FCC Equipment Authorizations: Guidelines for Equipment and IoT Devices

A big step in bringing electronic devices to market is going through Federal Communications Commission (FCC) testing and gaining equipment authorization.

A device that receives equipment authorization has demonstrated that it complies with all the FCC’s requirements. Earlier this year, for instance, the FCC adopted rules to establish a voluntary cybersecurity labeling program for consumer wireless Internet of Things (IoT) products. What will that mean for manufacturers and importers?

On any given day, sifting through legal guidelines on whether a device adheres to emission limits, frequency allocation, technical specifications and RF exposure can be tricky.

That’s why Machine Design turned to Lee Petro, a Washington, D.C.-based member of the Communications Law Practice at Dickinson Wright. Adept at navigating regulatory complexities, including those posed by the FCC, FTC and Congress, Lee works with industrial and consumer product manufacturing clients to obtain FCC equipment authorizations for the importation and marketing of new technologies.

In the following Q&A, Petro answers a few basic questions.

Machine Design: Please tell us about yourself and the work you do in relation to FCC equipment authorizations of equipment.

Lee Petro: I am a Member with Dickinson Wright PLLC in the Washington, D.C. office. I have been practicing for 27 years, and represent broadcast companies, wireless service providers, educational institutions, and consumer product and industrial companies on regulatory and transactional matters. A significant part of my current work is guiding consumer and industrial product manufacturers through the equipment authorization process before the regulatory agencies in the United States, European Union and Asian countries. This work includes working with companies that are launching new products, advising on the clients’ importation compliance requirements and providing assistance to those that become subject to regulatory enforcement actions.

MD: What are the technical standards a device must meet to comply with FCC regulations?

LP: The FCC’s technical standards depend largely on whether the device is an “intentional,” “unintentional” or “incidental” radiator of radio frequency energy. These standards address a device’s compliance with the FCC’s rules establishing emission limits, frequency allocation, technical specifications and RF exposure.

Emission Limits. Devices must comply with specific radio frequency (RF) and conducted emission limits to avoid interference with other electronic equipment and communication networks.
Frequency Allocation. Equipment must operate at frequencies allocated for their specific type of service and must not cause harmful interference to other services.
Technical Specifications. Devices must meet technical specifications related to modulation, bandwidth, power levels and other technical characteristics as outlined by the FCC rules.
RF Exposure. Devices that emit RF energy must comply with the FCC’s RF exposure guidelines to ensure they do not pose a health risk to users or bystanders.

MD: What specific equipment authorization procedure (e.g., Certification, Declaration of Conformity, Verification) is required for the device?

LP: The FCC has developed different equipment authorization procedures for devices based on the risk that the device’s operation may cause to users and bystanders and other devices. As discussed above, the FCC has developed different rules depending on the nature of the device’s operation, and risk of harm and interference to the surrounding area.

The most rigorous testing regime—Certification—is reserved for intentionally radiating RF devices or devices that operate on FCC-licensed spectrum, including wireless microphones, wireless telephones, Wi-Fi transmitters and Bluetooth radios. The certification process requires that the manufacturer hire a Telecommunication Certification Body (TCB) to conduct tests and prepare a report demonstrating that the RF device complies with the FCC’s technical rules. Once the device is tested by the TCB and shown to comply with the FCC’s rules, the TCB submits a formal application to the FCC containing the test report(s) and other required documentation, and the FCC issues a grant of Certification.

For non-intentional radiators, the FCC recently combined two historically distinct authorization procedures—Verification and Declaration of Conformity—into a new approach—the Supplier’s Declaration of Conformity (SDoC). Under the SDoC authorization procedure, the responsible party (either the manufacturer or importer) will conduct the necessary tests to confirm that the device complies with the FCC’s technical standards. Neither the FCC nor a TCB is required to review the test reports, and the responsible party is required to maintain adequate records to demonstrate that the device has been tested.

When devices combine both intentional and unintentional radiating modules, the FCC permits the responsible party to use the SDoC equipment authorization procedure to confirm compliance for the unintentional radiating modules, and the Certification procedures for the intentional radiators. Where both intentional and unintentional modules are combined into one device, it is not uncommon for the responsible party to use the Certification procedures for the entire device to ensure that the assembled device complies with the applicable FCC Regulations.

MD: What are the labeling requirements? How can OEMs/importers ensure the products/components qualify for the FCC identifier and compliance statements?

LP: The labeling requirements will depend on which of the two equipment authorization procedures was used. For devices that underwent the SDoC procedure, the FCC requires that the label contain a unique identifier (i.e., trade name and model number) be affixed to the device. For devices that underwent the Certification procedure, the FCC requires that a nameplate or label be affixed to the device containing the FCC Identifier (FCC ID) issued by the FCC when it approved the Equipment Certification.

Two exceptions apply to these general rules. First, where the device is too small for a label to be affixed, the labeling information can be placed in the user manual accompanying the product. Alternatively, if the device is designed to work in connection with another product that has an electronic display, an “e-label” can be used, so long as the packaging contains the required FCC ID or unique identifier.

OEM and U.S.-based importers should request that the vendor provide the FCC ID and any related documentation containing the required consumer warning information before entering into an agreement with the vendor. There are numerous FCC enforcement actions involving white-label manufacturers who have given assurances to U.S.-based importers that the devices comply with applicable technical requirements, only to find out that these assurances were not provided in good faith and/or up to date. Where the devices are only required to be self-certified through the SDoC approval process, U.S.-based importers should request that the underlying test reports be provided before a final agreement is reached.

MD: How do we ensure that a device complies with RF exposure limits set by the FCC?

LP: Where the vendor has provided the FCC ID issued by the FCC, companies can search the FCC’s Equipment Authorization search page to confirm that the FCC ID relates to the device to be sold. The underlying test reports, equipment photos, User Manual, and attestation statements are maintained for each product with an FCC ID, which helps ensure that the purchaser can confirm that the device complies with all applicable FCC rules.

It is more difficult for devices that only underwent the SDoC procedures, but requesting that the manufacturer provide the documentation relied upon to self-certify compliance should provide a certain level of assurance that the device complies with the FCC rules.

MD: Are there any specific importation guidelines or restrictions importers need to follow for FCC compliance?

LP: Documentation of compliance with the equipment authorization rules is required for importation and the designation of a responsible party in the United States is required.

The FCC will permit the importation of 4,000 or fewer units to be imported before equipment authorization is completed for the limited purpose of testing for compliance with the FCC’s rules, product development, or suitability for marketing. These devices may not be offered for sale or marketed to the public. Additionally, the FCC will permit the importation of 400 or fewer devices when the devices are to be demonstrated at industry trade shows and will not be offered for sale or marketed to the general public.

MD: The FCC voted to create a voluntary cybersecurity labeling program for wireless consumer Internet of Things (“IoT”) products. What can you tell us about the expected benefits and challenges with creating a “U.S. Cyber Trust Mark” program?

LP: Earlier this year, the FCC adopted rules to establish a voluntary cybersecurity labeling program for consumer wireless Internet of Things (IoT) products. The initial focus of the Labeling Program will be on consumer IoT products, which, after going through the certification process, will be associated with the Cyber Trust Mark and QR code that will link interested consumers to product information about the device, including where to find software patches and security updates. The FCC will not be reviewing the products. Instead, the products will be sent to accredited test labs to confirm compliance with the IoT Labeling Program technical standards.

In June 2024, the FCC staff initiated the process for reviewing applications filed by entities that wish to serve as the Cybersecurity Label Administrator (CLA) and Lead Administrator of the program. The CLAs and Lead Administrator must demonstrate expertise in cybersecurity and thorough knowledge of the FCC’s rules and must not have any affiliation with entities on the Covered List or the Department of Commerce’s Entity List.

At this point, it is uncertain whether the public will rely on the IoT Labeling Program when making their purchase decisions. As noted, the initial devices to go through the Program are targeted to consumers, rather than industrial or enterprise IoT devices that are more frequently targeted in cyberattacks. Further, those manufacturers that do participate in the program will have additional administrative obligations, and greater potential liability if they fail to update their information in the product registry in the future. Because it may take several years before the Cyber Trust Mark becomes a threshold requirement by consumers, manufacturers may not see any immediate benefits arising from their participation in the program.

MD: What ongoing compliance and reporting obligations should be followed after obtaining the FCC equipment authorization?

LP: Because both the Certification and SDoC equipment authorization processes focus on a specific device’s operation, any changes to the device, i.e., increased power or different frequency, will require the manufacturer to retest the device to confirm ongoing compliance with the FCC’s rules. Even if the manufacturer did not intend to make technical changes, it is common for technical issues to arise when the manufacturer changes the supplier of equipment used in the RF device. Therefore, we recommend that the manufacturers establish procedures to routinely audit the device’s supply chain and periodically conduct random testing, especially when there are a significant number of units sold.

Additionally, because the FCC’s compliance rules focus on the responsible party in the United States should there be any complaints or audits conducted by field agents, it is important to ensure that the contact information is kept current and that the supporting documentation associated with the equipment authorization process be readily available.

MD: Who can assist with pre-authorization testing, certification and navigating the FCC authorization process?

LP: It is important to establish a relationship with an engineering firm and/or legal counsel early in the process to ensure that the final version of a product complies with the FCC’s technical rules. In certain circumstances, it may be necessary to seek a waiver of the

FCC’s technical rules for the device to operate in a particular frequency band. Telecommunications Certification Bodies (TCBs) are not permitted to grant waivers of the FCC’s rules, so those must be submitted directly to the FCC’s staff for processing before the equipment authorization approval can be granted by the TCB. In recent years, there has been a growing number of waiver requests processed by the FCC as new technologies have been developed to operate on spectrum currently assigned for other uses. A short conversation with FCC counsel can help avoid certain product development delays and expedite the launch of a product.

MD: Is there anything else you would like to share?

LP: The FCC has increased its enforcement actions relating to the equipment authorization program in the past several years. In just the first half of 2024, the FCC’s Enforcement Bureau has proposed fines in excess of $5 million for violations of the equipment authorization and marketing rules, and several years ago, the FCC conducted multi-year enforcement investigations in several industries that relied upon noncompliant components obtained from white-label manufacturers. By incorporating compliance programs as part of the product launch process will help manufacturers and U.S.-based companies avoid future enforcement actions.