Federal Communications Commission Washington, DC 20554 August 2, 2021 DA 21-936 SMALL ENTITY COMPLIANCE GUIDE Amendments to Part 4 of the Commission’s Rules Concerning Disruptions to Communications PS Docket No. 15-80 FCC 21-34 Released: March 18, 2021 This Guide is prepared in accordance with the requirements of Section 212 of the Small Business Regulatory Enforcement Fairness Act of 1996. It is intended to help small entities—small businesses, small organizations (non-profits), and small governmental jurisdictions—comply with the revised rules adopted in the above-referenced Federal Communications Commission (FCC or Commission) rulemaking dockets. This Guide is not intended to replace or supersede these rules, but to facilitate compliance with the rules. Although we have attempted to cover all parts of the rules that might be especially important to small entities, the coverage may not be exhaustive. This Guide cannot anticipate all situations in which the rules apply. Furthermore, the Commission retains the discretion to adopt case-by-case approaches, where appropriate, that may differ from this Guide. Any decision regarding a particular small entity will be based on the statute and any relevant rules. In any civil or administrative action against a small entity for a violation of rules, the content of the Small Entity Compliance Guide may be considered as evidence of the reasonableness or appropriateness of proposed fines, penalties or damages. Interested parties are free to file comments regarding this Guide and the appropriateness of its application to a particular situation. The FCC will then consider whether the recommendations or interpretations in the Guide are appropriate in that situation. The FCC may decide to revise this Guide without public notice to reflect changes in the FCC’s approach to implementing a rule, or it may clarify or update the text of the Guide. Direct your comments and recommendations, or calls for further assistance, to the FCC’s Consumer Center: 1-888-CALL-FCC (1-888-225-5322) TTY: 1-888-TELL-FCC (1-888-835-5322) Videophone: 1-844-4-FCC-ASL (1-844-432-2275) Fax: 1-866-418-0232 TABLE OF CONTENTS I. OBJECTIVES OF THE PROCEEDING 1 II. COMPLIANCE REQUIREMENTS 2 A. Obligations for Participating Agencies 2 1. Eligibility for Participating Agencies 2 2. Application Procedures and Certification Form 2 3. Training 3 4. Aggregation of Data 3 5. Participating Agency Notifications to the Commission 4 B. Obligations Pertaining to Downstream Sharing 4 1. Participating Agencies 4 2. Downstream Recipients 5 C. Obligations for Service Providers 5 D. Secure Destruction of Confidential NORS/DIRS Information 5 III. RECORDKEEPING AND REPORTING REQUIREMENTS 6 IV. IMPLEMENTATION DATE 6 V. INTERNET LINKS 6 I. OBJECTIVES OF THE PROCEEDING Section 1 of the Communications Act of 1934, as amended, charges the Federal Communications Commission (FCC or Commission) with “promoting safety of life and property through the use of wire and radio communications.” 47 U.S.C. § 151.   This statutory objective supports the Commission’s institution of outage reporting requirements, codified in Part 4 of the Commission’s rules, that require providers to report network outages that exceed specified magnitude and duration thresholds. See 47 CFR pt. 4. Outage data allows for critical situational awareness that enables the Commission to be an effective participant in emergency response and service restoration efforts, particularly in the early stages of communications disruption. Currently, the Commission collects network outage information in the Network Outage Reporting System (NORS) and infrastructure status information in the Disaster Information Reporting System (DIRS). Over the last several years, natural and manmade disasters, including hurricanes, tornadoes, floods, wildfires, and severe winter storms have caused outages to communications networks and have demonstrated the need for reliable outage data. Whether partial or complete, outages can lead to preventable loss of life and damage to property by causing delays and errors in emergency response and disaster relief efforts. Outage data and network infrastructure information is sensitive for national security and commercial competitiveness reasons, therefore the Commission treats it as presumptively confidential. In a 2016 Report and Order and Further Notice the Commission found that state and federal agencies would benefit from direct access to NORS data. Amendments to Part 4 of the Commission’s Rules Concerning Disruptions to Communications, et al., PS Docket No. 15-80 et al., Report and Order, Further Notice of Proposed Rulemaking, and Order on Reconsideration, 31 FCC Rcd 5817, 5853, para. 88 (2016) (2016 Report and Order and Further Notice). Thereafter, in the Second Further Notice, the Commission concluded that directly sharing NORS data with state and federal agencies, subject to appropriate and sufficient safeguards, is in the public interest. Amendments to Part 4 of the Commission’s Rules Concerning Disruptions to Communications, Second Further Notice of Proposed Rulemaking, FCC 20-20 (rel. Mar. 2, 2020). In the Second Report and Order the Commission extended this finding to include the sharing of DIRS data and adopted a framework to provide certain state, federal, local, and Tribal partners with access to the critical NORS and DIRS information they need to ensure the public’s safety while preserving the presumptive confidentiality of the information. Amendments to Part 4 of the Commission’s Rules Concerning Disruptions to Communications, PS Docket No. 15-80, Second Report and Order, FCC 21-34, at 6 (2021) (Second Report and Order). More specifically, the framework grants direct, read-only access and details the process by which the Commission will share relevant NORS and DIRS filings with participating agencies acting on behalf of the federal government, the fifty states, the District of Columbia, Tribal Nation governments, and United States territories (collectively referred to as “state and federal agencies”) that have official duties that make them directly responsible for emergency management and first responder support functions which constitutes having a “need to know” such information. State and federal agencies can, but are not required to participate in the Commission’s NORS/DIRS information sharing framework. Service providers covered by the Commission’s part 4 rules, remain required to report information in NORS and can make DIRS filings although DIRS reporting is not mandatory. The actions taken by the Commission in the Second Report and Order to establish the network outage and infrastructure status information sharing framework will ensure that public safety officials at state and federal agencies can appropriately and effectively leverage the same reliable and timely network outage and infrastructure status information as the Commission when responding to emergencies and will enhance the ability of our federal, state and local partners to make information decisions that will help them save lives and property.     II. COMPLIANCE REQUIREMENTS The Second Report and Order updates the Commission’s rules to allow state and federal agencies direct, read only access to the Commission’s NORS/DIRS data (these agencies are also referred to as “Participating Agencies”). Participating agencies must comply with certain procedures and safeguards, and can only share this data and related confidential NORS/DIRS information with certain downstream recipients. “Downstream recipients” consist of local agencies and other related entities that work with participating agencies, such as county or municipality agencies, key decision-makers or first responders. See id. at 8, para. 23, n. 50 (citing Amendments to Part 4 of the Commission’s Rules Concerning Disruptions to Communications, et al., PS Docket No. 15-80, et al, Second Further Notice of Proposed Rulemaking, 35 FCC Rcd 2239, 2251-52, para. 37 (2020) (Second Further Notice)). In addition to participating agencies, the updated rules also impose obligations on downstream recipients and service providers. These requirements are summarized below. A. Obligations for Participating Agencies 1. Eligibility for Participating Agencies (47 CFR § 4.2) · Agencies acting on behalf of the federal government, the 50 states, the District of Columbia, Tribal Nations, and the U.S. territories (including Puerto Rico and the U.S. Virgin Islands) that have a “need to know” are eligible to apply for direct, read-only access to the Commission’s NORS and DIRS data. o “Need to know” agencies are those have official duties that make them directly responsible for emergency management and first responder support functions. · An agency’s access is limited to filings reflecting events occurring, at least partially, in the agency’s jurisdiction (e.g., geographical boundaries) and after the September 30, 2022 effective date adopted in the Second Report and Order. The effective date may be extended, if necessary, by Public Notice publication in the Federal Register if the required database adjustments take longer than the Commission has estimated or if the required Office of Management and Budget (OMB) review of the modified information collections under the new rule provisions is delayed. 2. Application Procedures and Certification Form (47 CFR § 4.2(a) & (c)) · Participating agencies seeking access to NORS/DIRS data must submit a formal request to the Commission at the Commission’s designated email address, NORS_DIRS_information_sharing@fcc.gov. The request must include: o a signed statement from an agency official, on the agency’s official letterhead, including the official’s full contact information, o a description of why the agency needs access to NORS and DIRS data and how it intends to use the information in practice, o citation to and copies of legal authority that establishes that the participating agency has a “need to know,” and o a completed copy of the Certification Form included in the Second Report and Order at Appendix C. · Participating agencies will be granted five user accounts by default, which may only be provided to employees (i.e., contractors and consultants are not permitted user accounts). If an applying agency needs additional accounts, it will need to indicate this in its request and provide an explanation of why additional accounts are necessary. · Participating agencies granted access to NORS/DIRS data must annually submit the Certification Form to the designated email address, NORS_DIRS_information_sharing@fcc.gov. 3. Training · Participating agencies must implement an annual training program that must be completed by all employees approved for user accounts before obtaining access. · Participating agencies may develop their own training program or rely on an outside training program, including the one that the Public Safety and Homeland Security Bureau intends to identify prior to the Second Report and Order’s effective date. o An annual training program must include: § procedures and requirements for accessing NORS and DIRS filings, § parameters by which agency employees may share confidential and aggregated NORS and DIRS information, § initial and continuing requirements to receive trainings, § notification that failure to abide by the required program elements may result in personal or agency termination of access to NORS and DIRS filings and liability to service providers and third parties under applicable state and federal law, and, § a process to immediately notify the Commission, at its designated e-mail address, with any questions, concerns, account management issues, reports of any known or reasonably suspected breach of protocol and, if needed, requests for service providers’ contact information upon learning of a known or reasonably suspected breach. o Participating agencies must share their training program with the Commission upon request. 4. Aggregation of Data (47 CFR § 4.2(d)) · Participating agencies are permitted to release sufficiently aggregated and anonymized NORS and DIRS information to any entity, including the public. · At a minimum, data aggregation requires combining data from at least four service providers. When determining how to aggregate data, an agency should refer to the guidelines detailed in Appendix D of the Second Report and Order. 5. Participating Agency Notification Obligations to the Commission (47 CFR § 4.2(a)) · Participating agencies must notify the Commission if they receive a third-party request for access to NORS or DIRS filings within 14 calendar days of receiving the request. · Participating agencies must notify the Commission at least 30 calendar days prior to the effective date of any change in state statutes or administrative rules, such as open records laws that would affect the agency’s ability to adhere to the confidentiality requirements outlined in the Second Report and Order. · Participating agencies will be able to notify the Commission of any third-party requests or changes to its respective state laws or state agency rules related to open records laws through the Commission’s Electronic Comment Filing System (ECFS). Any submissions in the EFCS will create a docket for that respective filing. o Service providers will be notified of any third-party requests through a posting in the Commission’s ECFS within the same docket filed by the participating agency. · Participating agencies must provide the Commission a list of all localities the agency has disclosed NORS and DIRS information to upon request and for inspection. The Commission can share this list with implicated service providers. B. Obligations Pertaining to Downstream Sharing (47 CFR § 4.2(b)) 1. Participating Agencies · Participating agencies may share confidential NORS/DIRS data and information with downstream recipients provided that the downstream recipients have a “need to know” that pertains to a specific imminent or on-going public safety event. · Participating agencies must condition the downstream recipients’ receipt of confidential NORS/DIRS data on the recipients’ certification, on a form separate from the Participating agencies' certification form. · Participating agencies will be responsible for managing and obtaining the forms from downstream recipients. · Participating agencies must determine any additional implementation procedures from those adopted in the Second Report and Order for obtaining the separate certification from downstream recipients. · Participating agencies that are unclear on whether specific downstream individuals or entities have a “need to know” should contact the Commission at NORS_DIRS_information_sharing@fcc.gov to discuss its potential sharing with the individuals and entities well in advance of a relevant public safety event. · Participating agencies will be held responsible for inappropriate disclosures of NORS/DIRS data by the downstream recipients with which they share such information. The consequences for improper disclosures of NORS/DIRS data by a participating agency or a downstream recipient with which the agency shared such information may result in termination of access to NORS and DIRS data for the participating agency. 2. Downstream Recipients · Downstream recipients must separately certify, directly to the participating agency providing the information that the recipient will comply with the following: o the recipient will treat received information as confidential, o the recipient will not publicly disclose this information unless the Commission allows them to do so, o the recipient will securely destroy the information when the on-going public safety event that warrants the information has concluded, and, o the recipient will complete security training by using the Participating Agencies’ training materials. · Downstream recipients must complete and submit the certification form prior to obtaining access to NORS/DIRS data from participating agencies. · Downstream recipients must report any unauthorized access to participating agency from which the shared information was obtained. · Downstream recipients are prohibited from further downstream sharing of shared NORS/DIRS. C. Obligations for Service Providers (47 CFR § 4.11) · By the September 30, 2022, effective date, providers must report outages that span multiple states by selecting more than one state when submitting a NORS filing. o The NORS form will change to facilitate reporting this geographic scope by prompting providers to select one or more states or other geographic areas when supplying a NORS report.  Providers may have to update or revise any software used to report outages to the Commission in NORS to accommodate this change. · Service providers can submit written requests for access to audit logs, which detail which eligible participating agencies have obtained access to a service provider’s records. This access will only be granted if the Public Safety and Homeland Security Bureau determines that doing so would be in the public interest. o The request must explain the specific circumstances that the provider believes warrants its access to audit logs and identify, with particularity, the requested date ranges and entities covered under the request. D. Secure Destruction of Confidential NORS/DIRS Information (47 CFR § 4.2(b)) · Securely destroying confidential NORS/DIRS information, at a minimum, requires destruction by securely cross-cut shredding, or machine-disintegrating, paper copies of the information, and irrevocably clearing and purging digital copies, when the public safety event that warrants access to the information has concluded. III. RECORDKEEPING AND REPORTING REQUIREMENTS The rules adopted in the Second Report and Order contain new information collection requirements for recordkeeping and reporting associated with the network outage and infrastructure status information sharing framework for NORS and DIRS confidential information. The requirements involve online submissions and retention of documentation that must be made available to the Commission upon request. The Second Report and Order also contains updated information collection requirements for service providers, which includes making minor adjustments to their existing reporting process to include multistate reporting on their NORS filings pursuant to 47 CFR § 4.11. The details and specifics of the reporting and recordkeeping requirements adopted in the Second Report and Order can be found in Section II of this guide under the Compliance Requirements. IV. IMPLEMENTATION DATE The rules in the Second Report and Order shall become effective on September 30, 2022. This effective date may be extended by the Commission, if necessary, by publication of a Public Notice in the Federal Register and review and approval by the Office of Management and Budget (OMB). V. INTERNET LINKS A copy of the Second Report and Order, is available at: https://docs.fcc.gov/public/attachments/FCC-21-34A1.pdf. A copy of the Federal Register Summary of the Second Report and Order is available at: https://www.federalregister.gov/documents/2021/04/29/2021-07457/disruptions-to-communications.