FCC proposes new cybersecurity mandates for submarine cable operators in major rule review, seeks public input - Industrial Cyber

The US Federal Communications Commission (FCC) is conducting its first comprehensive review of submarine cable rules since 2001 to enhance the protection of the nation's submarine cable infrastructure amid evolving national security concerns. The review also proposes that all applicants for cable landing licenses and licensees submitting periodic reports must certify that they have developed and implemented cybersecurity risk management plans. Existing licensees must also provide this certification for the first time, following a prioritization schedule.

Additionally, applicants and licensees must confirm they take reasonable measures to protect the confidentiality, integrity, and availability of their systems. The cybersecurity plans should outline identified risks, mitigation controls, and how these controls are effectively applied. The Commission is seeking comments on these proposals.

The FCC review also aims to establish new rules for better safeguarding submarine cable infrastructure, including a proposed three-year reporting requirement for landing licenses and potential changes to the current 25-year license term. The FCC also seeks to clarify its jurisdiction and application requirements while aiming to improve circuit capacity data quality and facilitate information sharing with federal agencies to strengthen oversight of US communications networks.

In a Federal Register notice published on Thursday, the FCC has called for comments from interested stakeholders, which must be submitted by April 14, 2025. Reply comments are due by May 12, 2025. Additionally, written feedback on the proposed information collection requirements under the Paperwork Reduction Act should be submitted by the public, the Office of Management and Budget (OMB), and other interested parties by May 12, 2025.

"Given the importance of cybersecurity, the Commission believes that the operation of submarine cable systems should meet baseline security requirements to safeguard systems against threats," the notice explained. The Commission believes these proposals are consistent with the National Cybersecurity Strategy and, in that connection, are in keeping with a whole-of-government effort to establish cybersecurity requirements to support national security and public safety.

Also, the FCC expects that creating, updating, and implementing cybersecurity risk management plans would help protect applicants' and licensees' systems and services from serious threats to national security, public safety, and the economy. These proposals would require specific actions to protect communications networks and infrastructure and collaborating with communications sector industry members to identify best practices. The Commission seeks comment on these expectations and any national security, economic, or public safety benefits of effective cybersecurity practices and cybersecurity risk management for applicants and licensees.

The Commission proposes that each applicant or licensee have the flexibility to structure its cybersecurity risk management plan in a manner that is tailored to its organization, provided that the plan demonstrates that the applicant or licensee is taking affirmative steps to analyze security risks and improve its security posture. While the Commission believes there are many ways that applicants or licensees may satisfy this requirement, the Commission proposes that they could successfully demonstrate compliance with this proposed requirement by following an established risk management framework, such as the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF).

Furthermore, the FCC seeks comment on a flexible approach, including whether it would reduce the costs imposed on applicants and licensees, including other possible risk management frameworks that applicants and licensees implement other than the NIST CSF. To the extent commenters believe the Commission should mandate a particular risk management framework or take a less flexible approach, the Commission seeks comment on their proposed alternative, their rationale, and why it would serve the public interest.

The notice also seeks information on whether the FCC should require applicants and licensees to apply the NIST CSF, as the Commission has done in other proceedings. The Commission further seeks comment on how an applicant should demonstrate that it has taken affirmative steps to analyze security risks and improve its security posture after implementing a cybersecurity risk management plan.

The FCC proposes that an applicant's chief executive officer (CEO), chief financial officer (CFO), chief technology officer (CTO), or a similarly situated senior officer responsible for governance of the organization's security practices would be required to sign the applicant's cybersecurity risk management plan. The Commission believes that a signatory with visibility into the network and organization must ensure the plan encompasses all necessary elements and is executed throughout the organization. It also seeks comment on whether to require applicants' and licensees' cybersecurity risk management plans to include provisions for identifying, assessing, and mitigating supply chain cybersecurity threats.

The Commission proposes to require applicants and licensees to describe in their risk management plans their implementation of security controls sufficient to ensure the confidentiality, integrity, and availability of all aspects of their communications systems and services. It proposes that applicants and licensees can meet cybersecurity requirements by demonstrating the implementation of established best practices, such as the Cybersecurity and Infrastructure Security Agency's (CISA) cross-sector cybersecurity performance goals or the Center for Internet Security Critical Security Controls. The Commission emphasizes that cybersecurity risk management plans should be tailored to the specific needs and circumstances of each applicant or licensee to effectively protect against cyber threats. Comments on this proposal are being sought.

In conjunction with this proposal, the FCC seeks comment on whether to require applicants and licensees to implement specific security controls sufficient to protect the confidentiality, integrity, and availability of their systems and services.

In the Alerting Security NPRM, the Commission proposed to require alerting participants to implement the following six controls, among other measures: changing default passwords before operation; installing security updates promptly; securing equipment behind properly configured firewalls or using other segmentation practices; requiring multifactor authentication where applicable; addressing the replacement of end-of-life equipment; and wiping, clearing, or encrypting user information before disposing of old devices. These six controls were drawn from CISA's common baseline of cybersecurity controls. The Commission seeks comment on whether it should require the implementation of these, or some other subset of common security controls, to protect applicants' and licensees' systems and services.

The Commission observes that applicants and licensees can benefit from free and low-cost resources that are available to help identify and implement best practices and improve their security over time without requiring the hiring of outside experts. NIST publishes guidance that could assist organizations with measuring their safeguards, including how to address ransomware, malware, malicious code, spyware, distributed denial of service (DDoS) attacks, phishing, securing networks, and threats to mobile phones. CISA offers vulnerability scanning at no cost for critical infrastructure, which includes communications providers, and also provides CPG Assessment Training with regional cybersecurity experts that will help communications providers better understand CPGs and the cybersecurity risk assessment process.

The FCC proposes that applicants and licensees submit cybersecurity risk management plans to the Commission upon request. It also puts forward that applicants and licensees must preserve data and records related to their cybersecurity risk management plans, including any information that is necessary to show how the cybersecurity risk management plan is implemented, for two years from the submission of the related risk management plan certification to the Commission.

The Commission believes it would promote neither public safety nor national security if applicants and licensees could escape responsibility for the cybersecurity of their systems and services by outsourcing the provision of those systems and services to third parties. It seeks comment on the extent to which applicants and licensees currently include minimum cybersecurity requirements in their contracts with third parties.

The FCC notice identified that the Commission proposes to require cable landing licensees to provide cybersecurity certifications in the report. Among other things, the Commission proposes that licensees certify in the report that they have created, updated, and implemented cybersecurity risk management plans. The Commission also proposes to require these applicants and licensees to certify that they take reasonable measures to protect the confidentiality, integrity, and availability of their systems and services that could affect their provision of communications services.

The Commission also estimated that applicants will incur an additional cost associated with the Commission's proposal to certify compliance with baseline cybersecurity standards, including implementing the cybersecurity risk management plans. The Commission expects that the amount of work associated with preparing a new license application will likely be similar to the work associated with preparing a renewal application. Additionally, the licensees would be required to provide the Commission with updated information every three years.

The FCC also proposes not to require small and other entities to submit or file their cybersecurity risk management plans at a designated time each year. Instead, the Commission proposes that applicants and licensees submit cybersecurity management plans to the Commission upon request. Additionally, the Commission proposes that applicants and licensees must preserve data and records related to their cybersecurity risk management plans, including any information that is necessary to show how the cybersecurity risk management plan is implemented, for two years from the submission of the related risk management plan certification to the Commission.

In January, the FCC announced measures to protect the nation's communication systems from major cybersecurity threats, especially those originating from state-sponsored cyber actors in the People's Republic of China. This move follows recent reports of foreign entities successfully infiltrating US communication networks. Building on earlier actions taken in December, the FCC mandated that telecom carriers strengthen their networks to improve the resilience of US communications against future cyberattacks, including those orchestrated by state-sponsored groups in China. The agency remains steadfast in its commitment to ensuring that telecommunications companies effectively secure their networks.