Full Report
The U.S. National Telecommunications and Information Administration (NTIA) supports efforts to enhance submarine cable security but urges the... The post US NTIA backs submarine cable security push, warns FCC against redundant licensing appeared first on Industrial Cyber.
Analysis Summary
# Regulation/Compliance: FCC Submarine Cable Security Review and Cybersecurity Certification
## Overview
The Federal Communications Commission (FCC) is conducting a comprehensive review of its submarine cable rules, initiated to enhance national security protections for U.S. submarine cable infrastructure amid evolving threats, particularly from foreign adversaries. The review proposes new cybersecurity certification mandates for applicants and licensees. In its input, the National Telecommunications and Information Administration (NTIA) advocates avoiding regulatory redundancy and focusing on economic competitiveness.
## Key Details
- Issuing Authority: Federal Communications Commission (FCC), with input from the National Telecommunications and Information Administration (NTIA).
- Effective Date: Current rules reviewed; proposed changes are subject to ongoing rulemaking.
- Jurisdiction: U.S. communications infrastructure, specifically submarine telecommunications cables.
- Status: Proposed/Under Review (FCC proposal pending finalization; NTIA provided comments).
## Requirements
### Mandatory Requirements (as proposed by FCC)
1. **Cybersecurity Risk Management Certification:** All applicants for cable landing licenses and existing licensees submitting periodic reports must certify that they have developed and implemented cybersecurity risk management plans.
2. **Periodic Reporting for Ownership Clarity:** Existing licensees must provide certification following a prioritization schedule.
3. **Three-Year Periodic Review:** A proposed requirement for a recurring review (every three years) to maintain a continuous understanding of cable ownership and control.
### Recommended Practices (Advocated by NTIA to the FCC)
1. **Minimize Duplicative Work:** Requirements should rely on information already provided through existing mechanisms (e.g., agreements with the Committee for the Assessment of Foreign Participation in the nation’s telecommunications sector).
2. **Foster Information Sharing:** Improve interagency information sharing between the FCC, the Committee, Committee advisors, and the executive branch.
3. **Streamlined Certifications:** Allow for simple and streamlined certifications (e.g., "no-change" certifications) when no material changes have occurred since the previous review.
4. **Refer to Specific Terminology:** Use ‘areas beyond the limits of national jurisdiction’ instead of ‘international waters’ for legal precision relative to the Law of the Sea Convention.
## Affected Organizations
- Industries: Telecommunications sector, specifically submarine cable operations (applicants, licensees, and operators).
- Organization Size: Applicable to all entities operating or applying to operate submarine cables relevant to U.S. jurisdiction.
- Geographic Scope: U.S. jurisdiction concerning submarine cable landing stations and related infrastructure.
## Compliance Timeline
- **Pre-Proposal Phase:** FCC conducted its first comprehensive review since 2001.
- **Current Phase:** Public input is being sought and comments are being reviewed (e.g., NTIA comments submitted).
- **Final Deadline:** Not yet established; contingent upon the FCC finalizing the rule changes proposed in the review.
## Implementation Guidance
### Assessment Phase
- **Review Existing Controls:** Organizations must assess their current Cybersecurity Risk Management Plans against the expectations of the FCC proposal.
- **Gap Analysis:** Identify overlaps or gaps between current periodic reporting and the proposed new certification requirements.
### Implementation Phase
- **Develop Certification Process:** Establish internal procedures to draft and manage the required cybersecurity risk management plan certifications for submission.
- **Coordination:** Align reporting schedules and data submission with executive branch agencies (per NTIA's advice) to minimize dual submission.
### Validation Phase
- **Auditing:** Prepare for internal or external audits to verify that implemented cybersecurity risk management plans are actively in place and meet regulatory standards.
- **Streamlining Review:** If allowed, implement "no-change" certification processes for routine compliance reporting.
## Technical Requirements
The text specifically mandates the development and implementation of **cybersecurity risk management plans**. Specific technical controls are not detailed but are implied by the nature of a risk management plan necessary to secure critical communications infrastructure against foreign adversaries.
## Penalties & Enforcement
- Fines: Not explicitly detailed for non-compliance with the *proposed* certification requirements, but regulatory non-compliance typically results in fines and enforcement actions by the FCC.
- Other Consequences: Potential denial or revocation of cable landing licenses, scrutiny over operations, and exclusion from certain markets.
- Enforcement: Through the FCC’s established enforcement mechanisms related to telecommunications licensing and reporting requirements.
## Related Standards
- **Law of the Sea Convention:** Referenced concerning precise terminology for oceanic areas.
- **Cybersecurity Risk Management Frameworks:** The proposal implicitly requires adherence to established cybersecurity models. None is explicitly named, but standard frameworks such as NIST CSF would be relevant for developing the required plans.
## Resources
- Official Documentation: The NTIA's reply comments document (specific link provided in the source article, e.g., `ntia.gov/sites/default/files/2025-05/ntia-submarine-cable-comments.pdf`).
- Guidance Documents: FCC rulemaking dockets related to the comprehensive review of submarine cable rules.
- Tools: Standard cybersecurity risk assessment and management tools.
## Practical Recommendations
1. **Prioritize Existing Agreements:** Leverage all existing non-FCC regulatory agreements and reporting mechanisms (e.g., Committee reviews) to satisfy new FCC reporting requirements where possible, as advocated by the NTIA.
2. **Cost-Benefit Analysis on License Term:** Cable operators should actively comment on the proposal to shorten the 25-year license term, as NTIA strongly cautions this could severely harm investment economics.
3. **Prepare Documentation:** Immediately begin refining or developing formal Cybersecurity Risk Management Plans to prepare for the mandated certification timeline, regardless of the final effective date.
4. **Advocate for Streamlining:** Support NTIA's recommendations advocating for periodic "no-change" certifications to avoid unnecessary administrative burdens.