Full Report
An FCC ruling issued days before Donald Trump took office was an "ineffective response" to the Salt Typhoon intrusions into U.S. telecom networks, the agency's new leadership said in announcing plans to rescind it.
Analysis Summary
# Regulation/Compliance: Rescission of FCC Cybersecurity Declaratory Ruling Post-Salt Typhoon Intrusions
## Overview
This summary focuses on the Federal Communications Commission's (FCC) announced plan to rescind a previous declaratory ruling. This ruling, established following the "Salt Typhoon" intrusions into U.S. telecom networks (which resulted in the theft of correspondence belonging to high-profile figures), was intended to mandate improved cybersecurity measures and annual compliance certifications for telecommunications carriers. The new leadership argues the ruling was "ineffective," "legally erroneous," and imposed inflexible requirements.
## Key Details
- Issuing Authority: Federal Communications Commission (FCC)
- Effective Date: **To be determined** (A vote to rescind the existing ruling is *planned*.)
- Jurisdiction: United States telecommunications carriers.
- Status: **Proposed to be Rescinded** (The initial declaratory ruling was previously In Effect, but the FCC is moving to reverse it.)
## Requirements
*Note: The following requirements reflect the **mandates of the ruling being rescinded**, which the FCC is currently moving to eliminate. The practical regulatory status is shifting towards **Recommended Practices** based on voluntary steps.*
### Mandatory Requirements (Under the ruling being rescinded)
1. **Network Security Mandate:** Telecommunications carriers were required to better secure their networks against unlawful access or interception, based on interpretations of CALEA obligations.
2. **Annual Certification:** Carriers were mandated to submit annual certifications attesting to the creation of a formal cybersecurity risk management plan.
### Recommended Practices (As advocated by current FCC leadership in place of the ruling)
1. **Pursue Agile and Collaborative Approach:** Engage actively in federal-private partnerships regarding cybersecurity.
2. **Targeted Rulemaking and Enforcement:** Rely on more targeted, legally sound rulemaking rather than broad mandates.
3. **Implement Foundational Security Controls:** (Inferred from official statements regarding what would have prevented the attack.) Use secure configurations, patch in a timely manner, and architect systems to monitor for anomalous behavior.
4. **MFA Implementation:** Manage administrator accounts using Multi-Factor Authentication (MFA).
## Affected Organizations
- Industries: Telecommunications carriers (ISPs, major telecom giants like Verizon, AT&T, T-Mobile, Lumen, and others).
- Organization Size: The rescinded ruling was criticized for applying "the same inflexible, across-the-board cybersecurity requirements to all telecommunications carriers without regard to their risk, size, or organizational posture."
- Geographic Scope: United States.
## Compliance Timeline
- **December 2024:** Salt Typhoon intrusions revealed, leading to calls for immediate cybersecurity standards.
- **January [Year Unspecified, preceding current announcement]:** The original declaratory ruling was published, mandating new security measures and certifications.
- **October 31, 2025 (Approximate):** FCC announced plans for a vote to rescind the declaratory ruling.
- **Post-Rescission:** Compliance timelines for the *rescinded* requirements cease. Future requirements would depend on new, legally sound FCC action or industry voluntary adoption.
## Implementation Guidance
### Assessment Phase
- **For the Rescinded Rule:** Assess whether current security practices meet the (now expiring) mandate for network security under CALEA interpretations and whether the annual risk management certification process is in place.
- **For Current Posture:** Assess current security posture against commonly cited best practices (secure configurations, patching, MFA) that could have mitigated the Salt Typhoon attack, in preparation for more targeted rulemaking.
### Implementation Phase
1. **Monitor FCC Action:** Organizations must actively track the formal vote to rescind the declaratory ruling.
2. **Document Voluntary Steps:** Since the FCC favors voluntary action, document existing or enhanced security investments made in response to the Salt Typhoon incidents.
### Validation Phase
- **If ruling is rescinded:** Validation shifts from proving compliance with the specific ruling to demonstrating due diligence through voluntary security programs and adherence to existing general obligations (e.g., CALEA statutory duties).
## Technical Requirements
The ruling being rescinded focused on comprehensive network security. Specific technical controls that were implied or necessary to satisfy the old ruling—and are now recommended best practices—include:
1. Network segmentation.
2. Secure configuration management.
3. Up-to-date patching regimes.
4. Anomaly detection architecture.
5. Administrator account management enforced with MFA.
## Penalties & Enforcement
- **Prior State (Under the rescinded ruling):** Failure to adhere to the mandated security practices could result in a finding that carriers were in breach of their statutory obligations under CALEA, implying potential enforcement actions by the FCC.
- **Current State (Post-Rescission):** The document does not specify penalties tied to the *rescission*. However, the FCC emphasized pursuing "more targeted, legally sound rulemaking and enforcement" moving forward, suggesting that future regulations could carry penalties. Declining to adopt the voluntary practices carries reputational risk and potential scrutiny under existing statutes.
## Related Standards
- **CALEA (Communications Assistance for Law Enforcement Act):** The original ruling was based on the view that CALEA required telecommunications carriers to secure networks against unlawful access. The rescission implicitly argues this interpretation was an overreach.
- **General Cybersecurity Frameworks:** Organizations are expected to align with industry-standard risk management practices, even if regulatory mandates are lifted (e.g., implied alignment with NIST Cybersecurity Framework principles regarding identification and protection).
## Resources
- Official Documentation: Regulatory document published by FCC Secretary Marlene Dortch outlining the decision to rescind the ruling (DOC-415190A1.pdf).
- Guidance Documents: Chairman Brendan Carr's public statement regarding the reversal.
- Tools: *None specified related to the rescission process itself.*
## Practical Recommendations
1. **Confirm Rescission Status:** Organizations must immediately confirm the final outcome of the FCC vote to ensure no further action is required regarding the annual certification mandate.
2. **Prioritize Foundational Security:** Given legislative and public pressure following the Salt Typhoon incident ("worst telecom hack in our nation's history"), organizations should accelerate adoption of foundational security controls (MFA, patching, monitoring) emphasized by lawmakers, even without a specific FCC mandate.
3. **Maintain Documentation:** Document existing or enhanced security measures, framing them as proactive steps necessary to meet statutory duties and protect sensitive communications data, preparing for any future, targeted rulemaking efforts.