Code of Federal Regulations (Last Updated: November 8, 2024) |
Title 47 - Telecommunication |
Chapter I—Federal Communications Commission |
SubChapter A—General |
Part 8 - Safeguarding and Securing the Internet |
Subpart B - Cybersecurity Labeling Program for IoT Products |
§ 8.217 CyberLABs.
(a) A CyberLAB providing testing of products seeking a grant of authorization to use the FCC IoT Label shall be accredited by a recognized accreditation body, which must attest that the CyberLAB has demonstrated:
(1) Technical expertise in cybersecurity testing and conformity assessment of IoT devices and products.
(2) Compliance with accreditation requirements based on ISO/IEC 17025 (incorporated by reference, see § 8.201).
(3) Knowledge of FCC rules and procedures associated with products compliance testing and cybersecurity certification.
(4) Necessary equipment, facilities, and personnel to conduct cybersecurity testing and conformity assessment of IoT devices and products.
(5) Documented procedures for conformity assessment.
(6) Implementation of controls to eliminate potential conflicts of interests, particularly with regard to commercially sensitive information.
(7) That the CyberLAB is not an organization, its affiliates, or subsidiaries identified by the listed sources of prohibition under § 8.204.
(8) That it has certified the truth and accuracy of all information it has submitted to support its accreditation.
(b) Once accredited or recognized the CyberLAB will be periodically audited and reviewed to ensure they continue to comply with the requirements of the ISO/IEC 17025 standard.
(c) The Lead Administrator will verify that the CyberLAB is not listed in any of the lists in § 8.204.
(d) The Lead Administrator will maintain a list of accredited CyberLABs that it has recognized, and make publicly available the list of accredited CyberLABs. Inclusion of a CyberLAB on the accredited list does not constitute Commission endorsement of that facility. Recognition afforded to a CyberLAB under the labeling program will be automatically terminated for entities that are subsequently placed on the Covered List, listed sources of prohibition under § 8.204, or if it, its affiliate, or subsidiary is owned or controlled by a foreign adversary country defined by the Department of Commerce in 15 CFR 7.4.
(e) In order to be recognized and included on the list in paragraph (d) of this section, the accrediting organization must submit the information in paragraphs (e)(1) through (9) of this section to the Lead Administrator:
(1) Laboratory name, location of test site(s), mailing address and contact information;
(2) Name of accrediting organization;
(3) Scope of laboratory accreditation;
(4) Date of expiration of accreditation;
(5) Designation number;
(6) FCC Registration Number (FRN);
(7) A statement as to whether or not the laboratory performs testing on a contract basis;
(8) For laboratories outside the United States, details of the arrangement under which the accreditation of the laboratory is recognized; and
(9) Other information as requested by the Commission.
(f) A laboratory that has been accredited with a scope covering the measurements required for the types of IoT products that it will test shall be deemed competent to test and submit test data for IoT products subject to cybersecurity certification. Such a laboratory shall be accredited by a Public Safety and Homeland Security Bureau-recognized accreditation organization based on ISO/IEC 17025. The organization accrediting the laboratory must be recognized by the Public Safety and Homeland Security Bureau to perform such accreditation based on ISO/IEC 17011 (incorporated by reference, see § 8.201). The frequency for reassessment of the test facility and the information that is required to be filed or retained by the testing party shall comply with the requirements established by the accrediting organization, but shall occur on an interval not to exceed two years.