Full Report

Source: the post "FCC proposes new cybersecurity mandates for submarine cable operators in major rule review, seeks public input" appeared first on Industrial Cyber. Its opening reads: "The U.S. Federal Communications Commission (FCC) is conducting its first comprehensive review of submarine cable rules since 2001..."

Analysis Summary
# Regulation/Compliance: FCC Review of Submarine Cable Rules and Cybersecurity Certification
## Overview
The U.S. Federal Communications Commission (FCC) is conducting its first comprehensive review of submarine cable rules since 2001 to enhance the security and resilience of the nation’s submarine cable infrastructure against evolving national security threats. Key proposals center on mandating the implementation and certification of Cybersecurity Risk Management (CRM) plans for license applicants and existing licensees.
## Key Details
- **Issuing Authority:** Federal Communications Commission (FCC)
- **Effective Date:** Pending finalization of the review (current dates relate to the public comment period).
- **Jurisdiction:** U.S. submarine cable landing licenses and licensees.
- **Status:** Proposed (Currently in public comment phase).
## Requirements
### Mandatory Requirements
1. **Cybersecurity Risk Management (CRM) Plan Development:** All applicants for cable landing licenses and existing licensees must develop and implement comprehensive CRM plans.
2. **Certification of CRM Plan Implementation:** Applicants and licensees must certify to the FCC that they have developed and implemented their CRM plans. Existing licensees must provide this certification according to a prioritization schedule.
3. **System Protection Measures:** Applicants and licensees must confirm they take reasonable measures to protect the **confidentiality, integrity, and availability (CIA)** of their systems.
4. **CRM Plan Content:** The cybersecurity plan must explicitly outline identified risks, mitigation controls, and how these controls are effectively applied.
5. **Senior Officer Attestation:** The CRM plan must be signed by a senior officer responsible for security governance (e.g., CEO, CFO, CTO) to ensure the plan encompasses all necessary elements and is executed.
6. **Data Preservation:** Applicants and licensees must preserve data and records related to their CRM plans and certifications for **two years** from the submission date of the certification.
### Recommended Practices
1. **Framework Utilization:** Licensees are encouraged to, and could potentially satisfy the requirement by, following an established risk management framework, such as the **NIST Cybersecurity Framework (CSF)**.
2. **Tailored Structure:** The CRM plan should be structured in a manner tailored to the specific organization, provided it demonstrates affirmative steps to analyze risks and improve security posture.
## Affected Organizations
- **Industries:** Telecommunications, critical infrastructure providers operating submarine cable systems.
- **Organization Size:** No explicit exemptions mentioned, although the FCC proposes not to require small entities to file plans annually.
- **Geographic Scope:** Entities operating or applying for licenses for submarine cable landing points within U.S. jurisdiction.
## Compliance Timeline
- **Call for Comments Deadline:** April 14, 2025
- **Reply Comments Deadline:** May 12, 2025
- **Paperwork Reduction Act Feedback Deadline:** May 12, 2025
- **Existing Licensee Certification:** Following a prioritization schedule (Specific dates TBD upon rule finalization).
- **Future Reporting (Proposed):** Three-year reporting requirement for landing licenses.
## Implementation Guidance
### Assessment Phase
- **Risk Identification:** Current security posture must be assessed to identify risks to the confidentiality, integrity, and availability of the submarine cable systems.
- **Framework Review:** Determine which risk management framework (e.g., NIST CSF or an alternative) will be utilized to structure the CRM plan.
### Implementation Phase
- **Plan Development:** Develop the CRM plan detailing identified risks and specific mitigation controls.
- **Control Implementation:** Implement the necessary technical and administrative controls outlined in the CRM plan to safeguard systems.
- **Officer Alignment:** Secure sign-off from a senior governance officer (CEO/CFO/CTO).
### Validation Phase
- **Certification Submission:** Submit formal certification of CRM plan implementation to the FCC based on the required prioritization schedule.
- **Data Maintenance:** Establish rigorous procedures for preserving records related to plan implementation for the stipulated two-year period post-certification.
## Technical Requirements
- Affirmative steps must be taken to analyze security risks.
- Reasonable measures must be in place to protect the CIA triad of the submarine cable systems.
- The design of the CRM plan must support the overall goal of establishing baseline security requirements for safeguarding systems against threats.
## Penalties & Enforcement
- **Fines:** Not explicitly detailed in the summary; non-compliance with FCC mandates typically results in statutory fines. The FCC noted an estimated additional cost associated with certifying compliance.
- **Other Consequences:** Failure to certify, adhere to mandated protective measures, or preserve required data could lead to license revocation or modification, and potential regulatory actions.
- **Enforcement:** Enforcement will likely involve audits or requests for documentation, given the proposal that plans only need to be submitted *upon request* (not routinely filed annually for all entities).
## Related Standards
- **NIST Cybersecurity Framework (CSF):** Proposed as a potential acceptable structure for the CRM plan, although the FCC is seeking comment on mandating this or allowing other frameworks.
- **National Cybersecurity Strategy:** The proposed rules are stated as being consistent with this broader government strategy.
## Resources
- **Official Documentation:** Federal Register notice calling for comments (Date referenced as "Thursday").
- **Guidance Documents:** Input sought on alternative risk management frameworks.
- **Tools:** Guidance is sought regarding tools organizations use to demonstrate steps taken to improve security posture.
## Practical Recommendations
1. **Initiate CRM Plan Drafting:** Immediately begin drafting a comprehensive CRM plan, incorporating risk assessment and control implementation tailored to submarine cable infrastructure security.
2. **Select a Framework:** Review the NIST CSF and other recognized frameworks to structure the initial plan draft, noting the FCC’s stated preference for flexibility while seeking input on formal mandates.
3. **Assign Accountability:** Formally designate the senior executive (CEO, CTO, etc.) who will be responsible for signing and attesting to the plan’s implementation.
4. **Monitor Deadlines:** Prepare initial public comments for submission by April 14, 2025, specifically addressing proposed documentation requirements and desired levels of compliance flexibility.
5. **Establish Recordkeeping:** Implement robust data retention policies to ensure all documentation supporting CRM plan implementation is securely stored for at least two years following certification submission.