FCC CONSIDERS NEW "CYBER SECURITY" CERTIFICATION PROGRAM
FOR COMMUNICATIONS SERVICE PROVIDERS
On April 21, 2010, the Federal Communications Commission ("FCC") issued a Notice of Inquiry that kicks off a proceeding seeking comment on a "cyber security" certification program designed to encourage communications service providers (i.e., those entities providing communications services by radio, wire, cable, satellite, or lightguide for a fee to one or more unaffiliated entities) to implement a full range of cyber security best practices. The FCC is reviewing this potential program, which was recommended under the Commission’s National Broadband Plan, in an effort to counter cyber attacks and protect the communications infrastructure in the U.S. Among other things, the FCC cites a 2008 Data Breach Investigation Report that found that 87% of cyber breaches could have been avoided if reasonable security controls had been in place.
The proposed voluntary certification program would involve security assessments of service providers’ networks, to be conducted by the FCC or private sector auditors. The audit would entail a review of whether the networks comply with "stringent cyber security practices" to be developed by a public-private partnership. Those providers who successfully complete the audit would receive a special certification and then be able to market their networks as complying with these FCC network security requirements.
The inquiry is being led by the FCC’s Public Safety and Homeland Security Bureau. The FCC’s Notice of Inquiry seeks comment on a variety of topics, including:
· the costs/benefits of the program
· whether the program will really lead to an increase in security and improved cyber security practices
· whether the certification program should be open to all communication providers, or only certain types
· the composition and operating procedures of a certification authority
· whether the security criteria should be definitive or established on a case-by-case basis
· assessment standards
· form and duration of the security certification, and the renewal process
· FCC enforcement process, if any, for the program
· education process regarding cyber security for consumers, businesses, and government agencies