Supporting Statement IoT PRA_final version 3.2025


Participation Information Collection for the IoT Labeling Program

OMB: 3060-1328


Participation Information Collection for the IoT Labeling Program 3060-1328 March 2025


  1. Justification:


1. Explain the circumstances that make the collection of information necessary. Identify any legal or administrative requirements that necessitate the collection.

Revisions to Information Collection Requirements Which Require OMB Approval

The Federal Communications Commission (FCC or Commission) is requesting Office of Management and Budget (OMB) approval of a revision of this information collection, which is associated with the Commission’s program for cybersecurity labeling for consumer Internet of Things (IoT) products. The Commission seeks to revise this collection to reflect additional rules adopted by the Public Safety and Homeland Security Bureau in the September 2024 Public Notice 1 under delegated authority from the Commission.2

This consumer IoT cybersecurity labeling program is an FCC program supported by a Lead Administrator and Cybersecurity Label Administrators (CLAs). The program will provide consumers with easily understood, accessible information on the relative security of a consumer IoT product they are considering for purchase, which will increase the security of devices consumers bring into their homes and as part of a national IoT ecosystem.3 CLAs will be authorized by the Commission to certify use of the FCC IoT Label, which includes the U.S. government certification mark (U.S. Cyber Trust Mark), by manufacturers whose products are found to be in compliance with the Commission’s IoT cybersecurity labeling program rules. CLAs, including the Lead Administrator, will be required to maintain the confidentiality of non-public information received as part of an application for authority to use the FCC IoT Label, and must implement appropriate administrative, technical, procedural, and physical safeguards to do so.4 The Bureau notes the importance of “clear guidelines, safeguards, and protocols for handling confidential information” and adopts rules that will reduce the risk of unauthorized access, use, disclosure, disruption, modification, or destruction of program data, accordingly.5 Specifically, the updated information collection requires each CLA to create, update, and implement a cybersecurity risk management plan identifying the cyber risks that the entity faces, the controls used to mitigate those risks, and the steps taken to ensure that these controls are applied effectively to their operations.6 The plan must describe how the CLA employs its organizational resources and processes to ensure the confidentiality, integrity, and availability of its information and information systems and must be available to the Commission upon request.7

Current Information Collection Requirements Previously Approved by OMB:

The current approved information collection is associated with the Commission’s program for cybersecurity labeling for consumer IoT products. OMB previously approved the collection of information from manufacturers filing applications seeking authority to use the label, Lead Administrators seeking approval to participate in the program, CLAs seeking approval from the Commission to participate in setting up the program and in day-to-day program management, review of CLA decisions, cybersecurity testing laboratories (CyberLABs) seeking recognition from the Commission to test consumer IoT products, and accreditation bodies authorized to accredit CyberLABs and CLAs, and CLA and Lead Administrator responsibilities including post-market surveillance, grant of authorization to use the FCC IoT Label, and publication of a registry providing additional information on each product authorized to bear the FCC IoT Label.8

Statutory authority for this collection of information is contained in sections 1, 2, 4(i), 4(n), 302, 303(r), 312, 333, and 503 of the Communications Act of 1934, as amended, 47 U.S.C. §§ 151, 152, 154(i), 154(n), 302a, 303(r), 312, 333, 503; and the IoT Cybersecurity Improvement Act of 2020, 15 U.S.C. § 278g-3a to § 278g-3e.


This information collection does not affect individuals or households; thus, there are no impacts under the Privacy Act.

2. Indicate how, by whom and for what purpose the information is to be used. Except for a new collection, indicate the actual use the agency has made of the information received from the current collection.

The general purpose of the approved information collection is to consider and determine the suitability of applicants and accreditation bodies seeking to participate in the administration of the Commission’s IoT Labeling Program and the eligibility of products to bear the US Cyber Trust Mark. The Commission is in the process of establishing the IoT Labeling Program. Thus far, the existing information collection has resulted in the receipt of CLA and Lead Administrator applications. The revised information collection will help ensure the confidentiality, integrity, and availability of information and information systems associated with the administration of the IoT Labeling Program and will help protect CLAs from security threats. Through this information collection, the Commission will have access, upon request, to CLA cybersecurity risk management plans and be able to confirm that risk management plans are being regularly updated. Each CLA will have the flexibility to structure its cybersecurity risk management plan in the manner that is best tailored to its operations, as long as the plan demonstrates that the entity is taking affirmative steps to analyze security risks and improve its security posture.

The updated information collection will contribute to the Commission’s goal of implementing an IoT Labeling Program that consumers will trust and use to compare consumer IoT products and determine which products meet baseline cybersecurity requirements and are safer than others. The IoT Labeling Program will not guarantee the safety of the products that are successfully labeled, but it will assist consumers in understanding the security risks inherent in certain products. The program will raise consumer confidence with regard to the cybersecurity of the IoT products they purchase. In this way, consumers will have the information necessary to make smart choices without being overwhelmed by too much information or difficult-to-access information. Consumers who purchase an IoT product that bears the FCC IoT Label can be assured that their product meets the minimum cybersecurity standards of the IoT Labeling Program, which in turn will strengthen the chain of connected IoT products in their own homes and as part of a larger national IoT ecosystem.


3. Describe whether, and to what extent, the collection of information involves the use of automated, electronic, mechanical, or other technological collection techniques or other forms of information technology, e.g., permitting electronic submission of responses, and the basis for the decision for adopting this means of collection. Also describe any consideration of using information technology to reduce burden.

The collected information is retained by CLAs and is only submitted to the Commission upon request. For ease of administration, if requested, the information can be submitted electronically by the CLAs via a dedicated e-mail address (CyberTrustMark@fcc.gov). This use of electronic submission only upon request by the Commission reduces the administrative burden on providers, facilitating compliance and oversight. The Commission’s decision to adopt electronic means for this collection of information is based on its efficiency, reliability, and ability to facilitate timely updates and reviews, thereby ensuring ongoing compliance with cybersecurity requirements.


4. Describe efforts to identify duplication. Show specifically why any similar information already available cannot be used or modified for use for the purposes described in item 2 above.

The information collected is not duplicative of other information received by the Commission. Entities selected to be CLAs would not otherwise be required to create, update, and implement cybersecurity risk management plans based on the existing rules associated with the IoT Labeling Program in Part 8 of the Commission’s rules.


5. If the collection of information impacts small businesses or other small entities, describe any methods used to minimize burden.

Applying to be a CLA is voluntary, so small businesses or other small entities who do not apply to be a CLA will not be subject to any new or modified information collections. Only those small entities that choose to apply to be a CLA, and whose applications are approved, will incur the new information collection requirements adopted in the September 2024 Public Notice. Under the approach adopted by the Bureau, each entity has the flexibility to structure its cybersecurity risk management plan in a manner that is tailored to its own operations, provided that the plan demonstrates that the entity is taking affirmative steps to analyze security risks and improve its security posture. Entities can also successfully demonstrate satisfaction with this requirement by following an established risk management framework, such as the NIST Cybersecurity Framework or Risk Management Framework. These frameworks are designed to be scalable and adaptable to the needs and capabilities of companies both large and small, are well understood by industry, and are flexible. Small entities are not required to submit their entire cybersecurity plans but must only make them available to the Commission upon request, which can be done electronically. This approach significantly reduces the paperwork burden while ensuring that essential cybersecurity measures are in place and subject to review by the Commission, if needed. For the IoT Labeling Program to be meaningful to consumers, all CLAs, including both small businesses and other entities, must be subject to the same requirements. By providing clear guidance and leveraging electronic submission systems, the Commission aims to support small entities in meeting cybersecurity requirements without imposing undue burden, thereby balancing the need for robust cybersecurity practices with the operational realities of small businesses and other small entities.


6. Describe the consequences to a Federal program or policy activity, if the collection is not conducted or is conducted less frequently, as well as any technical or legal obstacles to reduce burden.

The information collection requested is necessary to maintain the integrity of the FCC’s IoT cybersecurity labeling program. If the Bureau did not require CLAs to develop cybersecurity risk management plans, there would be a greater likelihood that program data, which includes manufacturer applications seeking authority to affix the U.S. Cyber Trust Mark on their products, would be at risk of unauthorized access, use, disclosure, disruption, modification, or destruction. Such incidents would not only be detrimental to the reputation and trustworthiness of the U.S. Cyber Trust Mark, but may also pose a threat to the safety and security of consumers’ IoT products.

The absence of a requirement to make cybersecurity risk management plans available upon request would also hinder the Commission’s ability to monitor and verify compliance with cybersecurity requirements. This would make it challenging to ensure that CLAs are implementing necessary protective measures. It would also lead to a lack of accountability and oversight, potentially resulting in inconsistent application of cybersecurity practices across different entities.


7. Explain any special circumstances that would cause an information collection to be conducted in a manner inconsistent with the criteria listed in supporting statement.

This revised information collection is consistent with the requirements of 5 C.F.R. § 1320 and the criteria listed in this Supporting Statement. The Commission does not anticipate circumstances that would result in a collection of information in an inconsistent manner.


8. If applicable, provide a copy and identify the date and page number of publication in the Federal Register of the agency’s Report and Order, required by 5 CFR 1320.8(d), soliciting comments on the information prior to submission to OMB.

Describe efforts to consult with persons outside the agency to obtain their views on the availability of data, frequency of collection, the clarity of instructions and recordkeeping, disclosure, or reporting format (if any), and on the data elements to be recorded, disclosed, or reported.

On December 30, 2024, pursuant to 5 C.F.R. Section 1320.8(d), a 60-Day Notice was published in the Federal Register (see 89 FR 106480) for the information collection requirements contained in this collection, with comments due on or before February 28, 2025. The Commission did not receive any comments following publication of the Notice.



9. Explain any decision to provide any payment or gift to respondents, other than remuneration of contractors or grantees.

No payment or gift to respondents has been or will be made in connection to this information collection.


10. Describe any assurance of confidentiality provided to respondents and the basis for the assurance in statute, regulation, or agency policy.

Cybersecurity risk management plans requested by the Commission for confirmation of whether plans are being regularly updated, to review a specific plan as needed, or to proactively review a sample of plans to confirm they sufficiently identify the cybersecurity risks to the Lead Administrator and CLAs in the labeling program are presumptively confidential.9



11. Provide additional justification for any questions of a sensitive nature.


This collection of information does not address any matters of a sensitive nature.


12. Provide estimates of the hour burden of the collection of information. The statement should: indicate the number of respondents, frequency of response, annual hour burden, and an explanation of how the burden was estimated. If the hour burden on respondents is expected to vary widely because of differences in activity, size, or complexity, show the range of estimated hour burden, and explain the reasons for the variance.


Current Information Collection Requirements Previously Approved by OMB (Applicants Seeking Authorization to Use the FCC IoT Label):


  1. 47 CFR § 8.208 - Application requirements

The Commission believes there are 100 entities desiring a grant of authorization to use the FCC IoT Label. We anticipate that 100 entities will each file applications for 10 products to use the label. This number is arrived at from about 300 responses received in response to the NPRM, with over 50 entities providing multiple responses to the NPRM, either individually or as a large collective. Further, an existing IoT labeling program in Singapore received more than 300 applications requesting assessment for an IoT cybersecurity label.10 If two IoT devices/products per entity were submitted, it would signify that 150 entities are participating in Singapore’s program. Accordingly, the Commission thinks it is fair to assume the middle of the range of the above numbers, thereby arriving at 100 respondents interested in seeking a grant of authorization to use the FCC IoT Label for 10 products each.


Annual Number of Respondents: 100

Annual Number of Responses: 100 respondents x 10 responses per respondent = 1,000 responses

Annual Burden Hours: 1,000 responses x 10 hours per response = 10,000 hours per respondent annually

100 respondents x 10 responses x 10 hours = 10,000 Total Burden Hours

The Commission assumes that respondents generally use “in house” personnel, whose pay is comparable to mid-to-senior level federal employees (GS-12/5, GS-14/5 and GS-15/5). As detailed below, the Commission estimates respondents’ average cost to be $65.36 per hour, using the latest 2025 GS salary figures for the locality pay area of Washington-Baltimore-Arlington,11 to comply with the requirement to submit an application seeking a grant of authorization to use the FCC IoT Label:

| Staff | Hours | Hourly Cost |
|---|---|---|
| GS-12/5 Technical Specialist | 3 | $55.07 |
| GS-12/5 Staff Administrator | 3 | $55.07 |
| GS-14/5 Engineer | 3 | $77.38 |
| GS-15/5 Attorney | 1 | $91.02 |
| Total Hours and Average Hourly Costs | 10 | $65.36 |

Annual “In-House” Cost:

10,000 Total Burden Hours x $65.36/hr = $653,600.00



  1. 47 CFR § 8.212 – Review of CLA decisions

As noted above, the Commission estimates that there are likely approximately 1,000 applications seeking a grant of authorization to use the FCC IoT Label. While specific numbers are not available regarding decision reviews from the existing IoT labeling program in Singapore, the Commission assumes about 5 in 100 consumer IoT product applications may receive a decision from a CLA not granting authorization to use the FCC IoT Label. Of these decisions, the Commission anticipates about half will be brought before the Commission for review, i.e., 1 in 40 applications. If 1,000 applications are anticipated by the Commission, then it is fair to assume that only 25 respondents out of the 1,000 will seek review of a CLA decision.



Annual Number of Respondents: 25 respondents seeking review

Annual Number of Responses: 1 response per respondent (25 responses)

Annual Burden Hours: 10 hours per response


25 respondents x 1 response x 10 hours = 250 Total Burden Hours


| Staff | Hours | Hourly Cost |
|---|---|---|
| GS-12/5 Technical Specialist | 1 | $55.07 |
| GS-12/5 Staff Administrator | 1 | $55.07 |
| GS-14/5 Engineer | 4 | $77.38 |
| GS-15/5 Attorney | 4 | $91.02 |
| Total Hours and Average Hourly Costs | 10 | $78.37 |

Annual “In-House” Cost:

250 Total Burden Hours x $78.37/hr = $19,592.50



  1. 47 CFR § 8.214 – IoT product defect and/or design change



As noted above, the Commission estimates that there are likely approximately 1,000 applications seeking a grant of authorization to use the FCC IoT Label. While specific numbers are not available regarding complaints filed against respondents who have been granted authorization to use the FCC IoT Label nor for the number of defects found during post-market surveillance from the existing IoT labeling program in Singapore, the Commission assumes about 1 in 100 applications will have a complaint filed against it or be determined to be out of compliance during post-market surveillance. If 1,000 applications are anticipated by the Commission, then only 10 respondents out of the 1,000 will need to respond to a complaint or file a report with the Commission addressing actions they have taken to correct defects found in the course of post-market surveillance.



Annual Number of Respondents: 10

Annual Number of Responses: 1 response per respondent (10 responses)

Annual Burden Hours: 20 hours per response


10 respondents x 1 response x 20 hours = 200 Total Burden Hours


| Staff | Hours | Hourly Cost |
|---|---|---|
| GS-12/5 Technical Specialist | 3 | $55.07 |
| GS-12/5 Staff Administrator | 3 | $55.07 |
| GS-14/5 Engineer | 6 | $77.38 |
| GS-15/5 Attorney | 8 | $91.02 |
| Total Hours and Average Hourly Costs | 20 | $76.14 |

Annual “In-House” Cost:

200 Total Burden Hours x $76.14/hr = $15,228.00



  1. 47 CFR § 8.215 – Retention of records



The Commission estimates that there will be no burden associated with this collection since the information being collected is information that an entity will likely already collect for standard business purposes, e.g., a record of the original design and specifications and all changes that have been made to the complying consumer IoT product.


0 respondents x 0 response x 0 hours = 0 Total Burden Hours



  1. 47 CFR § 8.222 – Establishment of an IoT Registry



As noted above, the Commission estimates that there are likely around 100 interested respondents who will seek a grant of authorization to use the FCC IoT Label for 10 products each. Even if the Commission generously assumes that all 1,000 applications will receive a grant of authorization to use the FCC IoT Label, complying with this information collection would likely have a minimal burden since the information required by the registry is information already collected by a respondent in their normal course of business operations, e.g., product name, manufacturer name, date of authorizations. Accordingly, only administrative staff would be briefly needed to comply with this information collection. If 1,000 products are anticipated to be approved, and all 1,000 products are assumed to be granted authorization to use the FCC IoT Label, the information for each of the 1,000 products will need to be included in the registry.



Annual Number of Respondents: 100

Annual Number of Responses: 10 responses per respondent (1,000 responses)

Annual Burden Hours: 1 hour per response


100 respondents x 10 responses x 1 hour = 1,000 Total Burden Hours


| Staff | Hours | Hourly Cost |
|---|---|---|
| GS-12/5 Technical Specialist | 0 | $55.07 |
| GS-12/5 Staff Administrator | 1 | $55.07 |
| GS-14/5 Engineer | 0 | $77.38 |
| GS-15/5 Attorney | 0 | $91.02 |
| Total Hours and Average Hourly Costs | 1 | $55.07 |

Annual “In-House” Cost:

1,000 Total Burden Hours x $55.07/hr = $55,070.00


Cumulative Totals for the Information Collection for Respondents Seeking a Grant of Authorization to Use the FCC IoT Label:

Total Annual Number of Respondents: 100 + 25 + 10 + 0 + 100 respondents = 235 respondents

Total Annual Number of Responses: 1,000 + 25 + 10 + 0 + 1,000 responses = 2,035 responses

Total Annual Burden Hours: 10,000 + 250 + 200 + 0 + 1,000 hours = 11,450 burden hours

Total Annual “In-House” Costs: $653,600.00 + $19,592.50 + $15,228.00 + $0 + $55,070.00 = $743,490.50


Current Information Collection Requirements Previously Approved by OMB (Applicants Seeking Recognition as a Cybersecurity Labeling Administrator (CLA) to Administer the IoT Labeling Program):


  1. 47 CFR § 8.219 - Approval/Recognition of Cybersecurity Label Administrators

The Commission believes there are approximately 12 entities desiring recognition as a CLA. This number is arrived at from the feedback received in response to the NPRM, where over 40 industry organizations provided feedback for the NPRM. It is fair to assume that approximately one-third of these industry organizations would be interested in recognition as a CLA, in view of their comments supporting the IoT Labeling Program. For recognition as a CLA, an entity would only submit one application.


Annual Number of Respondents: 12

Annual Number of Responses: 1 per respondent (12 responses)

Annual Burden Hours: 20 per response

12 respondents x 1 response x 20 hours = 240 Total Burden Hours

As noted previously, the Commission assumes that respondents generally use “in house” personnel, whose pay is comparable to mid-to-senior level federal employees (GS-12/5, GS-14/5 and GS-15/5). As detailed below, the Commission estimates respondents’ average cost to be $72.55 per hour to receive recognition as a CLA from the Commission:

| Staff | Hours | Hourly Cost |
|---|---|---|
| GS-12/5 Technical Specialist | 4 | $55.07 |
| GS-12/5 Staff Administrator | 4 | $55.07 |
| GS-14/5 Engineer | 6 | $77.38 |
| GS-15/5 Attorney | 6 | $91.02 |
| Total Hours and Average Hourly Costs | 20 | $72.55 |

Annual “In-House” Cost:

240 Total Burden Hours x $72.55/hr = $17,412.00

  1. 47 CFR § 8.220 – Requirements for CLAs

As explained above, the Commission estimates there are approximately 12 entities desiring recognition as a CLA in view of the feedback received for the NPRM. This number is arrived at from the feedback received in response to the NPRM, where over 40 industry organizations provided feedback for the NPRM. It is fair to assume that approximately one-third of these industry organizations would be interested in being an authorized CLA, in view of their comments supporting the IoT Labeling Program. To satisfy requirements to be a CLA, an entity would only need to submit information one time to the Commission.


Annual Number of Respondents: 12

Annual Number of Responses: 1 per respondent (12 responses)

Annual Burden Hours: 30 per response

12 respondents x 1 response x 30 hours = 360 Total Burden Hours

| Staff | Hours | Hourly Cost |
|---|---|---|
| GS-12/5 Technical Specialist | 5 | $55.07 |
| GS-12/5 Staff Administrator | 5 | $55.07 |
| GS-14/5 Engineer | 10 | $77.38 |
| GS-15/5 Attorney | 10 | $91.02 |
| Total Hours and Average Hourly Costs | 30 | $74.49 |

Annual “In-House” Cost:

360 Total Burden Hours x $74.49/hr = $26,816.40



  1. 47 CFR § 8.220(g) – Post-market surveillance requirements.

The Commission estimates there will be 12 CLAs. This number is arrived at from the feedback received in response to the NPRM, where over 40 industry organizations provided feedback for the NPRM. All 12 CLAs will be required to conduct post-market surveillance of products they have approved to bear the IoT Label and submit to the Commission reports of their findings. Each CLA will be required to test a certain number of samples of the total number of product types for which the CLA has certified use of the Label. We estimate each CLA will be required to test and submit a report on 50 percent of the approximately 84 applications it has approved.


Annual Number of Respondents: 12

Annual Number of Responses: 42 per respondent (42 responses)

Annual Burden Hours: 20 per response

12 respondents x 42 responses x 20 hours = 10,080 Total Burden Hours

| Staff | Hours | Hourly Cost |
|---|---|---|
| GS-12/5 Technical Specialist | 4 | $55.07 |
| GS-12/5 Staff Administrator | 4 | $55.07 |
| GS-14/5 Engineer | 6 | $77.38 |
| GS-15/5 Attorney | 6 | $91.02 |
| Total Hours and Average Hourly Costs | 20 | $72.55 |

Annual “In-House” Cost:

10,080 Total Burden Hours x $72.55/hr = $731,304.00



  1. 47 CFR § 8.221 Requirements for the Lead Administrator

Since the Commission estimates there are approximately 12 entities desiring recognition as a CLA, this allows for the Commission to select a Lead Administrator, as outlined in the Order.12 We assume all 12 would seek authority as the Lead Administrator; however, only one Lead Administrator would be needed as the IoT Labeling Program initially focuses on consumer IoT products. To be selected, a CLA seeking authority to be a Lead Administrator would only need to submit information one time to the Commission.


Annual Number of Respondents: 12

Annual Number of Responses: 1 per respondent (12 responses)

Annual Burden Hours: 10 per response

12 respondents x 1 response x 10 hours = 120 Total Burden Hours

| Staff | Hours | Hourly Cost |
|---|---|---|
| GS-12/5 Technical Specialist | 3 | $55.07 |
| GS-12/5 Staff Administrator | 3 | $55.07 |
| GS-14/5 Engineer | 2 | $77.38 |
| GS-15/5 Attorney | 2 | $91.02 |
| Total Hours and Average Hourly Costs | 10 | $66.72 |

Annual “In-House” Cost:

120 Total Burden Hours x $66.72/hr = $8,006.40



  1. 47 CFR § 8.209 – Grant of authorization to use FCC IoT Label



Since the Commission estimates there are approximately 12 CLAs who will examine approximately 1,000 applications seeking a grant of authorization to use the FCC IoT Label, each CLA will need to assess approximately 84 applications.



Annual Number of Respondents: 12

Annual Number of Responses: 84 per respondent (approximately 1,000 responses)

Annual Burden Hours: 20 per response

12 respondents x 84 responses x 20 hours = 20,160 Total Burden Hours

| Staff | Hours | Hourly Cost |
|---|---|---|
| GS-12/5 Technical Specialist | 6 | $55.07 |
| GS-12/5 Staff Administrator | 2 | $55.07 |
| GS-14/5 Engineer | 8 | $77.38 |
| GS-15/5 Attorney | 4 | $91.02 |
| Total Hours and Average Hourly Costs | 20 | $71.18 |

Annual “In-House” Cost:

20,160 Total Burden Hours x $71.18/hr = $1,434,988.80




Cumulative Totals for the Information Collection for Respondents Seeking Recognition as a CLA:

Total Annual Number of Respondents: 12 + 12 + 12 + 12 + 12 respondents = 60 respondents

Total Annual Number of Responses: 12 + 12 + 42 + 12 + 1,000 responses = 1,078 responses

Total Annual Burden Hours: 240 + 360 + 10,080 + 120 + 20,160 hours = 30,960 burden hours

Total Annual “In-House” Costs: $17,412 + $26,816.40 + $731,304.00 + $8,006.40 + $1,434,988.80 = $2,218,527.60


Current Information Collection Requirements Previously Approved by OMB (CyberLABs):


  1. 47 CFR § 8.217 – CyberLABs

The Commission believes there are 12 entities suitable for recognition as a CyberLAB. This number is arrived at from numbers found in industry. Specifically, one industry organization indicates there are dozens of authorized IoT testing labs throughout the world.13 It is fair to assume that approximately one-third of these entities would be interested in recognition as a CyberLAB. For recognition as a CyberLAB, an entity would only need to submit one application.


Annual Number of Respondents: 12

Annual Number of Responses: 1 per respondent (12 responses)

Annual Burden Hours: 20 per response

12 respondents x 1 response x 20 hours = 240 Total Burden Hours

As noted previously, the Commission assumes that respondents generally use “in house” personnel, whose pay is comparable to mid-to-senior level federal employees (GS-12/5, GS-14/5 and GS-15/5). As detailed below, the Commission estimates respondents’ average cost to be $72.55 per hour to receive recognition as a CyberLAB:

| Staff | Hours | Hourly Cost |
|---|---|---|
| GS-12/5 Technical Specialist | 4 | $55.07 |
| GS-12/5 Staff Administrator | 4 | $55.07 |
| GS-14/5 Engineer | 6 | $77.38 |
| GS-15/5 Attorney | 6 | $91.02 |
| Total Hours and Average Hourly Costs | 20 | $72.55 |

Annual “In-House” Cost:

240 Total Burden Hours x $72.55/hr = $17,412.00


Current Information Collection Requirements Previously Approved by OMB (Accreditation Bodies):



  1. 47 CFR § 8.218 – Recognition of CyberLAB accreditation bodies

The Commission believes there will be 5 entities seeking recognition by the Commission as an accrediting body authorized to accredit CyberLABs and CLAs. For recognition as an accreditation body, an entity would only need to submit one application.


Annual Number of Respondents: 5

Annual Number of Responses: 1 per respondent (5 responses)

Annual Burden Hours: 10 per response

5 respondents x 1 response x 10 hours = 50 Total Burden Hours

As noted previously, the Commission assumes that respondents generally use “in house” personnel, whose pay is comparable to mid-to-senior level federal employees (GS-12/5, GS-14/5 and GS-15/5). As detailed below, the Commission estimates respondents’ average cost to be $72.55 per hour to receive recognition as an accreditation body:

| Staff | Hours | Hourly Cost |
|---|---|---|
| GS-12/5 Technical Specialist | 2 | $55.07 |
| GS-12/5 Staff Administrator | 2 | $55.07 |
| GS-14/5 Engineer | 3 | $77.38 |
| GS-15/5 Attorney | 3 | $91.02 |
| Total Hours and Average Hourly Costs | 10 | $72.55 |

Annual “In-House” Cost:

50 Total Burden Hours x $72.55/hr = $3,627.50


Cumulative Totals for All Information Collection Requests:

Total Annual Number of Respondents: 235 + 60 + 12 + 5 respondents = 312 respondents

Total Annual Number of Responses: 2,035 + 1,078 + 12 + 5 responses = 3,130 responses

Total Annual Burden Hours: 11,450 + 30,960 + 240 + 50 hours = 42,700 burden hours

Total Annual “In-House” Costs: $743,490.50 + $2,218,527.60 + $17,412.00 + $3,627.50 = $2,983,057.60


Revised Information Collection Requirements which Require OMB Approval (Respondents Seeking Recognition as CLAs):


The Commission believes there are approximately 20 entities that will be approved as a CLA. This number is upwardly adjusted by 8 entities from the last time this number was estimated for this collection, based on the increased interest the Commission has received in the program in addition to the feedback received in response to the IoT Labeling NPRM,14 where over 40 industry organizations provided feedback. It is fair to assume that approximately half these industry organizations would be interested in recognition as a CLA, in view of their comments supporting the IoT Labeling Program. Selected CLAs would be required to create, update, and implement one cybersecurity risk management plan, which would be made available to the Commission upon request.


Method of Estimation of Burden:


We find that 20 hours is a reasonable average burden estimate for each CLA to create a new cybersecurity risk management plan. However, many potential CLAs already have cybersecurity plans or are already implementing measures to protect their systems from cyberattacks. To the extent that these entities already have cybersecurity risk management plans, we expect that the additional time required to comply with the rules we adopt today would be minimal. To the extent that these entities are making cybersecurity improvements to their systems, we expect that they are already conducting some level of risk assessment and mitigation planning that they can formalize into a cybersecurity risk management plan. While we expect that the time spent on these existing cybersecurity efforts will offset at least some of the burden associated with creating and updating cybersecurity risk management plans, we base our estimated 20 hours on the creation of a new cybersecurity risk management plan for all reporting entities.


Annual Number of Respondents: 20

Annual Number of Responses: 1 per respondent (20 responses)

Annual Burden Hours: 20 per response

20 respondents x 1 response x 20 hours = 400 Total Burden Hours

We are reporting an upward adjustment of 400 hours because of the increased number of expected respondents, as well as the new requirement that approved CLAs prepare a cybersecurity risk management plan.

The Commission has previously assumed that respondents generally use “in house” personnel, whose pay is comparable to mid-to-senior level federal employees (GS-12/5, GS-14/5 and GS-15/5). As detailed below, the Commission estimates respondents’ average cost to be $68.95 per hour, to create, update, and implement a cybersecurity risk management plan and make it available to the Commission upon request:

| Staff | Hours | Hourly Cost |
|---|---|---|
| GS-12/5 Technical Specialist | 6 | $55.07 |
| GS-12/5 Staff Administrator | 4 | $55.07 |
| GS-14/5 Engineer | 6 | $77.38 |
| GS-15/5 Attorney | 4 | $91.02 |
| Total Hours and Average Hourly Costs | 20 | $68.95 |

Annual “In-House” Cost:

400 Total Burden Hours x $68.95/hr = $27,580.00


We are reporting an upward adjustment in the Total Annual “In-House Cost” of $27,580 because of the increased number of expected respondents to the new requirement that approved CLAs prepare a cybersecurity risk management plan.


Revised Cumulative Totals for the Information Collection for Respondents Seeking Recognition as a CLA:

Total Annual Number of Respondents: 12 + 12 + 12 + 12 + 12 + 20 respondents = 80 respondents

Total Annual Number of Responses: 12 + 12 + 42 + 12 + 1,000 + 20 responses = 1,098 responses

Total Annual Burden Hours: 240 + 360 + 10,080 + 120 + 20,160 + 400 hours = 31,360 burden hours

Total Annual “In-House” Costs: $17,412.00 + $26,816.40 + $731,304.00 + $8,006.40 + $1,434,988.80 + $27,580.00 = $2,246,107.60


Revised Cumulative Totals for All Information Collection Requests:

Total Annual Number of Respondents: 235 + 80 + 12 + 5 respondents = 332 respondents

Total Annual Number of Responses: 2,035 + 1,098 + 12 + 5 responses = 3,150 responses

Total Annual Burden Hours: 11,450 + 31,360 + 240 + 50 hours = 43,100 burden hours

Total Annual “In-House” Costs: $743,490.50 + $2,246,107.60 + $17,412.00 + $3,627.50 = $3,010,637.60


13. Provide estimate for the total annual cost burden to respondents or record keepers resulting from the collection of information. (Do not include the cost of any hour burden shown in items 12 and 14).

The Commission expects the reporting requirement will be met by respondents’ “in-house” staff as described in Question 12 above. No external costs will result from the modifications to the existing information collection.


14. Provide estimates of annualized costs to the Federal government. Also provide a description of the method used to estimate cost, which should include quantification of hours, operational expenses (such as equipment, overhead, printing, and support staff), and any other expenses that would not have been incurred without this collection of information.


The Commission does not expect to incur costs beyond the normal labor costs for staff.



15. Explain the reasons for any program changes or adjustments for this information collection.


The Commission is reporting program changes to this revised information collection.

There are program changes to the total number of annual hours for this collection due to (1) an increase in the number of estimated respondents subject to this collection (from 12 respondents to 20 respondents; overall, this increases the total number of respondents from 312 to 332, an increase of 20); and (2) the additional burdens placed on respondents by the September 2024 Public Notice requiring the preparation of cybersecurity risk management plans (from 30,960 burden hours to 31,360 burden hours for Respondents Seeking Recognition as a CLA).

There are also program changes to the number of annual responses for this collection due to the new requirement that CLAs prepare cybersecurity risk management plans, resulting in an increase from 3,130 total annual responses to 3,150 total annual responses across all respondents.

No adjustments are being reported.

16. For collections of information whose results will be published, outline plans for tabulation and publication.

The Commission does not plan to publish this information.


17. If seeking approval to not display the expiration date for OMB approval of the information collection, explain the reasons that display would be inappropriate.

The Commission is not seeking approval to not display the expiration date for OMB approval of the revisions to this information collection.


18. Explain any exceptions to the Certification Statement identified in Item 19, “Certification of Paperwork Reduction Act Submissions.”

There are no exceptions to the Certification Statement.

B. Collections of Information Employing Statistical Methods

The revisions to this information collection do not employ any statistical methods.



1 Public Safety and Homeland Security Bureau Announces 15-Business Day Filing Window for Cybersecurity Labeling Administrator and Lead Administrator Applications Under the Cybersecurity Labeling for Internet of Things Program, PS Docket No. 23-239, Public Notice, (Sept. 10, 2024) (September 2024 Public Notice).

2 Cybersecurity Labeling for Internet of Things, PS Docket No. 23-239, Report and Order and Further Notice of Proposed Rulemaking, FCC 24-26, at 36, para. 64 (Mar. 15, 2024) (IoT Labeling Order).

3 See id.

4 See September 2024 Public Notice at 14, para. 26.

5 Id. at 14, para. 30.

6 47 CFR § 8.220(14).

7 Id.

8 See IoT Labeling Order.

9 September 2024 Public Notice at 15, para. 32.

10 See Press Release, CSA Singapore, Opening Address by Senior Minister of State, Ministry of Communications and Information, Dr Janil Puthucheary at International IOT Security Roundtable 2022 (Oct. 20, 2022), https://www.csa.gov.sg/News-Events/speeches/2022/opening-address-by-sms-mci-dr-janil-puthucheary-at-iiot-security-roundtable-2022.

12 IoT Labeling Program Order at 25-26, para. 45.

13 See CTIA, IoT Network Certified, Test Labs, https://iotnetworkcertified.com/test-labs/ (last visited Mar. 18, 2024).

14 Cybersecurity Labeling for Internet of Things, PS Docket No. 23-239, FCC 23-65, Notice of Proposed Rulemaking (2023) (IoT Labeling NPRM).

File Type: application/vnd.openxmlformats-officedocument.wordprocessingml.document
File Title: The Commission is requesting Office of Management and Budget (OMB) approval for a revision of this information collection
Author: nwalls
File Modified: 0000-00-00
File Created: 2025-03-12
