Protecting the Nation's Communications Systems From Cybersecurity Threats
Primary source
Metadata and text below are from the Federal Register, a public-domain U.S. government work. Always verify the official published version before relying on it for any legal matter.
Abstract
In this document, the Federal Communications Commission ("Commission" or "FCC") announces that it has reconsidered and rescinded a prior Declaratory Ruling and Notice of Proposed Rulemaking, neither of which had been published in the Federal Register. The Declaratory Ruling misconstrued the Communications Assistance for Law Enforcement Act (CALEA), and the Notice of Proposed Rulemaking was based in part on the Declaratory Ruling's flawed legal analysis and proposed ineffective cybersecurity requirements. This Order follows the FCC's engagement with providers to help strengthen their cybersecurity posture.
Full Text
<html>
<head>
<title>Federal Register, Volume 90 Issue 238 (Monday, December 15, 2025)</title>
</head>
<body><pre>
[Federal Register Volume 90, Number 238 (Monday, December 15, 2025)]
[Notices]
[Pages 58006-58011]
From the Federal Register Online via the Government Publishing Office [<a href="http://www.gpo.gov">www.gpo.gov</a>]
[FR Doc No: 2025-22830]
-----------------------------------------------------------------------
FEDERAL COMMUNICATIONS COMMISSION
[PS Docket No. 22-329; FCC 25-81; FR ID 322072]
Protecting the Nation's Communications Systems From Cybersecurity
Threats
AGENCY: Federal Communications Commission
ACTION: Notice; order on reconsideration.
-----------------------------------------------------------------------
SUMMARY: In this document, the Federal Communications Commission
(``Commission'' or ``FCC'') announces that it has reconsidered and
rescinded a prior Declaratory Ruling and Notice of Proposed Rulemaking,
neither of which had been published in the Federal Register. The
Declaratory Ruling misconstrued the Communications Assistance for Law
Enforcement Act (CALEA), and the Notice of Proposed Rulemaking was
based in part on the Declaratory Ruling's flawed legal analysis and
proposed ineffective cybersecurity requirements. This Order follows the
FCC's engagement with providers to help strengthen their cybersecurity
posture.
DATES: The Order on Reconsideration was adopted on November 20, 2025.
FOR FURTHER INFORMATION CONTACT: Leon T. Kenworthy, Cybersecurity and
Communications Reliability Division, Public Safety and Homeland
Security Bureau, at [email protected] or at (202) 418-1886.
SUPPLEMENTARY INFORMATION: This is a summary of the Commission's Order
on Reconsideration, in PS Docket No. 22-329; FCC 25-81, adopted on
November 20, 2025 and released on November 21, 2025. The full text of
this document is available online at <a href="https://docs.fcc.gov/public/attachments/FCC-25-81A1.pdf">https://docs.fcc.gov/public/attachments/FCC-25-81A1.pdf</a>. The full text of this document is also
available for inspection and copying during business hours in the FCC
Reference Center, 45 L Street NE, Washington, DC 20554. To request
materials in accessible formats for people with disabilities, send an
email to [email protected] or call the Consumer & Governmental Affairs
Bureau at 202-418-0530 (voice).
Synopsis
I. Introduction
Foreign adversaries and other bad actors are consistently
attempting to jeopardize America's national security by launching
cyberattacks against our communications networks. That is why this FCC
has bolstered the agency's work to address these threats through
numerous rulemakings and enforcement actions. As part of its efforts to
do so, the FCC stood up a new Council on National Security within the
agency earlier this year, and we have been working with network
providers since the beginning of the year.
Following these FCC engagements with carriers, providers agreed
this year to take ``extensive, urgent, and coordinated efforts to
mitigate operational risks, protect consumers, and preserve national
security interests'' against the range of cyberattacks that target
their networks. In particular, through a collaborative approach,
providers have agreed to implement additional cybersecurity controls to
harden their networks. These controls have included accelerated
patching of outdated or vulnerable equipment, updating and reviewing
access controls, disabling unnecessary outbound connections, and
improving their threat-hunting efforts. Providers have also committed
to increased cybersecurity information sharing, both with the federal
government and within the communications sector. This represents a
significant change in cybersecurity practices compared to the measures
in place in January.
In light of these changes, the Commission takes two actions today.
First, we reconsider and rescind a January 16, 2025, Declaratory Ruling
issued by the prior FCC. As explained below, that decision was both an
unlawful and ineffective attempt to show that the agency was taking
some type of action on cybersecurity issues. It was unlawful because
the FCC purported to read a statute that required
telecommunications carriers to allow lawful wiretaps within a certain
portion of their network as a provision that required carriers to adopt
specific network management practices in every portion of their
network. It was ineffective because it neither responded to the nature
of the relevant cybersecurity threats nor was it consistent with the
agile and collaborative approach to cybersecurity that has proven
successful.
Second, and for similar reasons, we are withdrawing the Notice of
Proposed Rulemaking (NPRM) that accompanied the Declaratory Ruling. The
FCC must focus its resources on advancing cybersecurity protections
that are both lawful and effective. Collaboration with carriers,
coupled with targeted, legally robust regulatory and enforcement
measures, has proven successful--more so than the proposed one-size-
fits-all approach announced in the Declaratory Ruling and proposed in
the NPRM.
II. Background
U.S. communications networks are vulnerable to cyber exploits that
pose significant risks to national security, public safety, and
economic stability. The increasing sophistication of cyberattacks,
particularly those linked to the People's Republic of China (PRC),
highlights the urgent need for cybersecurity measures. For example, in
September 2024, it was disclosed that the PRC-sponsored advanced
persistent threat group Salt Typhoon had infiltrated at least eight
U.S. communications companies as part of a massive espionage campaign
that affected dozens of countries. The attacks exploited publicly known
common vulnerabilities and exposures (CVEs) and other avoidable
weaknesses to compromise networks, rather than zero-day (i.e.,
previously undisclosed) vulnerabilities.
Congress created the Commission, among other reasons, ``for the
purpose of the national defense . . . .'' The Commission's commitment
to improving the security of the nation's communications networks
remains steadfast, as demonstrated by coordinated efforts and
rulemakings to protect the security of our nation's communications
networks and infrastructure from potential security threats.
A. Recent Commission Action To Protect the Nation's Communications
Systems
The Commission has taken a series of recent actions to harden
communications networks and improve their security posture. The
Commission works closely with federal partner agencies and carriers to
identify vulnerabilities, risks, and threats, and convey real-time
guidance to protect networks from foreign adversaries, like the PRC. In
March 2025, the Commission established a Council on National Security
within the Commission to, among other things, ``facilitate the
Commission's engagement with national security partners across the
Executive Branch and in Congress'' and ``mitigate America's
vulnerabilities to cyberattacks, espionage, and surveillance by foreign
adversaries.'' The Commission also investigates communications network
outages that result from cyber incidents, and its Public Safety and
Homeland Security Bureau recently published a Public Notice seeking
comment from the public and the public safety community about a recent
outage that reportedly resulted from a ransomware attack.
The Commission has also adopted targeted rules to address the
greatest cybersecurity risks to critical communications infrastructure
without imposing inflexible and ambiguous requirements. For instance,
the Commission recently adopted a Report and Order, based on a record
developed through notice-and-comment rulemaking, that requires
licensees that operate submarine cable networks to create and implement
cybersecurity risk management plans. That action included a Further
Notice of Proposed Rulemaking that proposes to fast-track submarine
cable applications by presumptively exempting them from Executive
Branch review if they meet certain enhanced physical and cybersecurity
standards, among other requirements.
In May 2025, the Commission also adopted a Report and Order and
Further Notice of Proposed Rulemaking adopting rules to ensure that
test labs, telecommunications certification bodies, and laboratory
accreditation bodies recognized in the FCC's equipment authorization
program are not subject to ownership, direction, or control by
untrustworthy actors that pose a risk to national security, including
China. In September, we announced that we have begun proceedings to
withdraw recognition from these ``bad labs.'' We are investigating the
continued U.S. operations of Chinese Communist Party (CCP)-aligned
businesses whose equipment or services the Commission placed on its
Covered List. In October, we began the process to revoke HKT
(International) Limited's domestic authority and revoke and terminate
its international authority pursuant to section 214 of the
Communications Act of 1934, and addressed security vulnerabilities in
electronic equipment marketed in the United States by closing two
potential loopholes in our equipment authorization program and
proposing to extend our equipment security rules to a larger class of
foreign adversary-controlled devices.
B. Other Communications Sector Cybersecurity Measures
Many communications service providers are already subject to
existing or forthcoming federal cybersecurity requirements. For
example, the Securities and Exchange Commission (SEC) requires public
companies to describe their processes for assessing, identifying, and
managing material risks from cybersecurity threats, as well as board of
directors and management oversight of those risks, as part of
registration statements, annual reports, and other filings. Public
companies must also disclose any material cybersecurity incident and
describe material aspects of the nature, scope, and timing of the
incident, as well as the impact of the incident, in Form 8-K filings.
Additionally, many carriers are subject to state laws that require them
to implement reasonable cybersecurity risk management practices to
protect customer data. The Cyber Incident Reporting for Critical
Infrastructure Act of 2022 (CIRCIA), as amended, also requires the
Cybersecurity and Infrastructure Security Agency (CISA) to promulgate
regulations implementing CIRCIA's covered cyber incident and ransom
payment reporting requirements for covered entities, including those in
critical infrastructure sectors like communications. CISA sought
comment on cyber incident reporting requirements in June 2024 and has
indicated it expects to adopt a final rule in May 2026.
Moreover, some providers voluntarily adhere to industry and
government cybersecurity standards. For example, the National Institute
of Standards and Technology (NIST) Cybersecurity Framework (CSF) 2.0
provides guidance to industry, government agencies, and other
organizations to help manage cybersecurity risks. The CSF ``describes
what desirable outcomes an organization can aspire to'' but ``does not
prescribe outcomes nor how they can be achieved,'' instead suggesting
the CSF should be used in conjunction with other resources like
frameworks, standards, and guidelines. Many wireless carriers,
including AT&T, Verizon, and T-Mobile, assert that they
follow practices that align with the CSF or incorporate its core
functions into their cybersecurity programs. CISA also provides
voluntary tools and services to aid in strengthening cybersecurity
practices, including the Cybersecurity Performance Goals (CPGs), which
are baseline practices that critical infrastructure entities can use to
manage and reduce cybersecurity risks. CISA's cross-sector CPGs provide
sector-agnostic, prioritized guidance to help organizations focus
resources on the most effective risk-reduction measures. To support CPG
adoption, CISA offers Assessment Training with regional cybersecurity
experts to help communications providers better understand the CPGs and
cybersecurity risk assessment. The Telecommunications Industry
Association (TIA) also sells a standard providing baseline security
requirements that apply to all aspects of the information and
communications technology supply chain, including ``processes for
identifying, addressing, and reporting security risks to minimize the
potential for attack and adverse impact on consumers and businesses.''
C. The Communications Assistance for Law Enforcement Act (CALEA)
Congress enacted CALEA in 1994 ``to preserve the ability of law
enforcement officials to conduct authorized electronic surveillance in
the face of the recent, rapid technological changes in
telecommunications that threaten their ability to intercept
communications.'' As the Commission recognized in its first Notice of
Proposed Rulemaking on its implementation of CALEA, ``CALEA assigns
certain responsibilities to the Commission and permits it, at its
discretion, to assume others.'' Among those responsibilities is the
duty to adopt rules to implement the ``systems security and integrity''
obligations of section 105 of CALEA. The Commission has implemented
these responsibilities in multiple rulemaking proceedings for nearly
thirty years, including specific rules implementing both section 105
and the assistance-capability requirements of section 103. The
Commission has also cited these duties in adopting other rules directed
at preventing carriers from allowing unauthorized surveillance within
their networks.
Other Commission proceedings implementing CALEA have interpreted or
applied section 103 of that statute, which requires telecommunications
carriers to ensure that their equipment, services, and facilities meet
four ``assistance capability'' requirements. Those requirements are
directed at ensuring that carriers' networks are capable of assisting
the government in conducting lawfully authorized electronic
surveillance, including by intercepting a subscriber's communications;
providing access to call-identifying information that is reasonably
available to the carrier; delivering such communications and
information to the government; and doing so unobtrusively in a way that
protects the privacy and security of communications and information not
authorized to be intercepted and information regarding the government's
authorized surveillance activities. Section 103 expressly ``does not
authorize any law enforcement agency or officer'' to either require
that carriers adopt, or prohibit carriers from adopting, ``any specific
design of equipment, facilities, services, features, or system
configurations.'' Section 107 provides that a carrier shall be found to
be in compliance with section 103 if it complies with ``publicly
available technical requirements or standards adopted by an industry
association or standard-setting organization,'' or by the Commission in
response to a petition from the government or from any person who
believes such technical requirements or standards are deficient.
The scope of CALEA's applicability is notably affected by its
definition of ``telecommunications carrier,'' which includes an entity
providing a service that the Commission finds to be ``a replacement for
the substantial portion of the local telephone exchange service'' if
doing so is in the public interest. Based on this ``Substantial
Replacement Provision,'' in 2005, the Commission interpreted CALEA's
definition of ``telecommunications carrier'' as ``broader than that
found in the Communications Act'' and as including facilities-based
broadband internet access service (BIAS) providers and interconnected
Voice over Internet Protocol (VoIP) service providers.
D. January 2025 Declaratory Ruling and Notice of Proposed Rulemaking
On January 15, 2025, five days before the change in administration,
the Commission adopted the Declaratory Ruling and NPRM without prior
public notice or any opportunity for public comment. The Declaratory
Ruling ``conclud[ed] that section 105 of CALEA affirmatively requires
telecommunications carriers . . . to secure their networks from
unlawful access to or interception of communications.'' It interpreted
section 105 by purporting to ``clarify that telecommunications
carriers' duties under section 105 of CALEA extend not only to the
equipment they choose to use in their networks, but also to how they
manage their networks.'' It reasoned that, because section 105 requires
that carriers `` `shall ensure' that the `only' interception of
communications or access to call-identifying information is that which
is'' authorized, ``CALEA obligates carriers to prevent interception of
communications or access to call-identifying information by any other
means.'' From this, the Declaratory Ruling concluded that ``section 105
of CALEA independently obligates telecommunications carriers to prevent
all incidents of unauthorized interception of communications and access
to call-identifying information, not merely those carried out by law
enforcement.''
Based on this interpretation, the Declaratory Ruling stated that
carriers would be ``unlikely'' to satisfy these statutory obligations
``without adopting certain basic cybersecurity practices for their
communications systems and services,'' such as ``implementing role-
based access controls, changing default passwords, requiring minimum
password strength, and adopting multifactor authentication.'' It
further stated that ``a failure to patch known vulnerabilities or to
employ best practices that are known to be necessary in response to
identified exploits would appear to fall short of fulfilling this
statutory obligation.'' It described as ``necessary'' that the
following practices be implemented at the enterprise level:
    Enterprise-level implementation of these basic cybersecurity
    hygiene practices is necessary to prevent unlawful real-time access
    to communications because vulnerabilities in ancillary systems,
    operational networks, or administrative infrastructure can provide
    attackers with unauthorized access that can ultimately compromise
    surveillance systems and other network elements. For example, even
    well-protected switches within an otherwise unsecured network would
    be vulnerable to compromise through the integration of infected
    systems in the supply chain or lateral movement by threat actors
    within the network. The integration of cybersecurity best practices
    across an enterprise makes it less likely that attackers can gain
    unauthorized access to networks from more common points of entry,
    such as corporate IT systems, customer-facing portals, and third-
    party vendors.
Also based on this interpretation of CALEA section 105, the
Declaratory Ruling concluded that Congress had authorized the
Commission to adopt rules that require telecommunications carriers (as
defined for purposes of CALEA) to take specific steps to secure their
networks against unauthorized
interception. The Declaratory Ruling was effective immediately.
The NPRM proposed cybersecurity rules that would apply to a broad
range of ``Covered Providers,'' which it defined as including
facilities-based BIAS providers; all broadcasting stations; all cable
systems; wireline video systems; wireline communications providers;
commercial radio operators; interconnected VoIP providers;
telecommunications relay service providers; satellite communications
providers; commercial mobile radio providers; wireless resellers and
Mobile Virtual Network Operators; covered 911 service providers;
covered 988 service providers; and international section 214
authorization holders. The proposed rules would require those entities
to create, update, and implement cybersecurity and supply chain risk
management plans, and also to take reasonable measures to protect the
confidentiality, integrity, and availability of their systems and
services that could affect their provision of communications service.
The Commission described various sources of legal authority that it
believed would, together, provide a basis for applying those
requirements to each of the types of Covered Providers. For statutory
authority to impose the proposed requirements on telecommunications
carriers as defined by CALEA, it relied in part on the conclusion of
the Declaratory Ruling.
On February 18, 2025, CTIA--The Wireless Association, NCTA--The
Internet & Television Association, and USTelecom--The Broadband
Association (Petitioners) filed a Petition for Reconsideration asking
the Commission to rescind the Declaratory Ruling.\1\ On February 28,
2025, the Electronic Privacy Information Center (EPIC) filed an
Opposition to the Petition. Petitioners submitted a reply on March 10,
2025. Petitioners, EPIC, and the Texas Association of Business
subsequently submitted ex parte filings.
---------------------------------------------------------------------------
\1\ Petitioners filed their Petition before publication of the
Declaratory Ruling in the Federal Register. The Petition may
therefore have been premature, see 47 CFR 1.4(b)(1), but we need not
resolve that issue because we may consider the merits of the
petition on our own motion, 47 CFR 1.108.
---------------------------------------------------------------------------
In a further October 16, 2025 ex parte letter, Petitioners
identified ways in which the communications sector has worked with the
federal government and made further commitments to harden their
networks. With respect to coordination with the federal government and
across the sector, the Petitioners highlighted the communications
sector's participation in the National Coordinating Center for
Telecommunications' Communications Information Sharing and Analysis
Center (Comm-ISAC), and noted that some providers have participated in
the Commission's Communications Security, Reliability, and
Interoperability Council (CSRIC), which has prepared a series of
reports concerning cybersecurity risks affecting the communications
sector and identifying best practices to mitigate those risks.
According to Petitioners, these forums and other collaborative
activities involving CISA, federal law enforcement, and the Commission
have enabled some carriers to quickly share threat indicators with
federal officials to promote a sector-wide response to cybersecurity
threats as they occur.
Specifically in response to the Salt Typhoon attacks, Petitioners
explain that the sector partnered with the Federal Bureau of
Investigation, National Security Agency, and CISA, which enabled
agencies ``to render technical assistance, rapidly share information to
assist other potential victims, and work to strengthen cyber defenses
across the commercial communications sector.'' As a result of this
collaboration, the federal government and its communications sector
partners were able to share guidance that details specific tactics,
techniques, and procedures used for initial exploitation, persistence,
collection, and exfiltration; indicators of compromise and CVEs that
were exploited; and threat hunting tips and specific mitigations that
organizations are encouraged to implement to reduce the threat of
Chinese state-sponsored and other advanced persistent threats.
Petitioners also assert that carriers have taken steps to harden
their networks in recent months based on what they learned from the
Salt Typhoon attacks. Some of the steps that providers have taken,
where practical and commensurate with the risk, include implementing
accelerated patching cycles, updating access controls, reviewing remote
access configurations, improving threat hunting efforts, establishing
log review processes and systems, disabling unnecessary outbound
connections to limit lateral network movement, analyzing indicators of
compromise, strengthening contractual obligations with third-party
vendors, investing in zero trust approaches, and preparing for evolving
threats. Petitioners conclude that industry has voluntarily ``devoted
extensive personnel and resources to enhancing its cybersecurity
posture in the wake of Salt Typhoon, and it will continue to do so to
evolve its defenses as new threats emerge.''
III. Discussion
E. Adoption of the Declaratory Ruling Was Unlawful and Unnecessary
We now conclude that adoption of the Declaratory Ruling was
unlawful, because it adopted an erroneously broad reading of section
105 of CALEA and purported to assert the ability for the Commission to
enforce this interpretation without adopting rules. The Declaratory
Ruling was also ineffective because it failed to respond to the nature
of the relevant cybersecurity threats and undermined the Commission's
past agile and collaborative approach to cybersecurity. It is possible
that the Commission erred in reaching its decision at least in part
because it adopted it in a rushed manner just five days before a change
of administration and without any public input.
1. The Declaratory Ruling Misinterpreted CALEA
It was unlawful for the Commission to announce an interpretation of
CALEA section 105 without adopting implementing rules. The Commission's
role in implementing CALEA is limited as provided in the statute. In
particular, the Commission lacks authority to enforce its view of what
the statute independently requires. The Commission is charged with
adopting rules to implement CALEA, particularly rules to address
specific scenarios designated by Congress: (1) specific systems
security and integrity requirements specified by section 229(b); (2)
cost recovery for compliance with section 103, as specified by section
229(e); and, (3) in response to a petition, technical requirements or
standards that satisfy the requirements of section 103 as provided in
section 107(b). Section 229(a) also provides more general authority to
``prescribe such rules as are necessary to implement the requirements
of [CALEA],'' and section 229(d) provides that the Commission may
enforce any such rules as violations of rules adopted under the
Communications Act. Absent rules, however, the Declaratory Ruling does
not explain how the Commission could enforce CALEA's statutory
provisions directly. Rather, section 108 of CALEA appears to commit
authority to enforce the statutory requirements only to the courts. By
contrast, the Communications Act includes provisions explicitly
authorizing the Commission to enforce not only its duly adopted rules
but also the requirements of that Act itself.
Indeed, the Commission recognized that its enforcement of CALEA
depends on having adopted rules when, in 2006, it decided to codify the
requirements of section 103 into part 1, subpart Z, of its rules. The
Declaratory Ruling did not explain how it could depart from this
approach and enforce the CALEA statute directly. Even EPIC, in a
memorandum supporting its opposition to the petition for
reconsideration, can point only to CALEA's delegations of rulemaking
authority to support Commission action in this area. To the extent EPIC
points to provisions in the Communications Act other than section 229
that may be relevant to cybersecurity, it cannot justify a Declaratory
Ruling that purports to announce an interpretation of a statutory duty
in CALEA, a separate statute. Section 229(c), also cited by EPIC,
cannot provide appropriate justification because this section too
requires the Commission first to have issued ``regulations prescribed
under this section.'' Thus, the proper way for the Commission to
implement CALEA is through notice-and-comment rulemaking, as it has
done several times before, and not through a sua sponte Declaratory
Ruling purporting to interpret the statute itself. Certain statements
in the Declaratory Ruling also created vague obligations better suited
for a rulemaking.
The Commission also erred in disregarding the limits imposed by the
phrase ``effected within its switching premises'' in section 105 of
CALEA. The Declaratory Ruling claimed that section 105 ``affirmatively
obligates carriers to take action to prevent all unauthorized
interception and access to call-identifying information within their
networks.'' Though it acknowledged that section 105 refers only to
interceptions and access that occur ``within [a carrier's] switching
premises'' and noted the Commission's earlier recognition of that
limitation, it suggested instead that the obligation would apply to
``their [entire] networks,'' without apparent limitation. As then-
Commissioner Carr noted in dissent, the language of the Declaratory
Ruling appears to ``impos[e] an affirmative obligation on a covered
provider to take certain undefined cybersecurity actions across every
portion of their network--meaning, both within and outside the
switching premises.'' The Declaratory Ruling's statement that section
105 requires ``[e]nterprise-level implementation'' of cybersecurity
practices appears to go beyond the statute's clear reference to
``within its switching premises.''
The Declaratory Ruling also ignored a key limitation on CALEA's
definition of ``interception.'' The Declaratory Ruling noted that CALEA
incorporates by reference the Wiretap Act's broad definition of
``intercept'' as ``the aural or other acquisition of the contents of
any wire, electronic, or oral communication through the use of any
electronic, mechanical, or other device.'' The Commission reasoned that
this expansive definition, combined with CALEA's use of the word
``any,'' meant that section 105 reaches every unauthorized attempt to
access a communications network, not just governmental interception
efforts. That approach ignores the construction that courts have
consistently placed on the Wiretap Act's definition. As the Sixth
Circuit has explained, the Wiretap Act is limited to communications
intercepted contemporaneously with their transmission rather than data
at rest. The Declaratory Ruling's focus on the subject engaging in
interception overlooks the more important object of the interception--
namely, real-time communications, rather than information stored in
providers' systems. The Declaratory Ruling's required ``basic
cybersecurity hygiene practices''--role-based access controls, changing
default passwords, requiring minimum password strength, and adopting
multifactor authentication--are all designed to thwart attempts to
exfiltrate data on communications systems both in transit and at rest,
thus reaching beyond section 105's limited focus on contemporaneous
interception. Nor does CALEA's narrow definition of ``call-identifying
information''--which encompasses only ``dialing or signaling
information that identifies the origin, direction, destination, or
termination of each communication generated or received by a subscriber
by means of any equipment, facility, or service of a telecommunications
carrier''--require carriers to secure all information across their
entire enterprises.
For these reasons, we find that the Declaratory Ruling was legally
erroneous.
2. The Declaratory Ruling Is Ineffective at Promoting Cybersecurity
Salt Typhoon is a sophisticated nation-state hack by China
targeting specific vulnerabilities, some of which are still being
exploited. But the Declaratory Ruling, which broadly requires all
telecommunications carriers to ``take action to prevent all
unauthorized interception and access to call-identifying information
within their networks,'' offers no guidance about which particular
vulnerabilities to prioritize or which at-risk information to protect,
leaving carriers with a burdensome and inchoate compliance standard
that does little to secure communications networks and protect national
security. Moreover, the Declaratory Ruling applies the same inflexible,
across-the-board cybersecurity requirements to all telecommunications
carriers without regard to their risk, size, or organizational posture.
This vague and amorphous standard risks imposing costly new burdens on
many providers that are either not relevant to the potential threats
they face, or which are redundant because those providers may already
employ sufficient cybersecurity practices to reasonably reduce the risk
of successful exploits by the most sophisticated threat actors.
Reversing such policy is a separate and independent ground for
rescinding the Declaratory Ruling. It also abandons the Commission's
practice of working with industry to identify the areas of greatest
security risk, offering guidance in reducing risk where possible, and
adopting targeted, clear rules where necessary to secure networks.
Instead of taking the Declaratory Ruling's broad tack, we believe
that the Commission should promote an agile and collaborative approach
to cybersecurity as reflected in existing federal and state
cybersecurity requirements and public-private partnerships that protect
and secure communications networks. As Petitioners observe,
communications providers ``have long partnered with the federal
government on its whole-of-government effort to secure critical
infrastructure.'' This collaborative approach to cybersecurity includes
industry participation in the Comm-ISAC; the contribution of technical
expertise to CSRIC; and collaboration with other federal agencies such
as NIST and CISA to help produce best practices, guidelines, and tools
to reduce cybersecurity risk.
This flexible and coordinated approach has demonstrable benefits
for the security of the communications sector. We agree with the
Petitioners that ``[t]he government-industry partnership model of
collaboration has enabled communications providers to respond swiftly
and agilely to Salt Typhoon, reduce vulnerabilities exposed by the
attack, and bolster network cyber defenses in the future to deter
repeat incursions.'' According to Petitioners, the collaborative
relationship between communications providers and the federal
government enabled some carriers to quickly share threat indicators
related to the Salt
[[Page 58011]]
Typhoon attacks with federal law enforcement agencies, who in turn were
able to guide other carriers in taking steps to remove threat actors
from their networks and harden them against future exploits.
Petitioners acknowledge that ``Salt Typhoon and the related Volt
Typhoon are nation-state, adversary-affiliated [advanced persistent
threats] with unlimited resources against which private sector
companies alone cannot defend themselves,'' and note that, since the
attacks, some carriers have participated in regular briefings with the
Commission and federal law enforcement and intelligence agencies to
share information and promote a coordinated national response strategy.
In addition, some carriers have taken additional steps to harden their
networks in recent months, including implementing accelerated patching
cycles, updating access controls, reviewing remote access
configurations, improving threat hunting efforts, disabling unnecessary
outbound connections to limit lateral network movement, and
strengthening contractual obligations with third-party vendors.
Petitioners note that providers make these security improvements to
their networks voluntarily and remain dedicated to bolstering security
through their partnerships with the federal government. As part of
these efforts, they have made commitments that include leading
providers establishing and actively participating in the Communications
Cybersecurity Information Sharing and Analysis Center (``C2 ISAC''),
``the next-generation Information Sharing and Analysis Center model
designed to facilitate real-time threat intelligence sharing among
members.'' Providers have also established new intra-sector sharing and
collaboration mechanisms, including a new forum for collaboration among
Chief Information Security Officers from U.S. and Canadian providers,
which they commit to expanding to other ``like-minded countries'' this
autumn. These commitments demonstrate that the federal government's
collaborative approach to cybersecurity continues to be effective and
that the inflexible and vague approach of the Declaratory Ruling is
unnecessary.
Furthermore, the Commission is leveraging the full range of the
Commission's regulatory, investigatory, and enforcement authorities to
protect Americans and American companies from foreign adversaries,
particularly the threats posed by the PRC and CCP, consistent with the
whole-of-government approach. We are proceeding in separate dockets
under clear and established statutory authorities to strengthen
technology and telecommunications supply chains, to mitigate America's
vulnerabilities to cyberattacks, espionage, and surveillance by foreign
adversaries, and to ensure U.S. leadership in critical technologies. To
highlight only some of those initiatives, we have adopted rules that
require all applicants for submarine cable landing licenses to certify
that they have created and will implement and update cybersecurity and
physical security risk management plans; adopted rules to ensure that
foreign adversary controlled-test labs are not participating in the
FCC's equipment authorization program; and are proposing to extend our
equipment security rules to a larger class of foreign adversary-
controlled devices. In each instance, we promoted requirements for
which we have clear legal authority that target specific adversaries
and threats while developing and considering a record that allows us to
weigh the costs and benefits of further regulation.
Had the Commission sought and considered public comment before
adopting the Declaratory Ruling, it is possible that the agency would
have understood that its proposed approach was overly broad, vague, and
counterproductive. Its approach to cybersecurity failed to consider
multiple aspects of the current and evolving cybersecurity landscape,
including relevant best practices identified by CSRIC, technical
standards, and industry security standards. The Declaratory Ruling
represented a drastic departure from data security standards, yet the
Declaratory Ruling does not discuss this departure at all. The
Declaratory Ruling also failed to consider less burdensome approaches,
including collaboration between the federal government and industry,
engaging with stakeholders who have experience and expertise in
securing the nation's communications networks, or working to harmonize
the Commission's cybersecurity expectations with existing best
practices. In sum, the Declaratory Ruling was an ill-advised, rushed
effort to take a controversial action without being grounded in a
proper notice-and-comment process.
F. The NPRM Is Unnecessary
We also hereby rescind the NPRM that was adopted simultaneously
with the Declaratory Ruling. The Commission adopted the NPRM on January
15, 2025, and released its text on its website on January 16, 2025, but
has not published it (or a summary) in the Federal Register as would be
required under the Administrative Procedure Act. Therefore, the period
for public comments never commenced, and there is no record for the
Commission to address here. Rather than promote a one-size-fits-all
approach of a single rulemaking to govern all Commission licensees, we
intend to continue to take the targeted approach to promoting effective
cybersecurity protections discussed above. The NPRM in this proceeding
is therefore unnecessary and will not be pursued.
IV. Ordering Clause
Accordingly, it is ordered that, pursuant to sections 1.106 and
1.108 of the Commission's rules, 47 CFR 1.106, 1.108, and section
405(a) of the Communications Act of 1934, as amended, 47 U.S.C. 405(a),
this Order on Reconsideration is adopted. The Declaratory Ruling and
Notice of Proposed Rulemaking, FCC 25-9, 40 FCC Rcd 876 (Jan. 15,
2025), is rescinded and withdrawn.
Federal Communications Commission.
Marlene Dortch,
Secretary.
[FR Doc. 2025-22830 Filed 12-12-25; 8:45 am]
BILLING CODE 6712-01-P
</pre></body>
</html>