Federal Register - August 19, 2021


Source: Federal Register

46642 Federal Register / Vol. 86, No. 158 / Thursday, August 19, 2021 / Proposed Rules

also explore opportunities to spur trustworthy innovation for more secure equipment. In this NOI, the Commission seeks comment on how the Commission can leverage its equipment authorization program to encourage manufacturers who are building devices that will connect to U.S. networks to consider cybersecurity standards and guidelines.
The development and implementation of effective cybersecurity practices requires the continued cooperation and participation of all stakeholders. In this regard, the Commission observes that both the public and private sectors have come together to develop measures to protect the integrity of communications networks and guard against malicious or foreign intrusions that can compromise network services, steal proprietary information, and harm consumers. In particular, the National Institute of Standards and Technology (NIST) has worked with both industry and government to produce multiple cybersecurity frameworks and other forms of guidance that help protect the integrity of communications networks.
Pursuant to Executive Order No. 13636, NIST began working with public and private stakeholders to develop a voluntary cybersecurity framework designed to reduce risks to critical infrastructure. Exec. Order No. 13636, 78 FR 11737 (Feb. 19, 2013); see Nat'l Inst. of Standards & Tech., Cybersecurity Framework: New to Framework (last updated Sept. 23, 2020), https://www.nist.gov/cyberframework/newframework. This framework consists of voluntary guidance, based on existing standards, guidelines, and practices for organizations to better manage and reduce cybersecurity risk. See Nat'l Inst. of Standards & Tech., Cybersecurity Framework: New to Framework (last updated Sept. 23, 2020), https://www.nist.gov/cyberframework/newframework. Originally issued in 2013, the NIST cybersecurity framework was updated in 2018 to clarify and refine certain aspects and better explain how entities should use the framework to improve their cybersecurity practices. See Nat'l Inst. of Standards & Tech., Framework for Improving Critical Infrastructure Cybersecurity: Version 1.1 (Apr. 16, 2018), https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf. In addition, among other organizations, the Federal Trade Commission has been active in cybersecurity matters for years, bringing multiple enforcement actions against firms for having poor cybersecurity practices and offering cybersecurity guidance for Internet of Things (IoT) devices as early as 2015. Fed. Trade Comm'n, Careful Connections: Building Security in the Internet of Things (Jan. 2015), https://www.bulkorder.ftc.gov/system/files/publications/pdf0199carefulconnections-buildingsecurityinternetofthings.pdf. Further, industry trade groups, including CTIA - The Wireless Association, GSMA, the ioXt Alliance, and TIA have produced cybersecurity guidance applicable to various sectors of the communications industry. Non-profit standards bodies and think tanks have also produced cybersecurity guidance that could be useful to the communications industry. See, e.g., Internet Soc'y, Internet of Things (IoT) Trust Framework v2.5 (May 22, 2019), https://www.internetsociety.org/resources/doc/2018/iot-trust-framework-v2-5/.
More recently, NIST has developed a Cybersecurity for IoT Program, which specifically supports the development and application of standards, guidelines, and related tools to improve the cybersecurity of connected devices and the environments in which they are deployed. Nat'l Inst. of Standards & Tech., NIST Cybersecurity for IoT Program (last updated Mar. 19, 2021), https://www.nist.gov/programs-projects/nist-cybersecurity-iot-program. Devices that operate as part of the IoT specifically raise concerns about security risks. For example, NTIA has recognized that connected devices in the IoT can extend the scope and scale of automated, distributed attacks.
This Cybersecurity for IoT program has produced multiple reports, but perhaps most notable is Internal Report 8259, released in May 2020. Nat'l Inst. of Standards & Tech., Foundational Cybersecurity Activities for IoT Device Manufacturers, Internal Report 8259 (May 2020) (NIST IoT Report), https://nvlpubs.nist.gov/nistpubs/ir/2020/NIST.IR.8259.pdf. This NIST IoT Report details activities that can help manufacturers lessen the cybersecurity-related efforts needed by customers, which in turn can reduce the prevalence and severity of IoT device compromises and the attacks performed using compromised devices. Id. The NIST IoT Report is voluntary guidance intended to help promote the best available practices for mitigating risks to IoT security. The report describes six recommended foundational cybersecurity activities that manufacturers should consider performing to improve the securability of the new IoT devices they make. They include identifying expected customers and users and defining expected use cases; researching customer cybersecurity needs and goals; determining how to address customer needs and goals; planning for adequate support of customer needs and goals; defining approaches for communicating to customers; and deciding what to communicate to customers and how to communicate it. These activities are intended to fit within a manufacturer's existing development process.
The Commission seeks comment on how it can leverage its equipment authorization program to help address the particular security risks that are associated with IoT devices. Should the Commission encourage manufacturers of IoT devices to follow the guidance in the NIST IoT Report? If the Commission were to utilize the equipment authorization process to incentivize better cybersecurity practices, either for all devices or specifically for IoT devices, what form should such provisions take and how would such a program be structured most effectively? Should the FCC allow IoT manufacturers to voluntarily certify during the equipment authorization process that they have performed or plan to perform the activities described in the guidance? Are there other technologies or cybersecurity methods that mitigate security risks (e.g., RF fingerprinting or some other method)? What, if anything, should the Commission be doing to encourage development and adoption of such technologies or methods? Which standards should be considered? Are there other incentives or considerations that could encourage manufacturers to build security into their products? Commenters should discuss the potential costs and benefits associated with their proposals or with the potential approaches discussed herein.
Even with broad adoption of industry best practices and standards, some equipment sold in the United States may lack appropriate security protections. What is the role of retailers in voluntarily limiting the sale of such equipment? How can retailers educate consumers about the importance of security protections for their devices?
The Commission also seeks to understand developments in international standards-setting bodies. What is the status of international standards-setting that could be relevant to supply chain security, and what can the FCC do to encourage action by international standards-setting bodies and participation by American companies in their efforts?
The Commission observes that the Consumer Technology Association (CTA) published a white paper offering guidance for how government, industry, and consumers can all work together to