FCC Releases WEA Cybersecurity NPRM

On October 27, 2022, the FCC released a Notice of Proposed Rulemaking (“NPRM”) seeking comment on updates to the Emergency Alert System (“EAS”) and Wireless Emergency Alerts (“WEA”) to ensure these systems are secure against cybersecurity attacks, which was adopted at the October Open Meeting.  With regard to WEA, the NPRM seeks comment on the following proposals aimed at strengthening the operational readiness of WEA:

  • Cybersecurity Risk Management Plan: The NPRM proposes to require Participating CMS Providers to certify that they are creating, annually updating, and implementing a cybersecurity risk management plan.
    • Plan Contents: The NPRM proposes that such a plan should include security controls sufficient to ensure the confidentiality, integrity, and availability of WEA, as demonstrated by implementing controls like the CISA Cybersecurity Baseline or appropriate CIS Implementation Group.  The plans must include a baseline of security measures that address changing default passwords prior to operation, installing security updates, securing equipment behind properly configured firewalls, requiring multifactor authentication where applicable, addressing the replacement of end-of-life equipment, and wiping, clearing, or encrypting user information before disposing of old devices.
    • Request for Comments: In addition, the NPRM seeks comment on specific risks to WEA the FCC should be aware of, whether providers already have cybersecurity risk management plans, the least burdensome means to submit the certifications, and whether there are specific measures the FCC should mandate are implemented, among other things.
    • Compliance: The Commission proposes to require compliance with this requirement within 12 months of Federal Register notice of OMB approval.  The NPRM also asks whether the Commission should provide Participating CMS providers who are small businesses an additional 12 months to comply.
  • Displaying Only Valid WEA Messages on Mobile Devices: The NPRM proposes to require Participating CMS Providers to transmit sufficient authentication information to allow mobile devices to present WEA alerts only if they come from valid base stations.
    • Proposed Authentication Methodology: The NPRM suggests that providers could achieve this outcome by transmitting sufficient authentication information to allow mobile devices to authenticate either the alert or the base station itself, for example through a unique identifier or encryption key.
    • Request for Comments: The NPRM seeks comment on whether providers have already implemented such authentication methods, the feasibility of implementing such authentication methods, limits on marketing devices as WEA-capable unless they are able to perform authentication, available technological approaches to protect the public from false alerts, and the cost of implementing this proposal, among other things.
    • Compliance:  The Commission proposes to require compliance with this requirement 30 months from the publication of the rules in the Federal Register.  The FCC concluded this was sufficient based upon the following premise: “Participating CMS Providers require 12 months to work through appropriate industry bodies to publish relevant standards, another 12 months for Participating CMS Providers and mobile device manufacturers to develop, test, and integrate software upgrades consistent with those standards, and then 6 more months to deploy this new technology to the field during normal technology refresh cycles.”  The NPRM seeks comment on the compliance timing and asks whether urgent public safety needs necessitate an expedited compliance timeframe.
  • WEA Infrastructure Functionality:  The WEA rules provide that WEA functionality, both in Participating CMS Provider’s and in mobile devices, “are dependent upon the capabilities of the delivery technologies implemented by a Participating CMS Provider” and certain WEA protocols “are defined and controlled by each Participating CMS Provider.”  The FCC believes these statements may create the mistaken impression that Participating CMS Providers’ compliance would be conditioned on their delivery technology and proposes to remove these statements from the WEA rules.
    • Refresh the Record: The FCC proposed the removal of this language in 2016.  At that time, the only commenters to address this proposal, T-Mobile, ATIS and CTIA, urged the FCC not to adopt it because “the rules should maximize the technological flexibility of CMS Providers participating in WEA.”  The FCC seeks to refresh the record on it now, particularly in light of the adoption of cell broadcast as the wireless technology used to transmit WEA alerts and ATIS standardized system performance.
    • Compliance: The NPRM proposes to remove the language from the WEA infrastructure and mobile device rules effective 30 days after the rules’ publication in the Federal Register.  The FCC states that it does not believe Participating CMS Providers will need to make any changes to comply with the rules as revised because they already offer a WEA service that is consistent with the rules as otherwise written.

Comments will be due 30 days after the date of publication in the Federal Register and reply comments will be due 60 days after the date of publication in the Federal Register.

Please Contact Us if you have any questions.

Recent Posts