SUPPLEMENTARY INFORMATION:

The FCC may not conduct or sponsor a collection of information unless it displays a currently valid control number. No person shall be subject to any penalty for failing to comply with a collection of information subject to the PRA that does not display a valid Office of Management and Budget (OMB) control number.

OMB Control Number: 3060-1328.

Title: Participation Information Collection for the IoT Labeling Program.

Form Number: N/A.

Type of Review: Revision of a currently approved collection.

Respondents: Business or other for-profit; Not-for-profit institutions.

Number of Respondents and Responses: 332 respondents; 3,150 responses.

Estimated Time per Response: 20 hours.

Frequency of Response: One-time and on occasion reporting requirements; recordkeeping requirements.

Obligation to Respond: Voluntary. Statutory authority for this collection is contained in 1, 2, 4(i), 4(n), 302, 303(r), 312, 333, and 503, of the Communications Act of 1934, as amended, 47 U.S.C. 151, 152, 154(i), 154(n), 302a, 303(r), 312, 333, 503; the IoT Cybersecurity Improvement Act of 2020, 15 U.S.C. 278g-3a to 278g-3e.

Total Annual Burden: 43,100 hours.

Total Annual Cost: No Cost.

Needs and Uses: The Commission seeks to revise this collection to reflect changes to these rules adopted by the Commission in a Public Notice on September 10, 2024 (opening an application filing window and adopting for Cybersecurity Label Administrator (CLA) and Lead Administrator). The FCC's consumer IoT cybersecurity labeling program will provide consumers with easily understood, accessible information on the relative security of a consumer IoT product they are considering for purchase, which will increase the security of devices consumers bring into their homes and as part of a national IoT ecosystem. CLAs will be authorized by the Commission to certify use of the FCC IoT Label, which includes the U.S. government certification mark (U.S. Cyber Trust Mark), by manufacturers whose products are found to be in compliance with the Commission's IoT cybersecurity labeling program rules. The September 2024 Public Notice adopted rules for the CLAs and the Lead Administrator to reduce the risk of unauthorized access, use, disclosure, disruption, modification, or destruction of program data. Under this collection, each CLA will be required to create, update, and implement a cybersecurity risk management plan identifying the cyber risks that the entity faces, the controls used to mitigate those risks, and the steps taken to ensure that these controls are applied effectively to their operations. The plan must also describe how the CLA employs its organizational resources and processes to ensure the confidentiality, integrity, and availability of its information and information systems. The CLA's cybersecurity risk management plan must be available to the Commission upon request.