SERVICES
What We Do
Certification and Approval Services
Equipment Certification or Conformity Assessment from ISO/IEC 17025-accredited testing laboratories, appropriately-listed laboratories, and other approved sources.
Worldwide/International Type Approvals
Key access to over 200 global markets countries, with a global team of ACB regional offices, partners, agents and experts in every hemisphere.
FCC Certification Services
American Certification Body has the broadest combined industry expertise in the world with Certification to the FCC Rules and Regulations our specialty, serving the industry since the year 2000.
Regulatory Updates
Newsletter
FCC Issues New Notice of Proposed Rulemaking (NPRM) on Labeling for IoT Devices
NPRM [PSHSB: PS Docket No. 23–239; FCC 23– 65 FR ID 166265]
The FCC issued NPRM on August 10, 2023, regarding the security labeling of devices defined as Internet of Things (IoT). According to the official notice in the Federal Register published on August 25, 2023, the ‘usual’ 30-day period for comments lands “on or before September 25, 2023, and reply comments are due on or before October 10, 2023.” The usual 45-day reply-comments period thus applying.
If you’re a manufacturer, test lab or certification body, you just might want to check this out. The NPRM is chock full of goodies regarding the state of the IoT Market. According to a few sources (noted in the NPRM), more than 25 Billion (capital B) devices will be connected to the Internet by 2030. That’s a lot of potential for ‘nefarious’ actors seeking to compromise the integrity of the Internet of Things
Much of the NPRM provides a useful background and perspective on the state of technology and is great background reading (I’m not kidding) for those who need some perspective on the vulnerabilities and security issues dealing with IoT devices, and there are many.
Goal of the NPRM
“In this Notice of Proposed Rulemaking (NPRM), we propose measures to improve consumer confidence and understanding of the security of their connected devices,” i.e., IoT devices.
The approach outlined in the NPRM, frankly, in my view is mostly “baked” as these often are, that is, the Commission has largely made up its mind on the general approach, and comments are useful to provide perspective and to “tweak” the final Rules. From my experience, the comments will be reviewed, considered, and commented on in an official reply. The big banana is to decide whether Certification of Suppliers Declaration of Conformity SDoC (with some kind of third-party review) is appropriate.
Their ”Legal Basis:” The FCC “tentatively conclude(s) that the Commission has authority to adopt the proposed IoT labeling program. In particular, section 302(a) of the Communications Act authorizes the FCC ‘consistent with the public interest, convenience, and necessity, [to] make reasonable regulations (1) governing the interference potential of devices which in their operation are capable of emitting radio frequency energy by radiation, conduction, or other means in sufficient degree to cause harmful interference to radio communications…’”
There you go.
Weaknesses of IoT Devices
It is also interesting to note that the FCC, charged with “protecting the airways,” spends a bit of time discussing the potential for hackers/botnets/bad guys to try to affect device operation and cause interference to communications. One can imagine that a nefarious group/organization could penetrate a WiFi Routers network, for example, shut them off (or worse, destroy them with corrupt code) and cut off the much-needed access from the millions/billions of users in the US and elsewhere.
For example, one of the concerns is the threat of a larger “Botnet” that could use the device(s) that are compromised as interference generator(s). From the Statement of Commissioner Nathan Simington:
“The Mirai botnet, which at its peak consisted of over 600,000 compromised devices performing large-scale cyberattacks in unison, grew by scanning the internet for devices with unpatched vulnerabilities like IP cameras and routers and taking control of them.”
Some of the weaknesses that are endemic in the industry are outlined in the NPRM: “use of default passwords, lack of regular security updates, and weak encryption and insecure authentication.
CyberLABs
The notion of “CyberLAB” is raised (not new), but there are defined criteria set forth with the usual hierarchy of FCC-NIST-Accreditation Bodies-CyberLABs.
Qualifications of a CyberLAB:
- The CyberLAB has technical expertise in cybersecurity testing and conformity assessment of IoT devices and products.
- Resources: The CyberLAB has the necessary equipment, facilities, and personnel to conduct cybersecurity testing and conformity assessment of IoT devices and products.
- Procedures: The CyberLAB has documented procedures for conformity assessment.
- Continued competence: Once accredited or recognized, CyberLABs would be periodically audited and reviewed to ensure they continue to comply with the IoT security standards and testing procedures.53
For devices, the main criteria, following NIST (National Institute of Science and Technology) guidelines, contain the core requirements of IoT-labeling compliance in Appendix A.
“Appendix A: Within the scope of a consumer IoT product, the following baseline product criteria are recommended by NIST to define the cybersecurity outcomes expected of IoT products and IoT product developers as part of a consumer IoT product labeling program.”
These baseline criteria include Details are elucidated in each section of the Appendix, namely:
- Asset Identification
- Product Configuration
- Data Protection
- Interface Access Control
- Software Update
- Documentation
- Information and Query Reception
- Information Dissemination
- Product Education and Awareness
The NPRM asks for more comments on these items and if there are other considerations that should be included in the final Rule-Making.
Ultimately, the goal of the voluntary cybersecurity labeling program would provide “easily understood accessible information to consumers.” This goal is to have a label that would provide this information to consumers (and other types of users) with, perhaps, a QR code that could be accessed that could contain critical information about the adherence of the device to the cyber protocols.
Ultimately, the Commission asks for comments on the “interplay between the proposed IoT cybersecurity labeling program and our current equipment authorization rules.” Noting that the new process may not be administered in the same manner and gives the proposal that they generally “operate in a distinct manner.”
“Comments are due on or before September 25, 2023, and reply comments are due on or before October 10, 2023.
Training and Seminars
Our seminars are presented to designers, developers and testers of wireless products. As the technologies evolve, the regulations for measurement and certification of wireless products are constantly evolving and creating challenges for electronics industry. Keeping abreast of these changes and the nuances of the regulations is critical for speeding electronics products’ time-to-market. Fierce competition from rival developers creates additional pressure to design the devices for compliance with the regulatory requirements and “getting it right the first time.”
- Learn the FCC Certification Requirements
- Learn the latest FCC and ISED Canada Rules and Regulations
- Hear from the experts on FCC and ISED interpretations
- Understand the requirements of the European RED / EMC and discuss recent activity.
- Interact and exchange with your colleagues in the compliance/regulatory industry
Fast Certification services for Wireless Products
American Certification Body (ACB) provides Certification for Wireless Devices. We can support you for global market access for your electronic devices, including US/FCC, Canada, Japan, Hong Kong, Asia and European Approvals (CE Marking) for Licensed and Unlicensed wireless products. We work with our clients around the world and around the clock. We understand your time to market concerns and we realize that Certifications are an important timing issue for all manufacturers. Contact us anytime. Certification questions and inquiries are welcome.
ACB is your source for radio equipment authorizations including 802.11a/b/g, Bluetooth, frequency hopping spread spectrum, digital transmission systems, WiFi, WiMax, GSM, CDMA, WCDMA, HSPA (HSDPA, HSUPA), marine, aviation, land-mobile, OFDM, point-to-point, point-to-multipoint, EPIRB, PLB, BPL, PDA, radar, ISM devices, Smart Phones, and broadcasting equipment. Nearly all devices which use radio frequency energy, from garage door openers to microwave broadcast towers, are eligible for Certification through ACB. Specific Absorption Rate (SAR), Maximum Permissible Exposure (MPE) and Hearing Aid Compatibility (HAC) evaluations are provided as part of our total Certification package.
ACB e-file system
Register to securely upload exhibit files (for example: test report, photos, SAR report, block diagram) to support applications you create with our system.
Once registered, you can create applications for FCC, ISED Certifications, Japan/MIC Approvals and Notified Body opinions (CE Mark).
After you create your application (by filling out an online form) and upload files, the ACB customer service and engineering staff will update your project as it moves through the review process.
To help guide you through the certification process, we offer forms and documents to help complete your filing where applicable. Various types of approvals can each require a different set of supporting forms and/or documents. If you have any questions or require any assistance simply contact our customer service staff.
For your convenience, online payment is also available via our e-file certification system.