The U.S. Federal Communications Commission (FCC) is conducting its first comprehensive review of submarine cable rules since 2001 to enhance the protection of the nation’s submarine cable infrastructure amid evolving national security concerns. The review also proposes that all applicants for cable landing licenses and licensees submitting periodic reports must certify that they have developed and implemented cybersecurity risk management plans. Existing licensees must also provide this certification for the first time, following a prioritization schedule.
Additionally, applicants and licensees must confirm they take reasonable measures to protect the confidentiality, integrity, and availability of their systems. The cybersecurity plans should outline identified risks, mitigation controls, and how these controls are effectively applied. The Commission is seeking comments on these proposals.
The FCC review also aims to establish new rules for better safeguarding submarine cable infrastructure, including a proposed three-year reporting requirement for landing licenses and potential changes to the current 25-year license term. The FCC also seeks to clarify its jurisdiction and application requirements while aiming to improve circuit capacity data quality and facilitate information sharing with federal agencies to strengthen oversight of U.S. communications networks.
In a Federal Register notice published on Thursday, the FCC called for comments from interested stakeholders, which must be submitted by April 14, 2025. Reply comments are due by May 12, 2025. Additionally, written feedback on the proposed information collection requirements under the Paperwork Reduction Act should be submitted by the public, the Office of Management and Budget (OMB), and other interested parties by May 12, 2025.
“Given the importance of cybersecurity, the Commission believes that the operation of submarine cable systems should meet baseline security requirements to safeguard systems against threats,” the notice explained. “The Commission believes these proposals are consistent with the National Cybersecurity Strategy and, in that connection, are in keeping with a whole-of-government effort to ‘establish cybersecurity requirements to support national security and public safety.’”
Also, the FCC expects that creating, updating, and implementing cybersecurity risk management plans would help protect applicants’ and licensees’ systems and services from serious threats to national security, public safety, and the economy. These proposals would require specific actions to protect communications networks and infrastructure, as well as collaboration with communications sector industry members to identify best practices. The Commission seeks comment on these expectations and any national security, economic, or public safety benefits of effective cybersecurity practices and cybersecurity risk management for applicants and licensees.
The Commission proposes that each applicant or licensee have the flexibility to structure its cybersecurity risk management plan in a manner that is tailored to its organization, provided that the plan demonstrates that the applicant or licensee is taking affirmative steps to analyze security risks and improve its security posture. While the Commission believes there are many ways that applicants or licensees may satisfy this requirement, the Commission proposes that they could successfully demonstrate compliance with this proposed requirement by following an established risk management framework, such as the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF).
Furthermore, the FCC seeks comment on a flexible approach, including whether it would reduce the costs imposed on applicants and licensees, and on risk management frameworks other than the NIST CSF that applicants and licensees implement. To the extent commenters believe the Commission should mandate a particular risk management framework or take a less flexible approach, the Commission seeks comment on their proposed alternative, their rationale, and why it would serve the public interest.
The notice also seeks information on whether the FCC should require applicants and licensees to apply the NIST CSF, as the Commission has done in other proceedings. The Commission further seeks comment on how an applicant should demonstrate that it has taken affirmative steps to analyze security risks and improve its security posture after implementing a cybersecurity risk management plan.
The FCC proposes that an applicant’s chief executive officer (CEO), chief financial officer (CFO), chief technology officer (CTO), or a similarly situated senior officer responsible for governance of the organization’s security practices would be required to sign the applicant’s cybersecurity risk management plan. The Commission believes that a signatory with visibility into the network and organization must ensure the plan encompasses all necessary elements and is executed throughout the organization. It also seeks comment on whether to require applicants’ and licensees’ cybersecurity risk management plans to include provisions for identifying, assessing, and mitigating supply chain cybersecurity threats.
The Commission proposes to require applicants and licensees to describe in their risk management plans their implementation of security controls sufficient to ensure the confidentiality, integrity, and availability of all aspects of their communications systems and services. It proposes that applicants and licensees can meet cybersecurity requirements by demonstrating the implementation of established best practices, such as the Cybersecurity and Infrastructure Security Agency’s (CISA) cross-sector cybersecurity performance goals (CPGs) or the Center for Internet Security Critical Security Controls. The Commission emphasizes that cybersecurity risk management plans should be tailored to the specific needs and circumstances of each applicant or licensee to effectively protect against cyber threats. Comments on this proposal are being sought.
In conjunction with this proposal, the FCC seeks comment on whether to require applicants and licensees to implement specific security controls sufficient to protect the confidentiality, integrity, and availability of their systems and services.
In the Alerting Security NPRM, the Commission proposed to require alerting participants to implement the following six controls, among other measures: changing default passwords before operation; installing security updates promptly; securing equipment behind properly configured firewalls or using other segmentation practices; requiring multifactor authentication, where applicable; addressing the replacement of end-of-life equipment; and wiping, clearing, or encrypting user information before disposing of old devices. These six controls were drawn from CISA’s common baseline of cybersecurity controls. The Commission seeks comment on whether it should require the implementation of these or some other subset of common security controls to protect applicants’ and licensees’ systems and services.
The Commission observes that applicants and licensees can benefit from free and low-cost resources that are available to help identify and implement best practices and improve their security over time without requiring the hiring of outside experts. NIST publishes guidance that could assist organizations with measuring their safeguards, including how to address ransomware, malware, malicious code, spyware, distributed denial of service (DDoS) attacks, phishing, securing networks, and threats to mobile phones. CISA offers vulnerability scanning at no cost for critical infrastructure, which includes communications providers, and also provides CPG Assessment Training with regional cybersecurity experts that will help communications providers better understand CPGs and the cybersecurity risk assessment process.
The FCC proposes that applicants and licensees submit cybersecurity risk management plans to the Commission upon request. It also puts forward that applicants and licensees must preserve data and records related to their cybersecurity risk management plans, including any information that is necessary to show how the cybersecurity risk management plan is implemented, for two years from the submission of the related risk management plan certification to the Commission.
The Commission believes it would promote neither public safety nor national security if applicants and licensees could escape responsibility for the cybersecurity of their systems and services by outsourcing the provision of those systems and services to third parties. It seeks comment on the extent to which applicants and licensees currently include minimum cybersecurity requirements in their contracts with third parties.
The FCC notice states that the Commission proposes to require cable landing licensees to provide cybersecurity certifications in the report. Among other things, the Commission proposes that licensees certify in the report that they have created, updated, and implemented cybersecurity risk management plans. The Commission also proposes to require these applicants and licensees to certify that they take reasonable measures to protect the confidentiality, integrity, and availability of their systems and services that could affect their provision of communications services.
The Commission also estimated that applicants will incur an additional cost associated with the Commission’s proposal to certify compliance with baseline cybersecurity standards, including implementing the cybersecurity risk management plans. The Commission expects that the amount of work associated with preparing a new license application will likely be similar to the work associated with preparing a renewal application. Additionally, the licensees would be required to provide the Commission with updated information every three years.
The FCC also proposes not to require small and other entities to submit or file their cybersecurity risk management plans at a designated time each year. Instead, the Commission proposes that applicants and licensees submit cybersecurity risk management plans to the Commission upon request. Additionally, the Commission proposes that applicants and licensees must preserve data and records related to their cybersecurity risk management plans, including any information that is necessary to show how the cybersecurity risk management plan is implemented, for two years from the submission of the related risk management plan certification to the Commission.
In January, the FCC announced measures to protect the nation’s communication systems from major cybersecurity threats, especially those originating from state-sponsored cyber actors in the People’s Republic of China. This move follows recent reports of foreign entities successfully infiltrating U.S. communication networks. Building on earlier actions taken in December, the FCC mandated that telecom carriers strengthen their networks to improve the resilience of U.S. communications against future cyberattacks, including those orchestrated by state-sponsored groups in China. The agency remains steadfast in its commitment to ensuring that telecommunications companies effectively secure their networks.