The Federal Communications Commission (FCC) announced that it is taking steps to address cybersecurity vulnerabilities exposed by the recent Salt Typhoon cyberattack, which was linked to foreign state-sponsored actors.
FCC Chairwoman Jessica Rosenworcel issued a statement proposing a Declaratory Ruling addressing this issue, which has been circulated to the other Commissioners. The Declaratory Ruling would confirm that Section 105 of the Communications Assistance for Law Enforcement Act (CALEA) requires telecommunications carriers to secure their networks against unauthorized access and interception. The Declaratory Ruling would also clarify that these obligations apply to both network equipment and network management practices.
Proposed Rulemaking to Require Cybersecurity Risk Management Plans and Annual Certification
The FCC also circulated a Notice of Proposed Rulemaking (NPRM), which outlines additional measures to enhance cybersecurity:
- Annual Certification: Under the proposed rule, telecom providers would be required to develop, implement, and maintain comprehensive cybersecurity risk management plans. Telecom providers would also be required to submit an annual certification to the FCC attesting to compliance with these plans.
- Public Input: The NPRM seeks comments on expanding these requirements to a broader range of communications providers and solicits suggestions for further strengthening cybersecurity defenses for telecommunication services.
If both are adopted, the Declaratory Ruling will take immediate effect, while the NPRM will initiate a public comment period before any final rules are implemented.
Ensuring Compliance with Current Obligations
In light of these developments, telecom providers should ensure compliance with their existing obligations under CALEA, in particular the required filing of a System Security and Integrity (SSI) Plan. Telecom providers are required to submit and maintain an up-to-date SSI Plan with the FCC in accordance with current regulations. This plan outlines the measures taken to ensure compliance with lawful interception obligations while safeguarding against unauthorized access to communications.
Next Steps for Telecom Providers
Telecom providers should be prepared to adapt to the potential new regulatory framework and strengthen their cybersecurity posture. Key actions to consider include:
- Reviewing and enhancing cybersecurity risk management plans to meet both current and anticipated obligations.
- Conducting internal audits of compliance with CALEA, including the accuracy and sufficiency of SSI Plans.
- Monitoring FCC proceedings to stay informed about the NPRM and participate in the public comment process.
If you require assistance with navigating these developments or ensuring compliance with existing requirements under CALEA, including assistance with drafting and filing an SSI Plan, Marashlian & Donahue, PLLC, the CommLaw Group, is here to help. Contact Susan Duarte (sfd@commlawgroup.com or 703-714-1318), or Adam Davis (amd@commlawgroup.com or 703-714-1325) for more information.