Full Report
Wyden’s bill would require the FCC to implement security requirements for telecom carriers that were originally included in a 1994 federal law but that the agency never fully acted upon.
Analysis Summary
# Regulation/Compliance: Proposed FCC Cybersecurity Standards for Telecom Carriers
## Overview
This legislation, currently in draft form proposed by Senator Ron Wyden, mandates the Federal Communications Commission (FCC) to establish and enforce specific cybersecurity standards for telecommunications carriers. This action is prompted by large-scale ongoing breaches of U.S. phone networks by foreign actors (specifically referencing the Salt Typhoon campaign). The goal is to prevent unauthorized interceptions of communications and records by foreign spies, addressing prior failures where telecom companies were allowed to self-regulate.
## Key Details
- Issuing Authority: Federal Communications Commission (FCC), in consultation with CISA and the Director of National Intelligence (DNI).
- Effective Date: Not yet established; dependent on legislative passage.
- Jurisdiction: United States telecommunications carriers.
- Status: Proposed (Draft Legislation).
## Requirements
### Mandatory Requirements
1. **Standard Setting:** The FCC must create and implement specific digital security standards for telecom carriers designed to prevent unauthorized interceptions of calls, messages, and phone records. These standards must be developed in consultation with CISA and the DNI.
2. **Annual Testing:** Carriers are required to conduct annual tests of their security measures.
3. **Vulnerability Patching:** Carriers must work to patch any vulnerabilities uncovered during security testing.
4. **Annual Reporting:** Carriers must submit annual reports to the FCC, including documentation of their internal security tests and audits.
5. **Management Attestation:** Senior management of each carrier must submit a formal statement to the FCC affirming that the firm is in compliance with the established FCC cybersecurity standards.
6. **Third-Party Audits:** Carriers must submit to yearly assessments carried out by an outside auditor to verify compliance with the established cybersecurity rules.
### Recommended Practices
1. Adherence to security requirements that were included in a 1994 federal law but never fully implemented by the FCC.
2. Consideration of other pending legislation aimed at securing government and personal digital defenses against foreign nations.
## Affected Organizations
- Industries: Telecommunications Carriers (companies operating U.S. phone networks).
- Organization Size: All carriers falling under FCC jurisdiction.
- Geographic Scope: United States.
## Compliance Timeline
- **Upcoming Weeks (Estimated):** Congressional briefing for House members regarding the current threat landscape (Salt Typhoon). Possible initial legislative action if Congress does not adjourn.
- **Next Year (Post-Adjournment):** Substantive push for passage of the bill, followed by an implementation timeline set by the FCC after enactment.
- **Final deadline:** To be determined upon passage of the bill and adoption of the subsequent FCC rulemaking.
## Implementation Guidance
### Assessment Phase
- Review existing security posture against the forthcoming mandated FCC technical standards (once proposed following the bill's passage).
- Identify existing gaps concerning monitoring, testing, external auditing capabilities, and senior management reporting readiness.
### Implementation Phase
- Consult with CISA and DNI security guidance when developing technical controls.
- Establish formal processes for mandatory annual internal security testing and documentation.
- Contract accredited, independent third parties to establish yearly compliance audit procedures.
- Develop robust, standardized annual reporting templates for submission to the FCC.
### Validation Phase
- External auditors must annually verify adherence to the FCC-mandated security standards.
- Senior management must certify compliance annually based on independent and internal audit findings.
## Technical Requirements
Specific technical controls are yet to be defined by the FCC rulemaking process but must be designed with the explicit goal of **preventing unauthorized interceptions** of customer communications and phone records, informed by consultation with national security agencies.
## Penalties & Enforcement
- Fines: Not explicitly detailed in the summary, but the mandate for stricter regulation implies significant financial penalties for non-compliance, especially given the national security context.
- Other Consequences: Potential operational restrictions or escalating regulatory scrutiny resulting from sustained non-compliance.
- Enforcement: The FCC will be the primary enforcement body, utilizing annual internal reports, required self-testing documentation, and mandatory external auditor assessments.
## Related Standards
- Existing FCC Regulations (to be updated/superseded).
- Cybersecurity requirements derived in consultation with **CISA** and the **Director of National Intelligence (DNI)**, suggesting alignment with federal critical infrastructure guidance.
## Resources
- Official Documentation: Draft Legislation linked via Senator Wyden's office (hypothetically: `[Secure American Communications Act Draft Legislation Link]`).
- Guidance Documents: FCC Chairwoman Rosenworcel's previously released draft proposal for telecom cybersecurity regulation.
- Tools: Compliance management tools focused on meeting federal infrastructure mandates.
## Practical Recommendations
1. **Advocacy/Monitoring:** Telecom entities should actively monitor the progress of this draft legislation in the Senate and House.
2. **Pre-compliance Auditing:** Begin gap analyses based on the established *intent* (preventing unauthorized interception) and anticipate coming technical mandates based on CISA/DNI input.
3. **Governance Review:** Prepare to elevate cybersecurity sign-off responsibilities to senior management and the board level, as annual management attestations will be required.