February 24, 2021 FCC FACT SHEET* Amendments to Part 4 of the Commission s Rules Concerning Disruptions to Communications Second Report and Order - PS Docket No. 15-80 Background: The Commission supports the Nation s incident preparedness and emergency response efforts by collecting and providing accurate and timely communications outage and infrastructure status information via its Network Outage Reporting System (NORS) and Disaster Information Reporting System (DIRS). The Commission s experience with recent major outages from the 2017 hurricanes, tornadoes, and flooding, to power shutdowns in California and the latest earthquakes in Puerto Rico underscore the value of reliable and timely outage information to the rapid restoration of communications and the crucial role that state and other government authorities play in this restoration. This Second Report and Order would adopt a framework to provide state and federal agencies with access to outage information to improve their situational awareness, enhance their ability to respond more quickly to outages impacting their communities, and help save lives, while safeguarding the confidentiality of this data. What the Second Report and Order Would Do: ·ð Provide direct, read-only access to NORS and DIRS filings to agencies of the 50 states, the District of Columbia, tribal nations, territories, and federal government that have official duties that make them directly responsible for emergency management and first responder support functions. ·ð Allow these agencies to share NORS and DIRS information with agency officials, first responders, and other individuals with a  need to know who cannot directly access NORS and DIRS and yet play a vital role in preparing for, or responding to, events that threaten public safety. ·ð Allow participating agencies to publicly disclose aggregated and anonymized information derived from NORS or DIRS filings. ·ð Condition a participating agency s direct access to NORS and DIRS filings on their agreement and ability to preserve the confidentiality of the filings and not disclose them absent a finding by the Commission allowing the disclosure. ·ð Establish an application process that would grant eligible agencies access to NORS and DIRS after those agencies certify to certain requirements related to maintaining the confidentiality of the data and the security of the databases. * This document is being released as part of a  permit-but-disclose proceeding. Any presentations or views on the subject expressed to the Commission or its staff, including by email, must be filed in PS Docket No. 15-80, which may be accessed via the Electronic Comment Filing System (https://www.fcc.gov/ecfs/). Before filing, participants should familiarize themselves with the Commission s ex parte rules, including the general prohibition on presentations (written and oral) on matters listed on the Sunshine Agenda, which is typically released a week prior to the Commission s meeting. See 47 CFR § 1.1200 et seq. Federal Communications Commission FCC-CIRC2103-01 Before the Federal Communications Commission Washington, D.C. 20554 In the Matter of ) ) Amendments to Part 4 of the Commission s Rules ) PS Docket No. 15-80 Concerning Disruptions to Communications ) SECOND REPORT AND ORDER* Adopted: [] Released: [] By the Commission: TABLE OF CONTENTS Heading Paragraph # I.  INTRODUCTION .................................................................................................................................. 1  II.  BACKGROUND .................................................................................................................................... 4  III.  SECOND REPORT AND ORDER ...................................................................................................... 16  A.  Sharing NORS filings with State, Federal and Other Agencies ..................................................... 18  B.  Sharing DIRS filings with State, Federal and Other Agencies ...................................................... 20  C.  Scope of Direct Access .................................................................................................................. 22  D.  Confidentiality Protections ............................................................................................................ 43  E.  Preemption and its Relation to State, Federal and Other Reporting Requirements ....................... 56  F.  Safeguards for Direct Access to NORS and DIRS Filings ............................................................ 58  1.  Read-Only Direct Access to NORS and DIRS and Limits on Access to Historical Filings ...................................................................................................................................... 60  2.  Disclosing Aggregated NORS and DIRS Information ............................................................ 66  3.  Direct Access to NORS and DIRS Filings Based on Jurisdiction ........................................... 74  4.  Limiting the Number of User Accounts Per Participating Agency ......................................... 87  5.  Training Requirements ............................................................................................................ 96  6.  Sharing of Confidential NORS and DIRS Information ......................................................... 111  G.  Procedures for Requesting Direct Access to NORS and DIRS ................................................... 138  H.  Effective Dates ............................................................................................................................ 151  IV. PROCEDURAL MATTERS .............................................................................................................. 153  V.  ORDERING CLAUSES ..................................................................................................................... 158  Appendix A: Final Rule Appendix B: Final Regulatory Flexibility Analysis Appendix C: Certification Form Appendix D: Exemplar Aggregated Data * This document has been circulated for tentative consideration by the Commission at its March open meeting. The issues referenced in this document and the Commission s ultimate resolutions of those issues remain under consideration and subject to change. This document does not constitute any official action by the Commission. However, the Acting Chairwoman has determined that, in the interest of promoting the public s ability to understand the nature and scope of issues under consideration, the public interest would be served by making this document publicly available. The Commission s ex parte rules apply, and presentations are subject to  permit-but-disclose ex parte rules. See, e.g., 47 CFR §§ 1.1206, 1.1200(a). Participants in this proceeding should familiarize themselves with the Commission s ex parte rules, including the general prohibition on presentations (written and oral) on matters listed on the Sunshine Agenda, which is typically released a week prior to the Commission s meeting. See 47 CFR §§ 1.1200(a), 1.1203. Federal Communications Commission FCC-CIRC2103-01 Appendix E: List of Commenting Parties I. INTRODUCTION 1. Section 1 of the Communications Act of 1934, as amended (the Act), charges the Commission with  promoting safety of life and property through the use of wire and radio communications. 1 This statutory objective and statutory authorities cited below2 have supported the Commission s institution of outage reporting requirements, codified in Part 4 of our rules, that require providers to report network outages that exceed specified magnitude and duration thresholds.3 The outage data that the Commission collects pursuant to Part 4 provide critical situational awareness that enables the Commission to be an effective participant in emergency response and service restoration efforts, particularly in the early stages of communications disruption. Indeed, recent natural and manmade disasters, including hurricanes, tornadoes, floods wildfires, and most recently severe winter storms, that have caused outages to communications networks demonstrate the need for reliable outage data. Whether partial or complete, outages can lead to preventable loss of life and damage to property by causing delays and errors in emergency response and disaster relief efforts. 2. Currently, the Commission collects network outage information in the Network Outage Reporting System (NORS) and infrastructure status information in the Disaster Information Reporting System (DIRS). This information is sensitive for reasons concerning national security and commercial competitiveness, and the Commission thus treats it as presumptively confidential. The Commission makes this information available to the Department of Homeland Security s (DHS) National Cybersecurity and Communications Integration Center but does not share the information more broadly with other federal, state, or local partners.4 However, in a 2016 Report and Order and Further Notice, the Commission found that state and federal agencies would benefit from direct access to NORS data and that  such a process would serve the public interest if implemented with appropriate and sufficient safeguards. 5 3. Today s Order bridges this gap and promotes better information sharing and awareness during times of emergency. It creates a framework to provide state, federal, local, and Tribal partners with access to the critical NORS and DIRS information they need to ensure the public s safety while preserving the presumptive confidentiality of the information. Today s actions will ensure that these public safety officials can appropriately and effectively leverage the same reliable and timely network outage and infrastructure status information as the Commission when responding to emergencies. II. BACKGROUND 4. Network Outage Reporting System or NORS. In 2004, the Commission adopted rules that require outage reporting for communications providers, including wireline, wireless, paging, cable, satellite, VoIP, and Signaling System 7 service providers, to address  the critical need for rapid, complete, and accurate information on service disruptions that could affect homeland security, public health or safety, and the economic well-being of our Nation, especially in view of the increasing importance of 1 47 U.S.C. § 151. 2 Infra para. 158. 3 See 47 CFR pt. 4. 4 New Part 4 of the Commission s Rules Concerning Disruptions to Communications, ET Docket No. 04-35, Report and Order and Further Notice of Proposed Rulemaking, 19 FCC Rcd 16830, 16856, para. 47 (2004) (2004 Part 4 Report and Order) (making NORS reports available to DHS  in encrypted form and immediately upon receipt ). 5 Amendments to Part 4 of the Commission s Rules Concerning Disruptions to Communications, et al., PS Docket No. 15-80 et al., Report and Order, Further Notice of Proposed Rulemaking, and Order on Reconsideration, 31 FCC Rcd 5817, 5853, para. 88 (2016) (2016 Report and Order and Further Notice). 2 Federal Communications Commission FCC-CIRC2103-01 non-wireline communications in the Nation s communications networks and critical infrastructure. 6 These rules currently do not extend to broadband networks.7 5. Under these rules, certain service providers must submit outage reports to NORS for outages that exceed specified duration and magnitude thresholds.8 Service providers are required to submit a notification to NORS generally within two hours of determining that an outage is reportable to provide the Commission with timely preliminary information.9 The service provider must then either (i) provide an initial report within three calendar days, followed by a final report with complete information on the outage within 30 calendar days of the notification;10 or (ii) withdraw the notification and initial reports if further investigation indicates that the outage did not in fact meet the applicable reporting thresholds. 11 6. All three types of NORS filings notifications, initial reports, and final reports contain service disruption or outage information that, among other things, include: the reason the event is reportable, incident date/time and location details, state affected, number of potentially affected customers, and whether enhanced 911 (E911) was affected.12 The Commission analyzes NORS outage reports, in the short-term, to assess the magnitude of major outages and, in the long-term, to identify network reliability trends and determine whether the outages likely could have been prevented or mitigated had the service providers followed certain network reliability best practices. Information collected in NORS has contributed to several of the Commission s outage investigations and recommendations for improving network reliability.13 7. NORS filings are presumed confidential and thus are withheld from routine public inspection.14 The Commission grants read-only access to outage report filings in NORS to the National 6 2004 Part 4 Report and Order (adopting 47 CFR Part 4). 7 In 2016, the Commission sought comment on whether its part 4 rules should be updated to implement a proposed system for the mandatory reporting of broadband network outages and other disruptions, including those based on performance degradation. See 2016 Report and Order and Further Notice, 31 FCC Rcd at 5863-76. The proposals in the 2016 Report and Order and Further Notice remain pending. 8 47 CFR § 4.9. 9 See 47 CFR § 4.9. 10 See 47 CFR § 4.9 (describing the outage reporting requirements for communications service providers). Interconnected VoIP service providers do not file initial reports but instead file a notification and then a final report. 47 CFR § 4.9(g). 11 See 47 CFR § 4.9. 12 FCC, Network Outage Reporting System User Manual, version 3 (2018), https://www.fcc.gov/file/12265/download. 13 See, e.g., FCC, Public Safety and Homeland Security Bureau, December 27, 2018 CenturyLink Network Outage Report (PSHSB 2018), https://docs.fcc.gov/public/attachments/DOC-359134A1.pdf; FCC, Public Safety and Homeland Security Bureau, March 8th, 2017 AT&T VoLTE 911 Outage Report and Recommendations, PS Docket No. 17-68, (PSHSB 2017) https://docs.fcc.gov/public/attachments/DOC-344941A1.pdf; FCC, Public Safety and Homeland Security Bureau, April 2014 Multistate 911 Outage: Cause and Impact, Report and Recommendations, PS Docket No. 14-72, (PSHSB 2014) https://docs.fcc.gov/public/attachments/DOC-330012A1.pdf; FCC, Public Safety and Homeland Security Bureau, Impact of the June 2012 Derecho on Communications Networks and Services, Report and Recommendations, (PSHSB 2013) https://docs.fcc.gov/public/attachments/DOC- 318331A1.pdf. 14 47 CFR §§ 0.457(d)(vi), 4.2. See 2004 Part 4 Report and Order, 19 FCC Rcd at 16834, 16852-53, 16855-56, 16922, paras. 3, 40, 45-46 and Appendix A; Amendments to Part 4 of the Commission s Rules Concerning Disruptions to Communications, et al., PS Docket No. 15-80 et al., Notice of Proposed Rulemaking, Second Report and Order, and Order on Reconsideration, 30 FCC Rcd 3206, 3224, para. 51 (2015) (2015 Notice); Amendments to Part 4 of the Commission s Rules Concerning Disruptions to Communications, et al., PS Docket No. 15-80 et al., (continued& .) 3 Federal Communications Commission FCC-CIRC2103-01 Cybersecurity and Communications Integration Center at DHS,15 but does not directly grant access to other federal agencies, state governments, or other entities.16 The Commission also publicly shares limited analyses of aggregated and anonymized data to address collaboratively industry-wide network reliability issues and improvements. 8. Disaster Information Reporting System or DIRS. In the wake of Hurricane Katrina, the Commission established DIRS as a means for service providers, including wireless, wireline cable service providers, and broadcasters, to voluntarily report to the Commission their communications infrastructure status and situational awareness information during times of crises.17 DIRS, like NORS, is a web-based filing system. The Commission analyzes infrastructure status information submitted in DIRS to provide public reports on communications status during DIRS activation periods,18 as well as to help inform investigations about the reliability of post-disaster communications.19 9. DIRS filings are also presumed confidential and disclosure of information derived from those filings is limited. The Commission grants direct access to the DIRS database to the National Cybersecurity and Communications Integration Center at DHS.20 The Commission also prepares and provides aggregated DIRS information, without company identifying information, to the National Cybersecurity and Communications Integration Center, which then distributes the information to a DHS- led group of federal agencies tasked with coordinating disaster response efforts, including other units in DHS, during incidents.21 Agencies use the analyses for their situational awareness and for determining restoration priorities for communications infrastructure in affected areas.22 The Commission also Report and Order, Further Notice of Proposed Rulemaking, and Order on Reconsideration, 31 FCC Rcd 5817, 5848- 49, 5875-76 paras. 81,144 (2016) (2016 Part 4 Order and Further Notice). 15 Department of Homeland Security, National Cybersecurity and Communications Integration Center, https://www.dhs.gov/cisa/national-cybersecurity-communications-integration-center (last visited Dec. 12, 2019). 16 2004 Part 4 Report and Order, 19 FCC Rcd at 16856, para. 47 (making NORS reports available to DHS  in encrypted form and immediately upon receipt ). DHS, however, may share relevant information with other federal agencies at its discretion. See id. 17 See Public Safety and Homeland Security Bureau Launches Disaster Information Reporting System (DIRS), DA 07-3871, Public Notice, 22 FCC Rcd 16757 (PSHSB 2007); Recommendations of the Independent Panel Reviewing the Impact of Hurricane Katrina on Communications Networks, Order, EB Docket No. 06-119 et al., 22 FCC Rcd at 10547-49, paras. 19-21 (2007). The Commission recently required a subset of service providers that receive Stage 2 funding from the Uniendo a Puerto Rico Fund or the Connect USVI Fund to report in DIRS when it is activated in the respective territories. The Uniendo a Puerto Rico Fund and the Connect USVI Fund, et al., WC Docket No. 18- 143, et al., Report and Order and Order on Reconsideration, 34 FCC Rcd 9109, 9174, 9176-77, paras. 133,138-140 (2019) (Puerto Rico & USVI USF Fund Report and Order). 18 See FCC, Public Safety and Homeland Security Bureau, Operations and Emergency Management Division, FCC Hurricane Response (Oct. 11, 2018), https://www.fcc.gov/fcc-hurricane-response. 19 See FCC, Public Safety and Homeland Security Bureau, October 2018 Hurricane Michael s Impact on Communications: Preparation, Effect, and Recovery (May 2019), https://docs.fcc.gov/public/attachments/DOC- 357387A1.pdf. 20 FCC, Communications Disaster Information Reporting System (DIRS), 3060-1003, Supporting Statement (2018). 21 This DHS-led group is the Emergency Support Function #2, which is composed of other participants including the Department of Agriculture, Department of Commerce, Department of Defense, General Services Administration, Department of Interior, and the Federal Communications Commission. See Federal Emergency Management Agency, Emergency Support Function #2, Communications Annex at 1 (June 2016), https://www.fema.gov/media- library-data/1473679033823-d7c256b645e9a67cbf09d3c08217962f/ESF_2_Communications_FINAL.pdf. 22 Chris Anderson, Chief, Operations and Emergency Management Division, Public Safety and Homeland Security Bureau, FCC, Response to Hurricanes Harvey, Irma, and Maria, Presentation at Commission Open Meeting at 2, (PSHSB 2017), https://docs.fcc.gov/public/attachments/DOC-346920A2.pdf (describing FEMA and other federal (continued& .) 4 Federal Communications Commission FCC-CIRC2103-01 provides aggregated data, without company-identifying information, to the public during disasters. 10. Expanding Access to NORS and DIRS. In a 2015 Notice, the Commission proposed to grant state governments  read-only access to those portions of the NORS database that pertain to communications outages in their respective states. 23 The Commission also asked if this access should extend beyond states and include  the District of Columbia, U.S. territories and possessions, and Tribal nations. 24 The Commission proposed to condition access on a state or other agency s certification that it  will keep the data confidential and that it has in place confidentiality protections at least equivalent to those set forth in the federal Freedom of Information Act (FOIA). 25 The Commission sought comment on other key implementation details, including how to  ensure that the data is shared with officials most in need of the information while maintaining confidentiality and assurances that the information will be properly safeguarded. 26 Similarly, the Commission sought comment on sharing NORS filings with federal agencies besides the Department of Homeland Security pursuant to certain safeguards to protect presumptively confidential information.27 11. In a 2016 Report and Order and Further Notice, the Commission found that the record reflected broad agreement that these agencies would benefit from direct access to NORS data and that  such a process would serve the public interest if implemented with appropriate and sufficient safeguards. 28 The Commission determined that providing agencies with direct access to NORS filings would have public benefits but concluded that the process required more development for  a careful consideration of the details that may determine the long-term success and effectiveness of the NORS program. 29 12. Finding that the record was not fully developed and that the  information sharing proposals raise[d] a number of complex issues that warrant[ed] further consideration, 30 the Commission directed the Public Safety and Homeland Security Bureau (PSHSB) to further study and develop proposals regarding how NORS filings could be shared with agencies in real time, keeping in mind the information sharing privileges already granted to DHS.31 The Bureau subsequently conducted ex parte meetings to solicit additional viewpoints from industry, state public service commissions, trade associations, and other public safety stakeholders on the issue of granting state and federal government agencies direct access to NORS and DIRS filings.32 agencies use of DIRS information  to understand the status of communications infrastructure in& impacted areas and to set restoration priorities ). 23 2015 Notice, 30 FCC Rcd at 3224, para. 51. 24 Id. at 3224, para. 51, n.101. 25 Id. at 3224, para. 51. 26 Id. at 3224, para. 52. 27 Id. at 3224-25, para. 54. 28 2016 Part 4 Order and Further Notice, 31 FCC Rcd at 5850-53, paras. 84-88. 29 Id. at 5853, para. 88. 30 Id. at 5853-54, para. 89. 31 Id. at 5853-54, para. 89. 32 See generally Letter from Jill Canfield, Vice President of Legal & Industry, Assistant General Counsel, NCTA to Marlene H. Dortch, Secretary, FCC, PS Docket No. 15-80 et al., (filed Nov. 1, 2018); Letter from James Bradford Ramsay, General Counsel, NARUC, to Marlene H. Dortch, Secretary, FCC, PS Docket No. 15-80 et al., (filed Nov. 1, 2018) (NARUC Ex Parte); Letter from Hien Vo Winter, Staff Counsel, California Public Utilities Commission, to Marlene H. Dortch, Secretary, FCC, PS Docket No. 15-80 et al. (filed Nov. 5, 2018); Letter from Francisco Sanchez, Jr., Deputy Emergency Management Coordinator, Harris County Office of Homeland Security & Emergency Management, to Marlene H. Dortch, Secretary, FCC, PS Docket No. 15-80 et al. (filed Nov. 26, 2018); Letter from (continued& .) 5 Federal Communications Commission FCC-CIRC2103-01 13. In a February 2020 Second Further Notice, the Commission proposed to: (i) grant direct, read-only access to the Commission s NORS and DIRS filings to agencies acting on behalf of the federal government, the 50 states, the District of Columbia, Tribal Nations, and the U.S. territories that demonstrate that they reasonably require access to prepare for, or respond to, an event that threatens public safety pursuant to their official duties (i.e., that have a  need to know ); (ii) authorize participating agencies to share copies of these filings, and any other confidential information derived from the filings, within or outside their agencies when a recipient also has a  need to know, subject to certain safeguards, (iii) allow the recipient to further share the confidential NORS and DIRS information, directly or in summarized form, with additional recipients; and (iv) authorize any recipient to freely share aggregated and anonymized information derived from the NORS and DIRS filings of at least four service providers.33 14. The Commission proposed to safeguard the confidentiality of NORS and DIRS information by conditioning an agency s direct access on agreements to: (i) treat NORS and DIRS filings as confidential and not disclose them, absent a finding by the Commission allowing the disclosure; and (ii) provide timely notification to the Commission when the agency receives a request from a third party to release NORS or DIRS filings or related records and when changes to statutes or rules would affect the agency s ability to adhere to the Commission s required confidentiality protections. 15. In response to the Second Further Notice, the Commission received 27 comments and 22 reply comments, representing 37 different entities and individuals, including a range of public safety organizations, state and local entities, service providers, and trade and advocacy organizations. III. SECOND REPORT AND ORDER 16. With this Order, we conclude that directly sharing NORS data with state and federal agencies, subject to appropriate and sufficient safeguards, is in the public interest, and we extend this finding to include the sharing of DIRS data. We limit eligibility for direct access to our NORS and DIRS databases to  need to know agencies acting on behalf of the federal government, the 50 states, the District of Columbia, Tribal Nations, and the U.S. territories. We also decide which agency responsibilities constitute a  need to know and limit a participating agency s use of this information to those purposes. We allow these agencies to share confidential information derived from NORS and DIRS filings with non-credentialed individuals at the participating agency and at non-participating agencies on a strict  need to know basis. We also allow recipients to release aggregated and anonymized NORS and DIRS information to the public and offer guidance on how that aggregation and anonymization should be performed. 17. To preserve the sensitive nature of NORS and DIRS filings, we adopt various safeguards, including limiting agency access to events occurring within an agency s jurisdiction; limiting access to five user accounts; requiring initial and annual security training; and requiring agencies to certify that they will take appropriate steps to safeguard the information contained in the filings, including notifying the Commission of unauthorized or improper disclosure. We require that participating agencies certify they will treat the information as confidential and not disclose the information absent a finding by the Commission that allows them to do so. We decline to allow non-participating agencies to further share the information with others. Under today s Order, we hold participating agencies responsible for any inappropriate disclosures of information by the non-participating agencies with which they share information, including by retaining the ability to terminate participating agencies direct access to NORS and DIRS. A. Sharing NORS filings with State, Federal and Other Agencies 18. In the Second Further Notice, the Commission tentatively concluded  that sharing NORS Robert G. Morse, Associate General Counsel, Federal Regulatory and Legal Affairs, Verizon, to Marlene H. Dortch, Secretary, FCC, PS Docket No. 15-80 et al., at 1-2 (filed Oct. 31, 2018) (Verizon Ex Parte). 33 Amendments to Part 4 of the Commission s Rules Concerning Disruptions to Communications, Second Further Notice of Proposed Rulemaking, 35 FCC Rcd 2239, 2239-94 (2020) (Second Further Notice). 6 Federal Communications Commission FCC-CIRC2103-01 data with state and federal agencies would serve the public interest provided that appropriate and sufficient safeguards were implemented and sought to refresh the record to inform next steps.34 We now observe that industry, public safety organizations, and government agency commenters overwhelmingly support the Commission s proposal. We agree with commenters concluding that sharing NORS filings with other agencies will improve situational awareness during and after disasters, enable agencies to better assess the public s ability to access emergency communications, and assist with the coordination of emergency response efforts.35 19. The Alliance for Telecommunications Industry Solutions (ATIS), however, maintains that while it  supports efforts that aid in restoral of communications services and that help save lives, the sharing of NORS reports will  generally not serve such purposes and NORS reports contain information that is not relevant to public safety.36 We reject ATIS s view as it is controverted by a number of commenters explaining, with detailed examples and based on knowledge of their own day to day responsibilities and operations, why the information contained in NORS filings is relevant to public safety by assisting in rapid communications service restoration and enhancing situational awareness.37 For example, the Montrose Emergency Telephone Service Authority (METSA) believes that if the Colorado Public Utilities Commission (COPUC) had been granted NORS access following a July 2019 fiber cut,  the COPUC could have assisted with generalized information regarding areas which were truly impacted by the outage. 38 In another example, Massachusetts Department of Telecommunications and Cable (MDTC) believes that direct access to NORS data would have provided it, local official and town residents, businesses, and government offices with  timely, and therefore, actionable information about a recent wireline telephone service outage. MDTC also believes that access would have helped providers avoid the burden of being contacted multiple times by multiple parties.39 B. Sharing DIRS filings with State, Federal and Other Agencies 20. In the Second Further Notice, the Commission also proposed sharing DIRS filings with eligible state and federal agencies and sought comment on the anticipated benefits of sharing DIRS filings.40 We adopt this proposal, finding that sharing DIRS filings will enhance public safety by improving participating agencies situational awareness regarding infrastructure status and helping to inform their decisions on how to allocate resources. No commenters oppose the Commission s DIRS proposal. Rather, many agree that sharing DIRS filings will provide the benefits cited by the Commission in the Second Further Notice, including improving the effectiveness of response and recovery efforts during and after disasters and providing stakeholders with actionable status of communications outages.41 Communications Workers of America (CWA) states that  information contained in the DIRS will be very helpful to understand the status of communications infrastructure in the impacted area and to set 34 Second Further Notice, 35 FCC Rcd at 2244, at para. 16. 35 See, e.g., NYPSC April 30, 2020 Comments at 2; see also NASNA April 30, 2020 Comments at 2-3; BRETSA April 30, 2020 Comments at 6-9; DCPSC June 1, 2020 Reply Comments at 2; MPSC April 30, 2020 Comments at 2-3; AT&T April 30, 2020 Comments at 2; Verizon April 30, 2020 Comments at 3-4. 36 ATIS April 30, 2020 Comments at 2. ATIS also argues that specific NORS fields should not be shared with agencies. 37 CWA April 30, 2020 Comments at 2-3; MPSC April 30, 2020 Comments at 2; METSA April 30, 2020 Comments at 1. 38 METSA April 30, 2020 Comments at 2. 39 MDTC April 30, 2020 Comments at 5-6. 40 Second Further Notice, 35 FCC Rcd at 2245-46, paras. 19-20. 41 Second Further Notice, 35 FCC Rcd at 2246 at para. 22; see also NYPSC April 30, 2020 Comments at 1-2; CTIA April 30, 2020 Comments at 4-5; CoPUC April 30, 2020 Comments at 3; NARUC June 1, 2020 Reply Comments at 5. 7 Federal Communications Commission FCC-CIRC2103-01 restoration priorities following major events such as wildfires and flooding.42 Other commenters underscore that access to both DIRS and NORS are vital to aid in situational awareness and emergency response initiatives because in the counties where DIRS has been activated, NORS reporting obligations are typically suspended for the duration of the DIRS activation.43 21. Some commenters urge the Commission to make DIRS reporting mandatory.44 We decline to do so, as this issue is outside of the scope of this rulemaking. We agree with T-Mobile that such action would go  beyond the question of sharing NORS and DIRS data and the manner in which the information should be shared. 45 We also note that as our priority with this proceeding is ensuring that agencies begin to receive critical information about service outages to assist them in their service restoration initiatives, technical changes that may be necessitated by making DIRS reporting mandatory could delay such access. C. Scope of Direct Access 22. Eligibility for direct access. In the Second Further Notice, the Commission proposed that direct access to NORS and DIRS be limited to agencies acting on behalf of the federal government, the 50 states, the District of Columbia, Tribal Nations, and the U.S. territories (including Puerto Rico and the U.S. Virgin Islands).46 We adopt this proposal. 23. The majority of commenters agree with this proposal, typically without significant comment.47 For example, T-Mobile remarks that limiting direct access in this way strikes an appropriate balance between disseminating NORS and DIRS information to those who most need it (i.e., to save lives and property) and safeguarding the information s confidential nature.48 The California Public Utilities Commission believes that Tribal Nation eligibility is appropriate since Tribal Nation governments have oversight responsibility for public safety matters in their lands in the same manner as the other entities that the Commission has identified for direct access.49 We find that limiting direct access to NORS and DIRS filings is necessary to limit the risk for the over disclosure of sensitive and confidential information and to ensure administrative efficiency.50 24. We reject Colorado Public Utilities Commission s view that Tribal Nation entities should be eligible for direct access only if they do not participate directly in a state 911 program or have their 42 CWA April 30, 2020 Comments at 3. 43 CoPUC April 30, 2020 Comments at 3; NASNA April 29, 2020 Comments at 6-7; NYPSC April 30, 2020 Comments at 1-2 (stating that for areas where DIRS is activated,  having access to both systems will provide a more complete and actionable status of outages ); METSA April 30, 2020 Comments at 2 (stating that  access to DIRS would help mitigate the lack of NORS reporting while DIRS is activated during disasters, enabling these agencies to provide enhanced emergency responses and coordination with local emergency notification system operators ). 44 See, e.g. MDTC April 30, 2020 Comments at 3; BRETSA June 1, 2020 Reply Comments at 12; Free Press April 30, 2020 Comments at 3. 45 T-Mobile June 1, 2020 Reply Comments at 8-9. 46 Second Further Notice, 35 FCC Rcd at 2247-48, at paras 23, 25 and 27. 47 E.g., Verizon April 30, 2020 Comments at 8-10; NASNA April 29, 2020 Comments at 8; CoPUC April 29, 2020 Comments at 4; T-Mobile April 30, 2020 Comments at 3-4; NCTA April 30, 2020 Comments at 1-2. 48 T-Mobile April 30, 2020 Comments at 3-5; CPUC April 30, 2020 Comments at 5. 49 CPUC April 30, 2020 Comments at 5. 50 Second Further Notice, 35 FCC Rcd at 2247, at para. 24. While the Commission proposed to disallow direct access by local agencies, it proposed mechanisms to ensure that local agencies and related entities and individuals could indirectly access NORS and DIRS information on a case-by-case basis. Second Further Notice at paras 37-46. We adopt some of these mechanisms today. 8 Federal Communications Commission FCC-CIRC2103-01 own 911 program.51 We find no reason to treat Tribal Nations differently than state agencies with respect to NORS or DIRS information sharing, and commenters have offered no new evidence to warrant such a departure. The Colorado Public Utilities Commission s approach appears to assume that NORS and DIRS information is only beneficial as it relates to improving 911 service. In contrast, we find that jurisdictions, including Tribal lands, can benefit from NORS and DIRS information for uses beyond improved 911 performance.52 This is corroborated, for example, by The Utility Reform Network s comments evidencing that agencies serving Tribal lands would have been better able to transmit emergency evacuation alerts during the 2019 California wildfire event had they had access to outage information.53 We find that Tribal Nations have a need for NORS and DIRS information regardless of their participation in a state s 911 program. 25. We reject the position of some commenters that at the state or local level, only state- based fusion centers (i.e., state-owned and operated centers that serve as focal points in states and major urban areas for the receipt, analysis, gathering and sharing of threat-related information among state, local, Tribal, territorial, federal and private sector partners) should be eligible to directly access NORS and DIRS data.54 These commenters argue that fusion centers are uniquely qualified for direct access because they work closely with state public safety agencies, are familiar with handling, analyzing, and summarizing sensitive information, and typically operate around the clock or because of their  connection to the federal government. 55 We are not persuaded. 26. Our experience over many years indicates that many other types of agencies have experience in coordinating with public safety agencies, handling sensitive information, and working tirelessly when disasters strike. No commenter has argued or provided evidence that fusion centers have specific expertise in interpreting NORS and DIRS outage information such that they alone should disseminate it. Fusion centers are not uniquely or solely qualified in this regard. We therefore find no reason to preclude otherwise eligible state agencies from accessing NORS and DIRS information, especially if such access would enhance public safety response and situation awareness. Contrary to views posited by the IACP, we find no administrative benefit in limiting accessibility to NORS and DIRS information to fusion centers. Instead, by exercising our administrative oversight for reviewing each application for access to NORS and DIRS, as detailed in today s Order,56 the Commission will be better able to ensure that NORS and DIRS information is used appropriately. 27. Local Agencies. We are not persuaded by commenters who argue that local agencies should be eligible for direct access to NORS and DIRS because they have the primary responsibility for responding to emergencies.57 We find the potential benefits of doing so are outweighed by the substantial 51 CoPUC April 29, 2020 Comments at 5. 52 NORS reporting generally encompasses outages occurring on wireline, wireless, paging, cable, satellite, VoIP, and Signaling System 7 service provider s networks, and is used by the Commission to assess the magnitude of major outages, identify trends, and promote network reliability best practices that can prevent or mitigate future disruptions over these network types. See, e.g., FCC, Network Outage Reporting System (NORS), https://www.fcc.gov/network-outage-reporting-system-nors (last visited Aug. 31, 2020). 53 TURN April 30, 2020 Comments at 2-3. 54 IACP April 30, 2020 Comments at 5-6; SIA June 1, 2020 Reply Comments at 2-3; Brad Young March 16, 2020 Comments at 1. The Department of Homeland Security, Fusion Centers, https://www.dhs.gov/fusion-centers (Sept. 19, 2019). 55 IACP April 30, 2020 Comments at 5-6; SIA June 1, 2020 Reply Comments at 2-3; see also SIA July 17, 2020 ex parte at 2. 56 Infra at § III.G. 57 City of New York June 1, 2020 Reply Comments at 1; see also BRETSA April 30, 2020 Comments at 5-6 (describing that local entities play a primary role in emergency response); see also CPUC April 30, 2020 Comments at 6-9. 9 Federal Communications Commission FCC-CIRC2103-01 risks and burdens of providing local agencies with direct access. 28. As noted by some commenters, local entity governments typically do not have the level of experience navigating the kinds of outage and infrastructure status information contained in NORS and DIRS filings that state agencies do.58 We agree with USTelecom that providing direct access to local entities would likely exponentially increase the number of participating entities,59 thus complicating administration and increasing opportunities for erroneous disclosure of confidential information.60 We believe such a large increase would render it difficult or impossible for the Commission to effectively administer the sharing framework. Instead, we believe that providing local entities indirect access, through participating agencies with direct access, will sufficiently support the public safety needs of localities while striking a fair balance between sharing NORS and DIRS information and minimizing the potential for unauthorized disclosure.61 29. We similarly reject the views of some commenters that request that the Commission provide local entities with direct access purportedly so that state agencies are not burdened by, and delays are not created in, requiring them to provide this information to local entities themselves.62 Today s framework does not require, but only allows, these agencies to share NORS and DIRS information with local entities. As the National Association of Regulatory Utility Commissioners (NARUC) points out, agencies collectively have more resources dispersed across the country than the Commission.63 We find that the responsibility of disseminating information to local entities is most efficiently placed on this range of state and other agencies, each with specific knowledge and incentives to further public safety in its own jurisdiction. 30. We also are not convinced that allowing an agency with direct access to share its credentials with an associated local entity would alleviate our administrative burdens and disclosure risk concerns, as opined by the Texas 9-1-1 Entities.64 We reject this approach because it would allow direct access to NORS and DIRS by local agencies whose certifications have not been reviewed and approved by the Commission and are not directly accountable to the Commission. We find that a credential sharing scheme would unacceptably increase the risk that our training and other procedural safeguards would not be implemented, which would make it more likely that NORS and DIRS filings could be improperly used or disclosed. 31. We also find unconvincing, the view of one commenter that  advocates, researchers and the public, among others, should be eligible for direct access purportedly  to hold telecommunications providers accountable and monitor the communications rights of impacted communities. 65 This approach fails to address the Commission s findings that have long treated NORS and DIRS filings as presumptively confidential to further national security and protect commercially sensitive information. We find that granting such broad access to NORS and DIRS information would effectively render that treatment moot and thereby detract from these objectives. 32. Eligible agencies must have a  need to know. In the Second Further Notice, the Commission proposed that direct access to NORS and DIRS be limited to eligible agencies that have a  need to know, which was defined as  reasonably requir[ing] access to the information in order to 58 CoPUC April 29, 2020 Comments at 4; NASNA April 29, 2020 Comments at 8. 59 USTelecom April 30, 2020 Comments at 2. 60 Second Further Notice, 35 FCC Rcd at 2247, at para. 24. 61 USTelecom April 30, 2020 Comments at 2; see also CoPUC April 29, 2020 Comments at 4. 62 E.g., CPUC April 30, 2020 Comments at 6. 63 NARUC June 1, 2020 Reply Comments at 3. 64 Texas 9-1-1 Entities June 1, 2020 Reply Comments at 6-7. 65 Free Press, April 30, 2020 Comments at 2. 10 Federal Communications Commission FCC-CIRC2103-01 prepare for, or respond to, an event that threatens public safety, pursuant to its official duties. 66 We today adopt a modified definition of  need to know that includes only agencies that have official duties that make them directly responsible for emergency management and first responder support functions. 33. Most commenters agree that direct access should be limited to agencies with a  need to know to prevent the over-disclosure of sensitive NORS and DIRS information,67 though commenters differ in their views on the appropriate definition of the term. We are persuaded by Verizon that a  need to know should be defined to refer to an agency  having official duties making it directly responsible for emergency management and first responder support functions. 68 We find that this definition best achieves the goal of ensuring that only agencies with the greatest and most relevant public safety needs have access to the sensitive information contained in our NORS and DIRS databases. We note that this definition for  need to know is more specific and narrow than what the Commission proposed in the Second Further Notice and will minimize the number of disputes over which agencies qualify for access, thus preserving public safety resources.69 While we do not exhaustively enumerate here every type of agency that may qualify for access under our adopted  need to know standard, we expect that qualifying agencies will include state homeland security and emergency management departments, state first responder departments (including fire and law enforcement departments), and state public utility (or public service) commissions.70 34. In view of the record, we disagree with the views of the Competitive Carriers Association and T-Mobile who argued that the Commission s earlier proposed definition of  need to know struck an appropriate balance between ensuring that an appropriate set of agencies will have access to NORS and DIRS data for their public safety efforts and reducing the likelihood of improper disclosure.71 For the reasons noted above, we find that a more objective and narrower standard is necessary for today s program to be administrable and to ensure that the sensitive information in NORS and DIRS filings is not disseminated broadly beyond a small set of core agencies in each state or other jurisdiction. 35. Demonstrating a  need to know. An agency applying for direct access to NORS and DIRS must demonstrate its  need to know by citing to statutes or other regulatory authority that establishes it has official duties making it directly responsible for emergency management and first responder support functions. 36. We agree with Verizon and NCTA that an objective showing of legal authority, in the form of statues or other regulatory bases, is necessary as part of the application process to ensure that only qualified agencies have direct access to NORS and DIRS filings.72 We find that the approach we adopt today will avoid protracted disputes and subjective interpretations about what roles and responsibilities an agency may have during an emergency and will guard against the over-disclosure of sensitive NORS and DIRS information. 37. Scope of Use. In the Second Further Notice, the Commission proposed that NORS and 66 Second Further Notice, 35 FCC Rcd at 2247, at para. 23. 67 CCA April 30, 2020 Comments at 4; T-Mobile April 30, 2020 Comments at 3-4; CoPUC April 29, 2020 Comments at 8; METSA April 30, 2020 Comments at 2; Verizon April 30, 2020 Comments 13. 68 Verizon April 30, 2020 Comments 13. 69 NCTA April 30, 2020 Comments at 3. We confirm NCTA s view that an  event giving rise to a  need to know may be either natural or  manmade. Id. 70 We agree with New York State Public Service Commission and the Public Service Commission of the District of Columbia that state public utility and service commissions typically support public safety and emergency response efforts, including by coordinating the restoration of telecommunications in their jurisdictions. NYPSC April 30, 2020 Comments at 3; DCPSC June 1, 2020 Reply Comments at 2. 71 CCA April 30, 2020 Comments at 4; T-Mobile April 30, 2020 Comments at 4. 72 Verizon April 30, 2020 Comments 13; NCTA June 1, 2020 Reply Comments at 1-2. 11 Federal Communications Commission FCC-CIRC2103-01 DIRS information accessed by participating agencies be used only for public safety purposes.73 We adopt this proposal and clarify that the only valid public safety purposes are the same purposes that would give rise to a  need to know, i.e., carrying out emergency management and first responder support functions that an agency is directly responsible for pursuant to its official duties. 38. Several commenters seek confirmation that certain use cases are permitted. We confirm commenters views that a participating agency s dissemination of information to other individuals responsible for preparing and responding to disasters is an acceptable use.74 We also confirm commenters views that the assessment of emergency notification options available in areas impacted by an outage or disaster, including determining whether Wireless Emergency Alert messages can be delivered and, if not, coordinating alternate methods of notification, is an acceptable use.75 We further confirm the views of the Telecommunications Regulatory Bureau of Puerto Rico and other commenters that identifying trends and performing analyses designed to make long-term improvements in public safety outcomes are acceptable uses. We agree that these long-term efforts are critical for preparing for events that threaten public safety in ways that will reduce the loss of life and property in future outage and disaster scenarios.76 We are similarly persuaded by the Massachusetts Department of Telecommunications and Cable, which explains the potential value of NORS and DIRS information in its analyses used to improve service and avoid future outages,77 and the Michigan Public Service Commission, which explains that the information would assist in understanding the nature of outages, ultimately resulting in more resilient networks.78 We find that these uses reflect carrying out emergency management and first responder support functions by informing the public of danger, or preparing in advance for such danger, to avoid the loss of life and property. 39. We expressly forbid the use of NORS and DIRS information obtained through the procedures we adopt today for non-emergency-related regulatory purposes, including merger review, consumer protection activities, contract disputes with a state, or the release of competitive information to the public. We agree with commenters that such uses of NORS and DIRS data would be inconsistent with the public safety purposes for which the sharing framework was created.79 Moreover, such uses could create counter-productive incentives for providers to supply superfluous information in their NORS and DIRS disclosures thereby diminishing the public safety value of these filings.80 40. 911 fee diversion. In the Second Further Notice, the Commission sought comment on whether it should exclude from eligibility agencies located in states that have diverted or transferred 911 fees for purposes other than 911 and how it should address agency access in states that have inadequately responded to Commission inquiries about their practices for using 911 fees.81 We decline to exclude agencies located in fee diverting states from eligibility in today s information sharing framework. 41. Nearly all commenters reject the exclusion of agencies on grounds that they are located in states that have engaged in fee diversion or provided an inadequate disclosure of their fee practices to the 73 Second Further Notice, 35 FCC Rcd at 2247, at para. 23. 74 CoPUC April 29, 2020 Comments at 4; METSA April 30, 2020 Comments at 2. 75 METSA April 30, 2020 Comments at 3; NASNA April 29, 2020 Comments at 14-15. 76 TRBPR April 29, 2020 Comments at 2. 77 MDTC April 29, 2020 Comments at 8. 78 MPSC April 30, 2020 Comments at 3; MPSC June 1, 2020 Reply Comments at 2. 79 Verizon June 1, 2020 Reply Comments at 7-9; see also AT&T Comments at 3; ATIS April 30, 2020 Comments at 5-6; NCTA April 30, 2020 Comments at 4, 8; NCTA Oct. 20, 2020 ex parte at 2. 80 ATIS April 30, 2020 Comments at 5-6. 81 Second Further Notice, 35 FCC Rcd at 2248, at para. 26. 12 Federal Communications Commission FCC-CIRC2103-01 Commission.82 We agree with those commenters who remark that access to NORS and DIRS information, and the important public safety benefits associated therewith, should not be conditioned on whether a state engages in 911 fee diversion.83 We find this point particularly compelling since, as noted by Colorado Public Utilities Commission and NASNA, diversion may be an act of the state legislature rather than the agency seeking access to NORS and DIRS information.84 42. We find that the benefits of providing NORS and DIRS information to entities in these states outweigh the possibility that withholding this information may incentivize legislatures to reconsider fee diversion decisions, particularly as no commenters offered evidence supporting this view.85 We are not persuaded otherwise by T-Mobile s conclusory statement supporting the exclusion of agencies, which in relying on comments filed in an unrelated proceeding, fails to address the potential negative impacts of withholding NORS and DIRS information from agencies or the extent to which doing so would motivate legislatures to reconsider their fee diversion decisions.86 D. Confidentiality Protections 43. Direct access conditioned on confidential treatment by agencies. In the Second Further Notice, the Commission proposed that the Commission make all confidentiality determinations implicating the release of confidential NORS and DIRS information pursuant to today s program.87 The Commission proposed that a participating agency only receive direct access to NORS and DIRS filings if it could agree, under its governing laws, that when it received a request to release NORS or DIRS information under open record laws in its jurisdiction, it would defer to and comply with a Commission determination and not disclose the filings other than as expressly allowed in today s Order or any subsequent Commission determinations.88 We adopt this proposal. 44. The majority of commenters, including state and local entities, and industry advocacy organizations, support this approach.89 We agree with Verizon that this approach is  essential to protecting NORS and DIRS information, because requests for disclosure of confidential information would be determined uniformly rather than being left to a patchwork of varying open records law standards among jurisdictions.90 We also agree with the IACP, which stresses that without the Commission s role in reviewing requests, public safety entities could face  nuisance lawsuits and have their scarce public safety resources diverted as they become  embroiled in legal challenges or extended discussions regarding the confidentiality of NORS and DIRS information. 91 We find that our approach would create a necessary, simple mechanism to control the flow of confidential NORS and DIRS 82 Free Press April 30, 2020 Comments at 9-10; NASNA April 29, 2020 Comments at 9; BRETSA April 30, 2020 Comments at 20-21; CoPUC April 29, 2020 Comments at 4-5; METSA April 30, 2020 Comments at 3. 83 CoPUC April 29, 2020 Comments at 4-5; NASNA April 29, 2020 Comments at 9; BRETSA April 30, 2020 Comments at 20-21; METSA April 30, 2020 Comments at 3. 84 CoPUC April 29, 2020 Comments at 4-5; NASNA April 29, 2020 Comments at 9. 85 On September 30, 2020, the Commission adopted a Notice of Inquiry seeking comment on ways to dissuade states and territories from diverting fees collected for 911 to other purposes, and on the effects of 911 fee diversion. See 911 Fee Diversion, PS Docket Nos. 20-291 and 09-14, Notice of Inquiry, FCC 20-134 (Sept. 30, 2020). 86 T-Mobile April 30, 2020 Comments at 4. 87 Id. 88 Second Further Notice, 35 FCC Rcd at 2249, at para. 31. 89 CPUC April 30, 2020 Comments at 8; MDTC April 29, 2020 Comments at 7-8; MPSC April 30, 2020 Comments at 4-5; ATIS April 30, 2020 Comments at 6; CWA April 30, 2020 Comments at 4; CCA April 30, 2020 Comments at 4. 90 Verizon April 30, 2020 Comments at 11. 91 IACP April 30, 2020 Comments at 6-7. 13 Federal Communications Commission FCC-CIRC2103-01 information, even when state and other open records laws vary. 45. Commenters confirm that this proposal is workable in practice. A number of state public utility commissions identify exemptions in their open records laws that allow them to defer to the Commission s FOIA determination in place of making their own.92 Moreover, no commenter contends that there is a jurisdiction that would not be able to defer to the Commission pursuant to the jurisdiction s open records and other relevant laws. We agree with The Utility Reform Network that state, federal and Tribal Nation entities are well versed in handling confidential material based on their other programs and that they would therefore be able to adhere to today s confidentiality requirements.93 We similarly agree with the California Public Utilities Commission and Massachusetts Department of Telecommunications and Cable, which bolster this point by noting that today s confidentiality requirements are familiar to many participating agencies because they resemble ones the Commission separately established for the sharing of presumptively confidential data with states in separate programs involving the Form 477 database and the North American Numbering Plan Administrator database. 94 46. We disagree with commenters that argue that the presumption of confidentiality on NORS and DIRS information is not fully warranted.95 While these commenters contend that NORS and DIRS information often does not contain information that is sensitive for national security reasons, no commenter provides practical guidance on how to distinguish at an operational level those reports that contain such sensitive information from those that do not. We also find that this argument fails to address the possibility that a collection of NORS and DIRS filings could reflect patterns that implicate national security, even when filings taken individually may not.96 Moreover, given that we maintain the presumption of confidentiality as to our own use of NORS and DIRS data, we find it logical to require that participating agencies, and those who receive information from them, be held to the same type of confidentiality standards. To do otherwise would allow these entities to disclose the data in ways that would contradict and render meaningless the Commission s own presumptively confidential treatment. Based on the lack of new information on the record, we agree with a number of commenters who corroborate the Commission s long-held view that NORS and DIRS information implicates national security concerns. 47. We also find unpersuasive the view of the California Public Utilities Commission that  industry s perception of the confidentiality of NORS and DIRS data is changing, merely because Verizon and other service providers have decided to increase their public disclosure of outage information around major communications outage events.97 On the contrary, we believe that a rollback of the Commission s presumption of confidentiality of NORS and DIRS data would actually have the opposite effect of discouraging companies from voluntarily taking meaningful incremental steps to make more information available.98 48. We also reject NTCA s position that today s framework should go further and shield NORS and DIRS filings from any disclosure in response to a request filed under state-level FOIA-type laws.99 The approach we adopt today permits disclosure only when the state defers to the Commission 92 E.g., DCPSC June 1, 2020 Reply Comments at 5; Pa. PUC April 30, 2020 Comments at 9-10. 93 TURN April 30, 2020 Comments at 3. 94 CPUC April 30, 2020 Comments at 8; MDTC April 29, 2020 Comments at 7-8. 95 NASNA April 29, 2020 Comments at 9-11; see also CoPUC April 29, 2020 Comments at 5-6; BRETSA April 30, 2020 Comments at 21-22. 96 Cf. Open Government Data Act, 44 U.S.C. § 3511(a)(2)(E) (recognizing that even if information in isolation may not pose a security risk, it may pose a risk when combined with other available information). 97 CPUC April 30, 2020 Comments at 9-11; see also NASUCA June 1, 2020 Reply Comments at 5-6. 98 Verizon June 1, 2020 Reply Comments at 3. 99 NTCA April 30, 2020 Comments at 2. 14 Federal Communications Commission FCC-CIRC2103-01 and the Commission makes a determination, based on the Federal FOIA standard, permitting the disclosure. Because the Commission will consider requests made under state-level open records laws identically to requests made under FOIA, NORS and DIRS information would not be better protected from inappropriate disclosure by specifically blocking from consideration any requests received by participating agencies under their open records laws. We also reject NARUC s view that the Commission s proposal is unnecessary since  to avoid concerns [in] the tiny minority of States that have arguably deficient FOIA-type protections in-place, the Commission need only condition access to the data on states providing some level of confidential treatment.100 We have not found any practical way to identify the purported  tiny minority of states that have deficient open records laws. Even among states that have  non-deficient laws, we expect that the substance of those laws is likely to vary in ways that would result in the different treatment of certain NORS and DIRS data fields from jurisdiction to jurisdiction. In contrast, the Commission s proposal would advantageously provide a uniform confidentiality standard and thus better protect confidential NORS and DIRS information from unauthorized disclosure. 49. Agency notifications to the Commission proposed in the Second Further Notice. In the Second Further Notice, the Commission proposed to require that a participating agency notify the Commission: (i) within 14 calendar days from the date the agency receives a request from third parties to disclose NORS filings and DIRS filings, or related records, pursuant to its jurisdiction s open record laws or other legal authority that could compel it to do so, and (ii) at least 30 calendar days prior to the effective date of any change in relevant statutes or rules (e.g., its open records laws) that would affect the agency s ability to adhere to the confidentiality protections in this information sharing framework.101 We adopt these proposals. 50. Commenters generally support these proposals and no commenter expressly opposes them.102 We find that the 14-day notification we adopt today will allow the Commission take appropriate action, including (at the Commission s option) notifying an affected service provider so that the provider can supply its comments on the matter if permitted under the jurisdiction s open records law. We find that the 30-day notification we adopt today will provide the Commission with an opportunity to determine whether to terminate an agency s access to NORS or DIRS filings or take other appropriate steps as necessary to protect this information. As noted in the Second Further Notice, we find that these proposals will help ensure consistency in disclosure by many disparate agencies that will receive this information under the terms of today s Order and will instill confidence that submitted information will continue to be protected as it is today. 51. Additional notifications proposed by commenters. We reject the views of commenters that additional notifications from the Commission or participating agencies are necessary to ensure that service providers can dispute various types of requests for NORS and DIRS information and thus protect the confidentiality of their shared information. ATIS argues that we should require a notification from a participating agency within 14 days of when it receives a request to share NORS and DIRS data with a local agency.103 ATIS also argues that for both this notification and the 14-day disclosure request notification the Commission proposed in the Second Further Notice, the Commission should be required (as opposed to have the option) to notify service providers to allow them sufficient opportunity to provide any input.104 ATIS further argues that we should also require participating agencies to notify service providers at least 30 calendar days prior to the effective date of any change in relevant statutes or rules 100 NARUC June 1, 2020 Reply Comments at 11. 101 Second Further Notice, 35 FCC Rcd at 2250, at para. 33. 102 NYPSC April 30, 2020 Comments at 3; T-Mobile April 30, 2020 Comments at 6. 103 ATIS April 30, 2020 Comments at iii and 6-7 104 ATIS April 30, 2020 Comments at iii and 6-7; see also T-Mobile April 30, 2020 Comments at 7-8 (arguing that a non-participating agency s request for access be subject to public notice prior to granting the access). 15 Federal Communications Commission FCC-CIRC2103-01 that could implicate the providers filings.105 CenturyLink similarly argues that service providers should be made aware when a local agency receives access to NORS and DIRS data.106 ACA Connect contends that an agency should be required to submit, apparently to the Commission, the name of all recipients that it shares information with.107 52. We reject these views. Our rules require that the Commission provide notice to service providers, and allow them an opportunity for comment, when it receives FOIA requests for their NORS and DIRS filings.108 Today s rules further require that a participating agency provide the Commission notice when it receives a request for the NORS and DIRS filings under its state or other open-records laws. No commenter has suggested that a participating agency would have difficulty providing such notice, or determining whether it may provide such notice, under its applicable laws. Given this, we find that the burden of requiring the Commission or participating agencies to provide a voluminous number of new notifications to service providers on receipt of sharing requests (which are likely to be received when major outages or other public safety events are on-going) to be an unwarranted diversion of scarce public safety resources from state, Tribal Nation, and local agencies, the Commission, and potentially service providers when they may be needed most. We note that the Commission retains the option to provide such notifications to providers when warranted under the circumstances but we reject a requirement that the Commission do so. We note that providers have the ability and incentive to monitor potential changes in confidentiality laws (where the providers operate) as a matter of general business practice, and we find it redundant and inefficient to ask participating agencies to commit their limited resources to this task. 53. We recognize, however, based on these comments, a need for increased accountability in how participating and non-participating agencies use NORS and DIRS information. We therefore adopt the requirement that each participating agency make available for Commission inspection, upon Commission request, a list of all localities for which the agency has disclosed NORS and DIRS data.109 While this requirement falls short of some commenters requests for additional notifications, we find that it appropriately balances maintaining accountability on the part of participating agencies with minimizing the day-to-day burden on agencies for participating in the sharing program. 54. The Commission is aware that agencies that voluntarily elect to participate in this information sharing framework may incur some costs due to the obligation to notify the Commission when they receive requests for NORS filings, DIRS filings, or related records and when there is a change in relevant statutes or laws that would affect the agency s ability to adhere to confidentiality protections. These costs include modest initial costs to review and revise their confidentiality protections in accordance with the framework we adopt in today s Order, and minimal reoccurring costs to notify the Commission as described above. We cannot quantify agency costs for these activities, which would vary based on each participating agency s particular circumstances, including the number of requests or changes in law that would necessitate notifications, as we lack the record evidence to quantify such benefits.110 This lack of quantification, however, does not diminish in any way the advantages of providing access to NORS and DIRS information to improve the safety of residents during times of telecommunications outage infrastructure distress. We conclude that the benefits of participation would likely exceed the costs for any agency electing to participate in today s framework; otherwise, such an 105 ATIS April 30, 2020 Comments at 7. 106 CenturyLink June 1, 2020 Reply Comments at 5. 107 ACA Connects April 30, 2020 Comments at 5. 108 47 CFR § 0.461(d)(3). 109 Second Further Notice, 35 FCC Rcd at 2253, at para. 42 (proposing such a list be prepared in advance of sharing rather made available on the Commission s request). 110 Office of Management and Budget, Circular A-4, at 27 (2003) https://www.whitehouse.gov/sites/whitehouse.gov/files/omb/circulars/A4/a-4.pdf (discussing benefits and costs that are difficult to quantify). 16 Federal Communications Commission FCC-CIRC2103-01 agency could avoid such costs altogether by deciding not to participate in this information sharing. We find that the benefits attributable to providing NORS and DIRS access to these agencies and other parties are substantial and may have significant positive effects on the abilities of these entities to safeguard the health and safety of residents during times of natural disaster or other unanticipated events that impair telecommunications infrastructure. 55. Moreover, we are unaware of any alternative approaches with lower costs, nor have any been identified by commenters, that would still ensure that the Commission promptly and reliably learns of the actions described above that may lead to the disclosure of NORS or DIRS-related information. Lessening the promptness or reliability of notifications to the Commission would disincentivize providers from supplying robust and fulsome NORS and DIRS reports and therefore reduce the benefits that those filings would provide to the Commission and participating agencies alike. We find that this reduction in benefits would outweigh the expected modest cost savings to those participating agencies that would be required to provide notifications under the framework we adopt today. E. Preemption and its Relation to State, Federal and Other Reporting Requirements 56. We reject requests from commenters that urge the Commission to preempt state outage reporting requirements.111 Some industry commenters, including T-Mobile and CenturyLink, generally favor preemption as they believe it will, among other considerations, promote uniformity in the outage reporting requirements they must observe.112 For example, T-Mobile states that  [c]onsistent with its recognition that there should be consistency with regard to outage information available to the public, the Commission should preempt state laws requiring the submission of outage data by wireless carriers. These laws often establish different thresholds for trigging outage reporting and could cause public confusion. 113 CenturyLink also comments that  [a]pproximately 34 states have outage reporting requirements that, in most cases, do not align with the FCC s reporting criteria. Complying with these various state rules poses both a resource burden and a systems burden that would lack a corresponding benefit if states obtain outage information by accessing NORS/DIRS. 114 57. We note that the actions we take today would not place any new NORS, DIRS or state- level filing requirements on service providers and we find no compelling reasons to upset our information sharing framework by implementing any additional requirements for service providers at this time. We further agree with the California Public Utilities Commission that  preemption is not an issue in the FNPRM, 115 and acknowledge that because the Commission did not seek comment on this issue, the record on this significant federalism question is not fully developed. For this reason, we also agree with the California Governor s Office of Emergency Services that  the FCC should decline any invitation to broadly preempt state law because the question is outside the scope of the present proceeding. 116 Moreover, the Commission is persuaded by commenters, including NASUCA, NARUC and California Governor s Office of Emergency Services, underscoring that, currently, states can determine what outage 111 E.g., CenturyLink June 1, 2020 Comments at 7; T-Mobile April 30, 2020 Comments at 10-11; NCTA April 30, 2020 Comments at 9 (stating that  [a]s part of any decision that gives Qualifying Governmental Agencies the opportunity to access NORS and DIRS data, the Commission should make clear that states may not impose outage reporting obligations on providers that are duplicative of, inconsistent with, or exceed the Commission s requirements. Such additional reporting requirements create unnecessary regulatory obligations that unjustifiably cause providers to shift their focus from essential restoration of outages to excessive administrative compliance. Moreover, outage reporting should be uniform to be useful to the coordination efforts of the agencies reviewing such information ). See also USTelecom April 30, 2020 Comments at 5-6; SIA June 1, 2020 Reply Comments at 2. 112 E.g., T-Mobile April 30, 2020 Comments at 10-11; Verizon April 30, 2020 Comments at 4. 113 T-Mobile April 30, 2020 Comments at 10. 114 CenturyLink June 1, 2020 Comments at 7. 115 CPUC June 1, 2020 Reply Comments at 2. 116 Cal OES May 27, 2020 Reply Comments at 4-6. 17 Federal Communications Commission FCC-CIRC2103-01 reporting requirements are most appropriate for their jurisdictions.117 F. Safeguards for Direct Access to NORS and DIRS Filings 58. We adopt specific safeguards to ensure the continued confidentiality, appropriate sharing, and limited disclosure of NORS and DIRS information. These safeguards include providing read-only access to NORS and DIRS filings, limiting the number of users with access to NORS and DIRS filings at participating agencies, requiring participating agencies to receive training on their privileges and obligations under the framework (such as reporting any known or reasonably suspected breach of protocol to the Commission and service providers), and potentially terminating access to agencies that misuse or improperly disclose NORS and DIRS data. 59. As several record commenters express overall concerns about adequately securing NORS and DIRS information, our safeguards strategically respond to potential NORS and DIRS data security threats. For example, our training requirements are intended to set clear parameters for how agencies use NORS and DIRS filings, our limits on agency user accounts will help us control account access, and our measures to audit account access will enable us to detect and quickly investigate potential misuse. We expect that, collectively, these safeguards will protect the NORS and DIRS data we will share under our framework from inappropriate use and minimize the potential harm from data breaches as noted by certain record commenters. Based on our review of the record, we find that the safeguards we adopt today appropriately balance the need to preserve the confidentiality of NORS and DIRS information against the need to provide agencies with critical information to assist them with protecting public safety. 1. Read-Only Direct Access to NORS and DIRS and Limits on Access to Historical Filings 60. the Second Further Notice, the Commission renewed the Commission s proposal, first made in the 2016 Report and Order and Further Notice, that participating state and federal agencies be granted direct access to NORS and DIRS filings in a read-only manner to help prevent the improper manipulation of NORS and DIRS data.118 We now adopt this proposal, finding that this approach is vital to protecting NORS and DIRS filings from improper use. We observe that all industry, public safety organizations, and state and local government parties commenting on the Commission s read-only proposal agree with it, with some specifically noting that they believe it will be an effective safeguard against the improper manipulation of NORS and DIRS data.119 Further, ATIS states that it strongly supports read-only access as a means  to further enhance confidentiality. 120 We agree with commenters that granting read-only access will help reduce the risk that participating agencies employees or others could make unauthorized modifications to the filings, whether unintentional or malicious, and ensure the accuracy of information shared via the information sharing framework.121 61. Some commenters encourage the implementation of additional technological measures to prevent the improper use of information, including mechanisms to limit the manipulation and improper access of printouts and downloadable NORS and DIRS data, such as placing confidentiality notifications 117 NASUCA June 1, 2020 Reply Comments at 7; see also NARUC June 1, 2020 Reply Comments at 7-9; Cal OES May 27, 2020 Reply Comments at 4-6; see also NARUC June 1, 2020 Reply Comments at 8, citing New Part 4 of the Commission's Rules Concerning Disruptions to Communications, ET Docket No. 04-35, Report and Order and Further Notice of Proposed Rulemaking, 19 FCC Rcd 16830, 16909, para. 158 (2004). 118 Second Further Notice, 35 FCC Rcd at 2250, para. 34. 119 E.g., CCA April 30, 2020 Comments at 5; CoPUC April 30, 2020 Comments at 6; ATIS April 30, 2020 Comments at 7-8; USTelecom June 1, 2020 Reply Comments at 5; METSA April 30, 2020 Comments at 3; Pa. PUC April 30, 2020 Comments at 7; CTIA April 30, 2020 Comments at 10. 120 ATIS April 30, 2020, Comments at iii. 121 Second Further Notice, 35 FCC Rcd at 2250, para. 34. See, e.g., NCTA April 30, 2020 Comments at 10; ATIS April 30, 2020, Comments at 9, 13. 18 Federal Communications Commission FCC-CIRC2103-01 or headers and watermarks on viewable and printable documents.122 We acknowledge that these recommendations would serve as useful safeguards against the improper use of outage data and delegate authority to PSHSB to seek further information on the cost and manner of their implementation and their technical feasibility to determine whether to implement them into NORS and DIRS. 62. The Commission also acknowledges the proposal from the Massachusetts Department of Telecommunications and Cable that the Commission  establish a mechanism for Authorized State Agencies to comment on and give feedback to the FCC on the shared data, as the Massachusetts Department of Telecommunications and Cable believes that  states may have information that does not appear in or that contradicts NORS or DIRS data, information which could allow the FCC to improve its data collection. 123 We find that it is premature to determine whether this would be a useful feature for participating agencies, and we believe it is appropriate to wait until these agencies have had experience with NORS and DIRS before building this functionality into those systems. We suggest that participating agencies that wish to share information related to contents of NORS and DIRS filings instead informally contact Commission staff with their concerns. 63. Access to Historical Filings. The Commission proposed in the Second Further Notice to grant participating agencies access only to those NORS and DIRS filings made after the effective date of this proposed information sharing framework, even if the agency begins its participation at a later date.124 We adopt this approach today. 64. We are persuaded by industry commenters who argue that the Commission should not make available NORS and DIRS filings submitted before the effective date of the framework because the Commission should honor the expectation of confidentiality that providers had at the time they submitted them. For example, NTCA asserts that  providers submitted their NORS and DIRS filings with the expectation that only the Commission would have access to those filings. 125 We agree, and believe it would be inappropriate in this context to adopt rules to allow retroactive carte blanche access to these filings by agencies joining the framework as providers had no notice that we would share such confidential information with participating agencies and maintained an expectation that we would withhold them from disclosure. We also find that providing access to filings submitted before the effective date of the proposal would be technically difficult to implement, as it would require the modification of tens of thousands of previously filed outage reports to ensure that access can be limited by jurisdiction. Nonetheless, while we decline to adopt proposals to share filings submitted before the effective date of the framework, we also agree with public safety and state government commenters that having access to past filings could help identify trends in outages and be useful to agencies in planning and responding to outages to improve network reliability,126 and we reject industry commenters like CenturyLink, that argue to the contrary.127 On balance, however, we find that the need to preserve the confidentiality of filings submitted before the effective date of the framework is stronger than any rationale posited to support access to these filings. We believe that providing participating agencies with direct access to filings submitted after the effective date of the framework, even if their participation begins at a later date, is the optimal approach as it provides fair notice to service providers while also providing agencies with information to assist them with identifying outage trends over time and enhance 122 See, e.g., NCTA April 30, 2020 Comments at 10; ATIS April 30, 2020, Comments at 13. 123 MDTC April 29, 2020 Comments at 9. 124 Second Further Notice, 35 FCC Rcd at 2251, para. 35. 125 NTCA June 1, 2020, Reply Comments at 4-5. 126 CPUC April 30, 2020 Comments at 7; see also IACP April 30, 2020 Comments at 7; NASNA April 29, 2020 Comments at 11-12; Pa. PUC April 30, 2020 Comments at 9. 127 See, e.g., CenturyLink June 1, 2020 Reply Comments at 4. 19 Federal Communications Commission FCC-CIRC2103-01 128 their preparedness and recovery efforts as noted above and in the Second Further Notice. 65. We further note that ATIS argues that it  does not believe that it is necessary to provide access to filings made before a state has been granted access, but  should access to prior reports be made available, access to past reports should be limited to  no earlier than 90 days, and ATIS proposes that should additional NORS and DIRS data be needed by participating agencies, the Commission could grant it  upon a showing of reasonable necessity.129 We reject ATIS s argument as we do not find that ATIS provides a compelling explanation regarding why limiting access to reports to no earlier than 90 days is an appropriate window (as opposed to another window of time). Moreover, the Commission does not find any harm in sharing filings older than 90 days so long as they were made after the effective date of the framework, consistent with our decision today, as filers would be on notice of the prospect that their filings could become available to states that subsequently demonstrate their eligibility for access. The Commission also finds that requiring participating agencies to demonstrate a reasonable necessity for additional NORS and DIRS reports, as ATIS suggests, could impede efficient access to available NORS and DIRS filings. 2. Disclosing Aggregated NORS and DIRS Information 66. In the Second Further Notice, the Commission proposed to allow participating agencies to provide aggregated NORS and DIRS information to any entity including the broader public.130 In doing so,  aggregated NORS and DIRS information was defined to refer to information from the NORS and DIRS filings of at least four service providers that has been aggregated and anonymized to avoid identifying any service providers by name or in substance. 131 The Second Further Notice articulated several potential public safety benefits stemming from the public disclosure of aggregated NORS and DIRS information, including its use in keeping the  public informed of on-going emergency and network outage situations, timelines for recovery, and geographic areas to avoid while disaster and emergency events are ongoing. 132 67. Based on our review of the record, we continue to expect that the Commission s proposal will yield these benefits and adopt it today. We agree with commenters that assert that appropriate use of aggregation can provide useful information to public safety entities and the public while still maintaining the confidentiality of data submitted by providers. 133 We disagree that agencies should be permitted to publicly disclose NORS and DIRS data that are not aggregated and anonymized as proposed, and accordingly, the rules we adopt today do not permit data to be treated as disclosable under the definition of  aggregated NORS and DIRS information unless the data has been drawn from at least four service providers. Based on our experience in determining whether aggregated disclosure is appropriate in other contexts, we believe that where there are fewer than four service providers, the disclosure of aggregated outage information, particularly in combination with providers specific knowledge of competitors in the region, could inadvertently reveal one service provider s commercially sensitive information to another. Even where the data is aggregated from four service providers, however, under the approach to disclosure we adopt today, agencies are prohibited from publicly disclosing such data if they cannot ensure that no one can derive the information of any individual company from the aggregation.134 128 Second Further Notice, 35 FCC Rcd at 2251, para. 35. 129 ATIS April 30, 2020, Comments at 8. 130 Second Further Notice, 35 FCC Rcd at 2254, paras. 44-45. 131 Second Further Notice, 35 FCC Rcd at 2254, paras. 44-45. 132 Second Further Notice, 35 FCC Rcd at 2254, para. 44. 133 AT&T April 30, 2020 Comments at 5-6 ; ACA Connects April 30, 2020 Comments at 7, fn. 17. 134 For example, aggregating the data from four service providers may not sufficiently anonymize the data if one provider s data constitutes an overwhelming share of the total. 20 Federal Communications Commission FCC-CIRC2103-01 68. To help mitigate concerns regarding improper aggregation due to lack of expertise, we include exemplar aggregated and anonymized reports based on hypothetical data in Appendix D. This Appendix also contains non-binding guidelines for aggregating NORS and DIRS data. We expect this Appendix will show participating agencies how to aggregate users and cell sites affected by outages from NORS and DIRS reports in a manner that ensures anonymization to prevent misuse and address any potential confusion participating agencies have about aggregating NORS and DIRS data. As stated in this Appendix, we note that aggregated data may not reflect the exact number of users affected by a service provider s outage and is only used for situational awareness, and agencies failure to properly aggregate data could lead to the improper disclosure of service providers confidential information and may result in termination of their access to NORS and DIRS filings by the Commission. We believe that with the guidance we provide agencies today, they will be able to aggregate and anonymize NORS and DIRS data in accordance with our rules. 69. Several commenters have urged the Commission to adopt a broader definition of aggregation to enable aggregation in what they have described as the numerous areas that have fewer than four providers.135 For example, the California Public Utilities Commission comments that the  proposal fails to consider aggregation in the many instances where an area is only served by two major wireline service providers. 136 Allowing the public dissemination of NORS and DIRS information where there are only two providers, for example, however, would unnecessarily reveal confidential information about each of those providers to the other. We believe that the dangers posed by such disclosure substantially outweigh the benefits of disclosure to the public, given the availability of the data to participating agencies. We recognize that an agency s ability to provide aggregated information may depend on the types (e.g., wireless or wireline) and numbers of providers serving a region and the unique circumstances of an outage; there, however, aggregated disclosure may be possible without an unauthorized disclosure of confidential information given the multiple providers of each type and at least four providers overall. Even so, there may be situations where, for an example, an outage affects only the two wireline providers in an area, and not the two wireless providers. In that case, only the two wireline providers would be filing reports, and any aggregation of their data would fall short of the four-or-more provider requirement for public disclosure. We find that this approach is necessary to ensure the confidentiality of NORS and DIRS information and strikes a reasonable balance between the relevant policy considerations.137 70. We reject one commenter s proposal that, if aggregated data may not be disclosed because of an insufficient number of providers, then the Commission should first conduct a  risk assessment to determine how adversely affected the public would be by not receiving such data, and second, if the risk assessment shows harm, then the Commission should modify its  need to know approach by disclosing information under a protective order to  public safety officials, researchers, and public interest representatives. 138 As a threshold matter, it is unclear what this commenter means by 135 E.g., CPUC April 30, 2020 Comments at 12; see also CoPUC April 30, 2020 Comments at 9; Pa. PUC April 30, 2020 Comments at 10-11; METSA April 30, 2020 Comments at 3. See also Free Press April 30, 2020 Comments at 4-5. 136 CPUC April 30, 2020, Comments at 12. The Montrose Emergency Telephone Service Authority also states that the proposal  overlooks the fact that many rural regions have fewer than four providers, and urges that for  the noted purposes of keeping the public informed of on-going outages, recovery, and areas to avoid, provision should be made for reasonably decreased levels of information aggregation in those regions. METSA April 30, 2020 Comments at 3. See also NASNA April 29, 2020 Comments at 16-17 (stating that  [M]any rural areas of the United States only have coverage from one or two wireless providers, and urging  the FCC to relax confidentiality for the duration of disasters and emergencies. ) 137 This policy does not override agreements certain wireless providers have made with the Commission regarding the use of aggregated DIRS data consistent with the Wireless Network Resiliency Cooperative Framework. See, e.g. FCC, Public Safety and Homeland Security Bureau, Wireless Network Resiliency Cooperative Framework, https://www.fcc.gov/wireless-resiliency-cooperative-framework (last visited Sept. 14, 2020). 138 Free Press April 30, 2020 Comments at 4-5. 21 Federal Communications Commission FCC-CIRC2103-01  risk assessment, what specific metrics this commenter believes the  risk assessment would use to measure what it refers to as  the impact of disparate access, and what costs are associated with such an assessment to the Commission. To the extent this commenter is suggesting that such a risk assessment be used to identify parties that would qualify under the  need-to-know standard as recipients of confidential information, we believe it is more appropriate to rely on state agencies to employ our new rules to share outage information downstream to the extent necessary to address an emergency situation for all affected within the community. We anticipate that, in the appropriate circumstances, public safety officials downstream from a participating state agency might have a  need to know and may thus obtain confidential outage information from such an agency that has determined it permissible under our rules to share such information in this manner. It is perhaps less likely, however, that public interest organizations or researchers would qualify for such sharing under our rules. Insofar as this commenter would have us relax the  need-to know requirements to allow such expanded sharing, we reject that proposal, as we believe that the balance we have struck between disclosure of some information to facilitate localized responses to emergencies and service outages caused by them, on the one hand, and the protection of sensitive data from unnecessary disclosure, on the other, will best serve the overall public interest. We also note that no commenter has recommended a practical alternative to the Commission s proposal that would enable aggregation at a lower threshold while ensuring that national security and competitive concerns are addressed. Additionally, we note that under the Commission s proposal, participating agencies in areas with fewer than four communications providers have access to this data for public safety purposes consistent with the rules we adopt today; they simply may not disclose the data publicly. 71. ATIS and SIA argue that the Commission, instead of participating agencies, should produce or approve aggregated reports for public dissemination consistent with its existing practices and because of the Commission s expertise with issuing these reports.139 We reject these proposals. As dozens or hundreds of agencies might participate in the information sharing framework, and there could be several potential emergencies, and the need for prompt resolution of those emergencies and related outages, we find that it would be impractical and administratively burdensome for the Commission to produce aggregated and anonymized reports on behalf of all participating agencies seeking to publicly disseminate aggregated reports under the Commission s proposal. 72. We note that T-Mobile also contends that aggregated data should be disclosed only by the Commission because, among other considerations,  public disclosure by agencies other than the FCC could ultimately mislead or confuse the public during times of crises.140 T-Mobile asserts that agencies unfamiliarity with the data can lead to agencies either misinterpreting the data or producing aggregated data reports that differ from each other, and that  these disparate reports would most likely cause confusion and potentially hinder, rather than help, situational awareness. 141 T-Mobile further argues that as an alternative, the Commission should share data it already aggregates, such as the aggregated DIRS reports it publishes on its website.142 We reject T-Mobile s arguments. We find that, like the Commission, participating agencies with a  need to know have or will quickly develop the necessary expertise to be able to understand NORS and DIRS information, coordinate with the Commission and regional partners where necessary, and release information to the public in a responsible way. For example, while NORS and DIRS filings often estimate the potential impact of service disruptions rather than reflect the exact number of users affected by an outage, those estimates can still effectively inform the public s understanding about the effect outages across several providers following a disaster and we expect that participating agencies will be able to communicate that information to the public in a 139 ATIS April 30, 2020 Comments at 11; see also SIA June 1, 2020 Reply Comments at 3. 140 T-Mobile April 30, 2020 Comments at 8-10. 141 T-Mobile April 30, 2020 Comments at 9. 142 T-Mobile April 30, 2020 Comments at 9-10. 22 Federal Communications Commission FCC-CIRC2103-01 productive way. 73. We do not agree that existing Commission data aggregations can replace state and local agencies needs to inform the public about outages and infrastructure status. For example, we anticipate that some agencies will determine it is appropriate to release information to the public more frequently than once a day or in specific regions not covered by the Commission s public DIRS reports or any aggregations of outage data that it might prepare. Also, as we stated above, we believe that it would be impractical and administratively burdensome for the Commission itself to fulfill requests to aggregate NORS and DIRS data from potentially numerous participating agencies, and such an approach could delay the Commission s assistance with resolution of the underlying emergencies prompting the need to share the reports. To the extent that the Commission identifies any instances of an agency using NORS or DIRS information in an improper way, it will take steps to ensure that improper disclosure does not occur in the future. 3. Direct Access to NORS and DIRS Filings Based on Jurisdiction 74. In the Second Further Notice, the Commission acknowledged that outages and disasters can cross multiple jurisdictional boundaries and therefore proposed enabling a participating agency to receive direct access to all NORS notifications, initial reports, and final reports and all DIRS filings for events reported to occur at least partially in their jurisdiction including multistate outages.143 We also proposed enabling participating agencies to receive access to NORS and DIRS filings for outage events and disasters that occur in portions of their jurisdictions but also span across additional states.144 We sought comment on, inter alia, whether participating agencies would make use of NORS and DIRS filings that affect states beyond their own, whether participating agencies have a  need to know about the effects of multistate outages and infrastructure status outside their jurisdiction, and whether any harms could potentially arise from granting a participating agency access to multistate outage and infrastructure information. 145 75. We adopt these proposals today as we expect they will enhance public safety by providing agencies with thorough information regarding outages to aid in their response and recovery coordination efforts. Several public safety and state government commenters support granting participating agencies multistate outage information about outages occurring at least partially in their jurisdictions.146 We agree with these commenters that access to this information would ensure that participating agencies have a complete picture of outages and their causes and would improve coordination between jurisdictions in response to disasters. We also agree with the Pennsylvania Public Utility Commission that participating agencies are ultimately in the best position to determine what effects of multistate outages and infrastructure status outside their jurisdiction are relevant to informing their responses to the event.147 76. We disagree with commenters that argue that state access should be restricted to outage reports for those portions of events occurring in that state.148 For example, the Competitive Carriers Association contends that  any decision to allow access to information about adjacent states should be 143 Second Further Notice, 35 FCC Rcd at 2254, para 47. 144 Second Further Notice, 35 FCC Rcd at 2254, para 47. 145 Second Further Notice, 35 FCC Rcd at 2254, para 48. 146 CPUC April 30, 2020 Comments at 8; NASNA April 29, 2020 Comments at 17-18; CoPUC April 30, 2020 Comments at 9; Pa. PUC April 30, 2020 Comments at 7-8; MDTC April 29, 2020 Comments at 9. See also DCPSC June 1, 2020 Reply Comments at 5 (stating that  any regional disaster would probably affect the telecommunications networks of the District of Columbia and its neighboring jurisdictions, so having access to multijurisdictional reports would greatly assist the Commission in responding to outages caused by these disasters ). 147 Pa. PUC April 30, 2020 Comments at 8. 148 See, e.g., ATIS April 30, 2020 Comments at iii; USTelecom April 30, 2020 Comments at 4. 23 Federal Communications Commission FCC-CIRC2103-01 made on a case-by-case basis only upon a showing of need, as it believes  such geographic limitation is an important mechanism for the Commission to ensure that data is used only for intended purposes. 149 We find that participating agencies would be better able to address public safety matters, including by improving their outreach and coordination with other jurisdictions in response to disasters, if they have a more complete picture of outages and their causes. ATIS further urges the Commission to prohibit the sharing of data from multistate events with agencies until it addresses how to effectuate this change in NORS.150 We also find that modifying NORS forms to allow users to select more than one state when submitting a NORS filing, as discussed further below, will be adequate to allow the Commission to ensure that participating agencies can only access filings for outages that at occur least partially in their jurisdiction. 77. Sharing of Complete NORS and DIRS Reports and Filings. In their comments concerning the scope and type of confidential information that should be shared with participating agencies, some industry commenters opine that some reports and fields in NORS and DIRS, such as root cause analyses, sympathy reports, reports on simplex events, contact information, and equipment types, are irrelevant and likely to cause confusion and contain confidential information.151 ATIS also states information regarding  special offices and facilities in Telecommunications Service Priorities (TSP) 1 and 2 in NORS filings  provide no relevant public safety information and should therefore not be shared with state agencies. 152 CTIA and Verizon recommend the Commission convene a workshop to discuss practices for inter-jurisdictional sharing of information,153 which USTelecom supports as a way to determine what information is necessary to share.154 78. On review, we reject most commenters proposals to share only certain types of outage filings made in NORS and DIRS and reject proposals to convene workshops to identify the appropriate types of NORS and DIRS data to share. We agree with ATIS that reports related to simplex events as contained in NORS filings should not be shared with participating agencies. These reports contain information that helps identify which diversity of resources prevented a failure in a network from causing a loss of service, which could be helpful for analyzing trends in outages, but we find that this information is not immediately relevant to emergency response. However, we note that sympathy reports and reports 149 CCA April 30, 2020 Comments at 3-4. 150 ATIS April 30, 2020, Comments at 12 (stating that it  would like to work with Commission to address this and enhance how multistate events are reported. This work could result in further changes to multistate outage reporting. Until that time, however, ATIS thinks it would be premature to permit the sharing of data from multistate events with state agencies ). 151 AT&T April 30, 2020 Comments at 2-5; CenturyLink June 1, 2020 Reply Comments at 3-4; Verizon April 30, 2020 Comments at 10; NCTA April 30, 2020, Comments at 2-3; CTIA June 1, 2020 Reply Comments at 6; USTelecom April 30, 2020 Comments at 3-5; CenturyLink June 1, 2020 Reply Comments at 3-4; Verizon April 30, 2020 Comments at 15. 152 ATIS April 30, 2020 Comments at 2-3. A sympathy report contains information regarding a service outage that was caused by a failure in the network of another company. A simplex report contains information about which diversity of resources prevented a failure in a network from causing a loss of service. TSP is an FCC program that directs telecommunications service providers to give preferential treatment to users enrolled in the program when they need to add new lines or have their lines restored following a disruption of service, regardless of the cause. FCC, Public Safety and Homeland Security Bureau, Telecommunications Service Priority, https://www.fcc.gov/general/telecommunications-service-priority (last visited Sept. 10, 2020). In NORS, providers can indicate if TSP was involved during service restoration. A root cause analysis indicates the underlying reason why the outage occurred or why the outage was reportable. 153 Verizon April 30, 2020 Comments at 10; CTIA argues that  a Commission-convened group of subject matter experts could help identify relevant categories of outage information that would further situational awareness of public safety stakeholders and, conversely, categories of information inapplicable to this effort. CTIA June 1, 2020 Reply Comments at 6. See also CTIA April 30, 2020 Comments at 8-9. 154 USTelecom June 1, 2020 Reply Comments at 4-5. 24 Federal Communications Commission FCC-CIRC2103-01 containing information about TSPs contain actionable information on outages that could be of use to public safety officials for emergency response or service restoration and we decline to exclude these reports from NORS filings. For example, sympathy reports contain information regarding service outages that, while caused by a failure in the network of another provider, nonetheless have an effect on the reporting service provider that may have public safety implications. Moreover, information about TSPs may be helpful to emergency response officials to indicate which repairs are being prioritized by service providers. 79. For the NORS filings that are shared with participating agencies, including notifications, initial and final reports, we find that their contents about service outages, such as dates and times of incidents, geographic areas affected, effects of outages on 911 service, the numbers of potentially affected users, and causes (including information about any affected equipment) are highly relevant to agencies that seek to increase their situational awareness of emergency events and coordinate disaster response and recovery efforts. Furthermore, in response to several commenters position that some fields in NORS reports are too sensitive or confusing to share and should be excluded, we expect participating agencies will be able to discern which information from various types of NORS and DIRS filings is relevant to their own circumstances during various stages of public safety events, particularly as we expect that participating agencies will possess sufficient technical and operational expertise to understand the information that some commenters maintain could be confusing. We also find that the confidentiality requirements and safeguards we adopt today will protect sensitive NORS information from improper use and disclosure. We recognize that, once the information sharing framework becomes effective, participating agencies may initially engage the Commission (and potentially service providers, through their existing relationships) with questions about NORS and DIRS data, which will lead to more effective use of all types NORS and DIRS filings over time. 80. We specifically reject the view that service providers contact information should be excluded in the NORS and DIRS filings we share. As noted by the Michigan Public Service Commission,155 we expect that agencies technical staff will review NORS and DIRS filings and that the staff will occasionally require contact with providers experiencing outages in their jurisdiction to better understand and resolve issues.156 Because we expect that agencies will analyze NORS and DIRS information in similar ways to the Commission, we disagree with ATIS s view that a contact supplied to the Commission with a filing would not also be an appropriate front-line contact for another agency participating in today s sharing framework. Also, we note that, currently, NORS and DIRS give providers the option to list multiple contacts for an outage, which could include federal government affairs staff, along with front-line or region-specific staff. 81. Tribal Nation Government Agency/State Agency Access to Multistate Event Data. In the Second Further Notice, the Commission asked whether a participating federally recognized Tribal Nation agency that receives direct access to NORS and DIRS filings has a  need to know about events that occur entirely outside of its borders but within the border of the state where the Tribal land is located, or if a state agency should  receive direct access to NORS and DIRS filings reflecting events occurring entirely within Tribal land located in the state s boundaries.157 The Commission further asked whether any harms could  arise from granting Tribal Nation authorities access to outage and infrastructure information outside of their territories, and sought comment on whether  Tribal Nation authorities access to NORS and DIRS filings should be limited only to those aspects of multistate outages that occur 155 MPSC April 30, 2020 Comments at 3. 156 Verizon, for example, explains that an agency may need to make inquiry to a filing service provider to  calibrate its response appropriately after the service provider has explained the scope and practical impact of the outage described in NORS and DIRS filings. Verizon April 30, 2020 Comments at 6; see also id. at 8 (describing a need for state and local agencies to coordinate directly with a service provider s network personnel during outages and disaster events). 157 Second Further Notice, 35 FCC Rcd at 2255, para 49. 25 Federal Communications Commission FCC-CIRC2103-01 solely in their territories. 158 82. NASNA and the Colorado Public Utilities Commission, the only two commenters opining specifically on this issue, both agree that a federally recognized Tribal Nation agency that receives direct access to NORS and DIRS filings can have a  need to know about events that occur entirely outside of its borders but within the border of the state where the Tribal land is located.159 We are persuaded by NASNA and the Colorado Public Utilities Commission s comments and note that no commenter opposes this approach. We adopt the proposal that a federally recognized Tribal Nation agency may receive direct access to NORS and DIRS filings for events that occur entirely outside of its borders but within the borders of the state where the Tribal land is located and, conversely, that a state agency receive direct access to these filings reflecting events occurring entirely within Tribal land located in the state s boundaries to the extent these filings are available, and access would not impinge upon Tribal sovereignty. We also grant Tribal Nation agencies direct access to NORS and DIRS filings for outage events and disasters that occur in portions of their jurisdictions but also span across additional states. As the Commission stated in the Second Further Notice, because of the technical nature of many outages, equipment located in a Tribal land could impact service in the states in which Tribal lands are located, and we expect this action to enhance the situational awareness of Tribal Nations, and the states in which they are located, regarding service outages and thereby improve public safety.160 We note that NASNA supports the Commission s proposal to give state agencies direct access to NORS and DIRS filings for events occurring entirely within Tribal land located in a state s boundaries to improve information sharing between states and Tribal nations. NASNA states that  it would be most efficient to allow direct access to data that relates to incidents within a state agency s state boundaries, and to a tribal entity s tribal jurisdiction, and comments that this approach  gives the states and tribal entities the ability to share data when it is appropriate. 161 We note that this approach does not impact Tribal sovereignty as under our framework, outage data will be provided in the first instance by the provider to the FCC, and only thereafter shared with a Tribal entity. 83. Technical Implementation. In the Second Further Notice, the Commission sought comment on aspects of the technical implementation of its proposals regarding direct access to NORS and DIRS filings based on jurisdiction, including its assertion that service providers would incur minimal, if any, burdens related to DIRS because they would not need to modify their DIRS reporting processes to accommodate multistate reporting.162 The Commission also proposed changing the Commission s NORS form to allow users to select more than one state when submitting a NORS filing,163 consistent with the proposal to allow access to outages that span multiple states. The Commission estimated the cost of such a change for the nation s service providers to be $3.2 million and sought comment on this proposal and any potential alternatives, including any necessary adjustments to account for Tribal land borders.164 While a few commenters expressed concerns about the accuracy of estimated costs to service providers,165 158 Second Further Notice, 35 FCC Rcd at 2255, para 49. 159 NASNA April 29, 2020 Comments at 18; CoPUC April 30, 2020 Comments at 10. NASNA, as an example, states that  an outage affecting cell phone coverage on the main highway into a tribal jurisdiction is something the tribal entity needs to know about, particularly if it is related to a wildfire or other natural disaster or emergency the entity needs to warn its residents away from. NASNA April 29, 2020 Comments at 18. 160 Second Further Notice, 35 FCC Rcd at 2255, para 49. 161 NASNA April 29, 2020, Comments at 18. 162 Second Further Notice, 35 FCC Rcd at 2255, para 50. 163 Second Further Notice, 35 FCC Rcd at 2256, para 52. 164 Second Further Notice, 35 FCC Rcd at 2255-56, paras 51-53. 165 E.g., NASNA April 29, 2020 Comments at 18-19 (arguing that the cost of changing the NORS forms to implement the framework would be less than $3.2 million); CoPUC April 30, 2020 Comments at 10 (implying that the cost of changing the NORS forms to implement the framework would be less than $3.2 million). 26 Federal Communications Commission FCC-CIRC2103-01 no commenters provided cost data or analysis to support their concerns or rebut the Commission s cost estimates. Similarly, while some state agency and advocacy organizations expressed concerns that it will be burdensome for voluntarily participating agencies to relay information they retrieve from the NORS and DIRS databases to  downstream entities, none of these entities attempt to quantify the costs associated with these activities.166 In the absence of any cost analyses or other cost data quantifying alternative cost estimates, the Commission continues to rely upon the estimates discussed in the Second Further Notice indicating that the nation s service providers will incur total initial set up costs of $3.2 million based on the Commission s estimate of 1,000 service provider incurring costs of $80 per hour and spending 40 hours to implement update or revise their software used to report outages to the Commission in NORS and DIRS. 84. We thus adopt this proposal consistent with our view that it will allow the Commission to effectuate our provision of access to filings for outages that span more than one state, and we conclude that the benefits of today s program far exceed the costs. We note that commenters did not address the Commission s assessment that service providers would likely incur minimal to no costs to accommodate DIRS reporting as DIRS form already requests filers to include data at the county level.167 However, most parties commenting on the Commission s proposed NORS modification support the NORS modification.168 For example, NCTA supports this approach because it allows the Commission to limit participating agencies access to information about those outages that occur within their jurisdiction.169 Furthermore, CenturyLink states that also it prefers this approach, provided that the Commission does not require state-specific impacts to be broken out for each reported outage. 170 This change in NORS reporting can be accomplished without revising section 4.2 of our rules as section 4.11 of our rules already requires that, inter alia, communications providers supply, in their NORS filings to the Commission, information on the geographic area affected by an outage using the Commission s approved Web-based outage reporting templates. Here, the Commission is merely updating the form of its templates to further facilitate jurisdiction-specific access. 85. We note that NTCA  recommends the Commission undertake a cost benefit analysis of any proposed changes to the method in which providers submit information into the NORS and DIRS systems to ensure any burdens imposed on providers caused by having to modify the way they report outages and any additional time needed to report outages to meet any new requirements are outweighed by the benefit to public safety. 171 As we note above, we have performed this analysis and find that the changes we adopt today ensure that the burdens imposed on providers are outweighed by the public safety benefits of our information sharing framework. We further acknowledge commenters proposals to include Tribal Nation agencies in the list of jurisdictions for providers to choose from in NORS. However, we decline to adopt these proposals because we find that it would be administratively burdensome and difficult to continuously track the full extent of existing Tribal Nation agencies to include and update in NORS. However, we note that the approach we adopt above, to give Tribal Nation agencies access to outage reports within the border of the state where the Tribal land is located, would achieve the same goals in a less burdensome manner. 86. Additionally, in the Second Further Notice, the Commission asked, as an alternative, whether it should require service providers to submit several state-specific filings instead of submitting 166 E.g., CPUC April 30, 2020 Comments at 6. 167 Second Further Notice, 35 FCC Rcd at 2255, para. 50. 168 NCTA April 30, 2020 Comments at 7; CenturyLink June 1, 2020 Reply Comments at 6. 169 NCTA April 30, 2020 Comments at 7. 170 CenturyLink June 1, 2020 Reply Comments at 6. 171 NTCA April 30, 2020 Comments at 3-4. 27 Federal Communications Commission FCC-CIRC2103-01 single aggregated filings for each outage that list all affected states.172 All parties commenting on this issue disagree with this approach and assert that it would increase reporting burdens on service providers.173 Based on our review of the record, we are persuaded by comments underscoring the burdens this approach would impose on service providers and, thus, we decline to adopt it. 4. Limiting the Number of User Accounts Per Participating Agency 87. Presumptive Limits on User Accounts. In the Second Further Notice, the Commission proposed to presumptively limit the number of user accounts granted to a participating agency to five accounts for NORS and DIRS access per state or federal agency with additional accounts permitted on an agency s reasonable showing of need.174 Furthermore, to  reduce the reliance of any one agency on another by allowing each to apply for direct access to NORS and DIRS filings, the Commission also proposed, in the Second Further Notice, that the Commission review all reasonable requests from state and federal agencies, rather than proposing a presumptive limit on the number of participating agencies eligible for direct access to NORS and DIRS filings.175 88. We adopt the Commission s proposals today as we find that that they will limit access to NORS and DIRS information to the employees that are intended to receive it and allow participating agencies to identify misuse by specific employees.176 We note that the majority of record commenters support the Commission s proposal to presumptively limit the number of user accounts, underscoring the Second Further Notice s assertion that it is an important safeguard to minimize the potential for over- disclosure of sensitive information.177 For example, ACA Connects notes that implementing this measure will  limit the risk of improper use or disclosure of the data. 178 However, we disagree with ATIS that we should  better define what a  reasonable showing of need would entail for granting additional accounts to agencies.179 While some factors that we expect could help demonstrate a reasonable showing of need include the jurisdictional area that an agency serves or the number of public safety functions for which it is responsible, we decline to require or define specific factors and will decide all requests on a case-by- case basis. 89. NASNA and the Colorado Public Utilities Commission support the Commission s proposals to review all requests for direct access from eligible agencies and not to restrict the number of potentially participating agencies.180 Verizon argues that the  Commission should adopt a presumption that two agencies within a state may have access to the reports, as it asserts this action  would better reflect that most states maintain both a single regulatory commission with some public safety-related 172 Second Further Notice, 35 FCC Rcd at 2256, para. 53. 173 CenturyLink June 1, 2020 Reply Comments at 6-7; ATIS April 30, 2020 Comments 12-13. NASNA notes that this proposal  certainly seems less efficient and more time consuming for the providers than making the proposed change to the Commission s reporting form, but since the end result to the participating state agencies is the same, NASNA leaves it to the providers to express its preference on this matter. NASNA April 29, 2020 Comments at 19. CoPUC s comments echo NASNA s on this issue. CoPUC April 30, 2020 Comments at 10. 174 Second Further Notice, 35 FCC Rcd at 2256, para. 54. 175 Second Further Notice, 35 FCC Rcd at 2257, para. 57. 176 Colorado Public Utilities Commission and NASNA recommend that the language of the Commission s proposal be clarified to read that  access should be up to five employees per agency, not per state. NASNA April 29, 2020 Comments at 20; see also CoPUC April 30, 2020 Comments at 11. We adopt this clarification today for precision. 177 NASNA April 29, 2020 Comments at 20; DCPSC June 1, 2020 Reply Comments at 6; ACA Connects April 30, 2020 Comments at 6; NCTA April 30, 2020 Comments at 4. 178 ACA Connects April 30, 2020 Comments at 6. 179 ATIS April 30, 2020 Comments at 14. 180 NASNA April 29, 2020 Comments at 20; CoPUC April 30, 2020 Comments at 11. 28 Federal Communications Commission FCC-CIRC2103-01 responsibilities and a statewide executive branch emergency management agency. 181 Verizon further argues that the  Commission would have discretion to expand this number upon a good faith showing as this governance structure may vary among states, but reducing the presumptive number would help incent different state agencies to coordinate their information gathering efforts in advance of major outage events. 182 90. We reject Verizon s proposal that the Commission adopt a presumption that two agencies within a state may have access to NORS and DIRS filings. We expect that participating agencies will indicate, in their application for access, the legal authority that charges them with promoting the protection of life or property. This showing will allow us to best assess whether specific state agencies should have access to these filings. We also find that allowing only two entities to have access to NORS and DIRS filings could necessitate a competitive process to determine which agency would get selected, which would delay access, not have clear standards, and may lead to disharmony among agencies that need to coordinate and cooperate. Additionally, we find that granting access to all qualifying agencies will make each of those entities more accountable to the Commission as they would have to bind themselves to the program s requirements when signing the certification. 91. Agency Assignment and Management of User Accounts. The Second Further Notice proposed requiring that  an agency assign each user account to a unique employee and manage the process of reassigning user accounts as its roster of employees changes. 183 As we continue to find that these proposals will minimize the improper use of NORS and DIRS information and give participating agencies flexibility for managing user accounts, we adopt them with certain modifications to further strengthen our account management requirements.184 We note that while ATIS specifically expresses support for the Second Further Notice s proposal that agencies assign user accounts to employees and manage the reassignment process for these accounts,185 most commenters do not rebut the necessity of these proposals to protect against improper disclosure. However, some industry commenters propose placing additional limitations on agency access to prevent improper use, which we adopt or reject infra. 92. AT&T recommends the Commission designate a  coordinator to be responsible for  an agency s access to confidential NORS/DIRS information, as it believes this will  ensure that each potential recipient has a  need to know basis for access to the information, the recipient understands the duty to maintain confidentiality, and the information will be destroyed in a secure manner when there is no longer a need to know. 186 AT&T states that after designation  the coordinator would have the ability to approve additional requests for access credentials for personnel from that agency, and that this  approach would allow downstream sharing of information by the coordinator who would be best positioned to ensure that recipients have a  need to know.  187 AT&T further argues that a  similar procedure has worked well in the context of the 911 Reliability Certification System, and states that for that procedure,  the potential information recipient sends a request to a designated FCC staff member to receive coordinator status and these requests are handled on case-by-case basis. 188 No commenters oppose AT&T s recommendation. 93. We adopt AT&T s recommendation as we find that it would help facilitate the efficient 181 Verizon April 30, 2020 Comments at 12. 182 Verizon April 30, 2020 Comments at 12. 183 Second Further Notice, 35 FCC Rcd at 2256, para. 54. 184 The Commission will retain for its records the unique account identifiers associated with each agency. 185 ATIS April 30, 2020 Comments at 13. 186 AT&T April 30, 2020 Comments at 6. 187 AT&T April 30, 2020 Comments at 6-7. 188 AT&T April 30, 2020 Comments at 6, fn.5. 29 Federal Communications Commission FCC-CIRC2103-01 administration of our framework and provide additional safeguards to protect NORS and DIRS data for the reasons it describes. Therefore, we will require participating agencies, in the Certification Form (Appendix C) we adopt today, to indicate the name and contact information of their agency coordinator. We will require this agency employee to serve as their agency s point of contact for all matters related to their agency s framework access, including managing agency accounts, submitting requests for additional user accounts, coordinating downstream sharing consistent with our rules, coordinating with the Commission to manage any unauthorized access incidents, and taking reasonable efforts to make available for Commission inspection a list of all localities for which the agency has disclosed NORS and DIRS data. 94. Several commenters recommend the implementation of auditing and reporting measures to minimize improper use. For example, ATIS recommends that  the Commission require states to conduct an internal audit every six months . . . of individuals with access to determine whether these accounts are still necessary and to require personnel to regularly update passwords, and that  the results of this audit should be shared with the Commission. 189 CTIA recommends that the Commission  develop a process for regularly auditing accounts it has granted to public safety stakeholder agencies and sharing the results of this process with providers that file reports to NORS and DIRS. 190 USTelecom proposes that the framework  contain regular reports that provide a record of how many active accounts are maintained by each agency and the number of reports accessed by each, and that  upon request, and in a reasonable time frame, the Commission  provide reports to carriers listing which federal or state government agency accounts have accessed their NORS or DIRS outage data. 191 Moreover, NCTA recommends suspending  individual user access if an individual has not accessed NORS or DIRS within a 12-month period. 192 We reject all commenters auditing and report production proposals as they would place undue obligations on the Commission and participating agencies and could be financially prohibitive. We further find that requiring the suspension of access to users that are inactive over 12 months is too prescriptive. For example, given the sporadic nature of disasters and emergency events, users at some participating agencies might not access NORS and DIRS filings for over a year. 95. Additionally, to increase account security, several parties make proposals that recommend the tracking of how users access NORS and DIRS filings. For instance, NTCA recommends requiring  agencies accessing the filings to track the name of the authorized individual within the agency that accessed information and when. 193 CTIA states that the  Commission should ensure that adequate tools are available to aid investigations after data breaches, and opines that  one such tool is an audit log 194 for the NORS and DIRS database, recording which data was accessed, when, and by whom. NCTA recommends that  reporting service providers should be able through online access to obtain information identifying both the agencies and the user accounts that accessed their information. 195 We adopt CTIA s approach and will develop auditing capabilities into NORS and DIRS that track which reports specific users access and when they are accessed. We note that no commenters oppose this approach. We believe this will allow the Commission to maintain effective oversight as to how NORS and DIRS are used, including following an incident involving unauthorized access. We believe that this approach will be less burdensome on participating agencies and service providers than the approaches recommended by NTCA and NCTA, respectively. 189 ATIS April 30, 2020 Comments at 13. 190 CTIA April 30, 2020 Comments at 10. 191 USTelecom April 30, 2020 Comments at 5. 192 NCTA April 30, 2020 Comments at 9. 193 NTCA April 30, 2020 Comments at 3. 194 CTIA April 30, 2020 Comments at 10. 195 NCTA April 30, 2020 Comments at 4. 30 Federal Communications Commission FCC-CIRC2103-01 5. Training Requirements 96. In the Second Further Notice, the Commission proposed that each individual granted a user account for direct access to NORS and DIRS filings be required to complete security training on the proper access, use of, and compliance with safeguards to protect these filings prior to being granted initial access, and that this training occur on an annual basis thereafter to make the framework more effective and reduce the risk of over-disclosure of NORS and DIRS information.196 Furthermore, the Commission sought comment on whether anyone who receives confidential NORS and DIRS information, including downstream recipients, be required to complete formal training.197 We adopt a proposed training requirement today, and note that an overwhelming number of commenters submit that some form of training is necessary for participating agencies to ensure the appropriate uses of NORS and DIRS data and minimize over-disclosure, and believe participating agencies should certify that they have undertaken security training consistent with the Commission s requirements. 198 For example, the Public Service Commission of the District of Columbia opines that it  agrees with the FCC and many commenters that training of authorized state agency staff about NORS and DIRS reporting is important to ensure proper treatment of NORS and DIRS information. 199 The Competitive Carriers Association states that it  supports the Commission s proposal to mandate annual security trainings to agency personnel accessing the data, and that  considering the sensitive nature of NORS and DIRS data, regular security trainings will help ensure safeguards are adhered to and that information remains protected. 200 97. We acknowledge that the Michigan Public Service Commission states that it  does not support the proposal for annual training requirements as currently discussed in the FNPRM, as it contends that if  there are to be annual certifications to access NORS and DIRS outage information, the MPSC believes that any required training should be free of charge to applicants and centrally located or made available online. 201 As we decline to prescribe specific training or platforms that agencies must use to facilitate training, we respond to the Michigan Public Service Commission s concerns by noting that we expect that the implementation of our training requirements, as discussed below, will give agencies the opportunity to tailor training programs to their unique needs, including considerations of cost. 98. Furthermore, in the Second Further Notice, the Commission sought comment on whether anyone who receives confidential NORS and DIRS information, including downstream recipients, should be required to complete formal training. 202 While we decline to adopt a formal training requirement for downstream recipients, we will require participating agencies to instruct downstream recipients to keep NORS and DIRS information they receive as confidential and obtain a certification from downstream entities that they will treat the information as confidential. 99. We note that commenters are divided on this issue. For example, while the Pennsylvania Public Utilities Commission and the Satellite Industry Association maintain that downstream training should be required to ensure that downstream recipients understand the consequences of downstream 196 Second Further Notice, 35 FCC Rcd at 2257, para. 58. 197 Second Further Notice, 35 FCC Rcd at 2258, para. 63. 198 E.g., IACP April 30, 2020 Comments at 8; CCA April 30, 2020 Comments at 5; Pa. PUC April 30, 2020 Comments at 8-9; ACA Connects June 1, 2020 Reply Comments at 4-5; NCTA April 30, 2020 Comments at 9; NTCA April 30, 2020 Comments at 3. 199 DCPSC June 1, 2020 Reply Comments at 6. 200 CCA April 30, 2020 Comments at 5. 201 MPSC April 30, 2020 Comments at 4. The IACP also recommends that  any required training be accessible on- line and be time limited to that which is necessary to cover the points required. IACP April 30, 2020 Comments at 9. 202 Second Further Notice, 35 FCC Rcd at 2258, para. 63. 31 Federal Communications Commission FCC-CIRC2103-01 sharing and to reduce the risk of the mishandling of NORS and DIRS information.203 NASNA and the Colorado Public Utilities Commission disagree.204 For example, the Colorado Public Utilities Commission states that  there are potentially hundreds of individual agencies throughout the state that may have a  need to know during a disaster or large-scale emergency, and requiring each of those agencies to have individuals undertake a multi-hour training prior to receiving the information is unreasonable, and further argues that it  would also be unduly burdensome for the participating state agency to keep track of who has had training, who hasn t, and whether annual refresher training has been maintained. 205 As an alternative to downstream training, the Colorado Public Utilities Commission and NASNA suggest that a participating agency  be allowed to develop an affidavit to be signed by subrecipients prior to the receipt of confidential information, acknowledging that they understand that un- anonymized data is confidential and that it is not to be shared. 206 100. We are persuaded by NASNA and the Colorado Public Utilities Commission s assertion that a downstream training requirement would be unreasonable, given the potentially hundreds of downstream entities that might receive information through the framework. However, we find that providing downstream access with insufficient safeguards could amplify the possibility of unauthorized disclosure, particularly because downstream entities will have less experience with protecting NORS and DIRS data than participating agencies. Therefore, we also agree with NASNA and the Colorado Public Utilities Commission s alternative approach. 101. We will require participating agencies sharing data with entities that have a  need to know to instruct these entities that they must treat the information as confidential, not disclose it absent a finding by the Commission that allows it to do so, report any unauthorized access, and securely destroy the information when the public safety event that warrants its access to the information has concluded. We delegate authority to PSHSB to develop a certification for use by participating agencies. Furthermore, as we explain infra, we will hold participating agencies responsible for inappropriate disclosures of NORS and DIRS information by the non-participating agencies with which they share it.207 We will also require participating agencies to obtain non-participating agencies certification, under the penalty of perjury, that they will abide by these restrictions. 102. We note that NTCA  encourages the Commission to adopt rules requiring any local, state or federal personnel with access to NORS and DIRS filings sign a certification attesting they have undertaken security training consistent with the Commission s recommendation . . . and will access and use the information only for the public safety purposes for which it is intended. 208 We find that our downstream training requirements that we adopt today, along with the required Certification Form we discuss infra, provides for adequate training of personnel, enables us to obtain appropriate acknowledgment from agencies regarding their efforts to train employees on the appropriate uses of NORS and DIRS information.209 Consistent with NCTA s proposal, the Certification Form as described infra will require participating agencies granted access to certify that they have completed security training and will use NORS and DIRS information for public safety purposes only. However, we decline to adopt this requirement for local personnel through the Certification Form as we are not requiring training for downstream entities granted access to NORS and DIRS information by participating agencies, and we will require participating agencies to obtain a separate certification from these entities regarding 203 See, e.g., Pa. PUC April 30, 2020 Comments at 8-9; SIA June 1, 2020 Reply Comments at 2. 204 CoPUC April 30, 2020 Comments at 12; NASNA April 29, 2020 Comments at 21-22. 205 CoPUC April 30, 2020 Comments at 12. 206 See, e.g., CoPUC April 30, 2020 Comments at 12. 207 See infra para. 132. 208 NTCA April 30, 2020 Comments at 3. 209 See Appendix C. 32 Federal Communications Commission FCC-CIRC2103-01 the appropriate use of NORS and DIRS information as described above. 103. Agency Compliance with Training Requirements. In the Second Further Notice, the Commission sought comment on requiring third-party audits to  ensure that state and federal agencies training programs comply with the Commission s proposed required program elements 210 and asked  what specific steps should the Commission take, if any, to ensure the adequacy of such programs. 211 ATIS  urges the Commission to consider reviewing and formally approving all training programs to ensure that they are effective and address all relevant issues. 212 NASNA and the Colorado Public Utilities Commission believe that in lieu of requiring third-party audits of partner training programs, participating agencies should provide a copy of their training curriculum to the FCC.213 For example, NASNA states that if  the FCC requires reassurance that participating agencies are meeting training requirements, those agencies could be required to provide a copy of its training curriculum to the FCC and attest that all employees within the agency are required to complete the training prior to applying for an account, and that the  same requirement could exist for the annual refresher training requirement. 214 104. We adopt a requirement, consistent with NASNA and the Colorado Public Utilities Commission s proposal, to require participating agencies to make copies of their training curriculum available for the Commission s review upon request. We are persuaded that is approach will be the most effective way for the Commission to confirm the adequacy of state and federal training programs, and mandate remediation as necessary, without burdening participating agencies with a requirement to procure third-party audits. We will not require advance review and approval of agencies training materials by the Commission, as we find that doing so would be administratively burdensome to the Commission and prevent efficient access to NORS and DIRS information. We also find that requiring advance review is unnecessary, as we believe that requiring agencies to certify to the adequacy of their training programs, as discussed infra, is sufficient to ensure that the plans adequacy. 105. Training Program Required Elements and Exemplars. In the Second Further Notice, the Commission proposed that rather than mandating an agency s use of a specific training program, agencies  develop their own training program or rely on an outside training program that covers, at a minimum, specific topics or  program elements.215 Additionally, the Commission proposed  that [it] direct PSHSB to identify one or more exemplar training programs which would satisfy the required program elements. 216 We adopt these proposals today with slight modifications as we continue to find that they are critical to ensuring participating agencies comprehensive understanding of our information sharing framework. Specifically, we adopt a requirement that participating agencies training programs must cover the five program elements that the Commission identified in the Second Further Notice; we enable agencies to develop their own training program or rely on an outside training program that includes these 210 Second Further Notice, 35 FCC Rcd at 2258, para. 63. 211 Second Further Notice, 35 FCC Rcd at 2258, para. 63. 212ATIS April 30, 2020 Comments at 15. 213 NASNA April 29, 2020 Comments at 21-22; CoPUC April 20, 2020 Comments at 12. 214 NASNA April 29, 2020 Comments at 21; See also CoPUC April 20, 2020 Comments at 12. 215 Second Further Notice, 35 FCC Rcd at 2257, paras. 58-60. These program elements are:  (i) procedures and requirements for accessing NORS and DIRS filings; (ii) parameters by which agency employees may share confidential and aggregated NORS and DIRS information; (iii) initial and continuing requirements to receive trainings; (iv) notification that failure to abide by the required program elements will result in personal or agency termination of access to NORS and DIRS filings and liability to service providers and third-parties under applicable state and federal law; and (v) notification to the Commission, at its designated e-mail address, concerning any questions, concerns, account management issues, reporting any known or reasonably suspected breach of protocol and, if needed, requesting service providers contact information upon learning of a known or reasonably suspected breach. Second Further Notice at para. 60. 216 Second Further Notice, 35 FCC Rcd at 2258, para. 62. 33 Federal Communications Commission FCC-CIRC2103-01 program elements; and delegate authority to PSHSB the duty to consult with diverse stakeholders to identify an exemplar training program or develop exemplar training materials that include these program elements. 106. We observe that ATIS, the only commenter specifically addressing the proposed training program s required elements, supports those elements.217 Moreover, some commenters underscore their belief that to help facilitate uniformity of training materials and reduce burdens on participating agencies, the Commission should identify exemplar training programs that participating agencies can use in their efforts to train staff on the proper uses of NORS and DIRS filings.218 107. The Second Further Notice also sought comment on  the benefits and drawbacks to the Commission potentially working with one or more external partners, such as ATIS, to develop exemplar training programs. 219 ATIS states that it would  be happy to assist with development of a training program, 220 and would  work collaboratively with other associations so that this training would be completed within a reasonable time after the release of the final rules. 221 The Boulder Regional Emergency Telephone Service Authority urges  the Commission to decline the ATIS s offer to develop training which ATIS proposes to focus solely on limitations on use of the materials and penalties for misuse, because it believes that  training should  focus on interpretation and utility of data. 222 Verizon states that training for the confidentiality requirements it recommends  would be appropriate, in coordination with Commission staff, ATIS and public safety stakeholders. 223 108. We find that many stakeholders, including ATIS, possess significant technical and operational expertise that could benefit the Commission in the development of exemplar training. Thus, to identify an exemplar training program or develop exemplar training materials, the Commission delegates authority to PSHSB to consult with diverse stakeholders with a range of perspectives, including state governments, the public safety community, service providers, and other industry representatives. We find that this approach will foster a collaborative process to ensure training materials reflect the needs of all information sharing framework participants. We note that ATIS also recommends that the training specifically provide guidance on six specific guidance topics.224 We decline to adopt these recommendations at this time but note that ATIS has the opportunity to recommend these specific guidance topics if it works with the Commission and other stakeholders to develop exemplar training materials. 109. Some commenters also suggest the Commission convene stakeholder workshops, or facilitate other collaborative measures, before initiating the sharing framework to further develop data 217 ATIS April 30, 2020 Comments at 14-15. 218 E.g., DCPSC June 1, 2020 Reply Comments at 6; CoPUC April 30, 2020 Comments 11-12; NASNA April 29, 2020 Comments at 20-21. 219 Second Further Notice at 62. 220 ATIS April 30, 2020 Comments at 15. 221 ATIS April 30, 2020 Comments at 15. 222 BRETSA June 1, 2020 Reply Comments at 12-13. 223 Verizon April 30, 2020 Comments at 13. Verizon also states that the framework safeguards it supports in its comments  should be another subject of the workshops it recommends. Verizon April 30, 2020 Comments at 13. 224 ATIS April 30, 2020 Comments at 14-15. These topics are  (1) The purpose of NORS and DIRS; (2) Appropriate use of confidential and aggregated data; (3) Who would be deemed to have a  need to know; (4) What would qualify as a public safety purpose; (5) Proper distribution and use of printouts, including a requirement that users not delete the notification proposed by ATIS informing readers that the information in the document may be shared only with authorized users with a  need to know, only for public safety purposes, etc.; and (6) The requirement that, should there be a known or suspect breach as noted above, the party whose data was breached must be immediately notified. 34 Federal Communications Commission FCC-CIRC2103-01 sharing protocol and other features of the framework as necessary. For instance, Verizon contends that  to ensure that any new rules are implemented collaboratively among the service providers and government agencies involved, the Commission should convene stakeholder workshops in the months preceding adoption of final rules. 225 According to Verizon, these workshops could allow stakeholders to, in part,  work through IT implementation challenges to ensure compatibility with providers and state agencies systems,  establish practices and guidance for permissible uses and sharing of information with employees and local government stakeholders, and  help educate state and local governments on the information not included in NORS and DIRS reports, and on how service providers obtain information to include in the reports. 226 Verizon further opines that to establish practices for downstream sharing and use of information, the Commission could initiate  workshops of its own and encourage  other collaborative discussions involving industry and public safety trade associations and standards groups, and incorporate  those practices into training. 227 Furthermore, AT&T recommends that  before initiating agency and public disclosures, the Commission should give providers and government agencies the opportunity to review an example of the information to be made available through this process, and states that  [i]t would be useful for the providers that submit information to NORS/DIRS to see a mock- up format, any template, and online access tools to be used so that they have an opportunity to raise any concerns and recommend changes. 228 110. We find that workshops are not an appropriate venue to develop requirements for our framework as the open record has provided all interested parties with an opportunity to comment on our, and other parties , proposals in this proceeding. Thus, we reject all recommendations that workshops be used, in any way, to develop our framework rules, including rules regarding downstream and inter- jurisdictional sharing. We further reject AT&T s proposal to enable providers and participating agencies to review and provide feedback on information to be made available through the framework before its initiation. We expect that the exemplar training materials supplied to agencies, which will be developed with the input of diverse stakeholders, will provide information to help guide agencies on the proper ways to access and use NORS and DIRS information, which they can choose to integrate into any training materials they develop. However, we delegate authority to PSHSB to host one or more workshops before the effective date of the framework to educate stakeholders about NORS and DIRS filings generally and the requirements we adopt today, including our rules regarding the appropriate uses of NORS and DIRS data, training measures, and aspects of IT implementation of the framework. 6. Sharing of Confidential NORS and DIRS Information 111. Responsibilities of Participating Agencies. In the Second Further Notice, the Commission proposed to allow individuals granted credentials for direct access to NORS and DIRS 225 Verizon April 30, 2020 Comments at 4. Several other commenters support workshops proposals. See, e.g., Texas 9-1-1 Entities June 1, 2020 Reply Comments at 3-5 (stating that  the Texas 9-1-1 Entities support the proposed implementation workshops suggested by Verizon, but urge that such implementation workshops, at a minimum, confirm the circumstances when the PSHSB would consider granting 9-1-1 agencies access to some final NORS reports, when those final reports involve the provision of 9-1-1 service ); NCTA June 1, 2020 Reply Comments at 2-4; USTelecom June 1, 2020 Reply Comments at 4-5. 226 Verizon April 30, 2020 Comments at 1-2. 227 Verizon June 1, 2020 Reply Comments at 5. CTIA also argues that  the Commission should convene a broad group of subject matter experts to identify processes to protect data confidentiality while advancing outage information sharing with public safety stakeholders. CTIA June 1, 2020 Reply Comments at 5-8. 228 AT&T April 30, 2020 Comments at 7. AT&T also states that  [s]imilarly, feedback from government agencies would ensure that the Commission s final framework provides the state-specific information sought by these parties, while potentially minimizing multiple operationally redundant reporting regimes across providers service footprints, and  [s]uch a collaborative process is most likely to achieve the Commission s dual purposes of giving government agencies useful information while also preserving confidentiality of sensitive data. AT&T April 30, 2020 Comments at 7. USTelecom states that it agrees with this approach. See USTelecom June 1, 2020 Reply Comments at 5. 35 Federal Communications Commission FCC-CIRC2103-01 filings to share copies of the filings, in whole or part, and any confidential information derived from the filings within their agency, on a strict  need to know basis. 229 We adopt this proposal. 112. Commenters generally support allowing individuals with direct access credentials at a participating agency to share confidential NORS and DIRS information with individuals within their agencies on a  need to know basis. 230 We agree with the Pennsylvania Public Utility Commission that this mechanism is especially important given the many individuals involved in coordinating emergency response, many of whom will not be credentialed for access, and we agree with T-Mobile that it is prudent to ensure that non-participating agency officials are able to receive NORS and DIRS information to steer their agency in improving public safety outcomes.231 Moreover, we find the proposed approach to be a practical way to enable the individuals who are credentialed to login to our databases and thereby access NORS and DIRS filings to convey this filed information to their agency s decision makers. We find significant public safety benefits in ensuring that all  need to know individuals at any agency, including key executives, decision-makers and potentially first responders, have access to NORS and DIRS information and we find this will allow an agency to make collectively informed decisions on how to use the information, ultimately lowering rather than increasing the chance of misuse of the information. 113. We reject CTIA s contrasting view that restricting access to credentialed users at an agency is a necessary safeguard for encouraging service providers to provide robust disclosures of relevant information in their NORS and DIRS filings.232 To the contrary, we find that if credentialed users could not coordinate with non-credentialed decision-making officials and other expert agency personnel on the substance of NORS and DIRS reports, this would likely lead to more instances of impermissible use and improper disclosure (and worse public safety outcomes), rather than fewer instances. For example, if a credentialed user cannot share NORS and DIRS information with specialized emergency management experts within their own agency, they would potentially use the information to make recommendations on public safety matters that they are not qualified to make. If a credentialed user cannot share NORS and DIRS information with agency decision-makers, they would potentially make decisions on allocating resources in response to a public safety threat that they would not have the authority to make. We find that the risks of improper disclosure would increase as credentialed users would be forced to work outside of their agency s normal chain of command in acting on confidential NORS and DIRS information. We believe that service providers will recognize that this observation, along the many safeguards implemented today, provide assurances the presumptively confidential NORS and DIRS filings the supply to the Commission will continue to be protected, and we believe that service providers will remain motivated in supplying robust NORS and DIRS filings to resolve network reliability and outage issues, as they have historically done.233 114. We are also unpersuaded by NCTA s concern that  increasing the number of people who have access to the data inherently increases the risk of breach or accidental disclosure 234 because this conceptual possibility of an increased risk is outweighed by the harms that arise from disallowing intra- agency sharing, which would make it less likely that an agency s staff and leadership will use NORS and DIRS information to take action, thereby frustrating the purposes of the information sharing framework 229 Second Further Notice, 35 FCC Rcd at 2251-52, at para. 37. 230 E.g., Pa. PUC April 30, 2020 Comments at 7. 231 T-Mobile April 30, 2020 Comments at 4-5. 232 CTIA April 30, 2020 Comments at 9-10. 233 We note that service providers are required to submit NORS reports that meet all the requirements of our part 4 rules. While DIRS reporting is voluntary, our experience with DIRS activations provides us with the insight that providers are likely to provide complete DIRS reports in order to take advantage of the Commission s waiver of the NORS reporting obligations in those regions where DIRS has been activated. 234 NCTA April 30, 2020 Comments at 10. 36 Federal Communications Commission FCC-CIRC2103-01 we adopt today. 115. Based on concerns of commenters, we bar the sharing of confidential NORS and DIRS information with contractors. While we recognize that an agency s contractors can engage in public safety functions in times of crises, we find that sharing with contractors should be barred given the potential for conflicts of interest among contractors, who may work on behalf of service providers as well as public safety agencies.235 As no commenter has identified how NORS and DIRS information can be shared in ways that would appropriately address these potential conflicts of interest, we decline to make this information available to contractors. 116. With respect to a participating agency s sharing of reports with downstream entities (described infra), in the Second Further Notice, the Commission proposed that the sharing agency determine whether a  need to know exists on the part of the recipient.236 We adopt this proposal, which most commenters support without significant comment.237 As previously noted in the Second Further Notice, we find that this approach is appropriate because the sharing agency is in a strong position, particularly in comparison to the Commission, to make this determination based on its  on the ground knowledge of the public safety-related activities, and trustworthiness, of the downstream entities with which it elects to share, e.g., based on its prior interactions with such agencies.238 117. We reject ATIS s view that we should  not leave it entirely in the hands of state agencies to determine whether a local agency has a  need to know  as ATIS believes this could result in misuse or unauthorized access to the information.239 ATIS suggests a scheme where agencies with direct access to NORS and DIRS would inform the Commission of whom they may plan to share information with in advance of a public safety event and we would then use this information to seek input from filers, including objections, prior to any information sharing.240 We find that the public safety benefits of our adopted approach outweigh ATIS s concerns of misuse or improper access to NORS and DIRS information. Our adopted approach ensures that decisions on how to best resolve public safety problems are in the hands of those closest to the issues (i.e., participating agencies). Requiring the Commission receive notifications and solicit comments from filers, as ATIS favors, creates delays in decision making that would make NORS and DIRS information significantly less useful to participating agencies in the context of exigencies.241 We instead agree with Colorado Public Utilities Commission that participating agencies can make this decision more effectively and quickly given their familiarity with on the ground facts.242 Moreover, we find that the many safeguards that we have imposed on downstream sharing today to be directly responsive to ATIS s concerns as we believe they are sufficient to protect these sensitive filings from misuse and unauthorized access. 118. We also reject ATIS s view that we should require that participating agencies make advance arrangements with agencies they choose to share downstream with (and that the Commission be notified of the existence of these arrangements) prior to dealing with an on-going public safety event.243 We are instead persuaded by the International Association of Chiefs of Police s remark that these 235 E.g., Verizon April 30, 2020 Comments at 13 (opining that sharing with contractors presents risks of improper use or disclosure). 236 Second Further Notice, 35 FCC Rcd at 2252-53, at para. 40. 237 With regard to potential costs burdens, we reiterate that participating agencies are not required to share NORS and DIRS information but instead are permitting to do so. 238 Second Further Notice, 35 FCC Rcd at 2252-53, at para. 40. 239 ATIS April 30, 2020 Reply Comments at 4-5. 240 ATIS April 30, 2020 Reply Comments at 4-5. 241 E.g., TRBPR April 29, 2020 Comments at 3 (arguing that even a one-day delay in access DIRS data is too much). 242 CoPUC April 3030303029, 2020 Comments at 8. 243 ATIS April 30, 2020 Comments at 4. 37 Federal Communications Commission FCC-CIRC2103-01 requirements would present a  barrier to access as they would consume additional resources that agencies often do not have.244 We decline to require that a participating agency make advance arrangements, or share at all, with other entities in light of the burden concerns expressed in the record. We find, however, that advance arrangements would likely reduce long term burdens on all parties. We therefore encourage, but do not require, participating agencies to make advance arrangements where they deem it practical and in the interests of public safety to do so. 119. We reject the views of the International Association of Chiefs of Police that we go further and require that participating agencies share information with local police agencies having a  need to know. 245 While we share the view that police agencies play a vital role in resolving many public safety issues, we decline to require participating agencies share confidential NORS and DIRS information with police agencies or any other local entity. We find that requiring federal, state, territory, and Tribal Nation agencies to share information with other entities is incompatible with our decision today to hold the participating agency accountable for the way information is used by those entities. To maintain the reasonableness of this accountability measure, we find it critical that participating agencies be able to evaluate and select the entities (if any) with which they share information. As a practical matter, however, we expect that participating agencies will, in many cases, voluntarily share information with police agencies when a  need to know exists. 120. We also reject the views of NCTA and other commenters that a participating agency should not be allowed to share directly with others outside the agency on grounds that this would risk over-disclosure.246 As noted above, we place safeguards on such direct sharing that will minimize the risk of unauthorized disclosure, which we find strikes an appropriate balance between disseminating NORS and DIRS information to those who can act on it, thereby savings lives and property, and protecting the sensitive nature of these filings. We also reject ACA Connects view that the  need to know of a recipient must be determined in advance of any sharing event (as opposed to in real-time during the event).247 We find that this provision would likely create significant and impractical delays in the transfer of critical information to non-participating agencies, particularly during times of severe exigency,248 and we find that the many safeguards that we ve introduced on direct sharing today appropriately balance disseminating NORS and DIRS information with protecting the sensitive nature of these filings. 121. In the Second Further Notice, the Commission proposed to allow individuals granted credentials for direct access to NORS and DIRS filings to share copies of particular filings, in whole or part, and any confidential information derived from the filings outside their agency on a strict  need to know basis. 249 We adopt this proposal and clarify that not only must there be a  need to know for downstream sharing, but that need must pertain to a specific imminent or on-going public safety event. 122. Many state, local and industry commenters support allowing credentialed individuals at a participating agency to directly share confidential NORS and DIRS information with others outside their agency, including individuals working for local entities, on a  need to know basis.250 We agree with 244 IACP April 30, 2020 Comments at 7. 245 IACP April 30, 2020 Comments at 6. 246 NCTA April 30, 2020 Comments at 10. 247 ACA Connects June 1, 2020 Reply Comments at 3. 248 E.g., Cal OES May 27, 2020 Reply Comments at 6 (opining that state agencies should have the ability to share outage data with local agencies  as events are occurring in order for them to appropriately respond to public safety events). 249 Second Further Notice, 35 FCC Rcd at 2251-52, at para. 37. 250 Pa. PUC April 30, 2020 Comments at 7; DCPSC June 1, 2020 Reply Comments at 4; IACP April 30, 2020 Comments at 6; USTelecom May 29, 2020 Reply Comments at 6; CenturyLink June 1, 2020 Reply Comments at 5; Verizon April 30, 2020 Comments at 9-10. 38 Federal Communications Commission FCC-CIRC2103-01 Verizon and the City of New York that, while state agencies are a good initial dissemination point, effectively addressing public safety requires collaboration between state agencies and local entities (among others).251 We also agree with the Public Service Commission of the District of Columbia that this proposal will  assist in developing a coordinated response to a disaster or other major outage, 252 and with the Pennsylvania Public Utility Commission, which supports this proposal as necessary to ensure that information can be disseminated from participating agencies to county emergency agencies, as they are often  the key decision-makers and first responders who need this information given their  vital role . . . in ensuring public safety during times of crisis. 253 We find that the proposed approach would provide a targeted and efficient way to put relevant information in the hands of local entities while minimizing the risk of over disclosure of confidential NORS and DIRS information. We also find that the proposed approach would be an effective way to ensure that PSAPs and 911 authorities that do not qualify as participating agencies can obtain relevant NORS and DIRS information.254 123. We clarify, however, that not only must there be a  need to know for downstream sharing, but that it must pertain to a specific imminent or on-going public safety event. Thus, in contrast with today s restrictions on sharing within a participating agency, we exclude a participating agency from sharing confidential information downstream when a potential recipient is seeking to use the information to identify trends and perform analyses related to long-term improvements in public safety outcomes. Many commenters express concerns that downstream sharing raises additional risks and would thus appear to support today s decision to further restrict the conditions on which it is permitted. We agree with commenters there is generally less accountability and an increased risk of over-disclosure when NORS and DIRS information is shared outside of those participating agencies that have been granted direct access.255 We similarly agree with ATIS and T-Mobile that the risks of improper use are heightened since outside recipients are not directly accountable to the Commission through our Certification Form (Appendix C).256 We find that these observations justify our further restriction on a  need to know in the context of downstream sharing. Moreover, without this restriction in place, a participating agency could simply share all (or vast amounts) of NORS and DIRS filings with a non- participating agency on grounds of a general  need to know, which would frustrate our decision to limit direct access to the many filings housed in our NORS and DIRS databases to participating agencies only. 124. Responsibilities of Non-Participating Agencies. The Commission proposed in the Second Further Notice to require that non-participating agencies that seek NORS and DIRS information first provide certification, to the supplying participating agency, that they will treat the information as confidential, not publicly disclose it absent a finding by the Commission that allows them to do so, and securely destroy the information when the public safety event that warrants its access to the information has concluded.257 We adopt this proposal while also requiring that non-participating agencies certify that they have completed security training using participating agencies training materials before being granted access to NORS and DIRS filings and clarifying the meaning of  secure destruction. 125. Some commenters, including state utility commissions that would incur much of the 251 Verizon April 30, 2020 Comments at 9-10; City of New York June 1, 2020 Reply Comments at 1. 252 DCPSC June 1, 2020 Reply Comments at 4. 253 Pa. PUC April 30, 2020 Comments at 7. 254 Washington APCO-NENA Chapter April 28, 2020 Comments at 1 and King County E-911 May 7, 2020 Comments at 1 (each advocating for state agencies to be permitted to share NORS and DIRS information with PSAPs and 911 authorities). 255 E.g., ACA Connects June 1, 2020 Reply Comments at 4 (opining that that participating agencies and their designated personnel have limited ability to control the flow of the information once it is out of their hands). 256 ATIS April 30, 2020 Comments at 10; T-Mobile April 30, 2020 Comments at 6-7. 257 Second Further Notice, 35 FCC Rcd at 2251-52, at paras. 37-39. 39 Federal Communications Commission FCC-CIRC2103-01 burden associated with these proposals, agree with the Commission s approach and find it workable.258 We agree with the Pennsylvania Public Utility Commission that requiring a non-participating agency s agreement to treat filings as confidential will help maintain NORS and DIRS filers trust in the confidentiality of submitted information and ensure the continued success of our NORS and especially voluntary DIRS programs.259 We also agree with both the Colorado Public Utilities Commission and NASNA that each of these requirements is workable and can be implemented in practice even if they do impose some burden.260 126. Moreover, while no commenter questioned what  secure destruction would entail, we find that clarifying this term will simplify implementation of this program for non-participating agencies that are required to securely destroy information according to its terms. We clarify that the secure destruction of confidential NORS and DIRS information requires, at a minimum, securely cross-cut shredding, or machine-disintegrating, paper copies of the information, and irrevocably clearing and purging digital copies, when the public safety event that warrants access to the information has concluded. 127. We reject the Colorado Public Utilities Commission s view that a non-participating agency has a need to keep  descriptions related to NORS and DIRS information in their possession to the extent it would violate our requirement for the secure destruction of the confidential NORS and DIRS information after the conclusion of a public safety event.261 We agree with Telecommunications Regulatory Bureau of Puerto Rico s representation from its own practice, that such reports can (and should) be  general in nature and not reflect confidential NORS and DIRS information.262 We find that to allow a non-participating agency to keep more granular information on file is outweighed by the need to restrict the dissemination of sensitive NORS and DIRS information. 128. As noted above, we will require downstream agencies to certify that they have completed security training using participating agencies training materials before being granted access to NORS and DIRS filings. We find that providing downstream access without any safeguards could amplify the possibility of unauthorized disclosure, particularly because downstream entities will have less experience with protecting NORS and DIRS data than participating agencies. 129. Further downstream sharing. In the Second Further Notice, the Commission proposed that the sharing of confidential NORS and DIRS information be allowed further downstream as well. According to this proposal, once an agency with direct NORS and DIRS access shared confidential NORS and DIRS information with a recipient, that recipient could further summarize and/or share the information with others that also had a  need to know. 263 Based on the record before us, we decline to adopt this proposal. 130. We find that the further downstream sharing proposal implicates several legitimate concerns around the ability to safeguard the confidentiality of the information and foster accountability among individuals and entities that would receive information.264 We agree with ACA Connects that the proposed approach would have made it hard to control the flow of information and maintain 258 CoPUC April 29, 2020 Comments at 7; DCPSC June 1, 2020 Reply Comments at 4. 259 Pa. PUC April 30, 2020 Comments at 6. 260 CoPUC April 29, 2020 Comments at 7; NASNA April 29, 2020 Comments at 12-13. 261 CoPUC April 29, 2020 Comments at 9. 262 TRBPR April 29, 2020 Comments at 3. 263 Second Further Notice, 35 FCC Rcd at 2252, at para. 38. 264 ACA Connects June 1, 2020 Reply Comments at 4; ATIS April 30, 2020 Comments at 10; USTelecom May 29, 2020 Reply Comments at 4, n.12; AT&T April 30, 2020 Comments at 6-7; T-Mobile April 30, 2020 Comments at 6-7; T-Mobile June 1, 2020 Reply Comments at 5-6. 40 Federal Communications Commission FCC-CIRC2103-01 accountability when improper disclosure occurred.265 We agree with ATIS and T-Mobile that the risks of improper use would be heightened if sharing were extended to those further downstream, i.e., to those not closely associated with agencies subject to our accountability measures, including as signatories to our Certification Form (Appendix C).266 Moreover, while some commenters suggest that these issues could be addressed through the imposition of additional safeguards, such as instituting a Commission  coordinator (who would be responsible for releasing the information that is to be shared downstream and ensuring that recipients indeed have a  need to know ) and allowing public comment on a proposed disclosure-by-disclosure basis. We reject these views as we find the proposed additional safeguards to be highly burdensome since, by adding delay to decision making, they would significantly diminish the value of the associated NORS and DIRS information in the context of exigencies.267 131. We reject the views of some local entities that believe that the further downstream sharing proposal would be workable as-is.268 We reject these views in the context of further downstream sharing. As noted by the industry commenters, the Commission s further downstream sharing proposal would require responsible practices not just by participating agencies and those that are one  hop removed from these agencies, but from a larger set of entities potentially many hops removed from the participating agency and generally not approved or cleared by the participating agency (or the Commission) in advance. We find that these public safety risks heighten, as do the difficulties of identifying the source of impermissible disclosure as information continues to be shared downstream with additional parties. Even if each individual entity taken alone has strong incentives to protect NORS and DIRS information, as Boulder Regional Emergency Telephone Service Authority contends, the risk of improper disclosure increases as a larger number of entities gains access to the information. To minimize that risk at the launch of today s new information sharing framework, we find that it is prudent to allow participating agencies to share NORS and DIRS confidential information under the conditions established in this order but not to allow further downstream sharing. 132. Penalties and Remedies. The Commission proposed in the Second Further Notice to hold participating agencies responsible for inappropriate disclosures of NORS and DIRS information by the non-participating agencies with which they share it and noted that consequences for improper disclosures by a participating agency or non-participating agency (with which the participating agency shares information) could result in termination of access to NORS and DIRS data for the participating agency.269 We adopt this proposal. We find that the risk of losing access is a necessary safeguard that will incentivize participating agencies to make judicious selections up-front on with whom they share NORS and DIRS information, if anyone. 133. In doing so, we reject the views of some commenters that believe that it would be unfair and a disservice to terminate a participating agency s access to NORS and DIRS information because of the potential bad actions of a non-participating entity which it cannot directly control.270 To further address the concerns in the record, however, we confirm that in any decision to terminate access, and set a length of time that the termination is effective, the Commission will consider the totality of the circumstances, including the reasonableness of the participating entity s decision to share information with a non-participating agency, the severity of the misuse of shared information, and the implementation 265 ACA Connects June 1, 2020 Reply Comments at 4. 266 ATIS April 30, 2020 Comments at 10; T-Mobile April 30, 2020 Comments at 6-7. 267 E.g., TRBPR April 29, 2020 Comments at 3 (noting that even a one-day delay in access DIRS data is too much in its view). 268 NYPSC April 30, 2020 Comments at 3; BRETSA April 30, 2020 Comments at 11-12. 269 Second Further Notice, 35 FCC Rcd at 2251-52, at paras. 33, 37-39. 270 MPSC April 30, 2020 Comments at 3-4; Pa. PUC June 1, 2020 Reply Comments at 4-7; CoPUC April 30, 2020 Comments at 7-8. 41 Federal Communications Commission FCC-CIRC2103-01 of other appropriate safeguards by the implicated participating agency. 134. To address concerns of record, to the extent that a participating agency is unclear on whether specific downstream individuals or entities have a  need to know, despite the clarity we have provided on the scope of the term in today s Order, we encourage (but do not require) the agency to contact the Commission at NORS_DIRS_information_sharing@fcc.gov to discuss its potential sharing with the individuals and entities well in advance of a relevant public safety event. 135. We reject NASNA s suggestion that when a participating agency s direct access is terminated by the Commission, it be terminated for exactly three years, as we find this to be an unnecessarily rigid approach.271 We agree with Colorado Public Utilities Commission and Montrose Emergency Telephone Service Authority that a decision to terminate access need not be permanent.272 136. We encourage participating agencies to proactively monitor and terminate access to non- participating agencies when they find such action warranted, but we reject Colorado Public Utilities Commission s view that the Commission should defer to participating agencies on termination decisions.273 The Commission has a strong incentive to safeguard all NORS and DIRS information that it receives to ensure that providers provide detailed reports on a nationwide basis. 137. The Commission will provide its remediation decisions, including its reasoning and actions to be taken to hold the participating agency accountable in a letter to the agency s coordinator, which may also be released on the Commission s website. If the Commission terminates an agency s access, the Commission will specify in the letter the time duration of this penalty as well as any conditions that must be met prior to reinstatement of access. G. Procedures for Requesting Direct Access to NORS and DIRS 138. In the Second Further Notice, the Commission proposed requiring eligible state, Tribal Nation and federal agencies to apply for direct access to NORS and DIRS filings by sending a request to the Commission s designated e-mail address and completing a Certification Form.274 We adopt these application procedures today, subject to the modification we have discussed above to require applying agencies to identify legal authority that charges them with promoting the protection of life or property.275 We find that, generally, commenters opining on the proposed procedures for requesting NORS and DIRS access raise no concerns with them.276 For example, the Competitive Carriers Association opines that the  FNPRM s proposed procedures for requesting data would help to ensure data is accessed on a limited, as-needed basis. 277 NASNA notes the Second Further Notice s proposed  procedure for potential 271 NASNA April 29, 2020 Comments at 14. 272 CoPUC April 29, 2020 Comments at 7-8; see also METSA April 30, 2020 Comments at 3. 273 CoPUC April 29, 2020 Comments at 7-8; see also METSA April 30, 2020 Comments at 3. 274 Second Further Notice, 35 FCC Rcd at 2257-58, paras. 65-66. The request would include: (i) a signed statement from an agency official, on the agency s official letterhead, including the official s full contact information and formally requesting access to NORS and DIRS filings; (ii) a description of why the agency has a need to access NORS and DIRS filings and how it intends to use the information in practice; (iii) if applicable, a request to exceed the proposed presumptive limits on the number of individuals (i.e., user accounts) permitted to access NORS and DIRS filings with an explanation of why this is necessary and (iv) a completed copy of a Certification Form, a template of which is provided in this item as Appendix C. On receipt, the Commission would review the request, follow-up with the agency official with any potential questions or issues. Once the Commission has reviewed the application and confirmed the application requirements are satisfied, the Commission would grant NORS and DIRS access to the agency by issuing the agency NORS and DIRS user accounts. 275 See supra at paras. 35-36. 276 CCA April 30, 2020 Comments at 5; NASNA April 29, 2020 Comments at 22; DCPSC June 1, 2020 Reply Comments at 7; CoPUC April 30, 2020 Comments at 12. ATIS April 30, 2020 Comments at iv. 277 CCA April 30, 2020 Comments at 5. 42 Federal Communications Commission FCC-CIRC2103-01 participating agencies to apply for direct access to NORS and DIRS data, and states that it  has no objections to the procedure outlined. 278 139. Other commenters urge additional modifications to the proposed procedures, which we reject. For example, ACA Connects urges the Commission  to require agencies as part of their application to explain precisely the public safety need that justifies access to NORS or DIRS data, and to grant such access only to that extent necessary to meet that need, and also argues that  a participating agency should be required to submit to the Commission the names of all individuals with whom it will share the data, along with an explanation why each individual  needs to know the information. 279 We decline to adopt this proposal as we expect our application requirement that legal authority be identified and certified to by agencies will address the issue of public safety need and find that requiring agencies to submit the names of all individuals with whom it will share data is inflexible and disregards that agencies might not know the full extent of individuals it will provide access to at the time of application. Furthermore, we note that Verizon suggests that applications  could include point of contact information for localities seeking access to information in the reports. 280 We also reject this recommendation as our application process is focused on reviewing the eligibility of agencies under the sharing framework and ensuring that they will adhere to the framework s safeguards and we defer to participating agencies to determine whether and how they want to establish a point of contact for requests by local agencies. 140. Moreover, some commenters propose that the Commission notify service providers when a particular agency applies for access to allow the provider to raise any concerns.281 For example, Verizon argues that  if service providers have concern for the confidentiality protections available in a particular state or have other issues appropriate for the Commission s consideration, such notification would give the service provider an opportunity to raise those concerns. 282 We find that, if implemented, this approach could lead to protracted disputes between service providers and participating agencies and impede efficient access to NORS and DIRS information. While Verizon does not indicate what  other issues could be raised for the Commission s consideration through a notification process in its comments, the Commission expects that its objective application process and its safeguards for protecting the confidentiality of NORS and DIRS data will help prevent improper use and disclosure.283 141. Furthermore, we find that eligible agencies, which have public safety duties, are unlikely to release sensitive information in ways that undermine national security or other public safety purposes. These agencies are also not in competition with service providers, and thus lack anticompetitive motives to use the information improperly. Moreover, we find that potentially contesting an agency s eligibility under our framework could detract from service provider and public safety resources that should be more immediately directed to using NORS and DIRS information to improve public safety. However, we encourage service providers to inform the Commission about any laws that would prevent any eligible agencies in a jurisdiction from maintaining the confidentiality of NORS and DIRS information, as well as any specific concerns regarding participating agencies that may be improperly accessing, using, or disclosing NORS and DIRS information. 142. Although we will not notify providers when an agency requests access to NORS and DIRS information for the aforementioned reasons, we find that providers should be kept apprised of the entities granted direct access to NORS and DIRS filings to track the use of network outage data. 278 NASNA April 29, 2020 Comments at 22 279 ACA Connects April 30, 2020 Comments at 4-5. 280 Verizon April 30, 2020 Comments at 10. 281 Verizon April 30, 2020 Comments at 9; T-Mobile April 30, 2020 Comments at 2; ATIS April 30, 2020 Comments at 8. 282 Verizon April 30, 2020 Comments at 9. 283 See, e.g., supra, Sections 4-5. 43 Federal Communications Commission FCC-CIRC2103-01 Therefore, we will develop a general list of participating agencies granted access to filings under our information sharing framework that will made available to relevant service providers. This list will be updated on a periodic basis. We delegate authority to PSHSB to develop, update, and make available this list. 143. Certification Form. In the Second Further Notice, the Commission proposed the adoption of a Certification Form  to address the certifications and acknowledgments required for direct access to NORS and DIRS filings, and sought comment on the various elements and requirements of the Certification Form.284 Based on our review of the record, we adopt the proposed Certification Form today, with slight modifications we discuss below, as we expect that it will provide for adequate acknowledgment of the confidential nature of the NORS and DIRS filings and help protect against the unauthorized use of NORS and DIRS information. We note that several commenters support the proposed Certification Form.285 144. Many commenters offer various proposals for modifications intended to strengthen the safeguarding of NORS and DIRS information by requiring notice of data breaches to the Commission and service providers. We agree with commenters that it will further public safety to require participating agencies to certify that they will immediately notify the Commission and affected service providers of data breaches or the unauthorized or improper disclosure of NORS/DIRS data.286 We find that in addition to enabling service providers to minimize the negative effects of improper disclosure, this modification to the Certification Form would allow the Commission to quickly identify misuse of NORS and DIRS information, further investigate violations of information sharing rules, and, if necessary, restrict continued access by offending participating agencies. NCTA also argues that  as AT&T has previously suggested, after any improper access to or use of NORS or DIRS data by an employee, the Qualifying Governmental Agency should agree  to perform an investigation of that employee and report the results of its investigation to the Commission and, possibly, to law enforcement. 287 As we expect that the approach we adopt today will enable the Commission to coordinate the swift investigation of potentially improper uses of NORS and DIRS data, which could include investigation of personnel at participating agencies, we decline to adopt this proposal. 145. Other commenters make additional Certification Form proposals intended to ensure confidentiality and the proper use of NORS and DIRS filings, which we reject. We decline to adopt NCTA s recommendation that the Commission require participating agencies  to certify that NORS and DIRS filings will not be accessed by individuals who are not designated employees, 288 or are no longer employed by the agency.289 We note that non-participating agencies that receive NORS and DIRS information from participating agencies will be required to complete a certification that they will treat the information as confidential. We also expect that the training and safeguard requirements we adopt today 284 Second Further Notice, 35 FCC Rcd at 2259, para. 66. 285 NASNA April 29, 2020 Comments at 22; see also CoPUC April 30, 2020 Comments at 12; CCA April 30, 2020 Comments at 5. 286 NCTA April 30, 2020 Comments at 5. CenturyLink also comments that  State and local agencies should be required to immediately report to the service provider and the FCC any unauthorized or improper disclosure of NORS/DIRS data. CenturyLink June 1, 2020 Reply Comments at 5. ACA Connects further states that  the Commission should require participating agencies to notify the Commission and affected communications providers in the event of a data breach, and should set forth appropriate penalties, including revocation of the agreement, for an agency that fails to protect or misuses the data, and that [a]t minimum, an agency that demonstrates a pattern of misuse or improper disclosure of NORS or DIRS data should be cut off from any further access. ACA Connects April 30, 2020, Comments at 7. 287 NCTA April 30, 2020 Comments at 5-6, citing Comments of AT&T, PS Docket Nos. 15-80 and 11-82, ET Docket No. 04-35, at 23-24 (Aug. 26, 2016). 288 NCTA April 30, 2020 Comments at 4. 289 NCTA April 30, 2020 Comments at 8 44 Federal Communications Commission FCC-CIRC2103-01 will be sufficient to prevent unauthorized access to filings. We further find that the addition of this provision could be confusing as we note that pursuant to the rules we adopt today, participating agencies can share copies of NORS and DIRS filings, within or outside their participating agency. NCTA also recommends that a participating agency certify that, among other things, it will only use NORS and DIRS information for public safety responsibilities.290 CenturyLink also agrees with NCTA that  a certifying agency should also describe  how it intends to use the information in practice. 291 We further find that the limitations on NORS and DIRS data described in the Certification Form which requires agencies to certify that they will comply with the restrictions we adopt today and our application procedures including procedures that require agencies to identify the legal authority that charges them with public safety responsibilities as adopted adequately address the remaining issues referenced in NCTA and other commenter s proposals. 146. In addition to these arguments, some commenters urge the Commission to adopt a certification process similar to the process the Commission has implemented to grant state access to North American Numbering Plan data, require state agencies to certify that they have adequate confidentiality protections in place, or describe the safeguards they have implemented to protect NORS and DIRS data.292 We reject all proposals regarding these issues to the extent that they differ from the provisions in the Certification Form we adopt today. We note that the proposed Certification Form was modeled after the certification that we require for access to North American Numbering Plan data, but enhanced to protect NORS and DIRS information, which if mishandled, implicates national security and competitive sensitivity concerns. For example, the Certification Form requires agencies to certify and acknowledge that NORS and DIRS filings are sensitive and presumed confidential for national security and commercial competitiveness reasons and report any suspected breaches to the Commission immediately. 147. In addition, we will require agencies to certify that they have implemented practical data protection safeguards including assigning user accounts to single employees, promptly reassigning user accounts to reflect changes as their rosters of designated employees change, and periodically changing user account passwords to ensure that user account credentials are not used by individuals who are not the agency s designated employees. Furthermore, the requirements we adopt today will obligate participating agencies to implement effective confidentiality safeguards regardless of the level of safeguards that exist in their states. For example, we require all participating agencies to certify that they will  treat NORS and DIRS filings and information in accordance with procedural and substantive protections that are equivalent to or greater than those afforded under federal confidentiality statutes and rules, including but not limited to the federal Freedom of Information Act, and to  the extent that federal confidentiality statutes and rules impose a higher standard of confidentiality than applicable state law or regulations provide, the agencies must certify that they will  adhere to the higher federal standard. 293 148. Commenters also make proposals intended to ensure the Certification Form clarifies the limitations of NORS and DIRS filings and the scope of entities eligible to receive them. For example, Verizon proposes that the Certification Form state that the recipient of filings  further acknowledges that information reported in DIRS and NORS filings is subject to revision and correction by the reporting service provider. 294 However, we find that the proposed Certification Form accounts for potential errors and inaccuracies in NORS and DIRS filings by requiring participating agencies to  acknowledge that the 290 NCTA April 30, 2020 Comments at 8. ATIS also urges that the Certification Form be modified to  specifically require agencies to certify that they have  need to know this information and that they agree to use this information only for public safety purposes. ATIS June 30, 2020 Comments at 16, fn.33. 291 CenturyLink June 1, 2020 Reply Comments at 5. 292 See, e.g., CPUC April 30, 2020 Comments at 9; CenturyLink June 1, 2020 Reply Comments at 5; CTIA April 30, 2020 Comments at 10; MPSC April 30, 2020 Comments at 4-5; NCTA April 30, 2020 Comments at 6-8. 293 See Appendix C. 294 Verizon April 30, 2020 Comments at 8. 45 Federal Communications Commission FCC-CIRC2103-01 Commission does not guarantee the accuracy of either the NORS or DIRS filings. 295 We note that providers can share revised and corrected filings with us, which we will in turn make available to participating agencies granted access to the framework. Additionally, ATIS proposes that the Certification Form be modified to  avoid confusion by clarifying in the opening paragraph that state agencies may get access only to reports for that state and cannot request nationwide filings. 296 ATIS states that  one way to achieve this would be replace the bracketed language with  [for state agencies, name of states; for federal agencies, name of states or nationwide].  297 We agree with ATIS that we should revise the Certification Form to clarify the scope of entities that we intend to provide with access to our framework. Therefore, we add bracketed language to the Certification Form to indicate that states, the District of Columbia, Tribal Nations, and U.S. territories may be granted access only for reports of outages connected to their jurisdictions consistent with our rules. 149. We note that in addition to the Certification Form revisions we describe above, and consistent with the requirements we adopt today, we add an additional provision to the form to require the designated agency contact for each participating agency to serve as the coordinating point of contact for the agency consistent with the requirements we have described.298 150. Finally, in the Second Further Notice, the Commission proposed to  direct PSHSB to promulgate any additional procedural requirements that may be necessary to implement the Commission s proposals for the sharing of NORS and DIRS information, consistent with the Administrative Procedure Act. The Commission also stated that  we foresee that such procedural requirements may include implementation of agency application processing procedures, necessary technical modifications to the NORS and DIRS databases (including, potentially, modifications designed to improve data protection and guard against unauthorized disclosure), and reporting guidelines to ensure that the Commission receives the notifications identified in Appendix C. 299 The Commission sought comment on these proposals, and asked whether there were additional safeguards it should adopt for the application process or any other procedural requirements that would be necessary to implement the Commission s proposals.300 No commenters addressed these proposals or provided any evidence to rebut their necessity. Thus, we adopt them and we are confident that PSHSB s technical and administrative expertise will help facilitate the efficient implementation of the information sharing framework to further enhance public safety as contemplated by the rules we adopt today. H. Effective Dates 151. In the Second Further Notice, the Commission proposed to have the Public Safety and Homeland Security Bureau issue a Public Notice that would (a) announce OMB approval of any new information collection requirements that the Commission might adopt in modifying the DIRS and NORS regime; and (b) set a date on which (i) service providers would be required to conform any new filings in NORS and DIRS to any newly adopted reporting protocols; and (ii) agencies could file certification forms requesting access to those reports.301 Moreover, the Commission proposed that the date set by the Bureau would be a date after the technical adjustments necessary to facilitate sharing had been made to the Commission s NORS and DIRS databases.302 The Commission tentatively concluded in the Second 295 See Appendix C. 296 ATIS June 30, 2020 Comments at 16, fn. 33. 297 ATIS June 30, 2020 Comments at 16, fn. 33. 298 Supra at para. 93. 299 Second Further Notice, 35 FCC Rcd at 2259, at para. 67. 300 Second Further Notice, 35 FCC Rcd at 2259, at para. 67. 301 Second Further Notice, 35 FCC Rcd at 2259-60, at paras. 68-69. Thus, direct NORS and DIRS access would become available to eligible agencies as of the specified date. Id. 302 Second Further Notice, 35 FCC Rcd at 2260, at para. 69. 46 Federal Communications Commission FCC-CIRC2103-01 Further Notice that adoption of this proposal would give interested agencies ample time to prepare their certifications and give service providers sufficient time to adjust their NORS and DIRS filing processes to conform with technical changes required by today s final rule changes. While no commenter opposed our proposals, we find it in the public interest to adopt the proposals with one modification, i.e., to specify an effective date, subject to extension, as part of today s decision. 152. We find that this approach provides the Commission adequate time to implement the regime contemplated by today s rules and will permit the Bureau time to account for contingencies, i.e., the readiness of the databases and the OMB approval that facilitates the implementation of the revised regime. Our experience in other contexts informs our estimate that the NORS and DIRS database adjustments and related transition to implement the new requirements will require approximately 18 months. Accordingly, we set an effective date below of September 30, 2022 for the revisions to Section 4.2. We delegate authority to the Public Safety and Homeland Security Bureau, which will seek OMB review and make adjustments to the databases, to extend this effective date if necessary by Public Notice published in the Federal Register (e.g., if database adjustments take longer than we estimate here or if the required OMB review of the modified information collections under the new rule provisions is delayed). IV. PROCEDURAL MATTERS 153. Final Regulatory Flexibility Analysis. The Regulatory Flexibility Act of 1980, as amended (RFA),303 requires that an agency prepare a regulatory flexibility analysis for notice and comment rulemakings, unless the agency certifies that  the rule will not, if promulgated, have a significant economic impact on a substantial number of small entities. 304 Accordingly, the Commission has prepared a Final Regulatory Flexibility Analysis (FRFA) concerning the possible impact of the rule changes contained in this Second Report and Order on small entities. The FRFA is set forth in Appendix B. 154. Paperwork Reduction Act Analysis. As described at paras. 83 and 84, supra, service providers will be required to make adjustments to their NORS reporting processes, to accommodate the Commission s adjustments to its NORS web-based form, pursuant to section 47 CFR 4.11 of the Commission rules. These adjustments and today s new requirement that agencies file certification forms, pursuant to section 4.2, to request access to NORS and DIRS reports, constitute a modified information collection. They require that service providers modify their NORS reporting processes to provide the Commission with jurisdiction-specific reports and that participating agencies begin to provide the Commission with certification forms and reports and information related to known or reasonably suspected unauthorized use or improper disclosure of confidential NORS and DIRS information. These modified information collections will be submitted to the Office of Management and Budget (OMB) for review under section 3507(d) of the Paperwork Reduction Act of 1995 (PRA).305 OMB, the general public, and other Federal agencies are invited to comment on the new or modified information collection requirements contained in this proceeding. This document will be submitted to OMB for review under section 3507(d) of the PRA. In addition, we note that, pursuant to the Small Business Paperwork Relief Act of 2002,306 the Commission previously sought, but did not receive, specific comment on how the Commission might further reduce the information collection burden for small business concerns with fewer than 25 employees. The Commission does not believe that the new or modified information 303 See 5 U.S.C. § 604. The RFA, 5 U.S.C. §§ 601 612, was amended by the Small Business Regulatory Enforcement Fairness Act of 1996 (SBREFA), Pub. L. No. 104-121, Title II, 110 Stat. 857 (1996). 304 5 U.S.C. § 605(b). 305 44 U.S.C. § 3507(d). 306 Pub. L. No. 107-198, 116 Stat. 729 (2002) (codified at 44 U.S.C. § 3506(c)(4)). 47 Federal Communications Commission FCC-CIRC2103-01 collection requirements will be unduly burdensome on small businesses.307 Applying these new or modified information collections will promote public safety response efforts, to the benefit of all size governmental jurisdictions, businesses, equipment manufacturers, and business associations by providing better situational information related to the nation s network outages and infrastructure status. We describe impacts that might affect small businesses, which includes most businesses with fewer than 25 employees, in the FRFA in Appendix B. 155. Congressional Review Act. [[The Commission will submit this draft Second Report and Order to the Administrator of the Office of Information and Regulatory Affairs, Office of Management and Budget, for concurrence as to whether these rules are  major or  non-major under the Congressional Review Act, 5 U.S.C. § 804(2).]] The Commission will send a copy of this Second Report and Order to Congress and the Government Accountability Office pursuant to 5 U.S.C. § 801(a)(1)(A). 156. The Commission has determined that these rules are non-major under the Congressional Review Act, 5 U.S.C. § 804(2). The Commission will send a copy of this Report and Order to Congress and the Government Accountability Office pursuant to 5 U.S.C. § 801(a)(1)(A). 157. Further Information. For further information, contact Saswat Misra, Attorney-Advisor, Cybersecurity & Communications Reliability Division, Public Safety and Homeland Security Bureau, (202) 418-0944 or via e-mail at Saswat.Misra@fcc.gov. V. ORDERING CLAUSES 158. ACCORDINGLY IT IS ORDERED that, pursuant to the authority contained in sections 1, 4(i), 4(j), 4(o), 251(e)(3), 254, 301, 303(b), 303(g), 303(r), 307, 309(a), 309(j), 316, 332, and 403, of the Communications Act of 1934, as amended, and section 706 of the Telecommunications Act of 1996, 47 U.S.C. §§ 151, 154(i)-(j) & (o), 251(e)(3), 254, 301, 303(b), 303(g), 303(r), 332, 403, and 1302, this Second Report and Order in PS Docket No. 15-80 is ADOPTED. 159. IT IS FURTHER ORDERED that the amendments of the Commission s rules as set forth in Appendix A ARE ADOPTED, effective September 30, 2022, as described at § III.H, above. 160. IT IS FURTHER ORDERED that the Commission s Consumer and Governmental Affairs Bureau, Reference Information Center, SHALL SEND a copy of the Second Report and Order, including the Final Regulatory Flexibility Analysis, to the Chief Counsel for Advocacy of the Small Business Administration. 161. The Commission will submit this Second Report and Order to the Administrator of the Office of Information and Regulatory Affairs, Office of Management and Budget, for concurrence as to whether these rules are  major or  non-major under the Congressional Review Act, 5 U.S.C. § 804(2). The Commission will send a copy of this Second Report and Order to Congress and the Government Accountability Office pursuant to 5 U.S.C. § 801(a)(1)(A). 307 The Commission anticipates the burden and cost levels of these requirements to be similar to the existing collections which OMB approved under OMB Control No. 3060-0484, ICR Reference No: 201911-3060-010 (NORS) and 3060-1003, ICR Reference No: 202004-3060-036 (DIRS). See generally Exec. Office of the President, Office of Info. & Regulatory Affairs, View ICR  OIRA Conclusion, https://www.reginfo.gov/public/do/PRAViewICR?ref_nbr=201801-3060-010 (OIRA review for Wireless E911 Location Accuracy Requirements, OMB Control No. 3060-1210). The Commission seeks comment on these costs in its upcoming Paperwork Reduction Act comment periods. 48 Federal Communications Commission FCC-CIRC2103-01 FEDERAL COMMUNICATIONS COMMISSION Marlene H. Dortch Secretary 49 Federal Communications Commission FCC-CIRC2103-01 Appendix A: Final Rule For the reasons set forth above, Part 4 of Title 47 of the Code of Federal Regulations is amended as follows: PART 4  DISRUPTIONS TO COMMUNICATIONS 1. The authority citation for part 4 continues to read as follows: Authority: [To be inserted prior to Federal Register publication.] 2. Section 4.2 is revised to read as follows: § 4.2 Availability of reports filed under this part. Reports filed under this part will be presumed to be confidential under § 0.457(d)(1) of this chapter. Notice of any requests for inspection of outage reports will be provided pursuant to § 0.461(d)(3) of this chapter except that the Chief of the Public Safety and Homeland Security Bureau may grant, without providing such notice, an agency of the states, the District of Columbia, U.S. territories, federal government, or Tribal Nations direct access to portions of the information collections affecting its respective jurisdiction after the requesting agency has certified to the Commission that it has a need to know this information and has protections in place to safeguard and limit the disclosure of this information as described in the Commission s Certification Form for NORS and DIRS Sharing (Certification Form). Sharing is restricted by the following terms: (a) Requesting Agencies granted direct access to information collections must report immediately to any affected service providers and to the Commission any known or reasonably suspected unauthorized use or improper disclosure, manage their agency s access to outage reports by managing user accounts in accordance with the Commission s rules, coordinate with the Commission to manage an unauthorized access incident, and answer any questions from the Commission regarding their agency s access, use, or sharing of reports. (b) Agencies granted direct access to information collections may share copies of the filings, and any confidential information derived from the filings, outside their agency on a strict need-to-know basis when doing so pertains to a specific imminent or on-going public safety event. The agency must condition the recipients receipt of confidential NORS and DIRS information on the recipients certification, on a form separate from the Certification Form, that they will treat the information as confidential, not publicly disclose it absent a finding by the Commission that allows them to do so, and securely destroy the information by, at a minimum, securely cross-cut shredding, or machine-disintegrating, paper copies of the information, and irrevocably clearing and purging digital copies, when the public safety event that warrants access to the information has concluded. (c) Except as permitted pursuant to paragraph (b) of this section, agencies granted direct access to information collections may not share filings, or any confidential information derived from the filings, with non-employees of the agency, including agency contractors, unless such sharing is expressly authorized in writing by the Commission. (d) Agencies granted direct access to information collections may disseminate aggregated and anonymized information to the public. Such information must be aggregated from at least four service providers and must be sufficiently anonymized so that it is not possible to identify any service providers by name or in substance. (e) Consequences for an Agency s failure to comply with these terms may result in, 50 Federal Communications Commission FCC-CIRC2103-01 among other measures, termination of direct access to reports by the Commission for a time period to be determined by the Commission based on the totality of the circumstances surrounding the failure. 51 Federal Communications Commission FCC-CIRC2103-01 Appendix B Final Regulatory Flexibility Analysis 1. As required by the Regulatory Flexibility Act of 1980, as amended (RFA),1 an Initial Regulatory Flexibility Analysis (IRFA) was incorporated in the Amendments to Part 4 of the Commission s Rules Concerning Disruptions to Communications, Second Further Notice of Proposed Rulemaking (Second Further Notice).2 The Commission sought written public comment on the proposals in the Second Further Notice, including comment on the IRFA. No comments were received specifically addressing the IRFA. This Final Regulatory Flexibility Analysis (FRFA) conforms to the RFA.3 A. Need for, and Objectives of, the Second Report and Order 2. In the Second Report and Order, the Commission adopts various proposals made in the Second Further Notice adopted in February 2020. In particular, we conclude that directly sharing Network Outage Reporting System (NORS) data with state and federal agencies, subject to appropriate and sufficient safeguards, is in the public interest, and we extend this finding to include the sharing of Disaster Information Reporting System (DIRS) data. We take specific steps to share the Commission s network outage and infrastructure status information with state and federal government agencies and others whose official duties make them directly responsible for emergency management and first responder support functions (i.e., have a  need to know ). This newly established information sharing framework stems from our experience with outage reporting over the past many years and will enhance the ability of our federal, state and local partners to make information decisions that will help them to save lives and property. The information sharing framework adopted in the Second Report and Order: ·ð provides participating agencies of the states, the District of Columbia, U.S. territories, federal government, and Tribal Nations, hereinafter agencies, direct read-only access to outage and infrastructure status information contained in the Commission s NORS and DIRS filings, respectively; ·ð presumptively limits the number of identified and trained personnel that have direct access to NORS and DIRS filings by limiting the number of user accounts to five per agency; ·ð requires participating agencies to treat NORS and DIRS filings and data as confidential under federal and state FOIA statutes and similar laws and regulations as a condition of their direct access to these filings; ·ð requires each individual granted a user account for direct access to NORS and DIRS filings complete security training on the proper access to, use of, and compliance with safeguards to protect the information contained in the filings; ·ð limits agency access to NORS and DIRS filings for events reported to occur at least partially within their jurisdictional or geographic boundaries; ·ð allows participating agencies to share confidential NORS and DIRS information inside or outside the agency with certain recipients whose official duties that make them directly responsible for emergency management and first responder support functions; ·ð allows participating agencies to share information from the NORS and DIRS filings of at least four service providers that has been aggregated and anonymized to avoid identifying any 1 See 5 U.S.C. § 603. The RFA, 5 U.S.C. §§ 601  612, has been amended by the Small Business Regulatory Enforcement Fairness Act of 1996 (SBREFA), Pub. L. No. 104-121, Title II, 110 Stat. 857 (1996). 2 Amendments to Part 4 of the Commission s Rules Concerning Disruptions to Communications, Second Further Notice of Proposed Rulemaking, FCC 20-20 (rel. Mar. 2, 2020) (Appendix B, Initial Regulatory Flexibility Analysis). 3 See 5 U.S.C. § 604. 52 Federal Communications Commission FCC-CIRC2103-01 service provider by name or in substance with any entity, including the broader public; and ·ð requires participating agencies to complete a Certification Form4 acknowledging their obligations and certifying their agreement to protect NORS and DIRS filings from unauthorized access. 3. The information sharing framework the Commission adopts in the Second Report and Order granting direct, read-only access to relevant NORS and DIRS filings to agencies acting on behalf of the federal government, the fifty states, the District of Columbia, Tribal Nation governments, and United States territories that have official duties that make them directly responsible for emergency management and first responder support functions, but does not require these agencies to share NORS and DIRS information. Service providers covered by our part 4 rules, remain required to report information in NORS and can make DIRS filings although DIRS reporting is not mandatory. By the Commission s actions in the Second Report and Order, the Commission believes it will ensure that state, federal and local public safety officials can effectively leverage and disseminate to local entities the same reliable and timely network outage and infrastructure status information available to the Commission when responding to emergencies. B. Summary of Significant Issues Raised by Public Comments in Response to the IRFA 4. No comments were submitted specifically in response to the IRFA, however a few commenters expressed concerns about the estimated costs to service providers discussed by the Commission in the Second Further Notice.5 Despite these concerns however, none of the commenters provided any cost data or analysis to support their concerns or rebut the Commission s cost estimates in accordance with the Commission s request for such data in the Second Further Notice. Similarly, while some state agency and advocacy organizations expressed concerns that it will be burdensome for voluntarily participating agencies to relay information they retrieve from the NORS and DIRS databases to other permissible  downstream entities as allowed by the adopted information sharing framework, none of these entities attempt to quantify the costs associated with these activities.6 5. The National Association of State 911 Administrators (NASNA) opines that the cost of implementing changes to NORS forms to implement the information sharing framework we adopt would be less than the Commission s estimated value of $3.2 million.7 The Colorado Public Utilities Commission, whose comments echo those of NASNA, similarly agrees that the Commission s mandated NORS forms modifications in the Second Report and Order would likely be the best solution, and also imply that the costs for the changes would be less than $3.2 million.8 6. We maintain that the nation s service providers will incur total initial set up costs of $3.2 million based on the Commission s estimate of 1,000 service provider incurring costs of $80 per hour and spending 40 hours to implement update or revise their software used to report outages to the Commission in NORS and DIRS. We maintain that non-participating agencies will incur no costs associated with today s framework. Agencies that voluntarily elect to participate, however, are required to notify the Commission when they receive requests for NORS filings, DIRS filings, or related records and prior to the effective date of any change in relevant statutes of laws that would affect the agency s ability to adhere to the confidentiality protections that the Commission requires, may incur some costs. We maintain that participating agencies would incur initial costs to review and revise their confidentiality protections in accordance with the proposed information sharing framework and minimal reoccurring 4 See Second Report and Order, Appendix C. 5 NASNA April 29, 2020, Comments at 18-19; CoPUC April 30, 2020, Comments at 10; CPUC June 1, 2020, Reply Comments at 8. NTCA April 30, 2020, Comments at 3-4. 6 E.g., CPUC April 30, 2020 Comments at 6. 7 NASNA April 29, 2020, Comments at 18-19 8 CoPUC April 30, 2020, Comments at 10 53 Federal Communications Commission FCC-CIRC2103-01 costs to notify the Commission about a request for NORS/DIRS filings or relevant statutory changes as described above. The Commission cannot quantify the costs for these activities, which would vary based on each participating agency s particular circumstances, however, we conclude that the benefits of participation would exceed the costs for any participating agency. We find the adopted changes the Commission proposed in the Second Further Notice are the most cost-effective modifications to NORS and DIRS, and will enable the most efficient collections of data as required by our information sharing framework. With regard to the costs burdens for participating agencies to be responsible to share the information they retrieve from the NORS and DIRS databases, the Commission previously proposed and we adopted the requirement that the sharing agency determine whether a  need to know exists on the part of the recipient, because the sharing agency is in a strong position to make this determination based on their  on the ground knowledge of the public safety-related activities, and trustworthiness not to disclose. We reiterate however, that participating agencies are not required to share NORS and DIRS information but instead are permitting to do so subject to the requirements in the Second Report and Order. Overall, we find that the benefits to life and property that are derived from the information sharing framework that we adopt today, including the more rapidly restoration of disrupted communications and more efficient direction of first responder resources during times of crisis, exceed the costs. 7. The Commission is aware that agencies that voluntarily elect to participate, and decide to share NORS and DIRS information, may incur some costs due to the obligation to notify the Commission when they receive requests for NORS filings, DIRS filings, or related records and prior to the effective date of any change in relevant statutes of laws that would affect the agency s ability to adhere to the confidentiality protections that the Commission requires. Such costs participating agencies would incur, are the initial costs to review and revise their confidentiality protections in accordance with the information sharing framework we adopt in the Second Report and Order, and minimal reoccurring costs to notify the Commission about a request for NORS/DIRS filings or relevant statutory changes as described above. The Commission cannot quantify the costs for these activities, which would vary based on each participating agency s particular circumstances, however, we conclude that the benefits of participation would exceed the costs for any agency electing to participate in today s framework. However, we find that the benefits attributable to providing NORS and DIRS access to these agencies and other parties are substantial and may have significant positive effects on the abilities of the entities to safeguard the health and safety of residents during times of natural disaster or other unanticipated events that impair telecommunications infrastructure. Notwithstanding the social importance of these benefits, we lack the record evidence to quantify such benefits.9 This lack of quantification, however, does not diminish in any way the advantages of providing access as a mechanism for improving the safety and well-being of residents during times of distress due to telecommunications outage. 8. Moreover, the Commission is unaware of any alternative approaches with lower costs, nor have any been identified by commenters, that would still ensure that the Commission promptly and reliably learns of the actions described above that may lead to the disclosure of NORS or DIRS-related information. Lessening the promptness or reliability of notifications to the Commission would disincentivize providers from supplying robust and fulsome NORS and DIRS reports and therefore reduce the benefits that those filings would provide to the Commission and participating agencies alike. We find that this reduction in benefits would outweigh the expected modest cost savings to those participating agencies that would be required to provide notifications under the framework we adopt today. C. Response to Comments by Chief Counsel for Advocacy of the Small Business Administration 9. Pursuant to the Small Business Jobs Act of 2010, which amended the RFA, the Commission 9 Office of Management and Budget, Circular A-4, at 27 (2003) https://www.whitehouse.gov/sites/whitehouse.gov/files/omb/circulars/A4/a-4.pdf (discussing benefits and costs that are difficult to quantify). 54 Federal Communications Commission FCC-CIRC2103-01 is required to respond to any comments filed by the Chief Counsel for Advocacy of the Small Business Administration (SBA), and to provide a detailed statement of any change made to the proposed rules as a result of those comments.10 D. Description and Estimate of the Number of Small Entities to Which Rules Will Apply 10. The RFA directs agencies to provide a description of, and, where feasible, an estimate of, the number of small entities that may be affected by the rules adopted herein.11 The RFA generally defines the term  small entity the same as the terms  small business,  small organization, and  small governmental jurisdiction. 12 In addition, the term  small business has the same meaning as the term  small business concern under the Small Business Act.13 A small business concern is one which: (1) is independently owned and operated; (2) is not dominant in its field of operation; and (3) satisfies any additional criteria established by the Small Business Administration (SBA).14 1. Total Small Entities 11. Small Businesses, Small Organizations, Small Governmental Jurisdictions. Our actions, over time, may affect small entities that are not easily categorized at present. We therefore describe here, at the outset, three broad groups of small entities that could be directly affected herein.15 First, while there are industry specific size standards for small businesses that are used in the regulatory flexibility analysis, according to data from the SBA s Office of Advocacy, in general a small business is an independent business having fewer than 500 employees.16 These types of small businesses represent 99.9% of all businesses in the United States which translates to 30.7 million businesses.17 12. Next, the type of small entity described as a  small organization is generally  any not- for-profit enterprise which is independently owned and operated and is not dominant in its field. 18 The Internal Revenue Service (IRS) uses a revenue benchmark of $50,000 or less to delineate its annual electronic filing requirements for small exempt organizations.19 Nationwide, for tax year 2018, there were approximately 571,709 small exempt organizations in the U.S. reporting revenues of $50,000 or less 10 5 U.S.C. § 604(a)(3). 11 5 U.S.C. § 604(a)(4). 12 5 U.S.C. § 601(6). 13 5 U.S.C. § 601(3) (incorporating by reference the definition of  small business concern in the Small Business Act, 15 U.S.C. § 632). Pursuant to 5 U.S.C. § 601(3), the statutory definition of a small business applies  unless an agency, after consultation with the Office of Advocacy of the Small Business Administration and after opportunity for public comment, establishes one or more definitions of such term which are appropriate to the activities of the agency and publishes such definition(s) in the Federal Register. 14 15 U.S.C. § 632. 15 See 5 U.S.C. § 601(3)-(6). 16 See SBA, Office of Advocacy,  What s New With Small Business? , https://cdn.advocacy.sba.gov/wp- content/uploads/2019/09/23172859/Whats-New-With-Small-Business-2019.pdf (Sept 2019).  ) 17 Id. 18 5 U.S.C. § 601(4). 19 The IRS benchmark is similar to the population of less than 50,000 benchmark in 5 U.S.C § 601(5) that is used to define a small governmental jurisdiction. Therefore, the IRS benchmark has been used to estimate the number small organizations in this small entity description. See Annual Electronic Filing Requirement for Small Exempt Organizations  Form 990-N (e-Postcard),  Who must file, https://www.irs.gov/charities-non-profits/annual- electronic-filing-requirement-for-small-exempt-organizations-form-990-n-e-postcard. We note that the IRS data does not provide information on whether a small exempt organization is independently owned and operated or dominant in its field. 55 Federal Communications Commission FCC-CIRC2103-01 according to the registration and tax data for exempt organizations available from the IRS.20 13. Finally, the small entity described as a  small governmental jurisdiction is defined generally as  governments of cities, counties, towns, townships, villages, school districts, or special districts, with a population of less than fifty thousand. 21 U.S. Census Bureau data from the 2017 Census of Governments22 indicate that there were 90,075 local governmental jurisdictions consisting of general purpose governments and special purpose governments in the United States.23 Of this number there were 36,931 general purpose governments (county24, municipal and town or township25) with populations of less than 50,000 and 12,040 special purpose governments - independent school districts26 with enrollment populations of less than 50,000.27 Accordingly, based on the 2017 U.S. Census of Governments data, we estimate that at least 48,971 entities fall into the category of  small governmental jurisdictions. 28 20 See Exempt Organizations Business Master File Extract (EO BMF),  CSV Files by Region, https://www.irs.gov/charities-non-profits/exempt-organizations-business-master-file-extract-eo-bmf. The IRS Exempt Organization Business Master File (EO BMF) Extract provides information on all registered tax- exempt/non-profit organizations. The data utilized for purposes of this description was extracted from the IRS EO BMF data for Region 1-Northeast Area (76,886), Region 2-Mid-Atlantic and Great Lakes Areas (221,121), and Region 3-Gulf Coast and Pacific Coast Areas (273,702) which includes the continental U.S., Alaska, and Hawaii. This data does not include information for Puerto Rico. 21 5 U.S.C. § 601(5). 22 See 13 U.S.C. § 161. The Census of Governments survey is conducted every five (5) years compiling data for years ending with  2 and  7 . See also Census of Governments, https://www.census.gov/programs- surveys/cog/about.html. 23 See U.S. Census Bureau, 2017 Census of Governments  Organization Table 2. Local Governments by Type and State: 2017 [CG1700ORG02]. https://www.census.gov/data/tables/2017/econ/gus/2017-governments.html. Local governmental jurisdictions are made up of general purpose governments (county, municipal and town or township) and special purpose governments (special districts and independent school districts). See also Table 2. CG1700ORG02 Table Notes_Local Governments by Type and State_2017. 24 See U.S. Census Bureau, 2017 Census of Governments - Organization, Table 5. County Governments by Population-Size Group and State: 2017 [CG1700ORG05]. https://www.census.gov/data/tables/2017/econ/gus/2017- governments.html. There were 2,105 county governments with populations less than 50,000. This category does not include subcounty (municipal and township) governments. 25 See U.S. Census Bureau, 2017 Census of Governments - Organization, Table 6. Subcounty General-Purpose Governments by Population-Size Group and State: 2017 [CG1700ORG06]. https://www.census.gov/data/tables/2017/econ/gus/2017-governments.html. There were 18,729 municipal and 16,097 town and township governments with populations less than 50,000. 26 See U.S. Census Bureau, 2017 Census of Governments - Organization, Table 10. Elementary and Secondary School Systems by Enrollment-Size Group and State: 2017 [CG1700ORG10]. https://www.census.gov/data/tables/2017/econ/gus/2017-governments.html. There were 12,040 independent school districts with enrollment populations less than 50,000. See also Table 4. Special-Purpose Local Governments by State Census Years 1942 to 2017 [CG1700ORG04], CG1700ORG04 Table Notes_Special Purpose Local Governments by State_Census Years 1942 to 2017. 27 While the special purpose governments category also includes local special district governments, the 2017 Census of Governments data does not provide data aggregated based on population size for the special purpose governments category. Therefore, only data from independent school districts is included in the special purpose governments category. 28 This total is derived from the sum of the number of general purpose governments (county, municipal and town or township) with populations of less than 50,000 (36,931) and the number of special purpose governments - independent school districts with enrollment populations of less than 50,000 (12,040), from the 2017 Census of Governments - Organizations Tables 5, 6, and 10. 56 Federal Communications Commission FCC-CIRC2103-01 2. Interconnected VoIP services 14. Internet Service Providers (Non-Broadband). Internet access service providers such as Dial-up Internet service providers, VoIP service providers using client-supplied telecommunications connections and Internet service providers using client-supplied telecommunications connections (e.g., dial-up ISPs) fall in the category of All Other Telecommunications.29 The SBA has developed a small business size standard for All Other Telecommunications which consists of all such firms with gross annual receipts of $35 million or less.30 For this category, U.S. Census Bureau data for 2012 show that there were 1,442 firms that operated for the entire year.31 Of these firms, a total of 1,400 had gross annual receipts of less than $25 million.32 Consequently, under this size standard a majority of firms in this industry firms can be considered small. 3. Wireline Providers 15. Incumbent Local Exchange Carriers (Incumbent LECs). Neither the Commission nor the SBA has developed a small business size standard specifically for incumbent local exchange services. The closest applicable NAICS Code category is Wired Telecommunications Carriers.33 Under the applicable SBA size standard, such a business is small if it has 1,500 or fewer employees.34 U.S. Census Bureau data for 2012 indicate that 3,117 firms operated the entire year.35 Of this total, 3,083 operated with fewer than 1,000 employees.36 Consequently, the Commission estimates that most providers of incumbent local exchange service are small businesses that may be affected by our actions. According to Commission data, one thousand three hundred and seven (1,307) Incumbent Local Exchange Carriers reported that they were incumbent local exchange service providers.37 Of this total, an estimated 1,006 have 1,500 or fewer employees.38 Thus, using the SBA s size standard the majority of incumbent LECs can be considered small entities. 16. Interexchange Carriers. Neither the Commission nor the SBA has developed a small business size standard specifically for Interexchange Carriers. The closest applicable NAICS Code 29 See U.S. Census Bureau, 2017 NAICS Definition,  517919 All Other Telecommunications , https://www.census.gov/cgi-bin/sssd/naics/naicsrch?input=517919&search=2017+NAICS+Search&search=2017. 30 See 13 CFR § 121.201, NAICS Code 517919. 31 See U.S. Census Bureau, 2012 Economic Census of the United States, Table ID: EC1251SSSZ4, Information: Subject Series - Estab and Firm Size: Receipts Size of Firms for the U.S.: 2012, NAICS Code 517919, https://data.census.gov/cedsci/table?text=EC1251SSSZ4&n=517919&tid=ECNSIZE2012.EC1251SSSZ4&hidePrev iew=false. 32 Id. The available U.S. Census Bureau data does not provide a more precise estimate of the number of firms that meet the SBA size standard. 33 See U.S. Census Bureau, 2017 NAICS Definition,  517311 Wired Telecommunications Carriers , See https://www.census.gov/cgi-bin/sssd/naics/naicsrch?code=517311&search=2017. 34 See 13 CFR § 121.201, NAICS Code 517311 (previously 517110). 35 See U.S. Census Bureau, 2012 Economic Census of the United States, Table ID: EC1251SSSZ5, Information: Subject Series - Estab & Firm Size: Employment Size of Firms for the U.S.: 2012, NAICS Code 517110, https://data.census.gov/cedsci/table?text=EC1251SSSZ5&n=517110&tid=ECNSIZE2012.EC1251SSSZ5&hidePrev iew=false. 36 Id. The available U.S. Census Bureau data does not provide a more precise estimate of the number of firms that meet the SBA size standard. 37 See Trends in Telephone Service, Federal Communications Commission, Wireline Competition Bureau, Industry Analysis and Technology Division at Table 5.3 (Sept. 2010) (Trends in Telephone Service). 38 Id. 57 Federal Communications Commission FCC-CIRC2103-01 category is Wired Telecommunications Carriers.39 The appropriate size standard under SBA rules is that such a business is small if it has 1,500 or fewer employees.40 U.S. Census Bureau data for 2012 indicate that 3,117 firms operated for the entire year.41 Of that number, 3,083 operated with fewer than 1,000 employees.42 Thus, under this size standard, the majority of firms in this industry can be considered small. According to internally developed Commission data, 359 companies reported that their primary telecommunications service activity was the provision of interexchange services.43 Of this total, an estimated 317 have 1,500 or fewer employees.44 Consequently, the Commission estimates that the majority of interexchange service providers are small entities. 17. Operator Service Providers (OSPs). Neither the Commission nor the SBA has developed a small business size standard specifically for operator service providers. The closest applicable size standard under SBA rules is for the category of Wired Telecommunications Carriers.45 Under that size standard such a business is small if it has 1,500 or fewer employees.46 U.S. Census Bureau data for 2012 show that there were 3,117 firms that operated that year.47 Of this total, 3,083 operated with fewer than 1,000 employees.48 Consequently, the Commission estimates that the majority of OSPs are small entities. According to Commission data, 33 carriers have reported that they are engaged in the provision of operator services. Of these, an estimated 31 have 1,500 or fewer employees and 2 has more than 1,500 employees.49 Consequently, the Commission estimates that the majority of operator service providers are small entities. 4. Wireless Providers  Fixed and Mobile 18. To the extent the wireless services listed below are used by wireless firms for fixed and mobile broadband Internet access services, the NPRM s proposed rules may have an impact on those small businesses as set forth above and further below. Accordingly, for those services subject to auctions, we note that, as a general matter, the number of winning bidders that claim to qualify as small businesses at the close of an auction does not necessarily represent the number of small businesses currently in service. Also, the Commission does not generally track subsequent business size unless, in the context of 39 See U.S. Census Bureau, 2017 NAICS Definition,  517311 Wired Telecommunications Carriers , https://www.census.gov/cgi-bin/sssd/naics/naicsrch?code=517311&search=2017. 40 See 13 CFR § 121.201, NAICS Code 517311 (previously 517110). 41 See U.S. Census Bureau, 2012 Economic Census of the United States, Table ID: EC1251SSSZ5, Information: Subject Series - Estab & Firm Size: Employment Size of Firms for the U.S.: 2012, NAICS Code 517110, https://data.census.gov/cedsci/table?text=EC1251SSSZ5&n=517110&tid=ECNSIZE2012.EC1251SSSZ5&hidePrev iew=false. 42 Id. The available U.S. Census Bureau data does not provide a more precise estimate of the number of firms that meet the SBA size standard. 43 See Trends in Telephone Service at Table 5.3. 44 Id. 45 See U.S. Census Bureau, 2017 NAICS Definition,  517311 Wired Telecommunications Carriers , https://www.census.gov/cgi-bin/sssd/naics/naicsrch?code=517311&search=2017. 46 13 CFR § 121.201, NAICS Code 517311 (previously 517110). 47 See U.S. Census Bureau, 2012 Economic Census of the United States, Table ID: EC1251SSSZ5, Information: Subject Series - Estab & Firm Size: Employment Size of Firms for the U.S.: 2012, NAICS Code 517110, https://data.census.gov/cedsci/table?text=EC1251SSSZ5&n=517110&tid=ECNSIZE2012.EC1251SSSZ5&hidePrev iew=false. 48 Id. The available U.S. Census Bureau data does not provide a more precise estimate of the number of firms that meet the SBA size standard. 49 Trends in Telephone Service at Table 5.3. 58 Federal Communications Commission FCC-CIRC2103-01 assignments and transfers or reportable eligibility events, unjust enrichment issues are implicated. 19. Wireless Telecommunications Carriers (except Satellite). This industry comprises establishments engaged in operating and maintaining switching and transmission facilities to provide communications via the airwaves. Establishments in this industry have spectrum licenses and provide services using that spectrum, such as cellular services, paging services, wireless internet access, and wireless video services.50 The appropriate size standard under SBA rules is that such a business is small if it has 1,500 or fewer employees.51 For this industry, U.S. Census Bureau data for 2012 show that there were 967 firms that operated for the entire year.52 Of this total, 955 firms had employment of 999 or fewer employees and 12 had employment of 1000 employees or more.53 Thus under this category and the associated size standard, the Commission estimates that the majority of wireless telecommunications carriers (except satellite) are small entities. 20. Wireless Communications Services. This service can be used for fixed, mobile, radiolocation, and digital audio broadcasting satellite uses. The Commission defined  small business for the wireless communications services (WCS) auction as an entity with average gross revenues of $40 million for each of the three preceding years, and a  very small business as an entity with average gross revenues of $15 million for each of the three preceding years.54 The SBA has approved these small business size standards.55 In the Commission s auction for geographic area licenses in the WCS there were seven winning bidders that qualified as  very small business entities, and one winning bidder that qualified as a  small business entity.56 21. 1670 1675 MHz Services. This service can be used for fixed and mobile uses, except aeronautical mobile.57 An auction for one license in the 1670 1675 MHz band was conducted in 2003. One license was awarded. The winning bidder was not a small entity. 22. Wireless Telephony. Wireless telephony includes cellular, personal communications services, and specialized mobile radio telephony carriers. The closest applicable SBA category is Wireless Telecommunications Carriers (except Satellite).58 Under the SBA small business size standard, a business is small if it has 1,500 or fewer employees.59 For this industry, U.S. Census Bureau data for 50 See U.S. Census Bureau, 2017 NAICS Definition,  517312 Wireless Telecommunications Carriers (except Satellite) , https://www.census.gov/cgi- bin/sssd/naics/naicsrch?input=517312&search=2017+NAICS+Search&search=2017. 51 See 13 CFR § 121.201, NAICS Code 517312 (previously 517210). 52 See U.S. Census Bureau, 2012 Economic Census of the United States, Table ID: EC1251SSSZ5, Information: Subject Series: Estab and Firm Size: Employment Size of Firms for the U.S.: 2012, NAICS Code 517210, https://data.census.gov/cedsci/table?text=EC1251SSSZ5&n=517210&tid=ECNSIZE2012.EC1251SSSZ5&hidePrev iew=false&vintage=2012. 53 Id. The available U.S. Census Bureau data does not provide a more precise estimate of the number of firms that meet the SBA size standard. 54 Amendment of the Commission s Rules to Establish Part 27, the Wireless Communications Service (WCS), Report and Order, 12 FCC Rcd 10785, 10879, para. 194 (1997). 55 Letter from Aida Alvarez, Administrator, SBA, to Amy Zoslov, Chief, Auctions and Industry Analysis Division, Wireless Telecommunications Bureau, FCC (filed Dec. 2, 1998) (Alvarez Letter 1998). 56 WCS Auction Closes; Winning Bidders in the Auction of 128 Wireless Communications Licenses; FCC Form 600s Due May 12, 1997, 12 FCC Rcd 21653, DA-97-886, Report No. AUC-997-14-E (Auction No.14) (April 28, 1997). 57 47 CFR § 2.106; see generally 47 CFR §§ 27.1 .70. 58 See U.S. Census Bureau, 2017 NAICS Definition,  517312 Wireless Telecommunications Carriers (except Satellite) , https://www.census.gov/cgi- bin/sssd/naics/naicsrch?input=517312&search=2017+NAICS+Search&search=2017. 59 See 13 CFR § 121.201, NAICS Code 517312 (previously 517210). 59 Federal Communications Commission FCC-CIRC2103-01 2012 show that there were 967 firms that operated for the entire year.60 Of this total, 955 firms had fewer than 1,000 employees and 12 firms had 1000 employees or more.61 Thus under this category and the associated size standard, the Commission estimates that a majority of these entities can be considered small. According to Commission data, 413 carriers reported that they were engaged in wireless telephony.62 Of these, an estimated 261 have 1,500 or fewer employees and 152 have more than 1,500 employees.63 Therefore, more than half of these entities can be considered small. 23. Broadband Personal Communications Service. The broadband personal communications services (PCS) spectrum is divided into six frequency blocks designated A through F, and the Commission has held auctions for each block. The Commission initially defined a  small business for C- and F-Block licenses as an entity that has average gross revenues of $40 million or less in the three previous calendar years.64 For F-Block licenses, an additional small business size standard for  very small business was added and is defined as an entity that, together with its affiliates, has average gross revenues of not more than $15 million for the preceding three calendar years.65 These small business size standards, in the context of broadband PCS auctions, have been approved by the SBA.66 No small businesses within the SBA-approved small business size standards bid successfully for licenses in Blocks A and B. There were 90 winning bidders that claimed small business status in the first two C-Block auctions. A total of 93 bidders that claimed small business status won approximately 40 percent of the 1,479 licenses in the first auction for the D, E, and F Blocks.67 On April 15, 1999, the Commission completed the re-auction of 347 C-, D-, E-, and F-Block licenses in Auction No. 22.68 Of the 57 winning bidders in that auction, 48 claimed small business status and won 277 licenses. 24. On January 26, 2001, the Commission completed the auction of 422 C and F Block Broadband PCS licenses in Auction No. 35. Of the 35 winning bidders in that auction, 29 claimed small business status.69 Subsequent events concerning Auction 35, including judicial and agency determinations, resulted in a total of 163 C and F Block licenses being available for grant. On February 15, 2005, the Commission completed an auction of 242 C-, D-, E-, and F-Block licenses in Auction No. 60 See U.S. Census Bureau, 2012 Economic Census of the United States, Table ID: EC1251SSSZ5, Information: Subject Series: Estab and Firm Size: Employment Size of Firms for the U.S.: 2012, NAICS Code 517210, https://data.census.gov/cedsci/table?text=EC1251SSSZ5&n=517210&tid=ECNSIZE2012.EC1251SSSZ5&hidePrev iew=false&vintage=2012. 61 Id. The available U.S. Census Bureau data does not provide a more precise estimate of the number of firms that meet the SBA size standard. 62 See Trends in Telephone Service at Table 5.3. 63 Id. 64 Amendment of Parts 20 and 24 of the Commission s Rules  Broadband PCS Competitive Bidding and the Commercial Mobile Radio Service Spectrum Cap et al., Report and Order, 11 FCC Rcd 7824, 7850 52, paras. 57 60 (1996) (PCS Report and Order); see also 47 CFR § 24.720(b). 65 PCS Report and Order, 11 FCC Rcd at 7852, para. 60. 66 See Alvarez Letter 1998. 67 See Broadband PCS, D, E and F Block Auction Closes, Public Notice, Doc. No. 89838 (rel. Jan. 14, 1997). 68 See C, D, E, and F Block Broadband PCS Auction Closes, Public Notice, 14 FCC Rcd 6688 (WTB 1999). Before Auction No. 22, the Commission established a very small standard for the C Block to match the standard used for F Block. Amendment of the Commission s Rules Regarding Installment Payment Financing for Personal Communications Services (PCS) Licensees, WT Docket No. 97-82, Fourth Report and Order, 13 FCC Rcd 15743, 15768, para. 46 (1998). 69 C and F Block Broadband PCS Auction Closes; Winning Bidders Announced, Public Notice, 16 FCC Rcd 2339 (2001). 60 Federal Communications Commission FCC-CIRC2103-01 58. Of the 24 winning bidders in that auction, 16 claimed small business status and won 156 licenses.70 On May 21, 2007, the Commission completed an auction of 33 licenses in the A, C, and F Blocks in Auction No. 71.71 Of the 12 winning bidders in that auction, five claimed small business status and won 18 licenses.72 On August 20, 2008, the Commission completed the auction of 20 C-, D-, E-, and F-Block Broadband PCS licenses in Auction No. 78.73 Of the eight winning bidders for Broadband PCS licenses in that auction, six claimed small business status and won 14 licenses.74 25. Specialized Mobile Radio Licenses. The Commission awards  small entity bidding credits in auctions for Specialized Mobile Radio (SMR) geographic area licenses in the 800 MHz and 900 MHz bands to firms that had revenues of no more than $15 million in each of the three previous calendar years.75 The Commission awards  very small entity bidding credits to firms that had revenues of no more than $3 million in each of the three previous calendar years.76 The SBA has approved these small business size standards for the 900 MHz Service.77 The Commission has held auctions for geographic area licenses in the 800 MHz and 900 MHz bands. The 900 MHz SMR auction began on December 5, 1995, and closed on April 15, 1996. Sixty bidders claiming that they qualified as small businesses under the $15 million size standard won 263 geographic area licenses in the 900 MHz SMR band. The 800 MHz SMR auction for the upper 200 channels began on October 28, 1997, and was completed on December 8, 1997. Ten bidders claiming that they qualified as small businesses under the $15 million size standard won 38 geographic area licenses for the upper 200 channels in the 800 MHz SMR band.78 A second auction for the 800 MHz band was held on January 10, 2002 and closed on January 17, 2002 and included 23 BEA licenses. One bidder claiming small business status won five licenses.79 26. The auction of the 1,053 800 MHz SMR geographic area licenses for the General Category channels began on August 16, 2000, and was completed on September 1, 2000. Eleven bidders won 108 geographic area licenses for the General Category channels in the 800 MHz SMR band and qualified as small businesses under the $15 million size standard.80 In an auction completed on December 5, 2000, a total of 2,800 Economic Area licenses in the lower 80 channels of the 800 MHz SMR service were awarded.81 Of the 22 winning bidders, 19 claimed small business status and won 129 licenses. Thus, combining all four auctions, 41 winning bidders for geographic licenses in the 800 MHz SMR band 70 Broadband PCS Spectrum Auction Closes; Winning Bidders Announced for Auction No. 58, Public Notice, 20 FCC Rcd 3703 (2005). 71 Auction of Broadband PCS Spectrum Licenses Closes; Winning Bidders Announced for Auction No. 71, Public Notice, 22 FCC Rcd 9247 (2007). 72 Id. 73 Auction of AWS-1 and Broadband PCS Licenses Closes; Winning Bidders Announced for Auction 78, Public Notice, 23 FCC Rcd 12749 (WTB 2008). 74 Id. 75 47 CFR § 90.814(b)(1). 76 Id. 77 Letter from Aida Alvarez, Administrator, SBA, to Thomas Sugrue, Chief, Wireless Telecommunications Bureau, FCC (filed Aug. 10, 1999) (Alvarez Letter 1999). 78 Correction to Public Notice DA 96-586  FCC Announces Winning Bidders in the Auction of 1020 Licenses to Provide 900 MHz SMR in Major Trading Areas, Public Notice, 18 FCC Rcd 18367 (WTB 1996). 79 Multi-Radio Service Auction Closes, Public Notice, 17 FCC Rcd 1446 (WTB 2002). 80 800 MHz Specialized Mobile Radio (SMR) Service General Category (851 854 MHz) and Upper Band (861 865 MHz) Auction Closes; Winning Bidders Announced, Public Notice, 15 FCC Rcd 17162 (2000). 81 800 MHz SMR Service Lower 80 Channels Auction Closes; Winning Bidders Announced, Public Notice, 16 FCC Rcd 1736 (2000). 61 Federal Communications Commission FCC-CIRC2103-01 claimed status as small businesses. 27. In addition, there are numerous incumbent site-by-site SMR licenses and licensees with extended implementation authorizations in the 800 and 900 MHz bands. We do not know how many firms provide 800 MHz or 900 MHz geographic area SMR service pursuant to extended implementation authorizations, nor how many of these service providers have annual revenues of no more than $15 million. In addition, we do not know how many of these firms have 1,500 or fewer employees, which is the SBA-determined size standard.82 We assume, for purposes of this analysis, that all of the remaining extended implementation authorizations are held by small entities, as defined by the SBA. 28. Lower 700 MHz Band Licenses. The Commission previously adopted criteria for defining three groups of small businesses for purposes of determining their eligibility for special provisions such as bidding credits.83 The Commission defined a  small business as an entity that, together with its affiliates and controlling principals, has average gross revenues not exceeding $40 million for the preceding three years.84 A  very small business is defined as an entity that, together with its affiliates and controlling principals, has average gross revenues that are not more than $15 million for the preceding three years.85 Additionally, the lower 700 MHz Service had a third category of small business status for Metropolitan/Rural Service Area (MSA/RSA) licenses  entrepreneur  which is defined as an entity that, together with its affiliates and controlling principals, has average gross revenues that are not more than $3 million for the preceding three years.86 The SBA approved these small size standards.87 An auction of 740 licenses (one license in each of the 734 MSAs/RSAs and one license in each of the six Economic Area Groupings (EAGs)) commenced on August 27, 2002, and closed on September 18, 2002. Of the 740 licenses available for auction, 484 licenses were won by 102 winning bidders. Seventy-two of the winning bidders claimed small business, very small business or entrepreneur status and won a total of 329 licenses.88 A second auction commenced on May 28, 2003, closed on June 13, 2003, and included 256 licenses: 5 EAG licenses and 476 Cellular Market Area licenses.89 Seventeen winning bidders claimed small or very small business status and won 60 licenses, and nine winning bidders claimed entrepreneur status and won 154 licenses.90 On July 26, 2005, the Commission completed an auction of 5 licenses in the Lower 700 MHz band (Auction No. 60). There were three winning bidders for five licenses. All three winning bidders claimed small business status. 29. In 2007, the Commission reexamined its rules governing the 700 MHz band in the 700 MHz Second Report and Order.91 An auction of 700 MHz licenses commenced January 24, 2008 and closed on March 18, 2008, which included, 176 Economic Area licenses in the A Block, 734 Cellular Market Area licenses in the B Block, and 176 EA licenses in the E Block.92 Twenty winning bidders, claiming small business status (those with attributable average annual gross revenues that exceed $15 million and do not exceed $40 million for the preceding three years) won 49 licenses. Thirty-three 82 See generally 13 CFR § 121.201, NAICS code 517210. 83 See Reallocation and Service Rules for the 698 746 MHz Spectrum Band (Television Channels 52 59), Report and Order, 17 FCC Rcd 1022 (2002) (Channels 52 59 Report and Order). 84 Channels 52 59 Report and Order, 17 FCC Rcd at 1087-88, para. 172. 85 See id. 86 See id., 17 FCC Rcd at 1088, para. 173. 87 Alvarez Letter 1999. 88 Lower 700 MHz Band Auction Closes, Public Notice, 17 FCC Rcd 17272 (WTB 2002). 89 Lower 700 MHz Band Auction Closes, Public Notice, 18 FCC Rcd 11873 (WTB 2003). 90 See id. 91 700 MHz Second Report and Order, Second Report and Order, 22 FCC Rcd 15289, 15359 n.434 (2007). 92 Auction of 700 MHz Band Licenses Closes, Public Notice, 23 FCC Rcd 4572 (WTB 2008). 62 Federal Communications Commission FCC-CIRC2103-01 winning bidders claiming very small business status (those with attributable average annual gross revenues that do not exceed $15 million for the preceding three years) won 325 licenses. 30. Upper 700 MHz Band Licenses. In the 700 MHz Second Report and Order, the Commission revised its rules regarding Upper 700 MHz licenses.93 On January 24, 2008, the Commission commenced Auction 73 in which several licenses in the Upper 700 MHz band were available for licensing: 12 Regional Economic Area Grouping licenses in the C Block, and one nationwide license in the D Block.94 The auction concluded on March 18, 2008, with 3 winning bidders claiming very small business status (those with attributable average annual gross revenues that do not exceed $15 million for the preceding three years) and winning five licenses. 31. 700 MHz Guard Band Licensees. In 2000, in the 700 MHz Guard Band Order, the Commission adopted size standards for  small businesses and  very small businesses for purposes of determining their eligibility for special provisions such as bidding credits and installment payments.95 A small business in this service is an entity that, together with its affiliates and controlling principals, has average gross revenues not exceeding $40 million for the preceding three years.96 Additionally, a very small business is an entity that, together with its affiliates and controlling principals, has average gross revenues that are not more than $15 million for the preceding three years.97 SBA approval of these definitions is not required.98 An auction of 52 Major Economic Area licenses commenced on September 6, 2000, and closed on September 21, 2000.99 Of the 104 licenses auctioned, 96 licenses were sold to nine bidders. Five of these bidders were small businesses that won a total of 26 licenses. A second auction of 700 MHz Guard Band licenses commenced on February 13, 2001, and closed on February 21, 2001. All eight of the licenses auctioned were sold to three bidders. One of these bidders was a small business that won a total of two licenses.100 32. Air-Ground Radiotelephone Service. The Commission has previously used the SBA s small business size standard applicable to Wireless Telecommunications Carriers (except Satellite).101 The appropriate size standard under SBA rules is that such a business is small if it has 1,500 or fewer employees.102 For this industry, U.S. Census Bureau data for 2012 show that there were 967 firms that operated for the entire year.103 Of this total, 955 firms had fewer than 1,000 employees and 12 had 93 700 MHz Second Report and Order, 22 FCC Rcd 15289. 94 Auction of 700 MHz Band Licenses Closes, Public Notice, 23 FCC Rcd 4572 (WTB 2008). 95 Service Rules for the 746 764 MHz Bands, and Revisions to Part 27 of the Commission s Rules, Second Report and Order, 15 FCC Rcd 5299 (2000) (746 764 MHz Band Second Report and Order). 96 746 764 MHz Band Second Report and Order, 15 FCC Rcd at 5343, para. 108. 97 See id. 98 See id. at 5343, para. 108 n.246 (for the 746 764 MHz and 776 794 MHz bands, the Commission is exempt from 15 U.S.C. § 632, which requires Federal agencies to obtain SBA approval before adopting small business size standards). 99 700 MHz Guard Bands Auction Closes: Winning Bidders Announced, Public Notice, 15 FCC Rcd 18026 (WTB 2000). 100 700 MHz Guard Bands Auction Closes: Winning Bidders Announced, Public Notice, 16 FCC Rcd 4590 (WTB 2001). 101 See U.S. Census Bureau, 2017 NAICS Definition,  517312 Wireless Telecommunications Carriers (except Satellite) , https://www.census.gov/cgi- bin/sssd/naics/naicsrch?input=517312&search=2017+NAICS+Search&search=2017. 102 See 13 CFR § 121.201, NAICS Code 517312 (previously 517210). 103 See U.S. Census Bureau, 2012 Economic Census of the United States, Table ID: EC1251SSSZ5, Information: Subject Series: Estab and Firm Size: Employment Size of Firms for the U.S.: 2012, NAICS Code 517210, (continued& .) 63 Federal Communications Commission FCC-CIRC2103-01 employment of 1000 employees or more.104 There are approximately 100 licensees in the Air-Ground Radiotelephone Service, and under that definition, we estimate that almost all of them qualify as small entities under the SBA definition. For purposes of assigning Air-Ground Radiotelephone Service licenses through competitive bidding, the Commission has defined  small business as an entity that, together with controlling interests and affiliates, has average annual gross revenues for the preceding three years not exceeding $40 million.105 A  very small business is defined as an entity that, together with controlling interests and affiliates, has average annual gross revenues for the preceding three years not exceeding $15 million.106 These definitions were approved by the SBA.107 In May 2006, the Commission completed an auction of nationwide commercial Air-Ground Radiotelephone Service licenses in the 800 MHz band (Auction No. 65). On June 2, 2006, the auction closed with two winning bidders winning two Air-Ground Radiotelephone Services licenses. Neither of the winning bidders claimed small business status. 33. AWS Services (1710 1755 MHz and 2110 2155 MHz bands (AWS-1); 1915 1920 MHz, 1995 2000 MHz, 2020 2025 MHz and 2175 2180 MHz bands (AWS-2); 2155 2175 MHz band (AWS- 3)). For the AWS-1 bands, 108 the Commission has defined a  small business as an entity with average annual gross revenues for the preceding three years not exceeding $40 million, and a  very small business as an entity with average annual gross revenues for the preceding three years not exceeding $15 million.109 For AWS-2 and AWS-3, although we do not know for certain which entities are likely to apply for these frequencies, we note that the AWS-1 bands are comparable to those used for cellular service and personal communications service. The Commission has not yet adopted size standards for the AWS-2 or AWS-3 bands but has proposed to treat both AWS-2 and AWS-3 similarly to broadband PCS service and AWS-1 service due to the comparable capital requirements and other factors, such as issues involved in relocating incumbents and developing markets, technologies, and services.110 34. 3650 3700 MHz band. In March 2005, the Commission released a Report and Order and Memorandum Opinion and Order that provides for nationwide, non-exclusive licensing of terrestrial operations, utilizing contention-based technologies, in the 3650 MHz band (i.e., 3650 3700 MHz).111 As of April 2010, more than 1270 licenses have been granted and more than 7433 sites have been registered. The Commission has not developed a definition of small entities applicable to 3650 3700 MHz band nationwide, non-exclusive licensees. We estimate however that the majority of these licensees are https://data.census.gov/cedsci/table?text=EC1251SSSZ5&n=517210&tid=ECNSIZE2012.EC1251SSSZ5&hidePrev iew=false&vintage=2012. 104 Id. The available U.S. Census Bureau data does not provide a more precise estimate of the number of firms that meet the SBA size standard. 105 Amendment of Part 22 of the Commission s Rules to Benefit the Consumers of Air-Ground Telecommunications Services et al., Order on Reconsideration and Report and Order, 20 FCC Rcd 19663, paras. 28 42 (2005). 106 Id. 107 Letter from Hector V. Barreto, Administrator, SBA, to Gary D. Michaels, Deputy Chief, Auctions and Spectrum Access Division, Wireless Telecommunications Bureau, FCC (filed Sept. 19, 2005). 108 The service is defined in section 90.1301 et seq. of the Commission s Rules, 47 CFR § 90.1301 et seq. 109 Service Rules for Advanced Wireless Services in the 1.7 GHz and 2.1 GHz Bands, Report and Order, 18 FCC Rcd 25,162, App. B (2003), modified by Service Rules for Advanced Wireless Services In the 1.7 GHz and 2.1 GHz Bands, Order on Reconsideration, 20 FCC Rcd 14,058, App. C (2005). 110 Service Rules for Advanced Wireless Services in the 1915 1920 MHz, 1995 2000 MHz, 2020 2025 MHz and 2175 2180 MHz Bands et al., Notice of Proposed Rulemaking, 19 FCC Rcd 19,263, App. B (2005); Service Rules for Advanced Wireless Services in the 2155 2175 MHz Band, Notice of Proposed Rulemaking, 22 FCC Rcd 17,035, App. (2007); Service Rules for Advanced Wireless Services in the 2155-2175 MHz Band, Further Notice of Proposed Rulemaking, 23 FCC Rcd 9859, App. B (2008). 111 The service is defined in section 90.1301 et seq. of the Commission s Rules, 47 CFR § 90.1301 et seq. 64 Federal Communications Commission FCC-CIRC2103-01 Internet Access Service Providers (ISPs) and that most of those licensees are small businesses. 35. Fixed Microwave Services. Microwave services include common carrier,112 private- operational fixed,113 and broadcast auxiliary radio services.114 They also include the Local Multipoint Distribution Service (LMDS),115 the Digital Electronic Message Service (DEMS),116 and the 24 GHz Service,117 where licensees can choose between common carrier and non-common carrier status.118 The Commission has not yet defined a small business with respect to microwave services. There are approximately 66,680 common carrier fixed licensees, 69,360 private and public safety operational-fixed licensees, 20,150 broadcast auxiliary radio licensees, 411 LMDS licenses, 33 24 GHz DEMS licenses, 777 39 GHz licenses, and five 24 GHz licenses, and 467 Millimeter Wave licenses in the microwave services.119 The Commission has not yet defined a small business with respect to microwave services. The closest applicable SBA category is Wireless Telecommunications Carriers (except Satellite)120 and the appropriate size standard for this category under SBA rules is that such a business is small if it has 1,500 or fewer employees.121 For this industry, U.S. Census Bureau data for 2012 show that there were 967 firms that operated for the entire year.122 Of this total, 955 firms had employment of 999 or fewer employees and 12 had employment of 1000 employees or more.123 Thus under this SBA category and the associated size standard, the Commission estimates that a majority of fixed microwave service licensees can be considered small. 36. The Commission does not have data specifying the number of these licensees that have more than 1,500 employees, and thus is unable at this time to estimate with greater precision the number of fixed microwave service licensees that would qualify as small business concerns under the SBA s small business size standard. Consequently, the Commission estimates that there are up to 36,708 common carrier fixed licensees and up to 59,291 private operational-fixed licensees and broadcast auxiliary radio licensees in the microwave services that may be small and may be affected by the rules and policies discussed herein. We note, however, that the common carrier microwave fixed licensee category does include some large entities. 112 47 CFR Part 101, Subparts C and I. 113 47 CFR Part 101, Subparts C and H. 114 Auxiliary Microwave Service is governed by Part 74 of Title 47 of the Commission s Rules. See 47 CFR Part 74. Available to licensees of broadcast stations and to broadcast and cable network entities, broadcast auxiliary microwave stations are used for relaying broadcast television signals from the studio to the transmitter, or between two points such as a main studio and an auxiliary studio. The service also includes mobile TV pickups, which relay signals from a remote location back to the studio. 115 47 CFR Part 101, Subpart L. 116 47 CFR Part 101, Subpart G. 117 See id. 118 47 CFR §§ 101.533, 101.1017. 119 These statistics are based on a review of the Universal Licensing System on September 22, 2015. 120 See U.S. Census Bureau, 2017 NAICS Definition,  517312 Wireless Telecommunications Carriers (except Satellite) , https://www.census.gov/cgi-bin/sssd/naics/naicsrch?code=517312&search=2017%20NAICS%20Search. 121 See 13 CFR § 121.201, NAICS Code 517312 (previously 517210). 122 See U.S. Census Bureau, 2012 Economic Census of the United States, Table ID: EC1251SSSZ5, Information: Subject Series, Estab and Firm Size: Employment Size of Firms for the U.S.: 2012, NAICS Code 517210, https://data.census.gov/cedsci/table?text=EC1251SSSZ5&n=517210&tid=ECNSIZE2012.EC1251SSSZ5&hidePrev iew=false&vintage=2012. 123 Id. The available U.S. Census Bureau data does not provide a more precise estimate of the number of firms that meet the SBA size standard. 65 Federal Communications Commission FCC-CIRC2103-01 37. Local Multipoint Distribution Service. Local Multipoint Distribution Service (LMDS) is a fixed broadband point-to-multipoint microwave service that provides for two-way video telecommunications.124 The Commission established a small business size standard for LMDS licenses as an entity that has average gross revenues of less than $40 million in the three previous years.125 An additional small business size standard for  very small business was added as an entity that, together with its affiliates, has average gross revenues of not more than $15 million for the preceding three years.126 The SBA has approved these small business size standards in the context of LMDS auctions.127 There were 93 winning bidders that qualified as small entities in the LMDS auctions. A total of 93 small and very small businesses won approximately 277 A Block licenses and 387 B Block licenses. In 1999, the Commission re-auctioned 161 licenses and there were 32 small and very small businesses that won 119 licenses. 38. Broadband Radio Service and Educational Broadband Service. Broadband Radio Service systems, previously referred to as Multipoint Distribution Service (MDS) and Multichannel Multipoint Distribution Service (MMDS) systems, and  wireless cable, transmit video programming to subscribers and provide two-way high speed data operations using the microwave frequencies of the Broadband Radio Service (BRS) and Educational Broadband Service (EBS) (previously referred to as the Instructional Television Fixed Service (ITFS)).128 39. BRS - In connection with the 1996 BRS auction, the Commission established a small business size standard as an entity that had annual average gross revenues of no more than $40 million in the previous three calendar years.129 The BRS auctions resulted in 67 successful bidders obtaining licensing opportunities for 493 Basic Trading Areas (BTAs). Of the 67 auction winners, 61 met the definition of a small business. BRS also includes licensees of stations authorized prior to the auction. At this time, we estimate that of the 61 small business BRS auction winners, 48 remain small business licensees. In addition to the 48 small businesses that hold BTA authorizations, there are approximately 392 incumbent BRS licensees that are considered small entities.130 After adding the number of small business auction licensees to the number of incumbent licensees not already counted, we initially find that there are currently approximately 440 BRS licensees that are defined as small businesses under either the SBA or the Commission s rules. In 2009, the Commission conducted Auction 86, the sale of 78 licenses in the BRS areas.131 The Commission offered three levels of bidding credits: (i) a bidder with attributed average annual gross revenues that exceed $15 million and do not exceed $40 million for the preceding three years (small business) will receive a 15 percent discount on its winning bid; (ii) a bidder with attributed average annual gross revenues that exceed $3 million and do not exceed $15 million for the 124 Local Multipoint Distribution Service, Second Report and Order, 12 FCC Rcd 12545 (1997). 125 See LMDS Second Report and Order, 12 FCC Rcd at 12689-90, para. 348. 126 See id. 127 See Letter to D. Phythyon, Chief, Wireless Telecommunications Bureau, Federal Communications Commission, from Aida Alvarez, Administrator, SBA (Jan. 6, 1998) (Alvarez to Phythyon Letter 1998). 128 Amendment of Parts 21 and 74 of the Commission s Rules with Regard to Filing Procedures in the Multipoint Distribution Service and in the Instructional Television Fixed Service and Implementation of Section 309(j) of the Communications Act Competitive Bidding, MM Docket No. 94-131, PP Docket No. 93-253, Report and Order, 10 FCC Rcd 9589, 9593, para. 7 (1995). 129 47 CFR § 21.961(b)(1). 130 47 U.S.C. § 309(j). Hundreds of stations were licensed to incumbent MDS licensees prior to implementation of Section 309(j) of the Communications Act of 1934, 47 U.S.C. § 309(j). For these pre-auction licenses, the applicable standard is SBA s small business size standard of 1500 or fewer employees. 131 Auction of Broadband Radio Service (BRS) Licenses, Scheduled for October 27, 2009, Notice and Filing Requirements, Minimum Opening Bids, Upfront Payments, and Other Procedures for Auction 86, Public Notice, 24 FCC Rcd 8277 (2009). 66 Federal Communications Commission FCC-CIRC2103-01 preceding three years (very small business) will receive a 25 percent discount on its winning bid; and (iii) a bidder with attributed average annual gross revenues that do not exceed $3 million for the preceding three years (entrepreneur) will receive a 35 percent discount on its winning bid.132 Auction 86 concluded in 2009 with the sale of 61 licenses.133 Of the ten winning bidders, two bidders that claimed small business status won 4 licenses; one bidder that claimed very small business status won three licenses; and two bidders that claimed entrepreneur status won six licenses. 40. EBS - Educational Broadband Service has been included within the broad economic census category and SBA size standard for Wired Telecommunications Carriers since 2007. Wired Telecommunications Carriers are comprised of establishments primarily engaged in operating and/or providing access to transmission facilities and infrastructure that they own and/or lease for the transmission of voice, data, text, sound, and video using wired telecommunications networks. Transmission facilities may be based on a single technology or a combination of technologies. 134 The SBA s small business size standard for this category is all such firms having 1,500 or fewer employees.135 U.S. Census Bureau data for 2012 show that there were 3,117 firms that operated that year.136 Of this total, 3,083 operated with fewer than 1,000 employees.137 Thus, under this size standard, the majority of firms in this industry can be considered small. 41. In addition to U.S. Census Bureau data, the Commission s Universal Licensing System indicates that as of March 2019 there are 1,300 licensees holding over 2,190 active EBS licenses. The Commission estimates that of these 2,190 licenses, the majority are held by non-profit educational institutions and school districts, which are by statute defined as small businesses.138 5. Satellite Service Providers 42. Satellite Telecommunications. This category comprises firms  primarily engaged in providing telecommunications services to other establishments in the telecommunications and broadcasting industries by forwarding and receiving communications signals via a system of satellites or reselling satellite telecommunications. 139 Satellite telecommunications service providers include satellite and earth station operators. The category has a small business size standard of $35 million or less in average annual receipts, under SBA rules.140 For this category, U.S. Census Bureau data for 2012 show 132 Id. at 8296. 133 Auction of Broadband Radio Service Licenses Closes, Winning Bidders Announced for Auction 86, Down Payments Due November 23, 2009, Final Payments Due December 8, 2009, Ten-Day Petition to Deny Period, Public Notice, 24 FCC Rcd 13572 (2009). 134 See U.S. Census Bureau, 2017 NAICS Definition,  517311 Wired Telecommunications Carriers, http://www.census.gov/cgi-bin/sssd/naics/naicsrch?code=517311&search=2017. 135 See 13 CFR § 121.201, NAICS Code 517311 (previously 517110). 136 See U.S. Census Bureau, 2012 Economic Census of the United States, Table ID: EC1251SSSZ5, Information: Subject Series - Estab & Firm Size: Employment Size of Firms for the U.S.: 2012, NAICS Code 517110, https://data.census.gov/cedsci/table?text=EC1251SSSZ5&n=517110&tid=ECNSIZE2012.EC1251SSSZ5&hidePrev iew=false. 137 Id. The available U.S. Census Bureau data does not provide a more precise estimate of the number of firms that meet the SBA size standard. 138 The term  small entity within SBREFA applies to small organizations (non-profits) and to small governmental jurisdictions (cities, counties, towns, townships, villages, school districts, and special districts with populations of less than 50,000). 5 U.S.C. §§ 601(4)-(6). 139 See U.S. Census Bureau, 2017 NAICS Definition  517410 Satellite Telecommunications ; https://www.census.gov/cgi-bin/sssd/naics/naicsrch?input=517410&search=2017+NAICS+Search&search=2017. 140 See 13 CFR § 121.201, NAICS Code 517410. 67 Federal Communications Commission FCC-CIRC2103-01 that there was a total of 333 firms that operated for the entire year.141 Of this total, 299 firms had annual receipts of less than $25 million.142 43. All Other Telecommunications. The  All Other Telecommunications category is comprised of establishments primarily engaged in providing specialized telecommunications services, such as satellite tracking, communications telemetry, and radar station operation.143 This industry also includes establishments primarily engaged in providing satellite terminal stations and associated facilities connected with one or more terrestrial systems and capable of transmitting telecommunications to, and receiving telecommunications from, satellite systems.144 Establishments providing Internet services or voice over Internet protocol (VoIP) services via client-supplied telecommunications connections are also included in this industry.145 The SBA has developed a small business size standard for All Other Telecommunications, which consists of all such firms with annual receipts of $35 million or less.146 For this category, U.S. Census Bureau data for 2012 show that there were 1,442 firms that operated for the entire year.147 Of those firms, a total of 1,400 had annual receipts less than $25 million and 15 firms had annual receipts of $25 million to $49, 999,999.148 Thus, the Commission estimates that the majority of  All Other Telecommunications firms potentially affected by our action can be considered small. 6. Cable Service Providers 44. Because Section 706 requires us to monitor the deployment of broadband regardless of technology or transmission media employed, we know that some broadband service providers do not provide voice telephony service. Accordingly, we describe below other types of firms that may provide broadband services, including cable companies, MDS providers, and utilities, among others. 45. Wired Telecommunications Carriers. The U.S. Census Bureau defines this industry as  establishments primarily engaged in operating and/or providing access to transmission facilities and infrastructure that they own and/or lease for the transmission of voice, data, text, sound, and video using wired telecommunications networks. Transmission facilities may be based on a single technology or a combination of technologies. Establishments in this industry use the wired telecommunications network facilities that they operate to provide a variety of services, such as wired telephony services, including VoIP services; wired (cable) audio and video programming distribution; and wired broadband Internet services. By exception, establishments providing satellite television distribution services using facilities 141 See U.S. Census Bureau, 2012 Economic Census of the United States, Table ID: EC1251SSSZ4, Information: Subject Series - Estab and Firm Size: Receipts Size of Firms for the U.S.: 2012, NAICS Code 517410, https://data.census.gov/cedsci/table?text=EC1251SSSZ4&n=517410&tid=ECNSIZE2012.EC1251SSSZ4&hidePrev iew=false&vintage=2012. 142 Id. The available U.S. Census Bureau data does not provide a more precise estimate of the number of firms that meet the SBA size standard. 143 See U.S. Census Bureau, 2017 NAICS Definition,  517919 All Other Telecommunications , https://www.census.gov/cgi-bin/sssd/naics/naicsrch?input=517919&search=2017+NAICS+Search&search=2017. 144 Id. 145 Id. 146 See 13 CFR § 121.201, NAICS Code 517919. 147 See U.S. Census Bureau, 2012 Economic Census of the United States, Table ID: EC1251SSSZ4, Information: Subject Series - Estab and Firm Size: Receipts Size of Firms for the U.S.: 2012, NAICS Code 517919, https://data.census.gov/cedsci/table?text=EC1251SSSZ4&n=517919&tid=ECNSIZE2012.EC1251SSSZ4&hidePrev iew=false. 148 Id. The available U.S. Census Bureau data does not provide a more precise estimate of the number of firms that meet the SBA size standard. 68 Federal Communications Commission FCC-CIRC2103-01 and infrastructure that they operate are included in this industry. 149 The SBA has developed a small business size standard for Wired Telecommunications Carriers, which consists of all such companies having 1,500 or fewer employees.150 U.S. Census Bureau data for 2012 show that there were 3,117 firms that operated that year.151 Of this total, 3,083 operated with fewer than 1,000 employees.152 Thus, under this size standard, the majority of firms in this industry can be considered small. 46. Cable Companies and Systems (Rate Regulation). The Commission has also developed its own small business size standards, for the purpose of cable rate regulation. Under the Commission s rules, a  small cable company is one serving 400,000 or fewer subscribers nationwide.153 Industry data indicate that there are 4,600 active cable systems in the United States.154 Of this total, all but five cable operators nationwide are small under the 400,000-subscriber size standard.155 In addition, under the Commission s rate regulation rules, a  small system is a cable system serving 15,000 or fewer subscribers.156 Commission records show 4,600 cable systems nationwide.157 Of this total, 3,900 cable systems have fewer than 15,000 subscribers, and 700 systems have 15,000 or more subscribers, based on the same records.158 Thus, under this standard as well, we estimate that most cable systems are small entities. 47. Cable System Operators (Telecom Act Standard). The Communications Act of 1934, as amended, also contains a size standard for small cable system operators, which is  a cable operator that, directly or through an affiliate, serves in the aggregate fewer than one percent of all subscribers in the United States and is not affiliated with any entity or entities whose gross annual revenues in the aggregate exceed $250,000,000. 159 As of 2019, there were approximately 48,646,056 basic cable video subscribers in the United States.160 Accordingly, an operator serving fewer than 486,460 subscribers shall be deemed a small operator if its annual revenues, when combined with the total annual revenues of all its affiliates, 149 See U.S. Census Bureau, 2017 NAICS Definition,  517311 Wired Telecommunications Carriers , https://www.census.gov/cgi-bin/sssd/naics/naicsrch?code=517311&search=2017. 150 See 13 CFR § 121.201, NAICS Code 517311 (previously 517110). 151 See U.S. Census Bureau, 2012 Economic Census of the United States, Table ID: EC1251SSSZ5, Information: Subject Series - Estab & Firm Size: Employment Size of Firms for the U.S.: 2012, NAICS Code 517110, https://data.census.gov/cedsci/table?text=EC1251SSSZ5&n=517110&tid=ECNSIZE2012.EC1251SSSZ5&hidePrev iew=false. 152 Id. The available U.S. Census Bureau data does not provide a more precise estimate of the number of firms that meet the SBA size standard. 153 47 CFR § 76.901(e). The Commission determined that this size standard equates approximately to a size standard of $100 million or less in annual revenues. Implementation of Sections of the 1992 Cable Act: Rate Regulation, Sixth Report and Order and Eleventh Order on Reconsideration, 10 FCC Rcd 7393, 7408 (1995). 154 The number of active, registered cable systems comes from the Commission s Cable Operations and Licensing System (COALS) database on August 15, 2015. See FCC, Cable Operations and Licensing System (COALS), www.fcc.gov/coals (last visited Dec. 13, 2019). 155 S&P Global Market Intelligence, Top Cable MSOs as of 12/2019, https://platform.marketintelligence.spglobal.com/ (Dec 2019). The five cable operators all had more than 486,460 basic cable subscribers. 156 47 CFR § 76.901(c). 157 See FCC, Cable Operations and Licensing System (COALS), www.fcc.gov/coals (last visited Dec. 13, 2019). 158 Id. 159 47 U.S.C. § 543(m)(2); see 47 CFR § 76.901(f) & nn.1 3. 160 S&P Global Market Intelligence, U.S. Cable Subscriber Highlights, Basic Subscribers(actual) 2019, U.S. Cable MSO Industry Total, see also U.S. Multichannel Industry Benchmarks, U.S. Cable Industry Benchmarks, Basic Subscribers 2019Y, https://platform.marketintelligence.spglobal.com. 69 Federal Communications Commission FCC-CIRC2103-01 do not exceed $250 million in the aggregate.161 Based on available data, we find that all but five cable operators are small entities under this size standard.162 We note that the Commission neither requests nor collects information on whether cable system operators are affiliated with entities whose gross annual revenues exceed $250 million.163 Therefore we are unable at this time to estimate with greater precision the number of cable system operators that would qualify as small cable operators under the definition in the Communications Act. E. Description of Projected Reporting, Recordkeeping, and Other Compliance Requirements for Small Entities 48. Service Providers. The rules adopted in the Second Report and Order require service providers to make minor adjustments to their existing reporting process to account for new or refined multistate reporting for the NORS filings. We estimate that the nation s service providers will incur total initial set up costs of $3.2 million based on the Commission s estimate of 1,000 service provider incurring costs of $80 per hour and spending 40 hours to implement update or revise their software used to report outages to the Commission in NORS and DIRS. We find that this initial cost to be a set up cost which is outweighed by the benefits provided by the rules adopted today in improving the safety and well-being of residents during times of telecommunications outage infrastructure distress. Moreover, small entity providers will collectively incur only a fraction of the estimated cost of $3.2 million (the remaining amount will be incurred by non-small entities). Accordingly, we expect that small entities will only be slightly impacted by the rule changes adopted today. 49. Voluntarily participating agencies. Pursuant to the confidential protections adopted in the Second Report and Order, voluntarily participating agencies, including those that are small entities, will be required to notify the Commission when they receive requests for NORS filings, DIRS filings, or related records, and prior to the effective date of any change in relevant statutes of laws that would affect the agency s ability to adhere to the confidentiality protections that the Commission requires. These agencies will incur initial costs to review and revise their confidentiality protections in accordance with the information sharing framework, and minimal reoccurring costs to notify the Commission about a request for NORS/DIRS filings or relevant statutory changes as described above. Under the adopted information sharing framework, voluntarily participating agencies will also be required to submit to the Commission requests for direct access to NORS and DIRS filings which include a description of why the agency has a need to access NORS and DIRS filings ( need to know )164 and how it intends to use the information in practice. 50. Additionally, participating agencies will be required to implement initial and annual security training to each person granted a user account for NORS and DIRS filings, and certify that they will take appropriate steps to safeguard the information contained in the filings, including notifying the Commission of unauthorized or improper disclosure. In the event of any known or reasonably suspected breach of protocol involving NORS and DIRS filings participating agencies will be required to report this information to the Commission and all affected providers immediately. Participating agencies will also be required to maintain and make available for inspection, upon Commission request, a list of all 161 47 CFR § 76.901(f) and notes ff. 1, 2, and 3. 162 S&P Global Market Intelligence, Top Cable MSOs as of 12/2019, https://platform.marketintelligence.spglobal.com. The five cable operators all had more than 486,460 basic cable subscribers. 163 The Commission does receive such information on a case-by-case basis if a cable operator appeals a local franchise authority s finding that the operator does not qualify as a small cable operator pursuant to § 76.901(f) of the Commission s rules. See 47 CFR § 76.909(b). 164 Agencies applying for direct access to NORS and DIRS are required to demonstrate their  need to know by citing to legal authority, in the form of a statutes, rules, court decisions, or other binding legal provisions, establishing that it has official duties involving preparing for, or responding to, an event that threatens public safety. 70 Federal Communications Commission FCC-CIRC2103-01 localities for which the agency has disclosed NORS and DIRS data. 51. In the Second Report and Order, the Commission allows participating agencies to share confidential NORS and DIRS information within an outside the agency subject to certain limitations. A participating agency will likely incur initial and on-going costs to determine how to appropriately maintain and disseminate confidential NORS and DIRS information consistent with the new information sharing framework. Participating agencies will also be required to execute an annual attestation form certifying and acknowledging compliance with requirements of the information sharing framework that the Commission adopts. Both small entity service providers and voluntarily participating agencies will incur costs and may have to hire operational or other professionals to comply with the requirements of the information sharing framework adopted in the Second Report and Order. The Commission cannot quantify the costs for these activities, which will vary based on each entities particular circumstances, including the adequacy of an agency s existing confidentiality protections and the frequency of changes in its relevant statues and rules. However, we conclude the costs are outweighed by the public safety benefits of implementing the adopted framework to facilitate the sharing of NORS & DIRS information. F. Steps Taken to Minimize the Significant Economic Impact on Small Entities, and Significant Alternatives Considered 52. The RFA requires an agency to describe any significant, specifically small business, alternatives that it has considered in reaching its approach, which may include (among others) the following four alternatives: (1) the establishment of differing compliance or reporting requirements or timetables that take into account the resources available to small entities; (2) the clarification, consolidation, or simplification of compliance or reporting requirements under the rule for such small entities; (3) the use of performance, rather than design, standards; and (4) an exemption from coverage of the rule, or any part thereof, for such small entities.165 53. The Commission has taken the specific steps discussed below to minimize costs for both service providers and voluntarily participating agencies in the NORS and DIRS information sharing framework adopted in the Second Report and Order. 54. Service Providers. As an initial matter, the Commission did not make DIRS reporting mandatory as urged by some commenters in the proceeding. Such a determination is beyond the scope of this proceeding and the question of whether and how NORS and DIRS information should be shared. Moreover, while the Commission adopted changes to the NORS form filing to allow users to select more than one state when submitting a request for NORS information that modified the method in which service providers report outage information in NORS, this change did not impose additional levels of reporting to require disaggregation to provide a breakout of state-specific impacts by submitting state specific filings. With the modifications adopted in the Second Report and Order, the Commission can effectuate the provision of access to filings for outages that span across more than one state and minimize the costs for service providers which are discussed in Section E. All service providers commenting on this issue asserted that the submission of several state specific filings instead of a single aggregate filing for each outage that lists all affected states would increase the reporting burdens for service providers.166 We note that service providers will not need to modify their DIRS reporting processing to accommodate multistate reporting. The new and updated reporting requirements adopted in the Second Report and Order are minimally necessary to assure that the presumptively confidential nature of NORS and DIRS filings is protected when these filings are disseminated to our partners based on the adopted information sharing framework. 55. Voluntarily Participating Agencies. To provide participating agencies maximum flexibility and reduce potential costs of compliance with the training requirements, rather than mandate an agency s use of a specific training program, as proposed in the Second Further Notice, we adopted 165 5 U.S.C. § 604(a)(6). 166 Cite to Commenters - This information came from paragraph 70  Technical Implementation  of the 2nd R&O. 71 Federal Communications Commission FCC-CIRC2103-01 requirements that allow agencies to develop their own training program or rely on an outside training program that covers, at a minimum, each of the following topics or  program elements : (i) procedures and requirements for accessing NORS and DIRS filings; (ii) parameters by which agency employees may share confidential and aggregated NORS and DIRS information; (iii) initial and continuing requirements to receive trainings; (iv) notification that failure to abide by the required program elements will result in personal or agency termination of access to NORS and DIRS filings and liability to service providers and third-parties under applicable law; and (v) notification to the Commission, at its designated e-mail address, concerning any questions, concerns, account management issues, reporting any known or reasonably suspected breach of protocol and, if needed, requesting service providers contact information upon learning of a known or reasonably suspected breach. 56. In addition, rather than requiring third-party audits of training programs to ensure that state and federal agencies training programs comply with the Commission s proposed required program elements, participating agencies are required to make copies of their training curriculum available for the Commission s review upon demand which will significantly minimize costs associated with the required training programs. The Commission also declined to adopt a  downstream training requirement which would have required any entity receiving NORS & DIRS information from a participating agency to complete formal training. Similarly, the Commission declined to adopt a requirement for participating agencies to obtain an affidavit on confidentiality from local entities prior to receipt NORS and DIRS information. To further assist and reduce the burden on small entities and other participating agencies with meeting the training requirements the Commission adopted in the Second Report and Order, the Commission will consult with diverse stakeholders with a range of perspectives, including state governments, the public safety community, service providers, and other industry representatives to develop exemplar training materials, that can be used by participating agencies to training their staffs on the proper uses of NORS and DORS filings. 57. The Commission also declined to grant local agencies direct access to NORS and DIRS considering among other things the burdens that would result for local entities, many of which may be small entities. Providing direct access to local entities would have potentially exponentially increased the number of participating entities, in contrast to the relatively limited number of state, federal, and other entities that the Commission identified for eligibility in the Second Report and Order. These local entities would have to comply with requirements of the information sharing framework and would incur the associated costs. Further, because local entity governments typically do not have the level of experience navigating the kinds of outage and infrastructure status information contained in NORS and DIRS filings as compared to state agencies, developing this experience would likely increase their cost of compliance as well as increase the risk of improper disclosure of NORS & DIRS information. 58. Additionally, the Commission has adopted a single form to address the certifications and acknowledgments required for direct access to NORS and DIRS.167 The use of a single form, coupled with the fact that the proposed certification form is similar to one that the Commission currently requires for sharing sensitive numbering data with states using FCC Form 477 data, should help minimize preparation time and costs, specifically for those smaller agencies since these agencies should be familiar with the existing requirements and have comparable operational processes and procedures already in place. Report to Congress 59. The Commission will send a copy of the Second Report and Order, including this FRFA, in a report to be sent to Congress pursuant to the Congressional Review Act.168 In addition, the Commission will send a copy of the Second Report and Order, including this FRFA, to the Chief Counsel for Advocacy of the SBA. A copy of the Second Report and Order and FRFA (or summaries thereof) 167 See Appendix C. 168 See 5 U.S.C. § 801(a)(1)(A). 72 Federal Communications Commission FCC-CIRC2103-01 will also be published in the Federal Register.169 169 See 5 U.S.C. § 604(b). 73 Federal Communications Commission FCC-CIRC2103-01 Appendix C: Certification Form Instructions: Please review and complete the form below. Please send your completed form to NORS_DIRS_information_sharing@fcc.gov. On review, the Commission will contact you to resolve any questions with your application papers or issue your agency login credentials for accessing NORS and DIRS. [NAME OF AGENCY] CERTIFICATION FORM FOR NORS AND DIRS SHARING [your title] [name of agency] [address] [address] Dear Commission: [Agency name] requests access to Network Outage Reporting System (NORS) and Disaster Information Reporting System (DIRS) filings involving [for states, the District of Columbia, or U.S. Territories, the name of state(s) or jurisdiction(s); for federal agencies, the name of state(s) or nationwide; for Tribal nations, the name of the Tribal Government or component thereof] (filings).1 I hereby certify and acknowledge that I am authorized to act on behalf of the [name of agency] and that [name of agency] is willing and able to be bound by the terms and conditions provided in this document. On behalf of [agency name], I acknowledge and certify that [agency name] agrees to the terms below. I hereby certify and acknowledge that each user account is to be assigned to a single employee and that [agency name] will promptly reassign user accounts to reflect changes as its roster of designated employees changes (e.g., due to employee departure and arrival). I hereby certify and acknowledge that [agency name] will change user account passwords and take other reasonable measures to ensure that user account credentials are not used by individuals who are not [agency name] s designated employees. I hereby certify and acknowledge that NORS and DIRS filings, and the information contained therein (collectively, NORS and DIRS filings and information) are sensitive and presumed confidential for national security and commercial competitiveness reasons.2 I hereby certify that [agency name] will treat NORS and DIRS filings and data as confidential under federal and state Freedom of Information Act statutes and similar laws and regulations and not disclose them absent a finding by the Commission that allows [agency name] to do so. I hereby certify that [agency name] will treat NORS and DIRS filings and information in accordance with procedural and substantive protections that are equivalent to or greater than those afforded under federal 1 These filings are made pursuant to the Commission s reporting rules and practices. See, e.g., 47 CFR Part 4; see also, e.g., The FCC s Public Safety & Homeland Security Bureau Launches Disaster Information Reporting System (DIRS), Public Notice, DA 07-3871, 22 FCC Rcd 16757 (PSHSB 2007). 2 The Commission has noted that the outage reports  will contain sensitive data and that this data  could be used by hostile parties to attack those networks, which are part of the Nation s critical information infrastructure. 2004 Part 4 Report and Order, 19 FCC Rcd at 16852-53, para. 40. Further, the Commission stated that the  national defense and public safety goals sought with outage reporting would be  seriously undermined if [the Commission] were to permit these reports to fall into the hands of terrorists who seek to cripple the nation s communications infrastructure. 2004 Part 4 Report and Order, 19 FCC Rcd at 16855, para. 45. 74 Federal Communications Commission FCC-CIRC2103-01 confidentiality statutes and rules, including but not limited to the federal Freedom of Information Act.3 To the extent that federal confidentiality statutes and rules impose a higher standard of confidentiality than applicable state, U.S. territory, or Tribal law or regulations provide, I represent that the [name of agency] is legally able to and will adhere to the higher federal standard. I agree that the [name of agency] will notify the Commission, within 14 calendar days via the e-mail, NORS_DIRS_information_sharing@fcc.gov, when [name of agency] receives a request from a third party to disclose NORS filings and DIRS filings, or related records, pursuant to a state s open record laws or other legal authority that could compel [name of agency] to do so. I agree to notify the Commission via the e-mail, NORS_DIRS_information_sharing@fcc.gov, at least 30 calendar days prior to the effective date of any change in relevant statutes of laws that would affect [name of agency] s ability to adhere to at least the federal confidentiality rules and statutes standard. I hereby certify and acknowledge that the Commission s rules place restrictions on the access to and use of NORS and DIRS filings and information. I certify that I have reviewed and agree to comply with the restrictions regarding information sharing as described in Part 4 of Title 47 of the Code of Federal Regulations. I hereby certify and acknowledge that the [name of agency] will adopt or develop a NORS and DIRS security training program, if it has not already, that satisfies each of the required training program elements identified at [cite to forthcoming Order], that the [name of agency] will administer this training to each of its designated employees prior to their access to NORS and DIRS filings and information and then at least annually thereafter. The [name of agency] will make copies of its training curriculum available for the Commission s review upon demand. I further acknowledge that [name of agency] will report immediately to any affected service providers and to the Commission, via the e-mail NORS_DIRS_information_sharing@fcc.gov and NSOC@fcc.gov, any known or reasonably suspected breach of the protocol specified in the training program or any other known or reasonably suspected unauthorized use or improper disclosure of NORS and DIRS information. I further acknowledge that if [name of agency] needs contact information for a provider, that [agency name] may request this information from the Commission at NORS_DIRS_information_sharing@fcc.gov, and that this does not toll [agency name] s obligation to immediately notify any affected service providers, using the best contact information known to [agency name]. I acknowledge on behalf of [name of agency] that the Commission does not guarantee the accuracy of either the NORS or DIRS filings as both sets of filings are submitted to the respective web-based databases by service providers pursuant to mandatory reporting timeframes for NORS filings and voluntary reporting timeframes for DIRS filings. Further, I acknowledge that there may be times access to the filings is unavailable, e.g., due to planned or unplanned service and maintenance. I hereby certify and acknowledge that [agency name s] continued access to NORS and DIRS filings and information is conditioned on its annual recertification of a current version of this form, available on the Commission s website. I acknowledge that the Public Safety and Homeland Security Bureau (Bureau) of the Commission may terminate [agency name] s access at any time, and for any reason, by giving written notice to [name of agency]. If access is terminated, I agree that [name of agency] will, upon the Commission s termination notice, cause to be securely destroyed any and all NORS and DIRS filings and information or other data received pursuant to this grant, whether electronic or hardcopy form. I hereby certify and acknowledge that all the terms and conditions provided in this document apply to past and future NORS and DIRS filings and information. 3 See 5 U.S.C. § 552(b)(4). 75 Federal Communications Commission FCC-CIRC2103-01 I hereby certify that [employee name, title, phone number and email address] will manage my agency s access to NORS and DIRS filings by managing user accounts in accordance with the Commission s rules; coordinating the downstream sharing of NORS and DIRS filings; making available for Commission inspection a list of all localities for which the agency has disclosed NORS and DIRS data; coordinating with the Commission to manage an unauthorized access incident; and answering any questions from the Commission regarding my agency s access, use, or sharing of NORS and DIRS filings. I hereby certify and acknowledge my and [agency name] s obligation to inform the Commission if I cease to be the designated representative of [agency name] with authority to obligate and bind the agency to the statements above or if the employee listed above ceases to be the designated agency contact. I acknowledge that the Bureau makes no determinations about any provisions of [name of state] law or agency regulations or your statements about such provisions. Sincerely, [name and title of official], on behalf of [name of agency] Affirmed: Lisa M. Fowlkes Chief Public Safety and Homeland Security Bureau Federal Communications Commission 76 Federal Communications Commission FCC-CIRC2103-01 Appendix D: Exemplar Aggregated Data Overview The following provides general non-binding guidelines regarding how to aggregate NORS and DIRS data, followed by examples of aggregated NORS and DIRS data based on hypothetical information. The aggregated data presented does not reflect the exact number of users affected by a service provider s outage and is only used for situational awareness. We remind agencies participating in our framework that failure to properly aggregate data in accordance with the rules adopted in the Second Order could lead to the improper disclosure of service providers confidential information and may result in termination of their access to NORS and DIRS filings by the Commission. Participating agencies with additional questions are urged to contact the Commission for guidance. General Aggregation Guidelines Aggregation  Dos ·ð It is best to aggregate only NORS and DIRS information of the same type (e.g., aggregate wireless data and wireline data separately). If information is aggregated across different types, the public release of this information should state the types of NORS or DIRS information aggregated (e.g.  This data includes wireless and wireline data ). ·ð It is best to aggregate 911 outages according to their impact (e.g., 911 call delivery affected, only 911-caller location information affected). If information is aggregated across different types of 911 outages, the public release of this information should note the approximate proportion of the effects (e.g.,  in most cases only location information is affected ). ·ð If aggregating NORS information, aggregate information related to long-term trends using final reports only. ·ð If aggregating NORS information from notifications or initial reports, please be aware that this information may change as service providers further remediate or investigate the outage. It is recommended that agencies make clear that this information is only preliminary and may change or be updated over time. ·ð If several reported outages seem very large, it is good practice to confirm the magnitude of the outage with the reporting service providers prior to releasing any aggregated information about them. In some instances, service providers may intentionally overestimate the effect of an outage out of an abundance of caution. Agencies should be aware of these circumstances prior to determining what information would be appropriate to release to the public. ·ð If an agency intends to aggregate the duration or the number of users affected by multiple outages, reporting the median is generally preferred over reporting the mean (average) because the mean may be skewed by unrepresentatively high or low outliers. ·ð When aggregating data for incidents occurring over a period of time, use the incident date/time, not the creation date or reportable date. ·ð The frequency of NORS outage reports varies by season. If aggregating for the purpose of comparing two time periods, it is advisable that the time periods be of the same season of the year (e.g., compare January to March 2020, to January to March 2019, but not to July to August 2019.) ·ð Be careful when aggregating outages with durations of all 9 s that are greater than 99 (e.g., 999, 9999, 99999). These values can be indicators that the outage is ongoing even though the report is 77 Federal Communications Commission FCC-CIRC2103-01 final. If in doubt, it is best to contact the reporting service provider and/or exclude these outages from the aggregation. ·ð Sudden increases or decreases in NORS reports may be the result of reporting rules changes or other effects. If sudden changes are noticed, the FCC should be consulted before data is made public. As a corollary, personnel responsible for data aggregation should keep up with any NORS rule changes. Aggregation  Don ts ·ð Do not release NORS data for a single outage, even if the name of the service provider is not mentioned in the release. Aggregation should always occur across at least four service providers, meaning that in most instances, agencies cannot release aggregated information about an ongoing outage. ·ð Do not aggregate data over a geographic region which has fewer than four service providers of that type in the region. For example, if a county is served by only three wireless service providers, do not report an aggregation of wireless outage data for that county. ·ð Do not aggregate NORS and DIRS data together. ·ð Do not aggregate NORS data at a scope smaller than a state, unless the reports you are aggregating all specify a smaller region (e.g., a specific county or Tribal territory). ·ð In NORS, do not aggregate non-service affecting outages (i.e., OC3 Simplex outages) with service affecting outages. ·ð Do not identify names of service providers as sources of outage data. ·ð Do not use the time zone data in NORS to determine outage location. This data is used only to identify the time zone for the incident time. ·ð Do not include Special Facilities outage reports in any aggregation. 78 Federal Communications Commission FCC-CIRC2103-01 Examples of Aggregated NORS and DIRS Data NORS Example: The following table shows the total number of wireline users affected by wireline outages in each state as reported by 4 companies or more: Wireline Incident Duration Duration Outage ID Company Reason Reportable State Affected Users Date/Time Hours Minutes Affected ON-XXXX3471 Company 1 Wireline - 900,000 user-minutes OHIO 1/4/2018 20:36 10 39 2,450 ON-XXXX3475 Company 4 Wireline - 900,000 user-minutes OHIO 1/5/2018 20:36 4 35 43,540 ON-XXXX3477 Company 3 Wireline - 900,000 user-minutes OHIO 1/6/2018 20:36 6 53 35,000 ON-XXXX3575 Company 4 Wireline - 900,000 user-minutes OHIO 1/7/2018 20:36 0 30 40,313 ON-XXXX3580 Company 3 Wireline - 900,000 user-minutes OHIO 1/8/2018 20:36 3 11 257,690 ON-XXXX3581 Company 2 Wireline - 900,000 user-minutes OHIO 1/9/2018 20:36 5 28 23,434 ON-XXXX3582 Company 3 Wireline - 900,000 user-minutes OHIO 1/10/2018 20:36 14 6 22,720 ON-XXXX3590 Company 3 Wireline - 900,000 user-minutes OHIO 1/11/2018 20:36 10 7 10,897 ON-XXXX3591 Company 5 Wireline - 900,000 user-minutes OHIO 1/12/2018 20:36 8 16 42,480 ON-XXXX3592 Company 3 Wireline - 900,000 user-minutes OHIO 1/13/2018 20:36 3 11 257,690 ON-XXXX3593 Company 2 Wireline - 900,000 user-minutes OHIO 1/14/2018 20:36 5 28 23434 ON-XXXX3598 Company 2 Wireline - 900,000 user-minutes OHIO 1/15/2018 20:36 14 6 22,720 ON-XXXX3472 Company 1 Wireline - 900,000 user-minutes PENNSYLVANIA 1/4/2018 20:36 10 7 10,897 ON-XXXX3474 Company 2 Wireline - 900,000 user-minutes PENNSYLVANIA 1/5/2018 20:36 8 16 42480 ON-XXXX3479 Company 4 Wireline - 900,000 user-minutes PENNSYLVANIA 1/6/2018 20:36 2 6 116000 ON-XXXX3481 Company 3 Wireline - 900,000 user-minutes PENNSYLVANIA 1/7/2018 20:36 26 6 1,624 ON-XXXX3560 Company 3 Wireline - 900,000 user-minutes PENNSYLVANIA 1/8/2018 20:36 21 35 234235 ON-XXXX3578 Company 1 Wireline - 900,000 user-minutes PENNSYLVANIA 1/9/2018 20:36 6 21 59,647 ON-XXXX3579 Company 2 Wireline - 900,000 user-minutes PENNSYLVANIA 1/10/2018 20:36 11 27 8,860 ON-XXXX3595 Company 1 Wireline - 900,000 user-minutes PENNSYLVANIA 1/11/2018 20:36 10 39 2450 ON-XXXX3599 Company 3 Wireline - 900,000 user-minutes PENNSYLVANIA 1/12/2018 20:36 4 35 43,540 ON-XXXX3600 Company 1 Wireline - 900,000 user-minutes PENNSYLVANIA 1/13/2018 20:36 6 53 35,000 ON-XXXX3601 Company 5 Wireline - 900,000 user-minutes PENNSYLVANIA 1/14/2018 20:36 0 30 40313 ON-XXXX3602 Company 1 Wireline - 900,000 user-minutes PENNSYLVANIA 1/15/2018 20:36 3 11 257690 ON-XXXX3603 Company 1 Wireline - 900,000 user-minutes PENNSYLVANIA 1/16/2018 20:36 5 28 23434 ON-XXXX3604 Company 1 Wireline - 900,000 user-minutes PENNSYLVANIA 1/17/2018 20:36 14 6 22720 ON-XXXX3476 Company 1 Wireline - 900,000 user-minutes VIRGINIA 1/5/2018 20:36 10 7 10,897 ON-XXXX3480 Company 2 Wireline - 900,000 user-minutes VIRGINIA 1/6/2018 20:36 8 16 42480 ON-XXXX3482 Company 3 Wireline - 900,000 user-minutes VIRGINIA 1/7/2018 20:36 2 6 116,000 ON-XXXX3485 Company 1 Wireline - 900,000 user-minutes VIRGINIA 1/8/2018 20:36 26 6 1,624 ON-XXXX3487 Company 1 Wireline - 900,000 user-minutes VIRGINIA 1/9/2018 20:36 3 11 257690 ON-XXXX3490 Company 4 Wireline - 900,000 user-minutes VIRGINIA 1/10/2018 20:36 5 28 23434 ON-XXXX3502 Company 1 Wireline - 900,000 user-minutes VIRGINIA 1/11/2018 20:36 14 6 22,720 ON-XXXX3507 Company 3 Wireline - 900,000 user-minutes VIRGINIA 1/12/2018 20:36 10 7 10,897 ON-XXXX3517 Company 2 Wireline - 900,000 user-minutes VIRGINIA 1/13/2018 20:36 8 16 42,480 ON-XXXX3530 Company 1 Wireline - 900,000 user-minutes VIRGINIA 1/14/2018 20:36 2 6 116000 ON-XXXX3531 Company 1 Wireline - 900,000 user-minutes VIRGINIA 1/15/2018 20:36 26 6 1624 . 79 Federal Communications Commission FCC-CIRC2103-01 For the NORS aggregation example table below, the number of wireline users affected from all reports above per state were added and are presented in the total number of wireline users affected per state: State Affected Wireline Users Affected OHIO 782,368 PENNSYLVANIA 898,890 VIRGINIA 645,846 80 Federal Communications Commission FCC-CIRC2103-01 DIRS Example: The following table shows the total number of cell sites were affected by a disaster in each state as reported by 4 companies or more: Percent of Cell Sites Cell Sites Cell Sites Cell Sites Cell Sites Historical Cell Sites Out Due to Out Due to ID Number Company County Affected Out Due to on Back- State Updated Capacity Served Cell Site No Power (Down) Transport Up P ower Available Damage at Cell 0XX- XXXXXXXX Company 1 County 99 164 1 0 1 0 0 CALIFORNIA 19:19.0 X1561 0XX- XXXXXXXX Company 2 County 100 26 00000CALIFORNIA19:19.0 X1562 0XX- XXXXXXXX Company 3 County 99.82 1623 30000CALIFORNIA03:53.0 X1563 0XX- XXXXXXXX Company 4 County 100 2238 4 3 1 0 0 CALIFORNIA 24:21.0 X1564 0XX- XXXXXXXX Company 1 County 100 800000FLORIDA19:19.0 X1565 0XX- XXXXXXXX Company 2 County 100 23 00000FLORIDA19:19.0 X1566 0XX- XXXXXXXX Company 3 County 100 203 00000FLORIDA19:19.0 X1567 0XX- XXXXXXXX Company 4 County 9 3 0 1 2 0 FLORIDA 56:04.0 X1568 0XX- XXXXXXXX Company 5 County 14 50230FLORIDA56:04.0 X1569 0XX- XXXXXXXX Company 1 County 148 26 0 10 16 0 FLORIDA 56:04.0 X1570 0XX- XXXXXXXX Company 2 County 100 50 00000FLORIDA02:42.0 X1571 0XX- XXXXXXXX Company 3 County 100 900000GEORGIA57:15.0 X1572 0XX- XXXXXXXX Company 4 County 100 200000GEORGIA58:09.0 X1573 0XX- XXXXXXXX Company 5 County 100 24 00000GEORGIA58:25.0 X1574 0XX- XXXXXXXX Company 3 County 100 33 00000GEORGIA58:42.0 X1575 0XX- XXXXXXXX Company4 County 95 13 0 0 13 0 GEORGIA 56:04.0 X1576 0XX- XXXXXXXX Company 2 County 233 00000GEORGIA56:04.0 X1577 0XX- XXXXXXXX Company 1 County 100 285 00001GEORGIA03:04.0 X1578 0XX- PENNSYLVAN XXXXXXXX Company 1 County 33 11 0470 56:04.0 IA X1579 0XX- PENNSYLVAN XXXXXXXX Company 2 County 126 00000 04:52.0 IA X1580 0XX- PENNSYLVAN XXXXXXXX Company 3 County 126 00000 05:36.0 IA X1581 0XX- PENNSYLVAN XXXXXXXX Company 4 County 100 28 00000 24:28.0 IA X1582 0XX- PENNSYLVAN XXXXXXXX Company 5 County 100 13 00000 24:28.0 IA X1583 0XX- PENNSYLVAN XXXXXXXX Company 3 County 100 16 00000 24:28.0 IA X1584 0XX- PENNSYLVAN XXXXXXXX Company 1 County 100 46 00000 24:28.0 IA X1585 0XX- PENNSYLVAN XXXXXXXX Company 2 County 100 1 00000 24:28.0 IA X1586 0XX- PENNSYLVAN XXXXXXXX Company 3 County 100 37 00000 58:32.0 IA X1587 81 Federal Communications Commission FCC-CIRC2103-01 For the DIRS aggregation example table below, the number of cell sites affected from all wireless reports above for each state were added and presented in the total number of affected cell sites per state in the table below. The percentage of cell sites out of service were calculated by dividing the number of cell sites served by the number of cell sites out of service for each state: Sum of  Sum of  Sum of  Sum of  Cell Sites  Percent  Sum of Cell  Cell Sites  Cell Sites  Cell Sites  Out Due  Cell Sites  State Affected Sites  Out Due  Out Due  Out of  to Cell  Out of  Served to  to No  Service Site  Service Transport Power Damage CALIFORNIA 4051 8 3 2 0 0.20% FLORIDA 455 34 0 13 21 7.47% GEORGIA 681 13 0 0 13 1.91% PENNSYLVANIA 426 11 0 4 7 2.58% 82 Federal Communications Commission FCC-CIRC2103-01 Appendix E: List of Commenting Parties Comments The Alliance for Telecommunications Industry Solutions (ATIS) America s Communications Association Connects (ACA Connects) AT&T Services, Inc. (AT&T) Boulder Regional Emergency Telephone Service Authority (BRETSA) Brad Young California Public Utilities Commission (CPUC) Colorado Public Utilities Commission (CoPUC) Communications Workers of America, District 7 (CWA) Competitive Carriers Association (CCA) CTIA Free Press International Association of Chiefs of Police (IACP) King County E-911 Massachusetts Department of Telecommunications and Cable (MDTC) Michigan Public Service Commission (MPSC) Montrose Emergency Telephone Service Authority (METSA) National Association of State 911 Administrators (NASNA) NCTA  The Internet & Television Association (NCTA) New York State Public Service Commission (NYPSC) NTCA The Rural Broadband Association (NTCA) Pennsylvania Public Utility Commission (Pa. PUC) Telecommunications Regulatory Bureau of Puerto Rico T-Mobile USA, Inc. (T-Mobile) USTelecom The Broadband Association (USTelecom) The Utility Reform Network (TURN) Verizon Washington APCO-NENA Chapter Reply Comments ACA Connects BRETSA California Governor's Office of Emergency Services (Cal OES) CPUC CenturyLink, Inc (CenturyLink) City of New York CTIA MPSC National Association of Broadcasters (NAB) National Association of Regulatory Utility Commissioners (NARUC) National Association of State Utility Consumer Advocates (NASUCA) NCTA NTCA Pa. PUC Public Service Commission of the District of Columbia Satellite Industry Association (SIA) Texas 9-1-1 Alliance, Texas State Commission on State Emergency Communications (CSEC), and Municipal Emergency Communication Districts Association (collectively, the  Texas 9-1-1 Entities ) T-Mobile USTelecom 83 Federal Communications Commission FCC-CIRC2103-01 Verizon Vermont Enhanced 911 Board Ex Parte ACA Connects SIA T-Mobile NCTA 84