Home/Federal/Federal Register/2022-25263

Proposed Rule2022-25263

Emergency Alert System; Wireless Emergency Alerts; Protecting the Nation's Communications Systems From Cybersecurity Threats

Primary source

Metadata and text below are from the Federal Register, a public-domain U.S. government work. Always verify the official published version before relying on it for any legal matter.

Published

November 23, 2022

Issuing agencies

Federal Communications Commission

Abstract

In this document, the Commission proposes requirements for Emergency Alert System (EAS) Participants to report compromises of their EAS equipment, communications systems, and services to the Commission. Additionally, this document proposes requirements for EAS Participants and Commercial Mobile Service (CMS) providers that participate in Wireless Emergency Alerts (WEA) to annually certify to having a cybersecurity risk management plan in place and to employ sufficient security measures to ensure the confidentiality, integrity, and availability of their respective alerting systems. This document also proposes requirements for participating CMS providers to take steps to ensure that only valid alerts are displayed on consumer devices. These requirements would further protect the nation's communications systems from cybersecurity threats. With this Notice of Proposed Rulemaking, the Commission seeks comment on the proposed rules and any suitable alternatives.

Full Text

<html>
<head>
<title>Federal Register, Volume 87 Issue 225 (Wednesday, November 23, 2022)</title>
</head>
<body><pre>
[Federal Register Volume 87, Number 225 (Wednesday, November 23, 2022)]
[Proposed Rules]
[Pages 71539-71557]
From the Federal Register Online via the Government Publishing Office [<a href="http://www.gpo.gov">www.gpo.gov</a>]
[FR Doc No: 2022-25263]

=======================================================================
-----------------------------------------------------------------------

FEDERAL COMMUNICATIONS COMMISSION

47 CFR Parts 10 and 11

[PS Docket Nos. 15-94, 15-91, 22-329; FCC 22-82; FR ID 113410]

Emergency Alert System; Wireless Emergency Alerts; Protecting the
Nation's Communications Systems From Cybersecurity Threats

AGENCY: Federal Communications Commission.

ACTION: Proposed rule.

-----------------------------------------------------------------------

SUMMARY: In this document, the Commission proposes requirements for
Emergency Alert System (EAS) Participants to report compromises of
their EAS equipment, communications systems, and services to the
Commission. Additionally, this document proposes requirements for EAS
Participants and Commercial Mobile Service (CMS) providers that
participate in Wireless Emergency Alerts (WEA) to annually certify to
having a cybersecurity risk management plan in place and to employ
sufficient security measures to ensure the confidentiality, integrity,
and availability of their respective alerting systems. This document
also proposes requirements for participating CMS providers to take
steps to ensure that only valid alerts are displayed on consumer
devices. These requirements would further protect the nation's
communications systems from cybersecurity threats. With this Notice of
Proposed Rulemaking, the Commission seeks comment on the proposed rules
and any suitable alternatives.

DATES: Comments are due on or before December 23, 2022 and reply
comments are due on or before January 23, 2023.

ADDRESSES: You may submit comments, identified by PS Docket Nos. 15-94,
15-91, and 22-329, by any of the following methods:
<bullet> Electronic Filers: Comments may be filed electronically
using the internet by accessing the ECFS: <a href="http://apps.fcc.gov/ecfs/">http://apps.fcc.gov/ecfs/</a>.
<bullet> Paper Filers: Parties who choose to file by paper must
file an original and one copy of each filing.
Filings can be sent by commercial overnight courier, or by first-
class or overnight U.S. Postal Service mail. All filings must be
addressed to the Commission's Secretary, Office of the Secretary,
Federal Communications Commission.
<bullet> Commercial overnight mail (other than U.S. Postal Service
Express Mail and Priority Mail) must be sent to 9050 Junction Drive,
Annapolis Junction, MD 20701.
<bullet> U.S. Postal Service first-class, Express, and Priority
mail must be addressed to 45 L Street NE, Washington, DC 20554.

[[Page 71540]]

<bullet> Effective March 19, 2020, and until further notice, the
Commission no longer accepts any hand or messenger delivered filings.
This is a temporary measure taken to help protect the health and safety
of individuals, and to mitigate the transmission of COVID-19. See FCC
Announces Closure of FCC Headquarters Open Window and Change in Hand-
Delivery Policy, Public Notice, DA 20-304 (March 19, 2020). <a href="https://www.fcc.gov/document/fcc-closes-headquarters-open-window-and-changes-hand-delivery-policy">https://www.fcc.gov/document/fcc-closes-headquarters-open-window-and-changes-hand-delivery-policy</a>.
People with Disabilities. To request materials in accessible
formats for people with disabilities (braille, large print, electronic
files, audio format), send an email to <a href="/cdn-cgi/l/email-protection#41272222747175012722226f262e37">[email&#160;protected]</a> or call the
Consumer & Governmental Affairs Bureau at 202-418-0530 (voice), 202-
418-0432 (tty).

FOR FURTHER INFORMATION CONTACT: For further information regarding
Notice of Proposed Rulemaking, please contact James Wiley,
Cybersecurity and Communications Reliability Division, Public Safety
and Homeland Security Bureau, (202) 418-1678, or by email to
<a href="/cdn-cgi/l/email-protection#a8e2c9c5cddb86ffc1c4cdd1e8cecbcb86cfc7de">[email&#160;protected]</a>, or Steven Carpenter, Cybersecurity and
Communications Reliability Division, Public Safety and Homeland
Security Bureau, (202) 418-2313, or by email to
<a href="/cdn-cgi/l/email-protection#792a0d1c0f1c17573a180b091c170d1c0b391f1a1a571e160f">[email&#160;protected]</a>. For additional information concerning the
Paperwork Reduction Act information collection requirements contained
in this document, send an email to <a href="/cdn-cgi/l/email-protection#39696b78795f5a5a175e564f">[email&#160;protected]</a> or contact Nicole
Ongele, Office of Managing Director, Performance Evaluation and Records
Management, 202-418-2991, or by email to <a href="/cdn-cgi/l/email-protection#570705161731343479303821">[email&#160;protected]</a>.

SUPPLEMENTARY INFORMATION: This is a summary of the Commission's Notice
of Proposed Rulemaking (NPRM), in PS Docket Nos. 15-94, 15-91, 22-329;
FCC 22-82, adopted and released on October 27, 2022. The full text of
this document is available by downloading the text from the
Commission's website at: <a href="https://docs.fcc.gov/public/attachments/FCC-22-82A1.pdf">https://docs.fcc.gov/public/attachments/FCC-22-82A1.pdf</a>.

Paperwork Reduction Act

This Notice of Proposed Rulemaking (NPRM) seeks comment on
potential new or revised proposed information collection requirements.
If the Commission adopts any new or revised final information
collection requirements when the final rules are adopted, the
Commission will publish a notice in the Federal Register inviting
further comments from the public on the final information collection
requirements, as required by the Paperwork Reduction Act of 1995,
Public Law 104-13 (44 U.S.C. 3501-3520). The Commission, as part of its
continuing effort to reduce paperwork burdens, invites the general
public and OMB to comment on the information collection requirements
contained in this document, as required by the PRA. Public and agency
comments on the PRA proposed information collection requirements are
due January 23, 2023.
Comments should address: (a) whether the proposed collection of
information is necessary for the proper performance of the functions of
the Commission, including whether the information shall have practical
utility; (b) the accuracy of the Commission's burden estimates; (c)
ways to enhance the quality, utility, and clarity of the information
collected; (d) ways to minimize the burden of the collection of
information on the respondents, including the use of automated
collection techniques or other forms of information technology; and (e)
way to further reduce the information collection burden on small
business concerns with fewer than 25 employees. In addition, pursuant
to the Small Business Paperwork Relief Act of 2002, Public Law 107-198,
see 44 U.S.C. 3506(c)(4), we seek specific comment on how we might
further reduce the information collection burden for small business
concerns with fewer than 25 employees.

I. Initial Regulatory Flexibility Analysis

1. As required by the Regulatory Flexibility Act of 1980, as
amended (RFA), the Commission has prepared this Initial Regulatory
Flexibility Analysis (IRFA) of the possible significant economic impact
on a substantial number of small entities by the policies and rules
proposed in the NPRM. Written public comments are requested on this
IRFA. Comments must be identified as responses to the IRFA and must be
filed by the deadlines for comments on the NPRM. The Commission will
send a copy of the NPRM, including this IRFA, to the Chief Counsel for
Advocacy of the Small Business Administration (SBA). In addition, the
NPRM and IRFA (or summaries thereof) will be published in the Federal
Register.

A. Need for, and Objectives of, the Proposed Rules

2. The NPRM raises awareness concerning security of the nation's
alert and warning systems is essential to helping safeguard the lives
and property of all Americans. To ensure that the EAS and WEA remain
strong, the Commission must act proactively in its oversight of
stakeholders associated with these systems. The Commission has
previously encouraged stakeholders to ensure that their systems are
secure and provided guidance on specific steps that communications
providers could take to secure their equipment. According to data
collected by the Public Safety and Homeland Security Bureau (Bureau)
during the nationwide EAS test in August 2021 however, more than 5,000
EAS Participants were using outdated software or using equipment that
no longer supported regular software updates. Moreover, in the area of
equipment operational readiness, the test also revealed that an
appreciable number of EAS Participants were unable to participate in
testing due to equipment failure. This was despite receiving advanced
notice that the test was going to be conducted. The Commission
therefore believes the information revealed in the nationwide EAS test
signals that we should take action to ensure and enhance the security
of the EAS and WEA. In the NPRM, the Commission acts to improve the
security and reliability of the EAS and WEA by proposing and seeking
comment on rules promoting the operational readiness of EAS equipment,
improving awareness of unauthorized access to EAS equipment,
communications systems, or services, protecting the nation's alerting
systems through the development, implementation, and certification of a
cybersecurity risk management plan and displaying only valid WEA
messages on mobile devices.
3. The NPRM includes specific proposals upon which the Commission
seeks comment include: requiring EAS Participants and Participating CMS
Providers to annually certify to having a cybersecurity risk management
plan in place and employing sufficient security controls to ensure the
confidentiality, integrity, and availability of their respective
alerting systems (including certain baseline security controls);
requiring EAS Participants to report any incident of unauthorized
access of their EAS equipment, communications systems, or services
(i.e., regardless of whether that compromise has resulted in the
transmission of a false alert) to the Commission via NORS within 72
hours of when it knew or should have known that an incident has
occurred, and provide details concerning the incident and requiring
that mobile devices only present WEA alerts from valid base stations.
In addition, the Commission seeks comment on whether and how to promote
the operational readiness of EAS. The Commission also

[[Page 71541]]

seeks comment to refresh the record on previously proposed changes to
the WEA infrastructure functionality rules, and on how our proposals in
the NPRM may promote or inhibit advances in diversity, equity,
inclusion, and accessibility, as well as on the scope of the
Commission's relevant legal authority.

B. Legal Basis

4. The proposed action is authorized pursuant to sections 1, 2,
4(i), 4(n), 301, 303(b), 303(g), 303(r), 303(v), 307, 309, 335, 403,
624(g), and 706 of the Communications Act of 1934, as amended, 47
U.S.C. 151, 152, 154(i), 154(n), 301, 303(b), 303(g), 303(r), 303(v),
307, 309, 335, 403, 544(g), and 606; The Warning, Alert and Response
Network (WARN) Act, WARN Act sections 602(a), (b), (c), (f), 603, 604,
and 606, 47 U.S.C. 1202(a),(b),(c), (f), 1203, 1204 and 1206; the
Wireless Communications and Public Safety Act of 1999, Pub. L. 106-81,
47 U.S.C. 615, 615a, 615b; Section 202 of the Twenty-First Century
Communications and Video Accessibility Act of 2010, as amended, 47
U.S.C. 613.

C. Description and Estimate of the Number of Small Entities to Which
the Proposed Rules Will Apply

5. The RFA directs agencies to provide a description of and, where
feasible, an estimate of, the number of small entities that may be
affected by the proposed rules, if adopted. The RFA generally defines
the term ``small entity'' as having the same meaning as the terms
``small business,'' ``small organization,'' and ``small governmental
jurisdiction.'' In addition, the term ``small business'' has the same
meaning as the term ``small business concern'' under the Small Business
Act. A ``small business concern'' is one which: (1) is independently
owned and operated; (2) is not dominant in its field of operation; and
(3) satisfies any additional criteria established by the Small Business
Administration (SBA).
6. Small Businesses, Small Organizations, Small Governmental
Jurisdictions. Our actions, over time, may affect small entities that
are not easily categorized at present. We therefore describe here, at
the outset, three broad groups of small entities that could be directly
affected herein. First, while there are industry specific size
standards for small businesses that are used in the regulatory
flexibility analysis, according to data from the SBA's Office of
Advocacy, in general a small business is an independent business having
fewer than 500 employees. These types of small businesses represent
99.9% of all businesses in the United States, which translates to 32.5
million businesses.
7. Next, the type of small entity described as a ``small
organization'' is generally ``any not-for-profit enterprise which is
independently owned and operated and is not dominant in its field.''
The Internal Revenue Service (IRS) uses a revenue benchmark of $50,000
or less to delineate its annual electronic filing requirements for
small exempt organizations. Nationwide, for tax year 2020, there were
approximately 447,689 small exempt organizations in the U.S. reporting
revenues of $50,000 or less according to the registration and tax data
for exempt organizations available from the IRS.
8. Finally, the small entity described as a ``small governmental
jurisdiction'' is defined generally as ``governments of cities,
counties, towns, townships, villages, school districts, or special
districts, with a population of less than fifty thousand.'' U.S. Census
Bureau data from the 2017 Census of Governments indicate that there
were 90,075 local governmental jurisdictions consisting of general
purpose governments and special purpose governments in the United
States. Of this number there were 36,931 general purpose governments
(county, municipal and town or township) with populations of less than
50,000 and 12,040 special purpose governments--independent school
districts with enrollment populations of less than 50,000. Accordingly,
based on the 2017 U.S. Census of Governments data, we estimate that at
least 48,971 entities fall into the category of ``small governmental
jurisdictions.''
9. Wireless Telecommunications Carriers (except Satellite). This
industry comprises establishments engaged in operating and maintaining
switching and transmission facilities to provide communications via the
airwaves. Establishments in this industry have spectrum licenses and
provide services using that spectrum, such as cellular services, paging
services, wireless internet access, and wireless video services. The
SBA size standard for this industry classifies a business as small if
it has 1,500 or fewer employees. U.S. Census Bureau data for 2017 show
that there were 2,893 firms in this industry that operated for the
entire year. Of that number, 2,837 firms employed fewer than 250
employees. Additionally, based on Commission data in the 2021 Universal
Service Monitoring Report, as of December 31, 2020, there were 797
providers that reported they were engaged in the provision of wireless
services. Of these providers, the Commission estimates that 715
providers have 1,500 or fewer employees. Consequently, using the SBA's
small business size standard, most of these providers can be considered
small entities.
10. Broadband Personal Communications Service. The broadband
personal communications services (PCS) spectrum encompasses services in
the 1850-1910 and 1930-1990 MHz bands. The closest industry with a SBA
small business size standard applicable to these services is Wireless
Telecommunications Carriers (except Satellite). The SBA small business
size standard for this industry classifies a business as small if it
has 1,500 or fewer employees. U.S. Census Bureau data for 2017 show
that there were 2,893 firms that operated in this industry for the
entire year. Of this number, 2,837 firms employed fewer than 250
employees. Thus under the SBA size standard, the Commission estimates
that a majority of licensees in this industry can be considered small.
11. Based on Commission data as of November 2021, there were
approximately 5,060 active licenses in the Broadband PCS service. The
Commission's small business size standards with respect to Broadband
PCS involve eligibility for bidding credits and installment payments in
the auction of licenses for these services. In auctions for these
licenses, the Commission defined ``small business'' as an entity that,
together with its affiliates and controlling interests, has average
gross revenues not exceeding $40 million for the preceding three years,
and a ``very small business'' as an entity that, together with its
affiliates and controlling interests, has had average annual gross
revenues not exceeding $15 million for the preceding three years.
Winning bidders claiming small business credits won Broadband PCS
licenses in C, D, E, and F Blocks.
12. In frequency bands where licenses were subject to auction, the
Commission notes that as a general matter, the number of winning
bidders that qualify as small businesses at the close of an auction
does not necessarily represent the number of small businesses currently
in service. Further, the Commission does not generally track subsequent
business size unless, in the context of assignments or transfers,
unjust enrichment issues are implicated. Additionally, since the
Commission does not collect data on the number of employees for
licensees providing these, at this time we are not able to estimate the
number of licensees with active licenses that would qualify as small

[[Page 71542]]

under the SBA's small business size standard.
13. Narrowband Personal Communications Services. Narrowband
Personal Communications Services (Narrowband PCS) are PCS services
operating in the 901-902 MHz, 930-931 MHz, and 940-941 MHz bands. PCS
services are radio communications that encompass mobile and ancillary
fixed communication that provide services to individuals and businesses
and can be integrated with a variety of competing networks. Wireless
Telecommunications Carriers (except Satellite) is the closest industry
with a SBA small business size standard applicable to these services.
The SBA small business size standard for this industry classifies a
business as small if it has 1,500 or fewer employees. U.S. Census
Bureau data for 2017 show that there were 2,893 firms that operated in
this industry for the entire year. Of this number, 2,837 firms employed
fewer than 250 employees. Thus under the SBA size standard, the
Commission estimates that a majority of licensees in this industry can
be considered small.
14. According to Commission data as of December 2021, there were
approximately 4,211 active Narrowband PCS licenses. The Commission's
small business size standards with respect to Narrowband PCS involve
eligibility for bidding credits and installment payments in the auction
of licenses for these services. For the auction of these licenses, the
Commission defined a ``small business'' as an entity that, together
with affiliates and controlling interests, has average gross revenues
for the three preceding years of not more than $40 million. A ``very
small business'' is defined as an entity that, together with affiliates
and controlling interests, has average gross revenues for the three
preceding years of not more than $15 million. Pursuant to these
definitions, 7 winning bidders claiming small and very small bidding
credits won approximately 359 licenses. One of the winning bidders
claiming a small business status classification in these Narrowband PCS
license auctions had an active license as of December 2021.
15. In frequency bands where licenses were subject to auction, the
Commission notes that as a general matter, the number of winning
bidders that qualify as small businesses at the close of an auction
does not necessarily represent the number of small businesses currently
in service. Further, the Commission does not generally track subsequent
business size unless, in the context of assignments or transfers,
unjust enrichment issues are implicated. Additionally, since the
Commission does not collect data on the number of employees for
licensees providing these services, at this time we are not able to
estimate the number of licensees with active licenses that would
qualify as small under the SBA's small business size standard.
16. Wireless Communications Services. Wireless Communications
Services (WCS) can be used for a variety of fixed, mobile,
radiolocation, and digital audio broadcasting satellite services.
Wireless spectrum is made available and licensed for the provision of
wireless communications services in several frequency bands subject to
Part 27 of the Commission's rules. Wireless Telecommunications Carriers
(except Satellite) is the closest industry with a SBA small business
size standard applicable to these services. The SBA small business size
standard for this industry classifies a business as small if it has
1,500 or fewer employees. U.S. Census Bureau data for 2017 show that
there were 2,893 firms that operated in this industry for the entire
year. Of this number, 2,837 firms employed fewer than 250 employees.
Thus under the SBA size standard, the Commission estimates that a
majority of licensees in this industry can be considered small.
17. The Commission's small business size standards with respect to
WCS involve eligibility for bidding credits and installment payments in
the auction of licenses for the various frequency bands included in
WCS. When bidding credits are adopted for the auction of licenses in
WCS frequency bands, such credits may be available to several types of
small businesses based average gross revenues (small, very small and
entrepreneur) pursuant to the competitive bidding rules adopted in
conjunction with the requirements for the auction and/or as identified
in the designated entities section in Part 27 of the Commission's rules
for the specific WCS frequency bands.
18. In frequency bands where licenses were subject to auction, the
Commission notes that as a general matter, the number of winning
bidders that qualify as small businesses at the close of an auction
does not necessarily represent the number of small businesses currently
in service. Further, the Commission does not generally track subsequent
business size unless, in the context of assignments or transfers,
unjust enrichment issues are implicated. Additionally, since the
Commission does not collect data on the number of employees for
licensees providing these services, at this time we are not able to
estimate the number of licensees with active licenses that would
qualify as small under the SBA's small business size standard.
19. 700 MHz Guard Band Licensees. The 700 MHz Guard Band
encompasses spectrum in 746-747/776-777 MHz and 762-764/792-794 MHz
frequency bands. Wireless Telecommunications Carriers (except
Satellite) is the closest industry with a SBA small business size
standard applicable to licenses providing services in these bands. The
SBA small business size standard for this industry classifies a
business as small if it has 1,500 or fewer employees. U.S. Census
Bureau data for 2017 show that there were 2,893 firms that operated in
this industry for the entire year. Of this number, 2,837 firms employed
fewer than 250 employees. Thus under the SBA size standard, the
Commission estimates that a majority of licensees in this industry can
be considered small.
20. According to Commission data as of December 2021, there were
approximately 224 active 700 MHz Guard Band licenses. The Commission's
small business size standards with respect to 700 MHz Guard Band
licensees involve eligibility for bidding credits and installment
payments in the auction of licenses. For the auction of these licenses,
the Commission defined a ``small business'' as an entity that, together
with its affiliates and controlling principals, has average gross
revenues not exceeding $40 million for the preceding three years, and a
``very small business'' an entity that, together with its affiliates
and controlling principals, has average gross revenues that are not
more than $15 million for the preceding three years. Pursuant to these
definitions, five winning bidders claiming one of the small business
status classifications won 26 licenses, and one winning bidder claiming
small business won two licenses. None of the winning bidders claiming a
small business status classification in these 700 MHz Guard Band
license auctions had an active license as of December 2021.
21. In frequency bands where licenses were subject to auction, the
Commission notes that as a general matter, the number of winning
bidders that qualify as small businesses at the close of an auction
does not necessarily represent the number of small businesses currently
in service. Further, the Commission does not generally track subsequent
business size unless, in the context of assignments or transfers,
unjust enrichment issues are implicated. Additionally, since the
Commission does not collect data on the number of employees for
licensees providing these services, at this time we are not able to
estimate the number of licensees with active licenses that would
qualify as

[[Page 71543]]

small under the SBA's small business size standard.
22. Lower 700 MHz Band Licenses. The lower 700 MHz band encompasses
spectrum in the 698-746 MHz frequency bands. Permissible operations in
these bands include flexible fixed, mobile, and broadcast uses,
including mobile and other digital new broadcast operation; fixed and
mobile wireless commercial services (including FDD- and TDD-based
services); as well as fixed and mobile wireless uses for private,
internal radio needs, two-way interactive, cellular, and mobile
television broadcasting services. Wireless Telecommunications Carriers
(except Satellite) is the closest industry with a SBA small business
size standard applicable to licenses providing services in these bands.
The SBA small business size standard for this industry classifies a
business as small if it has 1,500 or fewer employees. U.S. Census
Bureau data for 2017 show that there were 2,893 firms that operated in
this industry for the entire year. Of this number, 2,837 firms employed
fewer than 250 employees. Thus under the SBA size standard, the
Commission estimates that a majority of licensees in this industry can
be considered small.
23. According to Commission data as of December 2021, there were
approximately 2,824 active Lower 700 MHz Band licenses. The
Commission's small business size standards with respect to Lower 700
MHz Band licensees involve eligibility for bidding credits and
installment payments in the auction of licenses. For auctions of Lower
700 MHz Band licenses the Commission adopted criteria for three groups
of small businesses. A very small business was defined as an entity
that, together with its affiliates and controlling interests, has
average annual gross revenues not exceeding $15 million for the
preceding three years, a small business was defined as an entity that,
together with its affiliates and controlling interests, has average
gross revenues not exceeding $40 million for the preceding three years,
and an entrepreneur was defined as an entity that, together with its
affiliates and controlling interests, has average gross revenues not
exceeding $3 million for the preceding three years. In auctions for
Lower 700 MHz Band licenses seventy-two winning bidders claiming a
small business classification won 329 licenses, twenty-six winning
bidders claiming a small business classification won 214 licenses, and
three winning bidders claiming a small business classification won all
five auctioned licenses.
24. In frequency bands where licenses were subject to auction, the
Commission notes that as a general matter, the number of winning
bidders that qualify as small businesses at the close of an auction
does not necessarily represent the number of small businesses currently
in service. Further, the Commission does not generally track subsequent
business size unless, in the context of assignments or transfers,
unjust enrichment issues are implicated. Additionally, since the
Commission does not collect data on the number of employees for
licensees providing these services, at this time we are not able to
estimate the number of licensees with active licenses that would
qualify as small under the SBA's small business size standard.
25. Upper 700 MHz Band Licenses. The upper 700 MHz band encompasses
spectrum in the 746-806 MHz bands. Upper 700 MHz D Block licenses are
nationwide licenses associated with the 758-763 MHz and 788-793 MHz
bands. Permissible operations in these bands include flexible fixed,
mobile, and broadcast uses, including mobile and other digital new
broadcast operation; fixed and mobile wireless commercial services
(including FDD- and TDD-based services); as well as fixed and mobile
wireless uses for private, internal radio needs, two-way interactive,
cellular, and mobile television broadcasting services. Wireless
Telecommunications Carriers (except Satellite) is the closest industry
with a SBA small business size standard applicable to licenses
providing services in these bands. The SBA small business size standard
for this industry classifies a business as small if it has 1,500 or
fewer employees. U.S. Census Bureau data for 2017 show that there were
2,893 firms that operated in this industry for the entire year. Of that
number, 2,837 firms employed fewer than 250 employees. Thus, under the
SBA size standard, the Commission estimates that a majority of
licensees in this industry can be considered small.
26. According to Commission data as of December 2021, there were
approximately 152 active Upper 700 MHz Band licenses. The Commission's
small business size standards with respect to Upper 700 MHz Band
licensees involve eligibility for bidding credits and installment
payments in the auction of licenses. For the auction of these licenses,
the Commission defined a ``small business'' as an entity that, together
with its affiliates and controlling principals, has average gross
revenues not exceeding $40 million for the preceding three years, and a
``very small business'' an entity that, together with its affiliates
and controlling principals, has average gross revenues that are not
more than $15 million for the preceding three years. Pursuant to these
definitions, three winning bidders claiming very small business status
won five of the twelve available licenses.
27. In frequency bands where licenses were subject to auction, the
Commission notes that as a general matter, the number of winning
bidders that qualify as small businesses at the close of an auction
does not necessarily represent the number of small businesses currently
in service. Further, the Commission does not generally track subsequent
business size unless, in the context of assignments or transfers,
unjust enrichment issues are implicated. Additionally, since the
Commission does not collect data on the number of employees for
licensees providing these services, at this time we are not able to
estimate the number of licensees with active licenses that would
qualify as small under the SBA's small business size standard.
28. Advanced Wireless Services (AWS)--(1710-1755 MHz and 2110-2155
MHz bands (AWS-1); 1915-1920 MHz, 1995-2000 MHz, 2020-2025 MHz and
2175-2180 MHz bands (AWS-2); 2155-2175 MHz band (AWS-3); 2000-2020 MHz
and 2180-2200 MHz (AWS-4). Spectrum is made available and licensed in
these bands for the provision of various wireless communications
services. Wireless Telecommunications Carriers (except Satellite) is
the closest industry with a SBA small business size standard applicable
to these services. The SBA small business size standard for this
industry classifies a business as small if it has 1,500 or fewer
employees. U.S. Census Bureau data for 2017 show that there were 2,893
firms that operated in this industry for the entire year. Of this
number, 2,837 firms employed fewer than 250 employees. Thus, under the
SBA size standard, the Commission estimates that a majority of
licensees in this industry can be considered small.
29. According to Commission data as December 2021, there were
approximately 4,472 active AWS licenses. The Commission's small
business size standards with respect to AWS involve eligibility for
bidding credits and installment payments in the auction of licenses for
these services. For the auction of AWS licenses, the Commission defined
a ``small business'' as an entity with average annual gross revenues
for the preceding three years not exceeding $40 million, and a ``very
small business'' as an entity with average annual gross revenues for
the preceding three years not exceeding $15 million. Pursuant to these
definitions,

[[Page 71544]]

57 winning bidders claiming status as small or very small businesses
won 215 of 1,087 licenses. In the most recent auction of AWS licenses
15 of 37 bidders qualifying for status as small or very small
businesses won licenses.
30. In frequency bands where licenses were subject to auction, the
Commission notes that as a general matter, the number of winning
bidders that qualify as small businesses at the close of an auction
does not necessarily represent the number of small businesses currently
in service. Further, the Commission does not generally track subsequent
business size unless, in the context of assignments or transfers,
unjust enrichment issues are implicated. Additionally, since the
Commission does not collect data on the number of employees for
licensees providing these services, at this time we are not able to
estimate the number of licensees with active licenses that would
qualify as small under the SBA's small business size standard.
31. Broadband Radio Service and Educational Broadband Service.
Broadband Radio Service systems, previously referred to as Multipoint
Distribution Service (MDS) and Multichannel Multipoint Distribution
Service (MMDS) systems, and ``wireless cable,'' transmit video
programming to subscribers and provide two-way high speed data
operations using the microwave frequencies of the Broadband Radio
Service (BRS) and Educational Broadband Service (EBS) (previously
referred to as the Instructional Television Fixed Service (ITFS)).
Wireless cable operators that use spectrum in the BRS often
supplemented with leased channels from the EBS, provide a competitive
alternative to wired cable and other multichannel video programming
distributors. Wireless cable programming to subscribers resembles cable
television, but instead of coaxial cable, wireless cable uses microwave
channels.
32. In light of the use of wireless frequencies by BRS and EBS
services, the closest industry with a SBA small business size standard
applicable to these services is Wireless Telecommunications Carriers
(except Satellite). The SBA small business size standard for this
industry classifies a business as small if it has 1,500 or fewer
employees. U.S. Census Bureau data for 2017 show that there were 2,893
firms that operated in this industry for the entire year. Of this
number, 2,837 firms employed fewer than 250 employees. Thus under the
SBA size standard, the Commission estimates that a majority of
licensees in this industry can be considered small.
33. According to Commission data as December 2021, there were
approximately 5,869 active BRS and EBS licenses. The Commission's small
business size standards with respect to BRS involves eligibility for
bidding credits and installment payments in the auction of licenses for
these services. For the auction of BRS licenses, the Commission adopted
criteria for three groups of small businesses. A very small business is
an entity that, together with its affiliates and controlling interests,
has average annual gross revenues exceed $3 million and did not exceed
$15 million for the preceding three years, a small business is an
entity that, together with its affiliates and controlling interests,
has average gross revenues exceed $15 million and did not exceed $40
million for the preceding three years, and an entrepreneur is an entity
that, together with its affiliates and controlling interests, has
average gross revenues not exceeding $3 million for the preceding three
years. Of the ten winning bidders for BRS licenses, two bidders
claiming the small business status won 4 licenses, one bidder claiming
the very small business status won three licenses and two bidders
claiming entrepreneur status won six licenses. One of the winning
bidders claiming a small business status classification in the BRS
license auction has an active licenses as of December 2021.
34. The Commission's small business size standards for EBS define a
small business as an entity that, together with its affiliates, its
controlling interests and the affiliates of its controlling interests,
has average gross revenues that are not more than $55 million for the
preceding five (5) years, and a very small business is an entity that,
together with its affiliates, its controlling interests and the
affiliates of its controlling interests, has average gross revenues
that are not more than $20 million for the preceding five (5) years. In
frequency bands where licenses were subject to auction, the Commission
notes that as a general matter, the number of winning bidders that
qualify as small businesses at the close of an auction does not
necessarily represent the number of small businesses currently in
service. Further, the Commission does not generally track subsequent
business size unless, in the context of assignments or transfers,
unjust enrichment issues are implicated. Additionally, since the
Commission does not collect data on the number of employees for
licensees providing these services, at this time we are not able to
estimate the number of licensees with active licenses that would
qualify as small under the SBA's small business size standard.
35. The Educational Broadcasting Services. Cable-based educational
broadcasting services fall under the broad category of the Wired
Telecommunications Carriers industry. The Wired Telecommunications
Carriers industry comprises establishments primarily engaged in
operating and/or providing access to transmission facilities and
infrastructure that they own and/or lease for the transmission of
voice, data, text, sound, and video using wired telecommunications
networks. Transmission facilities may be based on a single technology
or a combination of technologies. Establishments in this industry use
the wired telecommunications network facilities that they operate to
provide a variety of services, such as wired telephony services,
including VoIP services; wired (cable) audio and video programming
distribution; and wired broadband internet services.
36. The SBA small business size standard for this industry
classifies businesses having 1,500 or fewer employees as small. U.S.
Census Bureau data for 2017 show that there were 3,054 firms in this
industry that operated for the entire year. Of this total, 2,964 firms
operated with fewer than 250 employees. Thus, under this size standard,
the majority of firms in this industry can be considered small.
Additionally, according to Commission data as of December 2021, there
were 4,477 active EBS licenses. The Commission estimates that the
majority of these licenses are held by non-profit educational
institutions and school districts and are likely small entities.
37. Radio and Television Broadcasting and Wireless Communications
Equipment Manufacturing. This industry comprises establishments
primarily engaged in manufacturing radio and television broadcast and
wireless communications equipment. Examples of products made by these
establishments are: transmitting and receiving antennas, cable
television equipment, GPS equipment, pagers, cellular phones, mobile
communications equipment, and radio and television studio and
broadcasting equipment. The SBA small business size standard for this
industry classifies businesses having 1,250 employees or less as small.
U.S. Census Bureau data for 2017 show that there were 656 firms in this
industry that operated for the entire year. Of this number, 624 firms
had fewer than 250 employees. Thus, under the SBA size

[[Page 71545]]

standard, the majority of firms in this industry can be considered
small.
38. Software Publishers. This industry comprises establishments
primarily engaged in computer software publishing or publishing and
reproduction. Establishments in this industry carry out operations
necessary for producing and distributing computer software, such as
designing, providing documentation, assisting in installation, and
providing support services to software purchasers. These establishments
may design, develop, and publish, or publish only. The SBA small
business size standard for this industry classifies businesses having
annual receipts of $41.5 million or less as small. U.S. Census Bureau
data for 2017 indicate that 7,842 firms in this industry operated for
the entire year. Of this number 7,226 firms had revenue of less than
$25 million. Based on this data, we conclude that a majority of firms
in this industry are small.
39. Noncommercial Educational (NCE) and Public Broadcast Stations.
Noncommercial educational broadcast stations and public broadcast
stations are television or radio broadcast stations which under the
Commission's rules are eligible to be licensed by the Commission as a
noncommercial educational radio or television broadcast station and are
owned and operated by a public agency or nonprofit private foundation,
corporation, or association; or are owned and operated by a
municipality which transmits only noncommercial programs for education
purposes.
40. The SBA small business size standards and U.S. Census Bureau
data classify radio stations and television broadcasting separately and
both categories may include both noncommercial and commercial stations.
The SBA small business size standard for both radio stations and
television broadcasting classify firms having $41.5 million or less in
annual receipts as small. For Radio Stations, U.S. Census Bureau data
for 2017 show that 1,879 of the 2,963 firms that operated during that
year had revenue of less than $25 million per year. For Television
Broadcasting, U.S. Census Bureau data for 2017 show that 657 of the 744
firms that operated for the entire year had revenue of less than
$25,000,000. While the U.S. Census Bureau data does not indicate the
number of non-commercial stations, we estimate that under the
applicable SBA size standard the majority of noncommercial educational
broadcast stations and public broadcast stations are small entities.
41. According to Commission data as of March 31, 2022, there were
4,503 licensed noncommercial educational radio and television stations.
In addition, the Commission estimates as of March 31, 2022, there were
384 licensed noncommercial educational (NCE) television stations, 383
Class A TV stations, 1,840 LPTV stations and 3,231 TV translator
stations. The Commission does not compile and otherwise does not have
access to financial information for these stations that permit it to
determine how many stations qualify as small entities under the SBA
small business size standards. However, given the nature of these
services, we will presume that all noncommercial educational and public
broadcast stations qualify as small entities under the above SBA small
business size standards.
42. Radio Stations. This industry is comprised of ``establishments
primarily engaged in broadcasting aural programs by radio to the
public.'' Programming may originate in their own studio, from an
affiliated network, or from external sources. The SBA small business
size standard for this industry classifies firms having $41.5 million
or less in annual receipts as small. U.S. Census Bureau data for 2017
show that 2,963 firms operated in this industry during that year. Of
this number, 1,879 firms operated with revenue of less than $25 million
per year. Based on this data and the SBA's small business size
standard, we estimate a majority of such entities are small entities.
43. The Commission estimates that as of March 31, 2022, there were
4,508 licensed commercial AM radio stations and 6,763 licensed
commercial FM radio stations, for a combined total of 11,271 commercial
radio stations. Of this total, 11,269 stations (or 99.98%) had revenues
of $41.5 million or less in 2021, according to Commission staff review
of the BIA Kelsey Inc. Media Access Pro Database (BIA) on June 1, 2022,
and therefore these licensees qualify as small entities under the SBA
definition. In addition, the Commission estimates that as of March 31,
2022, there were 4,119 licensed noncommercial (NCE) FM radio stations,
2,049 low power FM (LPFM) stations, and 8,919 FM translators and
boosters. The Commission however does not compile, and otherwise does
not have access to financial information for these radio stations that
would permit it to determine how many of these stations qualify as
small entities under the SBA small business size standard.
Nevertheless, given the SBA's large annual receipts threshold for this
industry and the nature of these radio station licensees, we presume
that all of these entities qualify as small entities under the above
SBA small business size standard.
44. We note, however, that in assessing whether a business concern
qualifies as ``small'' under the above definition, business (control)
affiliations must be included. Our estimate, therefore, likely
overstates the number of small entities that might be affected by our
action, because the revenue figure on which it is based does not
include or aggregate revenues from affiliated companies. In addition,
another element of the definition of ``small business'' requires that
an entity not be dominant in its field of operation. We are unable at
this time to define or quantify the criteria that would establish
whether a specific radio or television broadcast station is dominant in
its field of operation. Accordingly, the estimate of small businesses
to which the rules may apply does not exclude any radio or television
station from the definition of a small business on this basis and is
therefore possibly over-inclusive. An additional element of the
definition of ``small business'' is that the entity must be
independently owned and operated. Because it is difficult to assess
these criteria in the context of media entities, the estimate of small
businesses to which the rules may apply does not exclude any radio or
television station from the definition of a small business on this
basis and similarly may be over-inclusive.
45. FM Translator Stations and Low-Power FM Stations. FM
translators and Low Power FM Stations are classified in the industry
for Radio Stations. The Radio Stations industry comprises
establishments primarily engaged in broadcasting aural programs by
radio to the public. Programming may originate in their own studio,
from an affiliated network, or from external sources. The SBA small
business size standard for this industry classifies firms having $41.5
million or less in annual receipts as small. U.S. Census Bureau data
for 2017 show that 2,963 firms operated during that year. Of that
number, 1,879 firms operated with revenue of less than $25 million per
year. Therefore, based on the SBA's size standard we conclude that the
majority of FM Translator stations and Low Power FM Stations are small.
Additionally, according to Commission data, as of March 31, 2022, there
were 8,919 FM Translator Stations and 2,049 Low Power FM licensed
broadcast stations. The Commission however does not compile and
otherwise does not have access to information on the revenue of these
stations that would permit it to

[[Page 71546]]

determine how many of the stations would qualify as small entities. For
purposes of this regulatory flexibility analysis, we presume the
majority of these stations are small entities.
46. Television Broadcasting. This industry is comprised of
``establishments primarily engaged in broadcasting images together with
sound.'' These establishments operate television broadcast studios and
facilities for the programming and transmission of programs to the
public. These establishments also produce or transmit visual
programming to affiliated broadcast television stations, which in turn
broadcast the programs to the public on a predetermined schedule.
Programming may originate in their own studio, from an affiliated
network, or from external sources. The SBA small business size standard
for this industry classifies businesses having $41.5 million or less in
annual receipts as small. 2017 U.S. Census Bureau data indicate that
744 firms in this industry operated for the entire year. Of that
number, 657 firms had revenue of less than $25,000,000. Based on this
data we estimate that the majority of television broadcasters are small
entities under the SBA small business size standard.
47. The Commission estimates that as of March 31, 2022, there were
1,373 licensed commercial television stations. Of this total, 1,280
stations (or 93.2%) had revenues of $41.5 million or less in 2021,
according to Commission staff review of the BIA Kelsey Inc. Media
Access Pro Television Database (BIA) on June 1, 2022, and therefore
these licensees qualify as small entities under the SBA definition. In
addition, the Commission estimates as of March 31, 2022, there were 384
licensed noncommercial educational (NCE) television stations, 383 Class
A TV stations, 1,840 LPTV stations and 3,231 TV translator stations.
The Commission however does not compile, and otherwise does not have
access to financial information for these television broadcast stations
that would permit it to determine how many of these stations qualify as
small entities under the SBA small business size standard.
Nevertheless, given the SBA's large annual receipts threshold for this
industry and the nature of these television station licensees, we
presume that all of these entities qualify as small entities under the
above SBA small business size standard.
48. Cable and Other Subscription Programming. The U.S. Census
Bureau defines this industry as establishments primarily engaged in
operating studios and facilities for the broadcasting of programs on a
subscription or fee basis. The broadcast programming is typically
narrowcast in nature (e.g., limited format, such as news, sports,
education, or youth-oriented). These establishments produce programming
in their own facilities or acquire programming from external sources.
The programming material is usually delivered to a third party, such as
cable systems or direct-to-home satellite systems, for transmission to
viewers. The SBA small business size standard for this industry
classifies firms with annual receipts less than $41.5 million as small.
Based on U.S. Census Bureau data for 2017, 378 firms operated in this
industry during that year. Of that number, 149 firms operated with
revenue of less than $25 million a year and 44 firms operated with
revenue of $25 million or more. Based on this data, the Commission
estimates that the majority of firms operating in this industry are
small.
49. Cable System Operators (Rate Regulation Standard). The
Commission has developed its own small business size standard for the
purpose of cable rate regulation. Under the Commission's rules, a
``small cable company'' is one serving 400,000 or fewer subscribers
nationwide. Based on industry data, there are about 420 cable companies
in the U.S. Of these, only seven have more than 400,000 subscribers. In
addition, under the Commission's rules, a ``small system'' is a cable
system serving 15,000 or fewer subscribers. Based on industry data,
there are about 4,139 cable systems (headends) in the U.S. Of these,
about 639 have more than 15,000 subscribers. Accordingly, the
Commission estimates that the majority of cable companies and cable
systems are small.
50. Cable System Operators (Telecom Act Standard). The
Communications Act of 1934, as amended, contains a size standard for a
``small cable operator,'' which is ``a cable operator that, directly or
through an affiliate, serves in the aggregate fewer than one percent of
all subscribers in the United States and is not affiliated with any
entity or entities whose gross annual revenues in the aggregate exceed
$250,000,000.'' For purposes of the Telecom Act Standard, the
Commission determined that a cable system operator that serves fewer
than 677,000 subscribers, either directly or through affiliates, will
meet the definition of a small cable operator based on the cable
subscriber count established in a 2001 Public Notice. Based on industry
data, only six cable system operators have more than 677,000
subscribers. Accordingly, the Commission estimates that the majority of
cable system operators are small under this size standard. We note
however, that the Commission neither requests nor collects information
on whether cable system operators are affiliated with entities whose
gross annual revenues exceed $250 million. Therefore, we are unable at
this time to estimate with greater precision the number of cable system
operators that would qualify as small cable operators under the
definition in the Communications Act.
51. Satellite Telecommunications. This industry comprises firms
``primarily engaged in providing telecommunications services to other
establishments in the telecommunications and broadcasting industries by
forwarding and receiving communications signals via a system of
satellites or reselling satellite telecommunications.'' Satellite
telecommunications service providers include satellite and earth
station operators. The SBA small business size standard for this
industry classifies a business with $35 million or less in annual
receipts as small. U.S. Census Bureau data for 2017 show that 275 firms
in this industry operated for the entire year. Of this number, 242
firms had revenue of less than $25 million. Additionally, based on
Commission data in the 2021 Universal Service Monitoring Report, as of
December 31, 2020, there were 71 providers that reported they were
engaged in the provision of satellite telecommunications services. Of
these providers, the Commission estimates that approximately 48
providers have 1,500 or fewer employees. Consequently using the SBA's
small business size standard, a little more than of these providers can
be considered small entities.
52. All Other Telecommunications. This industry is comprised of
establishments primarily engaged in providing specialized
telecommunications services, such as satellite tracking, communications
telemetry, and radar station operation. This industry also includes
establishments primarily engaged in providing satellite terminal
stations and associated facilities connected with one or more
terrestrial systems and capable of transmitting telecommunications to,
and receiving telecommunications from, satellite systems. Providers of
internet services (e.g. dial-up ISPs) or voice over internet protocol
(VoIP) services, via client-supplied telecommunications connections are
also included in this industry. The SBA small business size standard
for this industry classifies firms with annual receipts of $35 million
or less as small. U.S. Census Bureau data for 2017 show that there

[[Page 71547]]

were 1,079 firms in this industry that operated for the entire year. Of
those firms, 1,039 had revenue of less than $25 million. Based on this
data, the Commission estimates that the majority of ``All Other
Telecommunications'' firms can be considered small.
53. Direct Broadcast Satellite (``DBS'') Service. DBS service is a
nationally distributed subscription service that delivers video and
audio programming via satellite to a small parabolic ``dish'' antenna
at the subscriber's location. DBS is included in the Wired
Telecommunications Carriers industry which comprises establishments
primarily engaged in operating and/or providing access to transmission
facilities and infrastructure that they own and/or lease for the
transmission of voice, data, text, sound, and video using wired
telecommunications networks. Transmission facilities may be based on a
single technology or combination of technologies. Establishments in
this industry use the wired telecommunications network facilities that
they operate to provide a variety of services, such as wired telephony
services, including VoIP services, wired (cable) audio and video
programming distribution; and wired broadband internet services. By
exception, establishments providing satellite television distribution
services using facilities and infrastructure that they operate are
included in this industry.
54. The SBA small business size standard for Wired
Telecommunications Carriers classifies firms having 1,500 or fewer
employees as small. U.S. Census Bureau data for 2017 show that 3,054
firms operated in this industry for the entire year. Of this number,
2,964 firms operated with fewer than 250 employees. Based on this data,
the majority of firms in this industry can be considered small under
the SBA small business size standard. According to Commission data
however, only two entities provide DBS service--DIRECTV (owned by AT&T)
and DISH Network, which require a great deal of capital for operation.
DIRECTV and DISH Network both exceed the SBA size standard for
classification as a small business. Therefore, we must conclude based
on internally developed Commission data, in general DBS service is
provided only by large firms.

D. Description of Projected Reporting, Recordkeeping, and Other
Compliance Requirements for Small Entities

55. We expect the actions proposed in the NPRM, if adopted, will
impose additional reporting, recordkeeping and/or other compliance
obligations on small as well as other entities who are EAS Participants
and Participating CMS Providers. More specifically, if adopted, EAS
Participants and Participating CMS Providers would be required to
annually certify to creating, updating, and implementing a
cybersecurity risk management plan to ensure the confidentiality,
integrity, and availability of their respective alerting systems. The
cybersecurity risk management plan must contain among other things, a
description of how organizational resources are employed to ensure the
confidentiality, integrity, and availability of the alerting system.
Further, any incident involving the unauthorized access to EAS
equipment, communications systems, or services, regardless of whether
the event resulted in the transmission of a false alert would require
EAS Participants to report the unauthorized access to the Commission
within 72 hours of when the EAS Participant knew or should have known
that an incident has occurred. The Commission also seeks comment on
whether and how to strengthen the operational readiness of the EAS.
56. In assessing the cost of compliance with our proposed rule to
create a cybersecurity risk management plan, we estimate the cost for
each small EAS Participant and each Participating CMS Providers to be
approximately $820. These costs are based on 10 hours of labor at $82
an hour and apply to all EAS Participants and Participating CMS
Providers not just small entities. We anticipate however, that many
small EAS Participants and Participating CMS Providers will not require
10 hours to develop or update a cybersecurity risk management plan
tailored to the size of their organization. The cost for reporting an
unauthorized access incident we believe would be similar to the cost of
reporting a false alert, which the Commission has estimated to have a
total cost of $11,600 per year across 290 EAS Participants. This total
cost when apportioned to each EAS Participant comes out to
approximately $40 per EAS Participant.
57. We estimate a $9.2 million one-time cost for all Participating
CMS Providers, not just small providers, to update the WEA standards
and software necessary to comply with our proposed rule that
Participating CMS Providers transmit sufficient authentication
information to allow mobile devices to present WEA alerts only if they
come from valid base stations. This figure consists of approximately a
$500,000 cost to update applicable WEA standards and approximately an
$8.7 million cost to update applicable software. We quantify the cost
of modifying standards as the annual compensation for 30 network
engineers compensated at the national average for their field ($85,816/
year; $41.26/hour), plus annual benefits ($26,775/year; 12.87/hour)
working for the amount of time that it takes to develop a standard (one
hour every other week for one year, 26 hours) for 12 distinct
standards. We quantify the cost of modifying software as the annual
compensation for a software engineer compensated at the national
average for their field ($86,998/year), plus annual benefits ($27,143/
year) working for the amount of time that it takes to develop software
(one year) at each of the 76 CMS Providers that participate in WEA.
58. At this time the Commission cannot quantify the cost of
compliance for small entities to comply with the other proposals or
approaches on which it seeks comment in the NPRM. We believe that the
modifications to improve and enhance the security of the EAS that we
discuss in the NPRM are the most efficient and least burdensome
approach and do not believe small entities will have to hire
professionals to meet the requirements discussed in the NPRM, if
adopted. To help the Commission more fully evaluate the cost of
compliance for small entities should our proposals be adopted, in the
NPRM, we request comments on the cost implications of our proposals and
ask whether there are more efficient and less burdensome alternatives
(including cost estimates) for the Commission to consider. We expect
the information we receive in comments including cost and benefit
analyses, will help the Commission identify and evaluate relevant
matters for small entities, including compliance costs and other
burdens that may result from the proposals and inquiries we make in the
NPRM.

E. Steps Taken To Minimize the Significant Economic Impact on Small
Entities, and Significant Alternatives Considered

59. The RFA requires an agency to describe any significant,
specifically small business alternatives that it has considered in
reaching its proposed approach, which may include (among others) the
following four alternatives: (1) the establishment of differing
compliance or reporting requirements or timetables that take into
account the resources available to small entities; (2) the
clarification, consolidation, or simplification of compliance or
reporting requirements under the rule for such small entities; (3) the
use of performance, rather than design, standards; and (4) and
exemption from

[[Page 71548]]

coverage of the rule, or any part thereof, for such small entities.
60. The Commission has taken steps to minimize the impact of the
proposals in the NPRM as a general matter, and specifically targeting
small entities, has sought comment on the extent to which we can limit
the overall economic impact of these proposed requirements if we
provide increased flexibility for businesses classified as small under
the SBA small business size standard. Below we discuss actions taken
and alternatives considered by the Commission for the rules proposed
promoting the operational readiness of EAS equipment, improving
awareness of unauthorized access to EAS equipment, communications
systems, and services, and requiring the development, implementation,
and certification of a cybersecurity risk management plan.
61. To further the Commission's objectives to promote EAS equipment
operational readiness, in the NPRM we seek comment on whether to
require EAS Participants to repair EAS equipment with prompt and
reasonable diligence, on whether the EAS Participants should notify the
Commission of the status of their repairs, and, if so, on the timing,
content, and means of that notification.
62. We seek comment on whether a compliance timeframe of 30 days
from publication in the Federal Register of notice that the Office of
Management and Budget (OMB) has completed its review of the modified
information collection to improve the Commission's visibility into the
repair or replacement of non-operational EAS equipment would not impose
a burden on small entities. Small and other EAS Participants currently
make entries in their broadcast station logs and cable system records
showing the date and time equipment was removed and restored to
service, and therefore already have processes and procedures in place
to record information about the operational status of their EAS
equipment in station logs that could be utilized for the proposed
notification requirement. In the event that the Commission were to
alternatively require this notification to be provided through NORS,
the requirement would become effective within 30 days from publication
in the Federal Register of notice that the OMB has approved the
modified information collection or upon publication in the Federal
Register of a Public Notice announcing that NORS is technically capable
of receiving such notifications, whichever is later. Similarly, this
requirement should not impose a burden on small entities for the reason
stated above and since EAS Participants are already likely to be using
NORS.
63. Our approach to improving awareness of unauthorized access to
EAS equipment, communications systems, and services relies on our
belief that significant public safety benefits will accrue if EAS
Participants were required to provide the Commission with notification
that their EAS equipment, communications systems, and services have
been accessed without authorization, even in the absence of a
subsequent transmission of a false alert. The reporting requirement we
proposed in the NPRM requiring EAS Participants to provide notification
to the Commission via NORS within 72 hours of when an EAS Participant
knew or should have known that an incident has occurred should result
in low marginal costs for small and other EAS participants since our
requirement parallels the reporting obligations EAS Participants may
have to other government agencies that require critical infrastructure
sector entities to report cyber incidents. This would allow the
requirement to be satisfied by reporting substantially similar
information to another federal agency in a similar timeframe. We
believe the cost to report unauthorized access is comparable to the
cost of reporting false alerts which further supports our belief that
these costs will be relatively low for small and other EAS
Participants. In the NPRM we have requested comments and cost and
benefit analyses on our proposal and beliefs. In addition, we have
requested alternative proposals (accompanied by cost analyses) for
unauthorized access reporting requirements that would be less costly
for small and other EAS Participants while producing similar or greater
benefits.
64. The requirement for EAS Participants to report any incident of
unauthorized access of its EAS equipment, communications systems, or
services would be effective 60 days from publication in the Federal
Register of notice that the OMB has approved the modified information
collection. Since we consider the requirement to report unauthorized
access similar to the Commission's false alert reporting requirement,
there are likely to be compliance synergies for small and other EAS
Participants, and less of a burden than there would be in the absence
of the similarity. We therefore seek comment in the NPRM on whether an
EAS Participant's process for ascertaining whether an incident of
unauthorized access of its EAS equipment, communications systems, or
services has occurred and reporting it to the Commission entails a
level of effort comparable to compliance with the Commission's false
alert reporting requirement.
65. To further explore the impact of the cybersecurity risk
management plan requirement proposed in the NPRM which requires small
and other EAS Participants and Participating CMS Providers to create,
implement, and annually update a cybersecurity risk management plan and
submit an annual certification attesting to compliance with
requirement, Commission seeks comment on steps that it could take to
limit various burdens. In particular, the Commission requests comment
on whether the steps that it describes for EAS Participants and
Participating CMS Providers to submit their risk management plans are
the most efficient way to implement a certification requirement. In the
NPRM, we propose to afford each EAS Participant and Participating CMS
Provider the flexibility to include content in its plan that is
tailored to its organization, provided that the plan demonstrates how
the EAS Participant or Participating CMS Provider identifies the cyber
risks that they face, the controls they use to mitigate those risks,
and how they ensure that these controls are applied effectively to
their operations.
66. The Commission also proposes to require that each plan include
security controls sufficient to ensure the confidentiality, integrity,
and availability (CIA) of the EAS. While we believe there are numerous
methods to satisfy this aspect of the requirement, we have proposed to
allow the requirement to be satisfied by providing evidence of the
successful implementation of an established set of cybersecurity best
practices, such as applicable Center for internet Security (CIS)
Critical Security Controls or the Cybersecurity & Infrastructure
Security Agency (CISA) Cybersecurity Baseline. We believe adopting this
flexible approach will allow EAS Participants and Participating CMS
Providers to develop a plan that is appropriate for their
organization's size and available resources, while still ensuring that
the plan results in ongoing and material improvements in EAS and WEA
security. The Commission anticipates that this flexibility will reduce
the costs imposed on small business EAS Participants and Participating
CMS Providers, which will have different cybersecurity needs than
larger EAS Participants and Participating CMS Providers, respectively.
We do note, however, that to ensure that every EAS

[[Page 71549]]

Participant implements a baseline of security controls, the Commission
proposes to require that each plan include certain security measures:
changing default passwords prior to operation, installing security
updates in a timely manner, securing equipment behind properly
configured firewalls or using other segmentation practices, requiring
multifactor authentication where applicable, addressing the replacement
of end-of-life equipment, and wiping, clearing, or encrypting user
information before disposing of old devices.
67. The Commission proposes to require compliance with the
requirement to implement a cybersecurity risk management plan and
certification within twelve months of the publication in the Federal
Register of notice that the OMB has approved the modified information
collection. We recognize that larger EAS Participants are likely to
already have cybersecurity risk management plans in place. We ask
whether we should allow small entities a two-year timeframe to
implement this requirement. The two-year timeframe should provide
sufficient time for small EAS Participants and small Participating CMS
Providers that do not already have a risk management plan in place to
create one. The timeframe would also be sufficient to prepare their
organizations to manage security and privacy risks, categorize their
systems and the information being processed, stored, and transmitted,
and select controls to protect their systems. Further, a two-year
timeframe would provide time for these entities to implement the
security controls that the plan describes, assess whether the controls
are in place, operating as intended, and producing the desired results,
appoint a senior official to authorize the system, and develop
mechanisms to continuously monitor control implementation and risks to
the system.
68. In the NPRM, the Commission identifies alternative approaches
on several matters that might minimize the economic impact for small
entities. For example, the Commission requests alternatives to
providing a second notification to the Commission once repairs of EAS
equipment have been completed, and the EAS Participant's EAS systems
have been tested and determined to once again be fully functional. The
Commission seeks comment on potential alternatives to, and additional
aspects of, the discussed approach, as well as their accompanying costs
and benefits. The Commission recommends that EAS Participants file the
required notifications regarding EAS equipment failures and repairs in
the NORS database, but requests comment on other means EAS Participants
could use to submit the notifications such as via email to a designated
email address.
69. The Commission expects to more fully consider the economic
impact and alternatives for small entities following the review of
comments filed in response to the NPRM, including costs and benefits
analyses. Having data on the costs and economic impacts of proposals
and approaches will allow the Commission to better evaluate options and
alternatives for minimization of any significant economic impact on
small entities as a result of the proposals and approaches raised in
the NPRM. The Commission's evaluation of this information will shape
the final alternatives it considers to minimize any significant
economic impact that may occur on small entities, the final conclusions
it reaches, and any final rules it promulgates in this proceeding.

F. Federal Rules That May Duplicate, Overlap, or Conflict With the
Proposed Rules

70. None.

II. Notice of Proposed Rulemaking

A. Promoting the Operational Readiness of EAS Equipment

71. We observe that, according to the Bureau's last nationwide EAS
test report, an appreciable number of EAS Participants were unable to
participate in testing due to equipment failure--despite advance notice
that such test was to take place--suggesting that equipment failures
are not addressed by EAS Participants as swiftly as reasonably possible
and that more needs to be done to improve EAS operational readiness.
Today, EAS Participants may continue operations for a period of 60 days
despite having defective equipment that preclude their participation in
EAS. We seek comment on whether this approach is effective at ensuring
the operational readiness of EAS. How frequently does EAS equipment
encounter defects that prevent it from receiving or retransmitting
alerts? What are the most common types of defects that are experienced?
What steps are necessary to repair these defects, and how often do they
typically take to repair? Do EAS Participants take prompt steps to
repair their EAS equipment, or do they typically take several days or
weeks before seeking repairs? Do other EAS stakeholders, such as alert
originators, have concerns about equipment failures preventing the
transmission of emergency alerts to the public? We encourage commenters
to highlight any specific incidences in which an EAS equipment defect
prevented members of the public from being alerted to an emergency.
72. We seek comment on how to better promote the operational
readiness of EAS equipment. For example, instead of requiring repairs
within 60 days, would it serve the public interest to require EAS
Participants to conduct repairs promptly and with reasonable diligence?
Are all EAS Participants already doing so? If so, what are the reasons
why some EAS Participants are not able to conduct repairs promptly and
diligently? What factors should we consider when determining whether
repairs are made promptly and with reasonable diligence? What barriers
prevent equipment from being repaired promptly and what steps can we
take to remove those barriers?
73. Would it improve EAS operational readiness and public safety in
general to increase the situational awareness of the Commission, alert
originators, and others about the occurrence of equipment defects that
might prevent alerts from reaching the public? For example, would such
an approach allow us to better enforce our operational readiness rules
and identify persistent technical problems, and make contingency plans
for alert delivery? If so, should we adopt an EAS equipment defect
notification requirement? For example, should we require EAS
Participants to report EAS equipment defects and submit a follow-up
notification when the equipment is repaired? Within what timeframe
should they perform that notification to ensure that stakeholders are
aware of possible impacts on EAS (e.g. 24 hours)? What content should
the notification contain? For example, should notifications include the
same information that is already included in requests for additional
repair time that are required sent to the Regional Director of the FCC
field office for the area that the EAS Participant serves? We seek
comment on how, if at all, the Commission should share information to
promote situational awareness among relevant stakeholders, such as
alert originators State Emergency Communications Committees. We also
seek comment on whether to treat this information as confidential and,
if so, how to protect it. Are there other steps that we should take to
better ensure that EAS is ready and available when it is needed?
74. We seek comment on any measures that the Commission could take
to reduce burdens on EAS Participants if it were to take further

[[Page 71550]]

steps to promote the operational readiness of EAS equipment. Should we
remove the requirement under Sec. 11.35(b) that EAS Participants make
entries in their own broadcast station log and cable system records
showing the date and time the equipment was removed and restored to
service? Would the elimination of the ``60 day'' rule in favor of a
prompt repair rule reduce certain burdens on EAS Participants? We seek
comments on the costs of any approaches to improving EAS operational
readiness that commenters propose that we consider. In doing so,
commenters should offer specific cost estimates where possible. For
example, we seek comment on whether it would be reasonable to estimate
that EAS Participants would transmit a maximum of 2,000 EAS equipment
defect notifications annually under the approach discussed above, as
565 EAS Participants reported their equipment was defective during the
2021 Nationwide EAS Test? Would it be reasonable to estimate that 2,000
annual notifications would require one hour of labor each from a
General and Operations Manager who is compensated at $82 per hour,
resulting in an overall cost of $164,000? We seek similarly detailed
analysis on potential alternatives to improve EAS operational
readiness.

B. Improving Awareness of Unauthorized Access to EAS Equipment

75. Section 11.45(b) of the Commission's rules requires that an EAS
Participant notify the Commission by email within 24 hours of its
discovery that it has transmitted or otherwise sent a false alert to
the public, including details concerning the event. We believe that it
would be in the public interest to strengthen this rule in view of the
increasing threats that cyber attacks pose to EAS networks and
equipment. Accordingly, we propose to revise this rule to further
require that an EAS Participant report any incident of unauthorized
access of its EAS equipment (i.e., regardless of whether that
compromise has resulted in the transmission of a false alert), to the
Commission via NORS within 72 hours of when it knew or should have
known that an incident has occurred and provide details concerning the
incident. We seek comment on this proposal.
76. We observe that protecting EAS equipment alone is unlikely to
be sufficient to protect the EAS from a cyber attack. Even without
directly accessing an EAS Participant's EAS equipment, a bad actor
could send a false alert or prevent a legitimate alert with lifesaving
information from reaching the public by gaining unauthorized access to
EAS Participants' communications systems and services. For this reason,
we also propose to require that an EAS Participant report any incident
of unauthorized access to any aspects of an EAS Participant's
communications systems and services that potentially could affect their
provision of EAS. This would include infrastructure that serves to
prevent unauthorized access to EAS equipment, including firewalls and
Virtual Private Networks. We seek comment on this proposal and on any
suitable alternatives.
77. We believe the proposed rule is justified in light of the
instances of false EAS alerts in recent years, caused by compromised
EAS equipment being used to transmit a false message. As recounted
above, we are aware of several situations in the past decade in which
bad actors were either capable of obtaining, or actually obtained
unauthorized access to EAS equipment. We seek comment on these views.
Are there any other past or present security incidents involving EAS
about which the Commission should be aware? Does unauthorized access to
EAS equipment provide bad actors with the ability to disrupt EAS
Participants' regularly scheduled programming, which has the potential
to inflict financial harm in relation to their advertisers and
reputational harm with their audiences? Are there any other kinds of
harms resulting from unauthorized access to EAS equipment that the
Commission should consider?
78. We believe significant public safety benefits would accrue if
EAS Participants were required to provide the Commission with
notification that their EAS equipment, communications systems, or
services have been accessed without authorization, even in the absence
of a subsequent transmission of a false alert. This view is based on
our observation that, after a system is compromised, many attackers
will position themselves to attack connected systems in several
different ways. For example, we have observed that it is characteristic
of some cyber attacks that an attacker will start by compromising one
device and then, prior to launching a specific attack, spend time and
effort to identify and compromise other devices in the network,
potentially using the initially comprised device as an access point to
other devices. The Commission could use the proposed notifications to
work with providers and other government agencies to resolve an
equipment compromise before the compromise is actually exploited to
cause false EAS transmissions in at least some instances. We further
believe that the Commission could leverage information on the frequency
and nature of equipment compromise to better understand the prevalence
and trends associated such attacks across the nation. The Commission
and its government partners would thus be better apprised of the risks
posed to EAS and in a position to use this information to inform
further measures that might be necessary to secure EAS.
79. We seek comment on these views, including detailed information
as to the associated costs and benefits of the proposed approach. For
example, what would be a reasonable estimate of the financial harm that
such a cyber attack would inflict upon an EAS Participant, and how
should such estimates be calculated? We believe the cost of reporting
an unauthorized access incident would tend to be similar to the cost of
reporting a false alert, which the Commission has estimated to have a
total cost of $11,600 per year across all EAS Participants. We seek
comment on that estimate. Are EAS Participants already conducting
investigations and gathering information about suspected incidents of
unauthorized access to EAS equipment, communications systems, and
services? Are there less costly alternatives to an unauthorized access
reporting requirement that would achieve similar or greater benefits?
We believe that the marginal costs of an unauthorized access reporting
requirement are likely to be low, as the requirement parallels the
requirements of an upcoming CISA rulemaking. Specifically, CISA is
required by the Cyber Incident Reporting for Critical Infrastructure
Act of 2022 (CIRCIA) to adopt rules requiring critical infrastructure
sector entities to report cyber incidents, but allows the requirement
to be satisfied by reporting substantially similar information to
another federal agency in a similar timeframe. We seek comment on that
belief.
80. We propose to define ``unauthorized access'' to EAS equipment,
communications systems, and services for the purposes of today's
proposal to refer to any incident involving either remote or local
access to EAS equipment, communications systems, or services by an
individual or other entity that either does not have permission to
access the equipment or exceeds their authorized access. We seek
comment on this definition. For example, does this proposed definition
mirror the methods that have been, and are likely to be, used by cyber-
attackers to infiltrate EAS? We seek comment on whether it is
appropriate to require that

[[Page 71551]]

EAS Participants provide notification to the Commission within 72 hours
of when they knew or should have known that an incident has occurred.
Is this time frame appropriate or would it, for example, put undue
pressure on EAS Participants at a critical time when they may be
attempting to fully diagnose and resolve the compromise to their
systems? On the other hand, is this time frame too slow to provide the
Commission and government partners with timely notice of an incident?
For example, consistent with the NORS reporting deadlines for
interconnected VoIP outages, should the Commission be notified within
24 hours of a reasonable belief that an incident has occurred? In the
alternative, should we require EAS Participants to provide notification
to the Commission within 72 hours of ``its reasonable belief that an
incident has occurred,'' consistent with the approach to cyber incident
reporting outlined by CIRCIA? Or, would this approach create
disincentives for a provider to monitor the security of its own
network? Would any alternative approach be more effective? Similar to
what is contemplated by CIRCIA, should EAS Participants be required to
submit updates to the Commission if substantial new or different
information becomes available, until the date that the Commission is
notified that the incident has concluded and been fully mitigated and
resolved? Is the overall approach we propose today consistent with the
incident reporting requirements of other federal and state government
agencies, and if not, how should our proposal be harmonized to be more
consistent with those requirements?
81. We seek comment on the kinds of information that should be
included in reports of unauthorized access. We propose that reports
include, to the extent it is applicable and available at the time of
reporting, the date range of the incident, a description of the
unauthorized access, the impact to the EAS Participant's EAS
operational readiness, a description of the vulnerabilities exploited
and the techniques used to access the device, identifying information
for each actor responsible for the incident, and contact information
for the EAS Participant. We believe this information is necessary to
understand the unauthorized access incident, resolve it before the
compromise is actually exploited to send a false alert, and harmonize
our requirements with those of other federal agencies. We seek comment
on the proposed content of these reports and whether it should be
modified. We propose that the contents of these reports be treated as
presumptively confidential and only shared on a confidential basis with
other Federal agencies and state government agencies that agree to
protect them to the same extent and in the same manner as the
Commission would and, to the extent that the policies or regulations of
those agencies are stricter, to the same extent and in the same manner
as they would if they had collected the information themselves. We also
propose to allow disclosure by the Commission, or by parties with whom
the Commission has shared the notifications, of anonymized information
about breaches that might be useful for industry, security researchers,
policymakers, and the general public. We seek comment on this approach
to cyber incident information sharing.
82. We seek comment on how these reports should be submitted to the
Commission. Should they be submitted to the FCC Operation Center by
email, in similar fashion to the false alert reports that EAS
Participants are already required to file with the Commission? Should
these reports be submitted in NORS to better capture the required
contents in clearly defined fields and more easily facilitate sharing
with federal partners? Or should we develop a new electronic database
to collect the content of the reports? Are there other approaches we
should consider? What are the costs and benefits associated with each
approach? We seek comment on whether Participating CMS Providers should
also be required to report incidents of unauthorized access to their
WEA systems, or services. Similar to EAS, we believe that such a
requirement would allow the Commission and its government partners to
better identify and evaluate risks posed to EAS and inform further
measures that might be necessary to secure WEA. Should reports be
required in the same timeframe and with the same content as proposed
for EAS? Are there any differences between EAS and WEA that would
warrant differing unauthorized access reporting requirements for WEA?
If so, what are those differences and how should the requirements be
modified to reflect them?

C. Protecting the Nation's Alerting Systems Through the Development,
Implementation, and Certification of a Cybersecurity Risk Management
Plan

1. EAS Security
83. As discussed above, the EAS has faced cybersecurity risks for
more than a decade, with PSHSB regularly advising EAS Participants to
follow cybersecurity best practices and take other steps to improve
their cybersecurity posture. Despite these admonitions, however, we
have not observed meaningful security improvements. For example, PSHSB
has frequently advised EAS Participants to update their EAS software to
ensure that they have installed the most recent security patches,
including one such round of outreach in 2020 after the discovery that
certain EAS equipment was potentially vulnerable to IP-based attacks.
However, in filings related to the Nationwide EAS Test in August 2021,
the Bureau observed that more than 5,000 EAS Participants were using
outdated software or using equipment that no longer supported regular
software updates. In light of these failures, we believe the Commission
should take action to ensure the security of EAS.
84. We propose to require EAS Participants to submit an annual
certification attesting that they have created, updated, and
implemented a cybersecurity risk management plan. The cybersecurity
risk management plan would describe how the EAS Participant employs
their organizational resources and processes to ensure the
confidentiality, integrity, and availability of the EAS. The plan must
discuss how the EAS Participant identifies the cyber risks that they
face, the controls they use to mitigate those risks, and how they
ensure that these controls are applied effectively to their operations.
We believe that this certification requirement would improve the
overall security of EAS by ensuring that EAS Participants are regularly
taking steps to address security threats as part of their
organization's day-to-day strategic and operational planning. We also
believe the creation and implementation of cybersecurity risk
management plans would help to ensure EAS operational readiness and
eliminate false alerts, which divert public safety and other government
resources from other important activities, impose costs on EAS
Participants that have to deal with many of the consequences and,
ultimately, desensitize the public to legitimate alerts. We seek
comment on this proposal. Do stakeholders agree this proposal would
improve the security of the EAS? Are there other benefits that may
accrue from the creation and implementation of cybersecurity risk
management plans by EAS Participants? Is an annual certification the
right frequency with which to file certifications, or are there
circumstances

[[Page 71552]]

where more (or less) frequent filings might be necessary?
85. We propose to afford each EAS Participant flexibility to
structure its plan in a manner that is tailored to its organization,
provided that the plan demonstrate that the EAS Participant is taking
affirmative steps to analyze security risks and improve its security
posture. While we believe there are many ways for EAS Participants to
satisfy this requirement, we propose that EAS Participants can
successfully demonstrate that they have satisfied this requirement by
structuring their plans to follow an established risk management
framework, such as the National Institute of Standards and Technology
(NIST) Risk Management Framework or the NIST Cybersecurity Framework.
We believe this flexible approach would allow EAS Participants to
develop a plan that is appropriate for their organization's size and
available resources, while still ensuring that the plan results in
ongoing and material improvements in EAS security. We also anticipate
that this requirement would reduce the costs imposed on smaller EAS
Participants, which may have different cybersecurity needs than larger
EAS Participants. We seek comment on this proposal. Alternatively,
should we require EAS Participants to structure their plans to follow
the NIST Risk Management Framework or the NIST Cybersecurity Framework?
If so, should we require EAS Participants to follow the current version
of each framework (i.e., Risk Management Framework for Information
Systems and Organizations, NIST Special Publication 800-37, Revision 2;
NIST Cybersecurity Framework V1.1)? If we take this approach, we
anticipate that NIST may one day release updated versions of these
frameworks, and we would then expect to seek notice and comment on
whether we should require EAS Participants to follow the updated
versions. We seek comment on this approach.
86. We propose that each cybersecurity risk management framework
include security controls sufficient to ensure the confidentiality,
integrity, and availability (CIA) of the EAS. We expect that reasonable
security measures will include measures that are commonly the subject
of best practices. While we believe there are potentially many ways for
EAS Participants to satisfy this aspect of the requirement, we propose
that EAS Participants will have satisfied it if they demonstrate they
have successfully implemented an established set of cybersecurity best
practices, such as applicable CIS Critical Security Controls or the
CISA Cybersecurity Baseline. To ensure that every EAS Participant
implements a baseline of security controls, however, we propose to
require that each plan include security measures that address changing
default passwords prior to operation, installing security updates in a
timely manner, securing equipment behind properly configured firewalls
or using other segmentation practices, requiring multifactor
authentication where applicable, addressing the replacement of end-of-
life equipment, and wiping, clearing, or encrypting user information
before disposing of old devices. We expect that compliant cybersecurity
risk management plans will not be limited to only these specific
measures, as plans will vary based on individual providers' needs and
circumstances and will need regular updates to keep up with an evolving
threat environment. We seek comment on these proposed rules. Are there
other specific security measures that we should require EAS
Participants to implement? For example, should we require EAS
Participants to conduct network security audits or vulnerability
assessments to identify potential security vulnerabilities? If so, how
often should they be conducted? Should we require EAS Participants to
report to the Commission when their network audits, network
vulnerability assessments, or penetration testing reports reveal
critical vulnerabilities? If so, how should we define a ``critical
vulnerability'' for this purpose? Should we require EAS Participants to
implement Incident Response Plans that describe how the procedures that
EAS Participants would follow when respond to an ongoing cybersecurity
incident? Should we require EAS Participants to conduct cybersecurity
training for their employees or contractors and if so, what should the
contents of that training be? What kinds of security measures have EAS
Participants already implemented to protect the EAS, and how effective
are they at mitigating cybersecurity risks? Should we require EAS
Participants to keep records that demonstrate how they have implemented
each of the baseline security controls? If so, what specific types of
information should the records include and for how long should they be
kept? Have EAS Participants identified unsuccessful attempts to access
their systems, and if so, what specific security measures best thwarted
those attempts?
87. Does this approach strike the appropriate balance between
improving EAS security, complementing EAS Participants' existing
cybersecurity activities, and reducing burdens on small EAS
Participants? If not, how should this requirement be modified to
achieve that balance? We seek comment on whether this approach grants
too much flexibility and will not result in improvements to EAS
security. We also seek comment on alternative approaches that would be
effective at improving EAS security. For example, should we require EAS
Participants to address a specified list of cybersecurity subject
matters in their risk management plans? Instead of requiring the use of
a risk management plan, should we require EAS Participants to take
specific steps to secure their EAS equipment? If so, could such a
requirement be drafted in a way to encourage EAS Participants to
continually examine and improve their cybersecurity posture, rather
than merely check items off a list? Is our proposed certification
requirement too burdensome on small EAS Participants? If so, what would
be a more cost-effective way to promote EAS security for small EAS
Participants?
88. We observe that protecting EAS equipment alone is unlikely to
be sufficient to protect the EAS from a cyber attack. In addition to
the risk of a bad actor sending a false alert, a bad actor could attack
other elements of an EAS Participant's systems or service as a way to
prevent a legitimate alert with lifesaving information from reaching
the public. For this reason, we propose to require that the
cybersecurity risk management plan address not only the security of EAS
equipment, but also the security of all aspects of an EAS Participant's
communications systems and services that potentially could affect their
provision of EAS. We seek comment on this requirement. Are there
alternative requirements that we should consider to ensure that bad
actors cannot prevent the transmission of legitimate alerts (or engage
in the transmission of false ones)?
89. We seek comment on whether there are industry groups,
cybersecurity organizations, or other organizations that may be
positioned to help EAS Participants create, implement, and maintain
their cybersecurity risk management plan. What kinds of resources do
these organizations offer, and how can EAS Participants make use of
them? For example, are there organizations that offer, or that would be
able to begin offering, authoritative sources of cybersecurity
information and expertise? Are there organizations that can support EAS
Participants by offering cybersecurity training, risk management plan
templates, or otherwise promote the cybersecurity? If so, to what
extent can these

[[Page 71553]]

organizations help reduce the burdens related to the proposed
certification requirement and make EAS more secure?
90. We propose that EAS Participants certify to creating, annually
updating, and implementing a cybersecurity risk management plan by
checking a box as part of its annual filing of EAS Test Reporting
System Form One. We seek comment on whether this is the most efficient
way to implement a certification requirement for EAS Participants. If
not, how should the certification be implemented? While the Commission
does not intend to review each individual plan for sufficiency, we
propose that the cybersecurity risk management plan be made available
to the Commission upon request so that the Commission may review a
specific plan as needed or proactively review a sample of EAS
Participants' plans to ensure that they are sufficient to ensure the
confidentiality, integrity, and availability of the EAS. In such
circumstances, cybersecurity risk management plans would be treated as
presumptively confidential. We propose to delegate to the Bureau the
authority to request review of such cybersecurity risk management plans
and to evaluate them for sufficiency. We seek comment on this approach
to evaluating plans. For how long we should require EAS Participants to
retain prior versions of their cybersecurity risk management plans to
enable the Bureau's review?
91. We propose that the filing of, and subsequent compliance with,
a cybersecurity risk management plan would not serve as a safe harbor
or excuse or any other diminishment of responsibility for negligent
security practices. We believe that allowing the filing of and
compliance with a plan to have such an effect could create a perverse
incentive. EAS Participants must remain constantly vigilant in
preventing intrusions and can only satisfy that responsibility by
acting reasonably in all circumstances. Any negligence in protecting
the confidentially, integrity, and availability of EAS that results in
transmission of false alerts or non-transmission of valid EAS messages
would establish a violation of that duty, regardless of the content of
the plan. Furthermore, we propose that an EAS Participant's failure to
sufficiently develop or implement their plan, would be treated as a
violation of the proposed rules. We seek comment on the criteria or
indicia that we should consider when determining whether a plan is
insufficient to mitigate cyber risk. We also seek comment on any
measures that the Commission should take to verify whether EAS
Participants have implemented of their plans.
92. We believe that the benefits of this proposal outweigh the
costs. While we believe that it is impossible to quantify the precise
dollar value of improvements to the public's safety, life, and health,
as a general matter, we nonetheless believe that very substantial
public safety benefits will result from the rules we propose today: EAS
will be better able to ensure that real alerts with lifesaving
information are successfully delivered to the public and false alerts
are prevented in order to preserve public trust and better ensure that
the public takes appropriate action during real emergencies. As a
consequence, we anticipate that the rule changes we adopt today will
yield substantial life-saving benefits. Independent of that analysis,
the Commission has previously found that ``a foreign adversary's access
to American communications networks could result in hostile actions to
disrupt and surveil our communications networks, impacting our nation's
economy generally and online commerce specifically, and result in the
breach of confidential data.'' Consistent with the Commission's past
analysis, our national gross domestic product was nearly $23 trillion
last year, adjusting for inflation. Accordingly, if creating and
implementing a cybersecurity risk management plan prevents even a
0.005% disruption to our economy, we believe our proposed requirement
would generate $1.15 billion in benefits. Likewise, the digital economy
accounted for $3.31 trillion of our economy in 2020, and so we believe
preventing a disruption of even 0.05% would produce benefits of $1.66
billion. As a check on our analysis, consider the impact of existing
malicious cyber activity on the U.S. economy: $57 billion to $109
billion in 2016. Given the incentives and documented actions of hostile
nation-state actors, reducing this activity (or preventing an expansion
of such damage) by even 1% would produce benefits of $0.57 billion to
$1.09 billion. Given this analysis, we believe the benefits of our rule
to the American economy, commerce, and consumers are likely to
significantly and substantially outweigh the costs of the proposed
certification requirement. We seek comment on this analysis. Is there a
more appropriate way to quantify these benefits? Are there any
additional ways in which the proposed rules would benefit the public
that the Commission should consider?
93. We estimate that the overall cost of our proposed cybersecurity
risk management plan requirement will be approximately $21 million. We
believe that EAS Participants will, on average, require 10 hours
annually to initially draft a plan and then update the plan and submit
their certification annually. When developing this average we
anticipate that many large EAS Participants already have cybersecurity
risk management plans and will incur only de minimis costs to comply
with this requirement. We also anticipate that many small EAS
Participants will require less than 10 hours to develop or update a
plan that is appropriate to the size of their organization. Based on
this estimate, we believe that the overall cost for 25,644 EAS
Participants to comply with the proposed certification requirement with
10 hours of labor from a General and Operations Manager who is
compensated at $82 per hour will be $21,028,080. We seek comment on our
analysis.
2. WEA Security
94. We propose to require Participating CMS Providers to certify
that they are creating, annually updating, and implementing a
cybersecurity risk management plan. As discussed above, WEA also faces
security risks related to the transmission of false alerts and
compromise of a Participating CMS Providers' systems could disrupt the
transmission of a legitimate WEA message. Are there additional
cybersecurity risks to WEA about which we should be aware? To what
extent do Participating CMS Providers already have cybersecurity risk
management plans? We believe that the approach we propose above in the
context of EAS--wherein we would afford flexibility for providers to
assess what content should be in their cybersecurity risk management
plans while proposing that it demonstrate how the provider identifies
the cyber risks that they face, the controls they use to mitigate those
risks, and how they ensure that these controls are applied effectively
to their operations--lends itself to WEA as well. We seek comment on
this tentative conclusion. Are there any fundamental differences in the
transmission of WEA alerts or the threats that WEA faces that would
require a different approach to ensuring WEA's security? We seek
comment on the least burdensome means by which Participating CMS
Providers could submit their certification to the Commission, including
via the Commission's Electronic Comment Filing System, a designated
Commission email address, or a WEA-specific database designed for this
purpose.
95. As with the EAS, we propose that a cybersecurity risk
management plan

[[Page 71554]]

should include security controls sufficient to ensure the
confidentiality, integrity, and availability of WEA. We propose
sufficient security measures could be demonstrated by implementing
controls like the CISA Cybersecurity Baseline or appropriate CIS
Implementation Group. As with EAS Participants as described above we
propose to require that each plan include a baseline of security
measures that address changing default passwords prior to operation,
installing security updates in a timely manner, securing equipment
behind properly configured firewalls or using other segmentation
practices, requiring multifactor authentication where applicable,
addressing the replacement of end-of-life equipment, and wiping,
clearing, or encrypting user information before disposing of old
devices. We expect that compliant cybersecurity risk management plans
will not be limited to only these specific measures, as plans will need
regular updates to keep up with an evolving threat environment. We seek
comment on these proposed rules. Are there specific security measures
that we should require Participating CMS Providers to implement? For
example, as above, we seek comment on whether we should require
Participating CMS Providers to conduct network security audits or
vulnerability assessments to identify potential security
vulnerabilities, implement Incident Response Plans that describe the
procedures that Participating CMS Providers would follow when
responding to an ongoing cybersecurity incident, or require
Participating CMS Providers to conduct cybersecurity training for their
employees or contractors.
96. We believe that the benefits of this proposal for WEA outweighs
the costs. As discussed above for EAS, we believe that the rules we
propose today would better ensure that real WEA alerts with lifesaving
information are successfully delivered to the public and false alerts
are prevented in order to preserve public trust and better ensure that
the public takes appropriate action during real emergencies. We
estimate that the overall cost of our proposed cybersecurity risk
management plan requirement will be approximately $62,320. We
anticipate that many large Participating CMS Providers already have
cybersecurity risk management plans and will incur only de minimis
costs to comply with this requirement. We also anticipate that many
small Participating CMS Providers will require less than 10 hours to
develop or update a plan that is appropriate to the size of their
organization. Based on this estimate, we believe that the overall cost
for 76 Participating CMS Providers to comply with the proposed
certification requirement with 10 hours of labor from a General and
Operations Manager who is compensated at $82 per hour will be $62,320.
We seek comment on this analysis. To what extent do Participating CMS
Providers already implement a cybersecurity risk management framework?
Are there alternatives that would be as effective but less burdensome,
particularly to smaller providers? As with EAS above, we seek comment
on whether there are industry groups, cybersecurity organizations, or
other organizations that may be positioned to help Participating CMS
providers create, implement, and maintain their cybersecurity risk
management plans. What kinds of resources do these organizations offer,
and how can Participating CMS providers make use of them?
97. We seek comment on whether there are other categories of
communications service providers (e.g., services that support 911
calling) to which a cybersecurity risk management plan certification
requirement should apply. Like emergency alerting, 911 is part of the
nation's emergency services critical infrastructure. Similarly, like
the nation's alert and warning capability, 911 service has faced
instances of compromise by cyberattacks, and is regularly under threat.
In light of those threats, should services that support 911 calling
also be required to annually certify to creating, updating, and
implementing cybersecurity risk management plans? If so, are there
differences between emergency alerting and 911 that would warrant
changes to the risk management plan requirements we propose today, if
applied to services that support 911 calling? Are the benefits and
costs of such a requirement commensurate with the benefits and costs of
certification as described above?

D. Displaying Only Valid WEA Messages on Mobile Devices

98. False alerts, such as the false ballistic missile alert that
the Hawaii Emergency Management Agency accidentally sent during a
training exercise in 2018, can cause panic, confusion, and damage the
credibility of WEA. While that false alert was sent accidentally, bad
actors could potentially exploit known WEA vulnerabilities to
intentionally send false alerts to the public. The Commission's rules
require Participating CMS Providers' network infrastructure to
authenticate interactions with mobile devices and require mobile
devices to authenticate interactions with CMS Provider infrastructure.
In practice, however, the security handshake between Participating CMS
Providers and mobile devices does not include a process for mobile
devices to ensure that the base station to which it attaches is valid.
As a result, mobile devices that are not actively engaged with a valid
base station are vulnerable to receiving and presenting false alerts.
This threat exists when a mobile device attempts authentication with
the provider, switches base stations, or returns to active from idle
mode.
99. Accordingly, we propose to require Participating CMS Providers
transmit sufficient authentication information to allow mobile devices
to present WEA alerts only if they come from valid base stations.
Ongoing work in international standards bodies suggests that
Participating CMS Providers could achieve this outcome by transmitting
sufficient authentication information to allow mobile devices to
authenticate either the alert or the base station itself. For example,
Participating CMS Providers could provide for authentication of the
base station using a unique identifier or an encryption key. To what
extent do Participating CMS Providers already uniquely identify
legitimate base stations with a selection of base station
characteristics to defend against denial-of-service attacks and fraud
(i.e., through base station fingerprinting)? Could Participating CMS
Providers leverage base station fingerprinting to protect the public
from false WEA alerts through updates to WEA standards and mobile
device firmware? Alternatively, or in addition, could WEA-capable
mobile devices receive an appropriate encryption key from the network
and then use that key to confirm either that an alert is authentic or
that the base station transmitting it is authentic before presenting
the alert? Should our rules prohibit CMS Providers and equipment
manufacturers from marketing devices as WEA-capable unless they have
these technical capabilities?
100. We seek comment on the trade-offs attendant to available
technological approaches to protecting the public from false alerts.
Could implementation of these approaches affect the ability of non-
service initialized WEA-capable mobile devices, SIM-less WEA-capable
mobile devices, or mobile devices that are no longer contractually
associated with a CMS Provider to receive WEA alerts depending on the
handset technology or generation of wireless network used? If so, how
could the

[[Page 71555]]

Commission mitigate these potential drawbacks by refining its proposed
rules? To the extent that technological solutions have been
implemented, is it still possible for a false alert of this type to be
displayed on mobile devices, and if so, under what conditions? What
steps could be taken to further minimize or eliminate these kinds of
false alerts?
101. We estimate that Participating CMS Providers would incur a
$14.5 million one-time cost to update the WEA standards and software
necessary to comply with this requirement. This figure consists of
approximately a $814,000 cost to update applicable WEA standards and
approximately a $13.7 million cost to update applicable software. We
quantify the cost of modifying standards as the annual compensation for
30 network engineers compensated at the national average for their
field ($120,650/year; $58/hour), plus annual benefits ($60,325/year;
29/hour) working for the amount of time that it takes to develop a
standard (one hour every other week for one year, 26 hours) for 12
distinct standards. We quantify the cost of modifying software as the
annual compensation for a software developer compensated at the
national average for their field ($120,990/year), plus annual benefits
($60,495/year) working for the amount of time that it takes to develop
software (one year) at each of the 76 CMS Providers that participate in
WEA. We seek comment on these cost estimates and the underlying cost
methodology we are using. We also seek comment on any other costs and
benefits that would result from this proposal. Incidents of false WEA
alerts can cause significant confusion and diminish the public's trust
in emergency alerts. For example, what harms could arise if an invalid
base station sends a false alert to attendees to a public event, such
as a parade or sporting event? For each technological approach
considered, we urge commenters to address its effectiveness and cost of
implementation, any additional latency that the measure could introduce
into the delivery of WEA alerts, and the potential for the security
measure to result in the suppression of legitimate alert content.

E. WEA Infrastructure Functionality

102. Pursuant to the WARN Act, CMS Providers' participation in WEA
is voluntary, but CMS Providers that elect to participate in WEA must
comply with all the WEA rules. The WEA rules provide that WEA
functionality, both in Participating CMS Providers' networks and in
mobile devices, ``are dependent upon the capabilities of the delivery
technologies implemented by a Participating CMS Provider'' and certain
WEA protocols ``are defined and controlled by each Participating CMS
Provider.'' The inclusion of these statements may create the mistaken
impression that Participating CMS Providers' compliance with the rules
that follow, including the base station authentication rules we propose
today, would be conditioned on the Participating CMS Providers'
delivery technology. Emergency management agencies expect WEA to work
as intended and when needed, and this language unintentionally could
create uncertainties about the quality of WEA service that
Participating CMS Providers offer. For these reasons, the Commission
proposed to remove this language from the WEA rules in 2016. T-Mobile,
ATIS, and CTIA, the only three commenters addressing this proposal,
urged the Commission not to adopt it because ``the rules should
maximize the technological flexibility of CMS Providers participating
in WEA.'' In the ten years since WEA's deployment, however,
Participating CMS Providers have coalesced around cell broadcast as the
wireless technology used to transmit WEA alerts to capable mobile
devices, and ATIS has standardized system performance.
103. Accordingly, we seek to refresh the record on our proposal to
remove these statements from the WEA rules. We believe these provisions
introduce confusion and are unnecessary, particularly as we do not
expect that any Participating CMS Provider would need to make changes
to their WEA service as a result of this proposed amendment. We seek
comment on this proposal, particularly from any CMS Provider that would
need to make changes to their WEA offerings in the event that the rules
were so amended.

F. Promoting Digital Equity

104. The Commission, as part of its continuing effort to advance
digital equity for all, including people of color, persons with
disabilities, persons who live in rural or Tribal areas, and others who
are or have been historically underserved, marginalized, or adversely
affected by persistent poverty or inequality, invites comment on any
equity-related considerations and benefits (if any) that may be
associated with the proposals and issues discussed herein.
Specifically, we seek comment on how our proposals may promote or
inhibit advances in diversity, equity, inclusion, and accessibility, as
well the scope of the Commission's relevant legal authority.

G. Compliance Timeframes

105. Promoting the Operational Readiness of EAS Equipment. To the
extent that we adopt requirements to improve the operational readiness
of EAS, we seek comment on when those rules should go into effect. For
example, if we were to adopt rules to hasten or improve the
Commission's visibility into the repair or replacement of non-
operational EAS equipment, should those rules go into effect 30 days
from publication in the Federal Register of notice that the Office of
Management and Budget has completed its review of the modified
information collection? What factors should we consider when
determining when alternative operational readiness requirements should
go into effect?
106. Improving Awareness of Unauthorized Access to EAS Equipment.
We propose that the revision of Sec. 11.45 to require EAS Participants
to report any incident of unauthorized access of their EAS equipment
would be effective 60 days from publication in the Federal Register of
notice that the Office of Management and Budget has completed its
review of the modified information collection. We seek comment on this
proposed timeframe. In the NDAA21 R&O, the Commission required EAS
Participants to report false alerts to the Commission and, in a
subsequent Public Notice, announced a compliance deadline approximately
60 days from publication in the Federal Register of notice that the
Office of Management and Budget has approved the modified information
collection. We seek comment on whether an EAS Participant's process for
ascertaining whether an incident of unauthorized access of its EAS
equipment has occurred and reporting it to the Commission entails a
level of effort comparable to compliance with the Commission's false
alert reporting requirement. Would EAS Participants' compliance with
the Commission's false alert reporting requirement reduce the
incremental burden of compliance with this proposal?
107. Certifying to the Implementation of Cybersecurity Risk
Management Plans. We propose that EAS Participants and Participating
CMS Providers must certify to the implementation of a cybersecurity
risk management plan that includes measures sufficient to ensure the
confidentiality, integrity, and reliability of their respective
alerting systems within 12 months of the publication in the Federal
Register of notice that the Office of Management and Budget has
completed its review of the modified information collection. A

[[Page 71556]]

12-month timeframe would be intended to provide time for EAS
Participants that do not already have a risk management plan in place
to create one, including by preparing the organization to manage
security and privacy risks, categorizing the systems and the
information that it processes, stores, and transmits, and selecting
controls to protect the system. A 12-month timeframe could also provide
time to implement the security controls that the plan describes, assess
whether the controls are in place, operating as intended, and producing
the desired results, appoint a senior official to authorize the system,
and develop mechanisms to continuously monitor control implementation
and risks to the system. We seek comment on these proposals. Should we
offer EAS Participants and Participating CMS Providers who are small
businesses an additional 12 months to comply with this requirement,
with compliance required within 24 months of publication in the Federal
Register of notice that the Office of Management and Budget has
completed its review of the modified information collection? Is there
any reason why EAS and Participating CMS Providers should have
different implementation timeframes?
108. Displaying Only Valid WEA Messages on Mobile Devices. We
propose that CMS Providers transmit sufficient authentication
information to allow mobile devices to present WEA alerts only if they
come from valid base stations 30 months from the publication of these
rules in the Federal Register. The record in our WEA proceedings
supports the premise that Participating CMS Providers require 12 months
to work through appropriate industry bodies to publish relevant
standards, another 12 months for Participating CMS Providers and mobile
device manufacturers to develop, test, and integrate software upgrades
consistent with those standards, and then 6 more months to deploy this
new technology to the field during normal technology refresh cycles. We
seek comment on the applicability of this approach and timeframe, with
which Participating CMS Providers have experience, to this proposal. We
seek comment, in the alternative, on whether the urgent public safety
need to protect the public from false alerts necessitates an expedited
compliance timeframe and, if so, what that compliance timeframe should
be.
109. WEA Infrastructure Functionality. We propose to remove
language from our WEA infrastructure and mobile device rules effective
30 days after the rules' publication in the Federal Register. We do not
believe that Participating CMS Providers will need to make any changes
to comply with these rules as revised because they offer a WEA service
that is consistent with the rules as otherwise written. We seek comment
on this compliance timeframe and on this view.

III. Ordering Clauses

110. Accordingly, it is ordered that pursuant to sections 1, 2,
4(i), 4(n), 301, 303(b), 303(g), 303(r), 303(v), 307, 309, 335, 403,
624(g), and 706 of the Communications Act of 1934, as amended, 47
U.S.C. 151, 152, 154(i), 154(n), 301, 303(b), 303(g), 303(r), 303(v),
307, 309, 335, 403, 544(g), and 606; The Warning, Alert and Response
Network (WARN) Act, WARN Act sections 602(a), (b), (c), (f), 603, 604,
and 606, 47 U.S.C. 1202(a), (b), (c), (f), 1203, 1204 and 1206; the
Wireless Communications and Public Safety Act of 1999, Public Law 106-
81, 47 U.S.C. 615, 615a, 615b; Section 202 of the Twenty-First Century
Communications and Video Accessibility Act of 2010, as amended, 47
U.S.C. 613, this Notice of Proposed Rulemaking is hereby ADOPTED.

List of Subjects

47 CFR Part 10

Communications common carriers, Radio.

47 CFR Part 11

Radio, Television.

Federal Communications Commission
Marlene Dortch,
Secretary.

Proposed Rules

For the reasons discussed in this preamble, the Federal
Communications Commission proposes to amend 47 CFR parts 10 and 11 as
follows:

PART 10--WIRELESS EMERGENCY ALERTS

0
1. The authority citation for part 10 continues to read as follows:

Authority: 47 U.S.C. 151, 154(i) and (o), 201, 303(r), 403, and
606, 1202(a), (b), (c), (f), 1203, 1204, and 1206.

0
2. Revise Sec. 10.330 to read as follows:

Sec. 10.330 Provider infrastructure requirements.

This section specifies the general functions that a Participating
CMS Provider is required to perform within its infrastructure.
(a) Distribution of Alert Messages to mobile devices.
(b) Authentication of interactions with mobile devices, including
the transmission of sufficient authentication information to allow
mobile devices to only present WEA alerts from valid base stations.
(c) Reference Points D & E. Reference Point D is the interface
between a CMS Provider gateway and its infrastructure. Reference Point
E is the interface between a provider's infrastructure and mobile
devices including air interfaces.
0
3. Add Sec. 10.360 to subpart C to read as follows:

Sec. 10.360 Cybersecurity Risk Management Plan Certification.

(a) Each participating CMS Provider shall submit a certification to
the Commission that it has created, annually updated, and implemented a
cybersecurity risk management plan. The cybersecurity risk management
plan shall describe how the Participating CMS Provider employs its
organizational resources and processes to ensure the confidentiality,
integrity, and availability of WEA. The plan shall discuss how the
Participating CMS Provider identifies the cyber risks that it faces,
the controls it uses to mitigate those risks, and how it ensures that
these controls are applied effectively to its operations. The plan
shall address the security of all aspects of the Participating CMS
Provider's communications systems and services that potentially could
affect its provision of WEA messages. The plan shall be made available
to the Commission upon request.
(b) Participating CMS Providers shall employ sufficient security
controls to ensure the confidentially, integrity, and availability of
the EAS. In furtherance of this requirement, the cybersecurity risk
management plan shall address, but not be limited to, the following
security controls:
(1) Changing default passwords prior to operation;
(2) Installing security updates in a timely manner;
(3) Securing equipment behind properly configured firewalls or
using other segmentation practices;
(4) Requiring multifactor authentication where applicable;
(5) Addressing the replacement of end-of-life equipment; and
(6) Wiping, clearing, or encrypting user information before
disposing of old devices.
(c) Participating CMS Providers shall take reasonable measures to
protect the confidentiality, integrity, and availability of EAS to
avoid the transmission of false alerts or non-transmission of valid
Alert Messages;

[[Page 71557]]

failure to do so shall be, in addition to a violation of any specific
provisions of this section, Sec. 11.45(a) of this chapter, or Sec.
10.520(d), an independent breach of this duty.
0
4. Revise Sec. 10.500 introductory text as follows:

Sec. 10.500 General requirements.

Mobile devices are required to perform the following functions:
* * * * *

PART 11--EMERGENCY ALERT SYSTEM (EAS)

0
5. The authority citation for part 11 continues to read as follows:

Authority: 47 U.S.C. 151, 154 (i) and (o), 303(r), 544(g), 606,
1201, 1206.

0
6. Amend Sec. 11.35 by adding paragraph (d) to read as follows:

Sec. 11.35 Equipment operational readiness.

* * * * *
(d) Annual EAS Security Certification.
(1) The identifying information required by the ETRS as specified
in Sec. 11.61(a)(3)(iv) shall include a Certification to the
Commission that the EAS Participant has created, annually updated, and
implemented a cybersecurity risk management plan. The cybersecurity
risk management plan shall describe how the EAS Participant employs its
organizational resources and processes to ensure the confidentiality,
integrity, and availability of the EAS. The plan shall discuss how the
EAS Participant identifies the cyber risks that its faces, the controls
it uses to mitigate those risks, and how it ensures that these controls
are applied effectively to their operations. The plan shall address the
security of all aspects of an EAS Participant's communications systems
and services that potentially could affect its provision of EAS
messages. The plan shall be made available to the Commission upon
request.
(2) EAS Participants shall employ sufficient security controls to
ensure the confidentially, integrity, and availability of the EAS. In
furtherance of this requirement, the cybersecurity risk management plan
shall address, but not be limited to, the following security controls:
(i) Changing default passwords prior to operation;
(ii) Installing security updates in a timely manner;
(iii) Securing equipment behind properly configured firewalls or
using other segmentation practices;
(iv) Requiring multifactor authentication where applicable;
(v) Addressing the replacement of end-of-life equipment; and
(vi) Wiping, clearing, or encrypting user information before
disposing of old devices.
(3) EAS Participants shall take reasonable measures to protect the
confidentiality, integrity, and availability of EAS to avoid the
transmission of false alerts or non-transmission of valid EAS messages;
failure to do so shall be, in addition to a violation of any specific
provisions of this section, Sec. 11.45(a), or Sec. 10.520(d) of this
chapter, an independent breach of this duty.
0
7. Amend Sec. 11.45 by redesignating paragraph (c) as paragraph (d)
and adding a new paragraph (c) to read as follows:

Sec. 11.45 Prohibition of false or deceptive EAS transmissions.

* * * * *
(c) No later than seventy-two (72) hours after an EAS Participant
knows or should have known that its EAS equipment, or communications
systems, or services that potentially could affect their provision of
EAS, have been accessed in an unauthorized manner, the EAS Participant
shall provide notification to the Commission identifying, if
applicable, the date range of the incident, a description of the
unauthorized access, the impact to the EAS Participant's EAS
operational readiness, a description of the vulnerabilities exploited
and the techniques used to access the device, identifying information
for each actor responsible for the incident, and contact information
for the EAS Participant. When one event or set of events gives rise to
obligations under both paragraphs (b) and (c) of this section, an EAS
Participant remains subject to each requirement individually. The
Participant may elect to send a single notification to the Commission
within 24 hours providing all the information described in both
paragraphs or separate notification to the Commission within 24 hours
and 72 hours.
* * * * *
[FR Doc. 2022-25263 Filed 11-22-22; 8:45 am]
BILLING CODE 6712-01-P

</pre><script data-cfasync="false" src="/cdn-cgi/scripts/5c5dd728/cloudflare-static/email-decode.min.js"></script></body>
</html>

View on FederalRegister.gov →Plain-text source

Indexed from Federal Register on November 23, 2022.

This is legal information, not legal advice. Laws vary by jurisdiction and change frequently. Always verify current law with official sources and consult a licensed attorney in your jurisdiction for advice on your specific situation.