC and NIST,” CTIA said. NCTA also sought clarity in meetings with Public Safety Bureau and commissioner staff. Clarifications will “make the program more successful in driving security improvements by making it more appealing for manufacturers to join,” NCTA said. Cablers asked for additional clarity on the definition of “IoT product” and “IoT product components.” The FCC should make clear that “decisions related to the certification and renewal requirements and processes should be based on NIST’s standards and guidance,” the group said. NCTA urged the launch of a “centralized registry that can be easily accessed by consumers to inform their purchasing decisions.” A searchable, “one-stop-shop” will “allow consumers to more readily research and compare products that bear the Mark, and it would support the efforts of network operators, security researchers, and other entities to enhance security across the IoT ecosystem.”
The FCC's supplemental coverage from space framework draft order would see the service operate in select spectrum bands and on a secondary rather than a co-primary basis. The agency on Thursday released agenda items for commissioners' March 14 open meeting. A vote on the framework is expected that day. Also on the agenda are orders for "all-in" pricing disclosures by multichannel video distributors and launch of a voluntary cybersecurity labeling program, initially focused on wireless consumer IoT “products.” In addition, commissioners will vote on a report raising the FCC's broadband speed benchmark to 100/20 Mbps and an NPRM proposing creation of an emergency alert system code for missing and endangered adults.
Proposed FCC supplemental coverage from space (SCS) rules include a requirement that terrestrial providers must route SCS 911 calls to a public safety answering point using location-based routing or an emergency call center, the agency said Wednesday. Commissioners are expected to vote on the rules during their open meeting on March 14. Announcing the agenda for next month's meeting, the FCC also said there would be draft rules for "all-in" video pricing and a voluntary cybersecurity labeling program for wireless IoT devices. In addition, the meeting will see commissioners voting on an NPRM about creating an emergency alert system code for missing and endangered people (see 2402210066).
Witnesses set to testify during a House Communications Subcommittee hearing Thursday (see 2402090072) want lawmakers to consider longer-term initiatives for curbing China’s risk to U.S. communications networks. The push for Congress to allocate an additional $3.08 billion for the FCC’s Secure and Trusted Communications Networks Reimbursement Program (see 2401240001) will likely receive attention during the hearing, as it has in other recent panels, lobbyists said. The hearing will begin at 10 a.m. in 2123 Rayburn.
CTA representatives met with FCC Public Safety Bureau staff about the proposed launch of a voluntary cyber-trust mark for consumer devices. CTA discussed “outstanding questions” and its draft approach that would enable evaluation of “a third-party Cybersecurity Label Scheme or manufacturer’s self-attestation process” in keeping with NISTIR 8425, the National Institute of Standards and Technology’s IoT core baseline. “The Draft Framework defines assessment outcomes, scheme requirements for assessment and manufacturer evidence, and component model implications for each of the technical requirements as well as manufacturer evidence needed for each of the non-technical requirements in NISTIR 8425,” said a filing last week in docket 23-239.
Allowing the affordable connectivity program to lapse would have “significant downstream effect” on the economy, said FCC Commissioner Anna Gomez during a Q&A at ITI’s Intersect event Wednesday.
The FCC’s controversial data breach notification rules included several changes from the draft. The rules were adopted at the December open meeting over Commissioners Brendan Carr's and Nathan Simington's dissents (see 2312130019). Republican lawmakers are weighing a response to the rules, which they see as sidestepping a 2017 Congressional Review Act resolution of disapproval that rescinded similar regulations as part of the commission's 2016 ISP privacy order (see 2312200001). The order was posted in Friday’s Daily Digest.
The FCC disagreed with a letter from USTelecom CEO Jonathan Spalter urging the House and Senate Intelligence committees’ leaders to “pay special attention to the FCC’s mission creep into the cybersecurity space” because of the draft NPRM (see 2310160062). Although the commission “is already actively involved in federal interagency cybersecurity planning, coordination, and response activities, it has limited authority to incorporate updated cybersecurity standards into its network policies,” a spokesperson emailed us Monday. “A clear example of this is” the FCC’s Communications Act Section 214 authority, “which provides the agency with the ability to monitor and mitigate the existence of bad actors in telecommunication systems. That authority currently extends only to phone networks, not broadband. Similarly, the FCC has been closely working with other federal agencies on the best way to identify Broadband Gateway Protocol (BGP) vulnerabilities and mitigate risks, a process that would be strengthened through Title II reclassification by providing the agency with the clear and direct authority to act in close coordination with other agencies.”