(a) Establishing a Lead Administrator. If more than one qualified entity is selected by the Commission to be a CLA, the Commission will select a Lead Administrator. The Lead Administrator shall:
(1) Interface with the Commission on behalf of the CLAs, including but not limited to submitting to the Bureau all complaints alleging a product bearing the FCC IoT Label does not meet the requirements of the Commission's labeling program;
(2) Coordinate with CLAs and moderate stakeholder meetings;
(3) Accept, review, and approve or deny applications from labs seeking recognition as a lab authorized to perform the conformity testing necessary to support an application for authority to affix the FCC IoT Label, and maintain a publicly available list of Lead Administrator-recognized labs and a list of labs that have lost their recognition;
(4) Within 90 days of election as Lead Administrator, the Lead Administrator will, in collaboration with the CLAs and stakeholders (e.g., cyber experts from industry, government, and academia):
(i) Submit to the Bureau recommendations identifying and/or developing the technical standards and testing procedures for the Commission to consider with regard to at least one class of IoT products eligible for the IoT labeling program. The Bureau will evaluate the recommendations, subject to any required public notice and comment, incorporate them by reference into the Commission's rules in this subpart;
(ii) Submit to the Bureau a recommendation on how often a given class of IoT products must renew their request for authority to bear the FCC IoT Label, which may be dependent on the type of product, and that such a recommendation be submitted in connection with the relevant standards recommendations for an IoT product or class of IoT products. The Bureau will evaluate the recommendations, and if the Bureau approves of the recommendations, subject to any required public notice and comment, incorporate them by reference into the Commission's rules in this subpart;
(iii) Submit to the Bureau a recommendation on procedures for post-market surveillance by the CLAs. The Bureau will evaluate the recommendations, and if the Bureau approves of the recommendations, subject to any required public notice and comment, incorporate them by reference into the Commission's rules in this subpart;
(iv) Make recommendations to the Bureau with regard to updates to the registry including whether the registry should be in additional languages, and if so, to recommend specific languages for inclusion; and
(v) Submit to the Bureau recommendations on the design of the FCC IoT Label, including but not limited to labeling design and placement (e.g., size and white spaces, product packaging) and whether to include the product support end date on labels for certain products or category of products. The Bureau will evaluate the recommendations, and if the Bureau approves of the recommendations, subject to any required public notice and comment, incorporate them by reference into the Commission's rules in this subpart;
(5) Within 45 days of publication of updates or changes to NIST guidelines, or adoption by NIST of new guidelines, recommend in collaboration with CLAs and other stakeholders any appropriate modifications to the labeling program standards and testing procedures to stay aligned with the NIST guidelines;
(6) Submit to the Commission reports on CLAs' post-market surveillance activities and findings in the format and by the date specified by the Public Safety and Homeland Security Bureau;
(7) Develop in collaboration with stakeholders a consumer education campaign, submit the plan to the Public Safety and Homeland Security Bureau, and participate in consumer education;
(8) Receive complaints about the labeling program, including but not limited to consumer complaints about the registry, and coordinate with manufacturers to resolve any technical problems associated with consumers accessing the information in the registry;
(9) Facilitate coordination between CLAs; and
(10) Submit to the Commission any other reports upon request of the Commission or as required by Commission rules in this subpart;
(11) Create, update, and implement a cybersecurity risk management plan identifying the cyber risks that the entity faces, the controls used to mitigate those risks, and the steps taken to ensure that these controls are applied effectively to their operations. The plan must also describe how the Lead Administrator employs its organizational resources and processes to ensure the confidentiality, integrity, and availability of its information and information systems. The Lead Administrator's cybersecurity risk management plan must be available to the Commission upon request;
(12) Submit to the Public Safety and Homeland Security Bureau and the Office of the Managing Director, an estimate of its forward-looking costs including, separately, program stand-up costs and ongoing program costs to perform the Lead Administrator duties for the Lead Administrator's upcoming calendar year, which will be reviewed by the Cybersecurity Labeling Administrators, Public Safety and Homeland Security Bureau, and the Office of the Managing Director for reasonableness, and if reasonable, will be used to estimate the overall CLA cost sharing obligation;
(13) Implement internal controls adequate to ensure its operations maintain best practices to protect against improper payments and to prevent fraud, waste, and abuse in its handling of funds; and
(14) Submit to the Public Safety and Homeland Security Bureau and the Office of the Managing Director, an annual, independently audited, statement of program expenditures and monies received from the CLAs due before the end of the Lead Administrator's calendar year.
(b) Criteria for designation. In addition to completing the CLA application information, entities seeking to be the Lead Administrator will submit a description of how they will execute the duties of the Lead Administrator, including:
(1) Their previous experience in IoT cybersecurity;
(2) What role, if any, they have played in IoT labeling;
(3) Their capacity to execute the Lead Administrator duties;
(4) How they would engage and collaborate with stakeholders to identify or develop the Bureau recommendations;
(5) A proposed consumer education campaign; and
(6) Additional information the applicant believes demonstrates why they should be the Lead Administrator.
[89 FR 61272, July 30, 2024, as amended at 89 FR 84096, Oct. 21, 2024]