The FCC Cyber Trust Label Gambit

Several weeks ago, the Federal Communications Commission (FCC) embarked on one of the most far-reaching regulatory gambits in its 90-year history. It is formally known as a Notice of Proposed Rulemaking in the matter of Cybersecurity Labeling for Internet of Things, Docket 23-239. The FCC offers ICT product developers the use of its FCC-trademarked cyber trust mark on their products in exchange for accepting open-ended Commission cybersecurity jurisdiction and a potentially vast new cybersecurity regulatory regime that has significant global implications and is antithetical to the Zero Trust Model strategy. The scheme relies on a NIST advisory that includes 64 initial mandated requirements with certification lab review, many of them very costly if not impossible to achieve.


The proceeding also raises an array of significant concerns about transparency and the way it is going forward. The concerns include the Commission’s choice of jurisdictional device and the model being used, the potentially enormous scale and cost with minimal benefit to consumers, the adverse impacts on technology innovation, and the duplication of similar mature implementations that already exist. Three outstanding examples of the last concern are the ETSI standards prepared and evolved by industry implementing the EU IoT equivalent, the CTIA industry labeling scheme that implements both ETSI and NIST standards, and the Cloud Security Alliance (CSA) IoT security framework, all discussed below.


The FCC comment period has been extended to 6 October 2023.


Jurisdictional Device


The FCC began its existence as an essential radio regulatory agency almost a century ago, and its complex authority derives primarily from this r ..