FCC Requires Network Security Measures and Proposes New Cybersecurity Requirements

FCC Requires Network Security Measures and Proposes New Cybersecurity Requirements

The Federal Communications Commission (FCC or Commission) has taken immediate action to strengthen communications network security through two distinct actions- a Declaratory Ruling and proposed new cybersecurity requirements. Both these actions come in response to recent major cybersecurity breaches of U.S. telecommunications networks. This effort is concurrent with recent Presidential initiatives, including an Executive Order aimed at promoting national cybersecurity and protecting critical government services.

CALEA Declaratory Ruling and Section 105 Obligations

The Declaratory Ruling, effective immediately, clarifies that telecommunications carriers must secure their networks from unauthorized access and communications interception under Section 105 of the Communications Assistance for Law Enforcement Act (CALEA), or be subject to monetary penalties. To satisfy these obligations, the FCC expects carriers to implement basic cybersecurity hygiene practices including role-based access controls, password requirements, and multifactor authentication. Carriers should deploy enterprise-level cybersecurity best practices across their networks, including patching known or identified vulnerabilities, as vulnerabilities in any part of the network could compromise surveillance systems. The Commission concluded carriers would be unlikely to meet their Section 105 statutory obligations without adopting these basic cybersecurity measures.

Notice of Proposed Rulemaking

In an accompanying Notice of Proposed Rulemaking, the Commission proposes to require communications providers to create and implement cybersecurity and supply chain risk management plans. Providers would need to submit annual certifications confirming they have these plans in place and are following them. The plans must show how providers protect their networks and systems from security threats.

The proposed requirements extend beyond the EA-CAM providers this already applies to, including a wide range of providers including rural telecommunications providers, broadband providers, cable operators, wireless carriers, and satellite providers. Recognizing the unique challenges facing smaller providers, the Commission proposes several accommodating measures for small providers, as defined by the Small Business Administration (SBA). These include a 24-month implementation period (compared to 12 months for large providers), flexibility in developing security approaches, access to free security resources through the Department of Homeland Security’s Cybersecurity & Infrastructure Security Agency (CISA) including vulnerability scanning, and the ability to integrate plans with existing operations.

How JSI Can Help

The Commission seeks comment on key issues including defining small providers, appropriate security measures, and implementation costs. Comments will be due 30 days after Federal Register publication, with reply comments due 30 days later.
JSI can assist clients in understanding these requirements, developing or reviewing cybersecurity and supply chain plans, preparing required certifications, or participating in the Commission’s comment process. For assistance or to discuss filing comments, please contact Daniel Lindley or Brett Hallagan.

REVISION (January 21, 2025)

On January 20, 2025, President Trump issued an Executive Memorandum (Memorandum) instituting a government-wide regulatory freeze. The memorandum directs all executive departments and agencies to halt the proposal and issuance of new rules, requiring review and approval by newly appointed or designated agency heads. This includes withdrawing rules already sent to the Office of the Federal Register but not yet published and potentially postponing the effective dates of recently published regulations for a 60-day review period.

As a result, the FCC’s Notice of Proposed Rulemaking (NPRM) on cybersecurity requirements is currently on hold, pending review by newly appointed FCC Chairman Brandon Carr. The Declaratory Ruling remains in effect.