	Federal Communications Commission	DA 26-354



DA 26-354
Released:  April 13, 2026

PUBLIC SAFETY AND HOMELAND SECURITY BUREAU SELECTS 
IOXT ALLIANCE TO SERVE AS NEW LEAD ADMINISTRATOR OF THE
U.S. CYBER TRUST MARK PROGRAM

1. By this Public Notice, the Public Safety and Homeland Security Bureau (Bureau) announces the selection of ioXt Alliance (ioXt) to serve as the Lead Administrator of the Federal Communications Commission’s (FCC or Commission) voluntary cybersecurity labeling program for consumer wireless Internet of Things (IoT) products (U.S. Cyber Trust Mark (USCTM) Program). Cybersecurity Labeling for Internet of Things, PS Docket No. 23-239, Report and Order and Further Notice of Proposed Rulemaking, 39 FCC Rcd 2497, 2520-25, paras. 42, 52 (2024) (IoT Labeling Order).
  The IoT Labeling Order delegated authority to the Bureau to select the Lead Administrator from among the Cybersecurity Label Administrators (CLAs), ioXt was conditionally approved to serve as a CLA on December 11, 2024.  See Public Safety and Homeland Security Breau Announces Conditionally Approved Cybersecurity Label Administrators for the Internet of Things Cybersecurity Labeling Program, Public Notice, PS Docket No. 23-239, DA 24-1241 (Dec. 11, 2024).
 and the Bureau finds that ioXt satisfies the USCTM Program’s Lead Administrator criteria and requirements.
2. ioXt is an independent, U.S.-based non-profit organization, whose focus is on improving the security, privacy, and transparency of IoT products.  ioXt describes itself as the United States’ preeminent certification body dedicated to the security of IoT products and a leader in the relevant stakeholder community.  ioXt indicates that it is well positioned to serve as Lead Administrator and will contribute its unparalleled infrastructure and expertise to ensure the successful implementation of the Program.  
Lead Administrator Responsibilities

3. ioXt will undertake the duties outlined in the IoT Labeling Order, IoT Labeling Order, 39 FCC Rcd at 2559, paras. 51-58 (detailing the duties of the Lead Administrator); see also 47 CFR § 8.221.
 including leading the ongoing stakeholder engagement to recommend additional IoT-specific standards and testing procedures, developing a consumer outreach campaign in collaboration with stakeholders, and acting as liaison between the Commission and CLAs. IoT Labeling Order, 39 FCC Rcd at 2520, 2523 paras. 42, 51.  The previous Lead Administrator submitted an initial set of recommendations to the Bureau, which are being reviewed by Bureau staff and will be placed on Public Notice for public comment.
  The Commission will retain ultimate control and oversight over the Program as the USCTM Program owner.  Any additional stakeholder engagement will include CLAs, as well as a variety of interested stakeholders (e.g., cyber experts from industry, government, and academia). IoT Labeling Order, 39 FCC Rcd at 2526, para. 56; 47 C.F.R. § 8.221(a)(4).

4. ioXt will submit to the Bureau and the Office of the Managing Director (OMD) an estimate of its forward-looking costs including, separately, program stand-up costs and ongoing program costs to perform the Lead Administrator duties for the upcoming calendar year, which will be reviewed by CLAs, the Bureau, and OMD for reasonableness. Public Safety and Homeland Security Bureau Announces 15-Business Day Filing Window for Cybersecurity Labeling Administrator and Lead Administrator Applications Under the Cybersecurity Labeling for Internet of Things Program, Public Notice, PS Docket No. 23-239, DA 24-900 at 9, paras. 18-19 (Sept. 10, 2024) (Filing Window Notice).
  If these estimated costs are determined to be reasonable, they will be used to estimate the overall CLA cost sharing obligation.  CLAs and ioXt will determine the cost sharing methodology, which should be reasonable and equitable and will be subject to ongoing oversight by the Commission. We recognize that ioXt, as a conditionally approved CLA, will also incur a CLA cost sharing obligation.
  ioXt will conduct and submit to the Bureau and OMD an annual, independently audited, statement of program expenditures and monies received from the CLAs. Filing Window Notice at 9-10, para. 19.  See also 47 CFR § 8.221(a)(1) (requiring the Lead Administrator to submit to the Commission any other reports upon request of the Commission); Filing Window Notice at 10, para. 19 (stating that the Bureau will provide further guidance on CLA cost sharing once the CLAs and the Lead Administrator have been selected).

5. ioXt is advised that its selection does not constitute FCC or U.S. government approval, acceptance, or endorsement of anything other than the organization’s participation in the administration of the USCTM Program, and ioXt shall not so construe, claim, or imply such.  By accepting their role, ioXt similarly acknowledges that activities undertaken in connection with the administration of the USCTM Program are voluntary and not intended to provide goods or services to the FCC or any other agency or instrumentality of the U.S. government.  ioXt may not submit claims for compensation to the FCC or any other agency or instrumentality of the U.S. government for activities related to its role as Lead Administrator.  Moreover, selection of ioXt does not obligate funds for any particular expenditure, nor does it authorize the transfer of funds and/or resources.  The Commission does not intend to commit funds on behalf of the FCC or any other agency or instrumentality of the U.S government for the administration of the USCTM Program nor does it provide for the payment of funds by any agency or instrumentality of the U.S. government to any entity. As outlined in the IoT Labeling Order, “to the extent that the Lead Administrator may incur costs in performing its duties on behalf of the program as a whole, we expect these costs to be shared among CLAs as a whole.”  IoT Labeling Order, 39 FCC Rcd at 2543, para. 93.
  ioXt accepts the risk of loss in engaging in its respective roles in the Program.
6. For further information regarding this proceeding, please contact Drew Morin, Deputy Division Chief, Cybersecurity and Communications Reliability Division, Public Safety and Homeland Security Bureau or Tara B. Shostek, Attorney Advisor, Cybersecurity and Communications Reliability Division, Public Safety and Homeland Security Bureau at CyberTrustMark@fcc.gov. 


Action by the Chief, Public Safety and Homeland Security Bureau.

-FCC-




2