The U.S. Federal Communications Commission’s (FCC) Public Safety and Homeland Security Bureau (Bureau) has requested public input on a recent report on Cybersecurity Risk Management and Best Practices (Report) for communications providers, prepared by the Communications Security, Reliability and Interoperability Council (CSRIC). The Report represents the latest example of the U.S. government’s continued attention to these issues following the President’s 2013 Executive Order on Improving Critical Infrastructure Cybersecurity. Comments are due May 29, with replies due June 26.
As background, CSRIC is a federal advisory committee with members from the private sector, academia, engineering, consumer/community/non-profit organizations, and government partners from tribal, state, local and federal agencies. The FCC tasked CSRIC with developing a report to identify best practices and voluntary mechanisms that help implement the National Institute of Standards and Technology (NIST) Framework for Improving Critical Infrastructure Cybersecurity (Framework) in the communications sector. It also asked CSRIC to develop recommendations that are: “(1) tailored by individual companies to suit their unique needs, characteristics, and risks; (2) based on meaningful indicators of successful cyber risk management; and (3) allow for meaningful assessments both internally and externally.”
The Report breaks down its review across the five key segments of the communications industry—broadcast, cable, satellite, wireless, and wireline—and outlines findings and conclusions for each segment. Each of the five segment subgroups evaluated the applicability of the Framework’s ninety-eight subcategories to their segment, prioritized the applicable subcategories on an illustrative basis, and assessed the challenges of implementation and effectiveness for each applicable subcategory. The Report also includes findings and conclusions for cross-cutting subject matter areas, such as top cyber threats and vectors, which informed each segment subgroup’s analysis.
In its Public Notice seeking comment on the Report, the Bureau specifically asked for input on several issues, including the following:
- The extent to which the recommendations are sufficient to reduce cybersecurity risk;
- Whether and how certain voluntary mechanisms—such as (1) FCC-convened confidential company-specific or other communications format; (2) a new cybersecurity component of the Communications Sector Annual Report; and (3) active and dedicated participation in DHS’s Critical Infrastructure Cyber Community C3 Voluntary Program—could be implemented to enhance cybersecurity and risk management efforts in the communications sector; and
- What barriers could inhibit efforts to enhance cybersecurity through voluntary mechanisms, and how they could be mitigated.
The Bureau also seeks comment generally on the Report’s recommendations.