FCC Launches NOI on Voluntary Cybersecurity Certification Program

The Federal Communications Commission (FCC) released a Notice of Inquiry (NOI) on April 21, 2010, seeking public comment on the proposed creation of a voluntary cybersecurity certification program by which participating communications service providers would be certified—by the FCC or a third party, as determined by the FCC—as adhering to a set of cybersecurity objectives and/or practices.

The program begins the process of effectuating a recommendation in the National Broadband Plan, issued by the FCC last month, by seeking to increase the security of the nation’s broadband infrastructure, promote a culture of more vigilant cybersecurity, and offer end-users more complete information about their communication service providers’ cybersecurity practices.

Comments on the NOI will be due 60 days from the date of its publication in the Federal Register, which generally occurs several days or weeks after FCC release of an action such as this.

The NOI is the first step toward implementing the recently released National Broadband Plan’s recommendation that the FCC should create a voluntary cybersecurity certification program. The FCC’s push to secure cyberspace is fueled, in part, by recent data highlighted in the broadband plan that suggests businesses are rapidly cutting budgets for information security initiatives despite an increase in threats to their communications networks. The proposed certification program seeks to address this growing problem by providing market incentives for communications service providers to upgrade their networks’ cybersecurity measures in order to reduce the impact of operator errors and malicious cyber attacks.

Generally, the NOI seeks comment on whether the Commission should establish a voluntary incentives-based certification program. The program anticipates that participating communications service providers would receive network security assessments by approved, private-sector auditors who will examine the providers’ adherence to stringent cybersecurity practices developed, through consensus, by a broad-based public-private sector partnership. The expectation is that providers whose networks successfully complete the assessment may then market their networks as complying with stringent FCC network security requirements. 

The NOI also asks whether general security objectives could serve as a sufficient basis for the cybersecurity certification program—with the first set of possible security objectives being: (1) secure equipment management; (2) updating software; (3) intrusion prevention and detection; and (4) intrusion analysis and response.

The NOI seeks comment on a variety of other issues relating to the proposed program, such as what the program’s scope should be, including whether it should be open to all communications service providers or limited to certain types of providers; what role the FCC and private sector should have in administering the program; and what the program’s overall framework should entail, including certification criteria and certification process/procedures.

The NOI further poses questions involving the form and duration of the security certificate that will be issued, its renewal process, and permissible use by providers receiving certification. It also seeks comments on other actions the FCC should take to improve cybersecurity, including any additional volunteer incentives that should be explored.

In addition, the NOI seeks comment as a threshold matter on whether the FCC has the legal authority to create such a program, especially given the recent U.S. Court of Appeals for the D.C. Circuit decision in Comcast Corporation v. FCC, which has called into question the FCC’s authority to regulate in certain Internet-related areas. Some of these areas implicate key recommendations of the broadband plan, including those relating to cybersecurity.

The NOI thus asks (among other questions relating to the FCC’s statutory authority) whether the proposed certification program would fall within Title II or Title III of the Communications Act or whether the FCC could exercise its ancillary authority to create the program.

The FCC released the NOI on April 21, but the time for comments will not begin to run until it appears in the Federal Register. Comments are due 60 days from Federal Register publication. Davis Wright Tremaine will be participating in this proceeding on behalf of our clients.