Cybersecurity Declaratory Ruling


In the previous edition of the ICORE Blog we discussed a major security breach, the Salt Typhoon attack, and reported that FCC Chairwoman Rosenworcel had circulated with her fellow Commissioners a Declaratory Ruling and a Notice of Proposed Rulemaking (NPRM) addressing the need to protect the nation’s communications networks from cybersecurity threats and attacks. On January 15, 2025, the Declaratory Ruling and NPRM were adopted by the Commission and released the following day. The Declaratory Ruling is effective immediately. The following discussion highlights the key aspects of the Declaratory Ruling and NPRM:

* Declaratory Ruling (Ruling)

* Stating that the cybersecurity of our nation’s communications infrastructure is essential to promoting national security, public safety, and economic security, the Commission concludes that section 105 of the Communications Assistance for Law Enforcement Act (CALEA) requires telecommunications carriers to secure their networks from unlawful access. The Ruling notes that the Commission has previously found that section 105 of CALEA creates an obligation for telecommunications carriers to avoid the risk that equipment suppliers will act in an illegal manner in regard to the carrier’s switching equipment without its knowledge. The Ruling further states that telecommunications carriers’ duties under section 105 extend not only to the equipment they choose to use in their networks, but also to how they manage their networks.

* The Ruling reiterates the Commission’s previous conclusion that section 105 currently obligates carriers to take action to prevent all unauthorized interception and access to call-identifying information within their networks.

* The Ruling further states the Commission’s belief that, at present, telecommunications carriers would be unlikely to satisfy their statutory obligations under section 105 without adopting certain basic cybersecurity practices, including “basic cybersecurity hygiene practices such as implementing role-based access controls, changing default passwords, requiring minimum password strength, and adopting multifactor authentication.” Further, the Ruling stresses that enterprise-level implementation of these basic cybersecurity hygiene practices is necessary to prevent unlawful real-time access to communications.

* Notice of Proposed Rulemaking (NPRM)

* The NPRM proposes to adopt specific cybersecurity and supply chain risk management requirements and would apply these requirements to a broader universe of service providers, including facilities-based fixed and mobile Broadband Internet Access Service (BIAS) providers, wireline communications providers, and interconnected VoIP providers, to name just a few of the listed providers, referred to collectively as Covered Providers. The NPRM proposes and seeks comment on the following:

* Requiring all Covered Providers to create, update, and implement cybersecurity and supply chain risk management plans.

* Providing flexibility in the structure of the plans. The NPRM cites the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) as a model for compliance.

* Requiring sign-off by a senior officer of the Covered Provider.

* The NPRM recognizes that EA-CAM carriers have already implemented cybersecurity and risk management plans.

* Requiring annual audits by Covered Providers; the NPRM asks how often audits are or should be conducted and whether audits should be performed by third-party auditors.

* Requiring an annual certification by Covered Providers that they have created, updated, and implemented cybersecurity and risk management plans.

* Requiring that a Covered Provider’s plans be made available to the Commission upon request.

* From a timing perspective, the NPRM proposes that small providers, as defined by the Small Business Administration (SBA), must certify to the creation of cybersecurity and supply chain risk management plans within 12 months of the publication in the Federal Register of OMB review and approval of the information collection process. Small providers would not need to complete the implementation of their plans until 24 months after OMB review and approval. The SBA small business size standard for Wired Telecommunications Carriers classifies firms with 1,500 or fewer employees as small. The NPRM proposes that non-small providers must certify to the implementation of their plans within 12 months of OMB approval.

* Comments on the NPRM are due 30 days from the date of publication in the Federal Register. Reply comments are due 60 days from the date of publication in the Federal Register.

In the Declaratory Ruling, the Commission strongly asserts that telecommunications carriers currently are obligated under section 105 of CALEA to secure their networks from unlawful access and specifies the types of cybersecurity practices that carriers should have in place today to address that statutory requirement. The NPRM proposes and seeks comment on steps to broaden the application of enhanced cybersecurity and supply chain risk management rules to a larger universe of providers. As mentioned above, EA-CAM carriers are already required to create, update, and implement cybersecurity and supply chain risk management plans; however, the NPRM proposes increased responsibilities for these carriers as well in terms of audit requirements and annual certification filings.
