October 6, 2022

FCC FACT SHEET*
Amendment of Part 11 of the Commission’s Rules Regarding the Emergency Alert System, et al.
Notice of Proposed Rulemaking - PS Docket Nos. 15-94, 15-91, and 22-329

Background: The security of the nation’s alert and warning systems is essential to helping safeguard the lives and property of all Americans. Over the years, the Federal Communications Commission (Commission) has encouraged stakeholders to ensure their systems are secure, including by providing guidance on specific steps that communications providers can take to secure their equipment. While the Emergency Alert System (EAS) and Wireless Emergency Alerts (WEA) are strong, we must remain vigilant and proactive to ensure they remain so. This Notice of Proposed Rulemaking proposes a number of steps that, if adopted, would strengthen the operational readiness of EAS and WEA, including by reducing the vulnerability of these systems to cyberattacks.

What the Notice of Proposed Rulemaking Would Do:
• Seek comment on ways to strengthen the operational readiness of EAS equipment.
• Propose to protect EAS from cyberattacks by requiring EAS Participants to report to the Commission incidents of unauthorized access of their EAS equipment within 72 hours of when they knew or should have known that the incident occurred.
• Ensure the security of EAS and WEA by proposing to require EAS Participants and Commercial Mobile Service (CMS) providers that participate in WEA (Participating CMS Providers) to annually certify to having a cybersecurity risk management plan in place and to employing sufficient security measures to ensure the confidentiality, integrity, and availability of their respective alerting systems.
• Propose to prevent false alerts by requiring Participating CMS Providers to transmit sufficient authentication information to ensure that only valid alerts are displayed on consumer devices.
• Increase alert originators’ confidence in WEA performance by refreshing the record on the Commission’s prior proposal to clarify that the Commission’s WEA functionality requirements are not optional for those CMS providers that voluntarily choose to participate in WEA.

* This document is being released as part of a “permit-but-disclose” proceeding. Any presentations or views on the subject expressed to the Commission or its staff, including by email, must be filed in PS Docket Nos. 15-94, 15-91 and 22-329, which may be accessed via the Electronic Comment Filing System (https://www.fcc.gov/ecfs/). Before filing, participants should familiarize themselves with the Commission’s ex parte rules, including the general prohibition on presentations (written and oral) on matters listed on the Sunshine Agenda, which is typically released a week prior to the Commission’s meeting. See 47 CFR § 1.1200 et seq.

Federal Communications Commission FCC-CIRC2210-04

Before the
Federal Communications Commission
Washington, D.C. 20554

In the Matter of

Amendment of Part 11 of the Commission’s Rules Regarding the Emergency Alert System (PS Docket No. 15-94)
Wireless Emergency Alerts (PS Docket No. 15-91)
Protecting the Nation’s Communications Systems from Cybersecurity Threats (PS Docket No. 22-329)

NOTICE OF PROPOSED RULEMAKING*

Adopted: [ ]
Released: [ ]

Comment Date: (30 days after date of publication in the Federal Register)
Reply Comment Date: (60 days after date of publication in the Federal Register)

By the Commission:

TABLE OF CONTENTS

I. INTRODUCTION (para. 1)
II. BACKGROUND (para. 2)
    A. Emergency Alert System (para. 2)
    B. Wireless Emergency Alerts (para. 6)
III. DISCUSSION (para. 9)
    A. Promoting the Operational Readiness of EAS Equipment (para. 9)
    B. Improving Awareness of Unauthorized Access to EAS Equipment (para. 13)
    C. Protecting the Nation’s Alerting Systems through the Development, Implementation, and Certification of a Cybersecurity Risk Management Plan (para. 22)
        1. EAS Security (para. 22)
        2. WEA Security (para. 33)
    D. Displaying Only Valid WEA Messages on Mobile Devices (para. 37)
    E. WEA Infrastructure Functionality (para. 41)
    F. Promoting Digital Equity (para. 42)
    G. Compliance Timeframes (para. 44)
IV. PROCEDURAL MATTERS (para. 49)
V. ORDERING CLAUSES (para. 55)
APPENDIX A - Proposed Rules
APPENDIX B - Initial Regulatory Flexibility Analysis

* This document has been circulated for tentative consideration by the Commission at its October 2022 open meeting. The issues referenced in this document and the Commission’s ultimate resolution of those issues remain under consideration and subject to change. This document does not constitute any official action by the Commission. However, the Chairwoman has determined that, in the interest of promoting the public’s ability to understand the nature and scope of issues under consideration, the public interest would be served by making this document publicly available. The Commission’s ex parte rules apply and presentations are subject to “permit-but-disclose” ex parte rules. See, e.g., 47 C.F.R. §§ 1.1206, 1.1200(a). Participants in this proceeding should familiarize themselves with the Commission’s ex parte rules, including the general prohibition on presentations (written and oral) on matters listed on the Sunshine Agenda, which is typically released a week prior to the Commission’s meeting. See 47 CFR §§ 1.1200(a), 1.1203.

I. INTRODUCTION

1. The security of the nation’s alert and warning systems is essential to helping safeguard the lives and property of all Americans. Over the years, the Federal Communications Commission (Commission) has encouraged stakeholders to ensure their systems are secure, including by providing guidance on specific steps that communications providers can take to secure their equipment. While the Emergency Alert System (EAS) and Wireless Emergency Alerts (WEA) programs are strong, we must remain vigilant and proactive to ensure they remain so. In this Notice of Proposed Rulemaking (Notice), we seek comment on ways to strengthen the operational readiness of EAS equipment. We also propose to require EAS Participants[1] to report compromises of their EAS equipment, communications systems, and services to the Commission.
In addition, we propose to require EAS Participants and Commercial Mobile Service (CMS) providers that participate in WEA (Participating CMS Providers) to annually certify to having a cybersecurity risk management plan in place and to employ sufficient security measures to ensure the confidentiality, integrity, and availability of their respective alerting systems. We also propose to require Participating CMS Providers to take steps to ensure that only valid alerts are displayed on consumer devices.

II. BACKGROUND

A. Emergency Alert System

2. The EAS is a national public warning system through which broadcasters, cable systems, and other EAS Participants deliver alerts to the public to warn them of impending emergencies and dangers to life and property.[2] The primary purpose of the EAS is to provide the President with “the capability to provide immediate communications and information to the general public at the National, State and Local Area levels during periods of national emergency.”[3] The EAS is also used to distribute alerts issued by state, local, Tribal, and territorial governments, as well as by the National Weather Service (NWS). Although EAS Participants are required to broadcast Presidential alerts, they participate in broadcasting state and local EAS alerts on a voluntary basis.[4] The Commission, the Federal Emergency Management Agency (FEMA), and the NWS implement the EAS at the federal level.[5]

[1] The Commission’s rules define EAS Participants as analog radio broadcast stations, including AM, FM, and Low-power FM stations; digital audio broadcasting stations, including digital AM, FM, and Low-power FM stations; Class A television and Low-power TV stations; digital television broadcast stations, including digital Class A and digital Low-power TV stations; analog cable systems; digital cable systems; wireline video systems; wireless cable systems; direct broadcast satellite service providers; and digital audio radio service providers. See 47 CFR § 11.11(a).
[2] See, e.g., Review of the Emergency Alert System; Independent Spanish Broadcasters Association, The Office of Communication of the United Church of Christ, Inc., and the Minority Media and Telecommunications Council, Petition for Immediate Relief, ET Docket No. 04-296, Fifth Report and Order, 27 FCC Rcd 642, 646, para. 6 (2012) (Fifth Report and Order); Review of the Emergency Alert System, EB Docket No. 04-296, Notice of Proposed Rulemaking, 19 FCC Rcd 15775, 15776-77, paras. 6-8 (2004).
[3] 47 CFR § 11.1. Under the Part 11 rules, national activation of the EAS for a Presidential alert message, initiated by the transmission of an Emergency Action Notification (EAN) event code, is designed to provide the President the capability to transmit an alert message (in particular, an audio alert message) to the American public within ten minutes from any location at any time and must take priority over any other alert message and preempt other alert messages in progress. See, e.g., Review of the Emergency Alert System, First Report and Order, 20 FCC Rcd. 18625, 18628, para. 8 (2005) (First Report and Order). See also, e.g., 47 CFR §§ 11.33(a)(11), 11.51(m), (n).

3.
The EAS is a broadcast-based, hierarchical alert message distribution system in which an alert message originator at the local, state, or national level encodes (or arranges to have encoded) a message in the EAS Protocol.[6] The alert is then broadcast from one or more EAS Participants, and subsequently relayed from one station to another until all affected EAS Participants have received the alert and delivered it to the public.[7] Authorized emergency alert authorities also distribute EAS alerts over the Internet to EAS Participants by formatting those alerts in the Common Alerting Protocol (CAP), and delivering those alerts through the FEMA-administered Integrated Public Alert and Warning System (IPAWS) Open Platform for Emergency Networks (IPAWS-OPEN).[8] The integrity of the EAS is maintained through the Commission’s EAS rules, which set forth the parameters and frequency with which EAS Participants must test the system,[9] prohibit the unauthorized use of the EAS Attention Signal and codes,[10] and require EAS Participants to keep their EAS equipment in good working order.[11]

4. In the last decade, the Commission has become aware of several incidents that raise concerns about the security of the EAS.
The Commission previously highlighted a 2013 incident in which malicious actors accessed EAS equipment at several TV stations to perpetrate a “zombie attack” hoax that affected television stations in Great Falls, Montana, the vicinity of Marquette, Michigan, and other stations in Michigan, Utah, New Mexico and California.[12] The Commission observed that the attack could have been prevented had the EAS Participants changed manufacturer default passwords on their EAS equipment, installed firewalls, or taken other appropriate security measures.[13] In 2020, hackers compromised the EAS systems of an EAS Participant in Jefferson County, Washington and caused the transmission of false EAS alerts describing a false Radiological Hazard Warning that affected approximately 3,000 homes.[14] In 2020, the Commission became aware of instances in which EAS equipment connected to the Internet was potentially vulnerable to IP-based attacks due to inadequate network security or unsecure device settings.[15] The Commission warned all EAS Participants of this vulnerability, encouraging them to secure their EAS equipment by installing current security patches, and using firewalls.[16] Most recently, on August 1, 2022, FEMA issued an advisory on a potential vulnerability in certain EAS encoder/decoder devices that have not been updated to most recent software versions.[17] FEMA observed that if EAS devices are not up-to-date, an unauthorized actor could issue false EAS alerts over the EAS Participant’s infrastructure. The FCC’s Public Safety and Homeland Security Bureau (PSHSB or Bureau) subsequently released a Public Notice that identified this vulnerability as the same one from 2020, urging all EAS Participants, regardless of the make and model of their EAS equipment, to upgrade their equipment software and firmware to the most recent versions recommended by the manufacturer and secure their equipment behind a properly configured firewall as soon as possible.[18]

[4] See 47 CFR § 11.55(a); First Report and Order, 20 FCC Rcd at 18628, para. 8.
[5] The respective roles of the Commission, FEMA, and NWS are defined in a series of Executive documents. See 1981 State and Local Emergency Broadcasting System (EBS) Memorandum of Understanding Among the Federal Emergency Management Agency (FEMA), Federal Communications Commission (FCC), the National Oceanic and Atmospheric Administration (NOAA), and the National Industry Advisory Committee (NIAC) reprinted as Appendix K to Partnership for Public Warning Report 2004-1, The Emergency Alert System (EAS): An Assessment; Memorandum, Presidential Communications with the General Public During Periods of National Emergency, The White House (Sept. 15, 1995) (1995 Presidential Statement); and Public Alert and Warning System, Exec. Order No. 13407, 71 Fed. Reg. 36975 (June 26, 2006).
[6] See 47 CFR § 11.31.
[7] See Amendment of Part 11 of the Commission’s Rules Regarding the Emergency Alert System; Wireless Emergency Alerts, PS Docket Nos. 15-94 and 15-91, Notice of Proposed Rulemaking and Notice of Inquiry, 36 FCC Rcd 6266, 6271, paras. 8-9 (March 17, 2021) for a description of this process.
[8] See 47 CFR § 11.56; see also Fifth Report and Order, 27 FCC Rcd at 644-45, para. 4.
[9] See 47 CFR § 11.61.
[10] See 47 CFR §§ 11.45(a), 11.46.
[11] See 47 CFR § 11.35; see also 47 CFR § 11.32 (EAS Encoder); 47 CFR § 11.33 (EAS Decoder) (collectively describing the minimum operating requirements for EAS equipment).
[12] Amendment of Part 11 of the Commission’s Rules Regarding the Emergency Alert System, Wireless Emergency Alerts, PS Docket Nos. 15-94 and 15-91, Notice of Proposed Rulemaking, 31 FCC Rcd 594, 638, para. 98 (2016) (2016 Notice).
[13] Id.

5.
In 2016, the Commission adopted a Notice of Proposed Rulemaking that proposed several improvements to EAS, including improvements that could potentially secure the EAS against accidental misuse and malicious intrusion.[19] Specifically, the Commission proposed to require EAS Participants to certify as to the performance of certain security measures that demonstrated implementation of the best practices recommended by the Communications Security, Reliability, and Interoperability Council (CSRIC) IV’s EAS Security Report;[20] require reporting for false alerts and “lockouts”; and ensure the proper authentication and validation of alerts to protect against malicious or accidental misuse of alerting platforms.[21] The 2016 Notice also sought comment on whether there were additional measures that the Commission could leverage to help make the EAS more secure and resilient, such as adoption of a software-defined networking approach to EAS infrastructure design.[22] The Commission followed up in 2018 by adopting new rules related to false alert reporting,[23] alert authentication,[24] and alert validation,[25] but did not act on the other security proposals from the 2016 Notice.[26]

B. Wireless Emergency Alerts

6. WEA is a tool for authorized federal, state, local, tribal, and territorial government entities to geographically target alerts and warnings to WEA-capable mobile devices of Participating CMS Providers’ subscribers. The Warning Alert and Response Network (WARN) Act establishes WEA as a voluntary system in which CMS providers may elect to participate and gives the Commission authority to adopt “relevant technical standards, protocols, procedures and other technical requirements . . . necessary to enable commercial mobile service alerting capability for commercial mobile service providers that voluntarily elect to transmit emergency alerts.”[27] Pursuant to this authority, the Commission has adopted requirements to prescribe WEA capabilities, WEA testing, and WEA election procedures.[28] While participation by wireless providers is voluntary, those that offer the service must adhere to the technical and operational requirements established by the Commission.

[14] Peninsula Daily News, False Emergency Alerts Sent to Jefferson County Cable Users, https://www.peninsuladailynews.com/news/false-emergency-alerts-sent-to-jefferson-county-cable-users/ (last visited Aug. 10, 2022); KOMO News, Viewers Sent Apparent Hacked Emergency Broadcast Message in Jefferson County, https://komonews.com/news/local/viewers-sent-apparent-hacked-emergency-broadcast-message-in-jefferson-county (last visited Aug. 10, 2022).
[15] See E-mail from Lisa M. Fowlkes, Chief, PSHSB, FCC to EAS Participants (April 24, 2020 2:03 am EDT).
[16] Id.
[17] See FEMA, IPAWS Advisory: Emergency Alert System Vulnerability (Aug. 1, 2022), https://content.govdelivery.com/accounts/USDHSFEMA/bulletins/3263326.
[18] Public Safety and Homeland Security Bureau Urges Emergency Alert System (EAS) Participants to Take Immediate Steps to Secure EAS Equipment, PS Docket No. 15-94, Public Notice, DA 22-828 (PSHSB Aug. 5, 2022).
[19] 2016 Notice.
[20] CSRIC IV, Emergency Alert System, EAS Security Subcommittee, Initial Report (2014), http://transition.fcc.gov/pshs/advisory/csric4/CSRIC_IV_WG-3_Initial-Report_061814.pdf (CSRIC IV Initial EAS Security Report). See also CSRIC IV, Emergency Alert System, EAS Security Subcommittee, Final Report, (2015), https://transition.fcc.gov/pshs/advisory/csric4/CSRIC_IV_WG3-EAS_SECURITY_FINAL_011316.pdf (CSRIC IV Final EAS Security Report).
[21] 2016 Notice, 31 FCC Rcd at 596-97, para. 4.
[22] Id.
[23] Amendment of Part 11 of the Commission’s Rules Regarding the Emergency Alert System, Wireless Emergency Alerts, PS Docket Nos. 15-94 and 15-91, Report and Order and Further Notice of Proposed Rulemaking, 33 FCC Rcd 7086, 7094-95, paras. 17-18 (2018) (2018 Order) (requiring that EAS Participants notify the FCC within 24 hours of their discovery that it has transmitted or otherwise sent a false alert to the public).
[24] Id. at 7095-96, paras. 19-22 (requiring that EAS Participants configure their systems to reject all CAP-formatted EAS messages that contain an invalid digital signature, but declining to adopt authentication requirements for EAS Protocol-formatted EAS messages).
[25] Id. at 7097-99, paras. 23-29.
[26] Id. at 7087, n.1 (deferring on consideration of issues not described in the 2018 Order).
[27] Warning, Alert and Response Network (WARN) Act, Pub. L. No. 109-347, title VI, 120 Stat. 1936, § 602(a) (2006) (WARN Act) (codified at 47 U.S.C. § 1201(a)); see also 47 U.S.C. § 1201(b)(2)(d) (instructing the Commission to establish a procedure for mobile service providers to withdraw their election to participate in WEA without penalty or forfeiture).
[28] See, e.g., The Commercial Mobile Alert System, PS Docket No. 07-287, First Report and Order, 23 FCC Rcd 6144 (2008); The Commercial Mobile Alert System, PS Docket No. 07-287, Second Report and Order and Further Notice of Proposed Rulemaking, 23 FCC Rcd 10765 (2008); The Commercial Mobile Alert System, PS Docket 07-287, Third Report and Order, 23 FCC Rcd 12561 (2008) revised by Erratum (Sep. 5, 2008).
[29] The term “alert originator” refers to a federal, state, territorial, tribal, or local entity authorized by FEMA to use the Integrated Public Alert and Warning System (IPAWS) to issue critical public alerts and warnings in emergency situations. See FEMA, Alerting Authorities, https://www.fema.gov/alerting-authorities (last visited Oct. 26, 2017). For the purposes of this proceeding, the term “alert originator” is coextensive with the terms “emergency manager” and “emergency management agency” unless otherwise specified.
[30] See 47 CFR § 10.10(a) (defining an “Alert Message” as “a message that is intended to provide the recipient information regarding an emergency, and that meets the requirements for transmission by a Participating Commercial Mobile Service Provider under this part”).
[31] CAP is an open, interoperable, XML-based standard that can include multimedia such as streaming audio or video. See OASIS CAP v1.2 (IPAWS Profile for the OASIS Common Alerting Protocol IPAWS USA). CAP messages contain standardized fields that facilitate interoperability between and among devices. See id.
[32] The WEA system, as it is deployed currently, is based on standards created by the Alliance for Telecommunications Industry Solutions (ATIS), the Telecommunications Industry Association (TIA) (jointly, ATIS/TIA), and the 3rd Generation Partnership Project (3GPP). See CSRIC IV WEA Messaging Report at 7.

7. WEA works as follows: an alert originator[29] uses FEMA-approved alert origination software to send a WEA Alert Message[30] in the Common Alerting Protocol (CAP) to IPAWS.[31] There, the alert is authenticated, validated, and delivered to FEMA’s Alert Gateway for dissemination to Participating CMS Providers’ Alert Gateways.[32] Currently, FEMA only transmits to Participating CMS Providers information about the Alert Message that is necessary for mobile devices to present Alert Messages to subscribers (e.g., message content, geographic target area coordinates if applicable, and a unique message identifier).
FEMA removes all other metadata from the Alert Message (e.g., the time at which the Alert Message was initiated by the alert originator).[33] Participating CMS Providers are required to log all of the Alert Message data that they receive at their Alert Gateways, including the time of receipt, maintain those logs for at least 12 months, and make them available upon request to the Commission, FEMA, and emergency management agencies that offer sufficient confidentiality protection.[34] While the Commission’s WEA rules are technologically neutral, most Participating CMS Providers currently use one-way cell broadcast technology to transmit WEA Alert Messages to their subscribers.[35] When the Alert Message is received by a WEA-capable mobile device, it is prominently presented to the subscriber as long as the subscriber has not opted out of receiving Alert Messages of that type.[36] The Commission requires WEA-capable mobile devices to preserve Alert Messages in a consumer-accessible format and location for at least 24 hours or until deleted by the subscriber, but does not specifically require WEA-capable mobile devices to log information about Alert Messages that they receive.[37]

8. As with the EAS, without sufficient security measures in place, the WEA system is vulnerable to interference by actors with malicious intent. The CSRIC V reviewed WEA Security issues in 2016 and identified several potential security risks in the WEA network.[38] Potential risks identified by CSRIC include, among others, the blocking of valid WEA messages to the public, changing the content of a valid WEA message, injecting false WEA alerts into operator equipment, and sending false alerts from false base stations—all of which pose a serious threat to public safety. Following the first nationwide test of WEA in 2018, concerns have been raised about circumstances under which malicious actors could block alerts from reaching the public or send false WEA alerts to the public.
For example, researchers at the University of Colorado, Boulder published a paper in 2019 that described a hypothetical attack that could allow an adversary to send a false WEA message nationwide that could reach 90 percent of the public in the broadcast range of an unauthorized (“false”) base station.[39] In 2021, the National Telecommunications Commission of the Philippines ordered an investigation into an incident in which consumer devices in a localized area displayed an emergency alert that included a political advertisement, which may have been transmitted by an unauthorized base station.[40] In July 2022, researchers at New York University Abu Dhabi released a paper that demonstrated five attacks that could affect Commercial Mobile Alerting Systems on 5G networks.[41] We acknowledge that the 3GPP SA3 (Security) working group has published a study on 5G security enhancements against false base stations,[42] which identifies key issues and multiple candidate solutions.[43] The report, however, acknowledges these solutions as only “potentially enhanc[ing] 5G system’s resistance to false base stations.”[44]

[33] Target area coordinates are only transmitted to mobile devices for Alert Messages with a target area specified by a circle or polygon, not a code describing an entire state or county.
[34] See 47 CFR 10.320(g) (requiring Participating CMS Providers to provide this information to emergency management agencies only insofar as those logs pertain to alerts initiated by that emergency management agency).
[35] See CTIA, Letter from Scott Bergmann, Senior Vice President, Regulatory Affairs, to Marlene Dortch, Secretary, Federal Communications Commission, PS Docket Nos. 15-91, 15-94, at 4 (Apr. 13, 2022) (CTIA Ex Parte) (recommending that the draft WEA FNPRM add a detailed discussion of the cell broadcast architecture of the current WEA system); see also CSRIC V, Working Group Two, Wireless Emergency Alerts – Recommendations to Improve Geo-targeting and Offer Many-to-One Capabilities, Final Report and Recommendations at 8 (2016); but see Letter from Rebecca Murphy Thompson, EVP and General Counsel, Competitive Carriers Association, to Marlene Dortch, Secretary, Federal Communications Commission, PS Docket No. 15-91, at 2 (Oct. 6, 2017) (stating that some carriers offer WEA using a software application, rather than cell broadcast).
[36] See ATIS, Enhanced Wireless Emergency Alert (eWEA) Mobile Device Behavior (MDB) Specification (A Revised Version of J-STD-100) at 18-19 (2018); ATIS, Joint ATIS/TIA CMAS Mobile Device Behavior Specification (ATIS-TIA-J-STD-100) (2009). Subscribers’ right to opt out of WEA Alert Message receipt extends to all but the Presidential Alert. See 47 CFR § 10.280. We note that nothing in the WARN Act or the Commission’s rules requires WEA to be a cell broadcast-based service.
[37] See 47 CFR 10.500(h).
[38] Communications Security, Reliability and Interoperability Council, Emergency Alerting Platforms WEA Security Sub-Working Group Final Report – WEA Security (March 2016), https://transition.fcc.gov/bureaus/pshs/advisory/csric5/WG2_WEA-Sec-Sub_FinalReport_0316.docx (CSRIC WEA Security Report).

III. DISCUSSION

A. Promoting the Operational Readiness of EAS Equipment

9. We observe that, according to the Bureau’s last nationwide EAS test report, an appreciable number of EAS Participants were unable to participate in testing due to equipment failure – despite advance notice that such test was to take place – suggesting that equipment failures are not addressed by EAS Participants as swiftly as reasonably possible and that more needs to be done to improve EAS operational readiness.[45] Today, EAS Participants may continue operations for a period of 60 days despite having defective equipment that precludes their participation in EAS.[46] We seek comment on whether this approach is effective at ensuring the operational readiness of EAS.
How frequently does EAS equipment encounter defects that prevent it from receiving or retransmitting alerts? What are the most common types of defects that are experienced? What steps are necessary to repair these defects, and how long do they typically take to repair? Do EAS Participants take prompt steps to repair their EAS equipment, or do they typically take several days or weeks before seeking repairs? Do other EAS stakeholders, such as alert originators, have concerns about equipment failures preventing the transmission of emergency alerts to the public? We encourage commenters to highlight any specific incidences in which an EAS equipment defect prevented members of the public from being alerted to an emergency.

10. We seek comment on how to better promote the operational readiness of EAS equipment. For example, instead of requiring repairs within 60 days, would it serve the public interest to require EAS Participants to conduct repairs promptly and with reasonable diligence? Are all EAS Participants already doing so? If so, what are the reasons why some EAS Participants are not able to conduct repairs promptly and diligently? What factors should we consider when determining whether repairs are made promptly and with reasonable diligence? What barriers prevent equipment from being repaired promptly and what steps can we take to remove those barriers?

[39] Gyuhong Lee, et al., This is Your President Speaking: Spoofing Alerts in 4G-LTE Networks (2019), https://dl.acm.org/doi/pdf/10.1145/3307334.3326082 (using for their research experiment a COTS eNodeB with 0.1 Watt transmission power to send a false alert to Samsung Galaxy S8 and Motorola G6 handsets within a 70 to 120 meter range).
[40] See Zacarian Sarao, NTC orders probe into Bongbong Marcos’ emergency alert stunt (Oct. 6, 2021), https://newsinfo.inquirer.net/1498110/ntc-orders-probe-on-bongbong-marcos-emergency-alert-stunt; Aika Rey, Telcos deny Bongbong Marcos text ad; NTC points to portable cell sites (Oct. 6, 2021), https://www.rappler.com/nation/elections/telcos-ntc-statements-bongbong-marcos-text-ad-coc-filing-october-6-2021/.
[41] Evangelos Bitsikas and Christina Pöpper, You have been warned: Abusing 5G’s Warning and Emergency Systems (2022), https://arxiv.org/pdf/2207.02506.pdf.
[42] See 3GPP TR 33.809 v0.18.0 (2022-2), Study on 5G Security Enhancement against False Base Stations (FBS) (release 18).
[43] We note that this study does not require the implementation of any solutions, nor provide specifications for how solutions should be implemented.
[44] Id. at 14.
[45] FCC, Report: August 11, 2021 Nationwide EAS Test at 14, 16 and 19 (2021), https://docs.fcc.gov/public/attachments/DOC-378861A1.pdf (describing that, out of 19,174 test participants in an August 11, 2021 nationwide test of EAS conducted by FEMA in coordination with the Commission, 389 test participants reported equipment performance issues on receipt and 565 on retransmission, with these participants generally reporting that equipment was out for repair, failed during the test, was missing, or malfunctioned).
[46] Under Section 11.35(b) of the Commission’s rules, an EAS Participant may continue its operations for 60 days without seeking further FCC authority if it is unable to transmit EAS messages because of a defective EAS Encoder, EAS Decoder, or Intermediary Device used as part of the EAS, pending the Participant’s repair or replacement of the device. See 47 CFR § 11.35(b). The EAS Participant must record the occurrence of the defect in the broadcast station log, cable system records, and records of other EAS Participants showing the date and time the equipment was removed and restored to service. Id.

11.
Would it improve EAS operational readiness and public safety in general to increase the situational awareness of the Commission, alert originators, and others about the occurrence of equipment defects that might prevent alerts from reaching the public? For example, would such an approach allow us to better enforce our operational readiness rules and identify persistent technical problems, and make contingency plans for alert delivery? If so, should we adopt an EAS equipment defect notification requirement? For example, should we require EAS Participants to report EAS equipment defects and submit a follow-up notification when the equipment is repaired? Within what timeframe should they perform that notification to ensure that stakeholders are aware of possible impacts on EAS (e.g., 24 hours)? What content should the notification contain? For example, should notifications include the same information that is already included in requests for additional repair time that are required to be sent to the Regional Director of the FCC field office for the area that the EAS Participant serves?47 We seek comment on how, if at all, the Commission should share information to promote situational awareness among relevant stakeholders, such as alert originators and State Emergency Communications Committees. We also seek comment on whether to treat this information as confidential and, if so, how to protect it. Are there other steps that we should take to better ensure that EAS is ready and available when it is needed?

12. We seek comment on any measures that the Commission could take to reduce burdens on EAS Participants if it were to take further steps to promote the operational readiness of EAS equipment. Should we remove the requirement under Section 11.35(b) that EAS Participants make entries in their own broadcast station log and cable system records showing the date and time the equipment was removed and restored to service?
Would the elimination of the “60 day” rule in favor of a prompt repair rule reduce certain burdens on EAS Participants? We seek comments on the costs of any approaches to improving EAS operational readiness that commenters propose that we consider. In doing so, commenters should offer specific cost estimates where possible. For example, we seek comment on whether it would be reasonable to estimate that EAS Participants would transmit a maximum of 2,000 EAS equipment defect notifications annually under the approach discussed above, as 565 EAS Participants reported their equipment was defective during the 2021 Nationwide EAS Test?48 Would it be reasonable to estimate that 2,000 annual notifications would require one hour of labor each from a General and Operations Manager who is compensated at $82 per hour, resulting in an overall cost of $164,000?49 We seek similarly detailed analysis on potential alternatives to improve EAS operational readiness.

47 Cf. 47 CFR § 11.35(c) (“This request must explain what steps have been taken to repair or replace the defective equipment, the alternative procedures being used while the defective equipment is out of service, and when the defective equipment will be repaired or replaced.”).
48 FCC, Report: August 11, 2021 Nationwide EAS Test at 16, 19 (2021), https://docs.fcc.gov/public/attachments/DOC-378861A1.pdf.

B. Improving Awareness of Unauthorized Access to EAS Equipment

13. Section 11.45(b) of the Commission’s rules requires that an EAS Participant notify the Commission by e-mail within 24 hours of its discovery that it has transmitted or otherwise sent a false alert to the public, the notification including details concerning the event.50 We believe that it would be in the public interest to strengthen this rule in view of the increasing threats that cyber attacks pose to EAS networks and equipment.
Accordingly, we propose to revise this rule to further require that an EAS Participant report any incident of unauthorized access of its EAS equipment (i.e., regardless of whether that compromise has resulted in the transmission of a false alert),51 to the Commission via NORS within 72 hours of when it knew or should have known that an incident has occurred and provide details concerning the incident.52 We seek comment on this proposal.

14. We observe that protecting EAS equipment alone is unlikely to be sufficient to protect the EAS from a cyber attack. Even without directly accessing an EAS Participant’s EAS equipment, a bad actor could send a false alert or prevent a legitimate alert with lifesaving information from reaching the public by gaining unauthorized access to EAS Participants’ communications systems and services. For this reason, we also propose to require that an EAS Participant report any incident of unauthorized access to any aspects of an EAS Participant’s communications systems and services that potentially could affect their provision of EAS. This would include infrastructure that serves to prevent unauthorized access to EAS equipment, including firewalls and Virtual Private Networks. We seek comment on this proposal and on any suitable alternatives.

15. We believe the proposed rule is justified in light of the instances of false EAS alerts in recent years, caused by compromised EAS equipment being used to transmit a false message.53 As recounted above, we are aware of several situations in the past decade in which bad actors were either capable of obtaining, or actually obtained unauthorized access to EAS equipment.54 We seek comment on these views. Are there any other past or present security incidents involving EAS about which the Commission should be aware?
Does unauthorized access to EAS equipment provide bad actors with the ability to disrupt EAS Participants’ regularly scheduled programming, which has the potential to inflict financial harm in relation to their advertisers and reputational harm with their audiences? Are there any other kinds of harms resulting from unauthorized access to EAS equipment that the Commission should consider?

49 The Bureau of Labor Statistics reports that the most recent hourly wage for General and Operations Managers is $55, which increases to $82 when increased by 50% to also include benefits. See https://www.bls.gov/oes/current/oes111021.htm (accessed on 8/17/22). BLS data shows that the hourly wage must be increased by approximately 50% to include employee benefits. See Employer Costs for Employee Compensation - March 2022 at https://www.bls.gov/news.release/pdf/ecec.pdf.
50 47 CFR § 11.45(b).
51 See 47 CFR § 11.32 (EAS Encoder); 47 CFR § 11.33 (EAS Decoder).
52 Cf. 6 U.S.C. § 681b(a)(1)(A) (requiring covered entity experiencing covered cyber incident to report the incident to CISA not later than 72 hours after the covered entity reasonably believes that the incident has occurred, as enacted in the Cyber Incident Reporting for Critical Infrastructure Act of 2022).
53 See, e.g., 2016 Notice at 638, para. 98.
54 Supra at para. 4.

16. We believe significant public safety benefits would accrue if EAS Participants were required to provide the Commission with notification that their EAS equipment, communications systems, or services have been accessed without authorization, even in the absence of a subsequent transmission of a false alert. This view is based on our observation that, after a system is compromised, many attackers will position themselves to attack connected systems in several different ways.
For example, we have observed that it is characteristic of some cyber attacks that an attacker will start by compromising one device and then, prior to launching a specific attack, spend time and effort to identify and compromise other devices in the network, potentially using the initially compromised device as an access point to other devices.55 The Commission could use the proposed notifications to work with providers and other government agencies to resolve an equipment compromise before the compromise is actually exploited to cause false EAS transmissions in at least some instances. We further believe that the Commission could leverage information on the frequency and nature of equipment compromise to better understand the prevalence and trends associated with such attacks across the nation. The Commission and its government partners would thus be better apprised of the risks posed to EAS and in a position to use this information to inform further measures that might be necessary to secure EAS.

17. We seek comment on these views, including detailed information as to the associated costs and benefits of the proposed approach. For example, what would be a reasonable estimate of the financial harm that such a cyber attack would inflict upon an EAS Participant, and how should such estimates be calculated? We believe the cost of reporting an unauthorized access incident would tend to be similar to the cost of reporting a false alert, which the Commission has estimated to have a total cost of $11,600 per year across all EAS Participants.56 We seek comment on that estimate. Are EAS Participants already conducting investigations and gathering information about suspected incidents of unauthorized access to EAS equipment, communications systems, and services? Are there less costly alternatives to an unauthorized access reporting requirement that would achieve similar or greater benefits?
We believe that the marginal costs of an unauthorized access reporting requirement are likely to be low, as the requirement parallels the requirements of an upcoming CISA rulemaking. Specifically, CISA is required by the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) to adopt rules requiring critical infrastructure sector entities to report cyber incidents,57 but allows the requirement to be satisfied by reporting substantially similar information to another federal agency in a similar timeframe.58 We seek comment on that belief.

18. We propose to define “unauthorized access” to EAS equipment, communications systems, and services for the purposes of today’s proposal to refer to any incident involving either remote or local access to EAS equipment, communications systems, or services by an individual or other entity that either does not have permission to access the equipment or exceeds their authorized access. We seek comment on this definition. For example, does this proposed definition mirror the methods that have been, and are likely to be, used by cyber-attackers to infiltrate EAS? We seek comment on whether it is appropriate to require that EAS Participants provide notification to the Commission within 72 hours of when they knew or should have known that an incident has occurred. Is this time frame appropriate or would it, for example, put undue pressure on EAS Participants at a critical time when they may be attempting to fully diagnose and resolve the compromise to their systems? On the other hand, is this time frame too slow to provide the Commission and government partners with timely notice of an incident?
For example, consistent with the NORS reporting deadlines for interconnected VoIP outages,59 should the Commission be notified within 24 hours of a reasonable belief that an incident has occurred? In the alternative, should we require EAS Participants to provide notification to the Commission within 72 hours of “its reasonable belief that an incident has occurred,” consistent with the approach to cyber incident reporting outlined by CIRCIA?60 Or, would this approach create disincentives for a provider to monitor the security of its own network? Would any alternative approach be more effective? Similar to what is contemplated by CIRCIA,61 should EAS Participants be required to submit updates to the Commission if substantial new or different information becomes available, until the date that the Commission is notified that the incident has concluded and been fully mitigated and resolved? Is the overall approach we propose today consistent with the incident reporting requirements of other federal and state government agencies, and if not, how should our proposal be harmonized to be more consistent with those requirements?

55 See Mandiant, M-Trends 2022 at 12 (2022), available at https://www.mandiant.com/m-trends (showing the median time attackers spent in compromised networks prior to detection was 17 days for the Americas); Oracle, Anatomy of a Cyber Attack at 5-6 (2017), https://www.oracle.com/us/technologies/linux/anatomy-of-cyber-attacks-wp-4124673.pdf (showing activities hackers take during the penetration and exfiltration stages of an attack to control additional network assets).
56 2018 Order at 7102, para. 38 (estimating the cost of reporting false alerts to be $11,600 per year based on an average of 290 EAS participants filing two false alerts per year).
57 See 6 U.S.C. § 681b(c).
58 See 6 U.S.C. § 681b(a)(5)(B).

19.
We seek comment on the kinds of information that should be included in reports of unauthorized access. We propose that reports include, to the extent it is applicable and available at the time of reporting, the date range of the incident, a description of the unauthorized access, the impact to the EAS Participant’s EAS operational readiness, a description of the vulnerabilities exploited and the techniques used to access the device, identifying information for each actor responsible for the incident, and contact information for the EAS Participant. We believe this information is necessary to understand the unauthorized access incident, resolve it before the compromise is actually exploited to send a false alert, and harmonize our requirements with those of other federal agencies.62 We seek comment on the proposed content of these reports and whether it should be modified. We propose that the contents of these reports be treated as presumptively confidential and only shared on a confidential basis with other Federal agencies and state government agencies that agree to protect them to the same extent and in the same manner as the Commission would and, to the extent that the policies or regulations of those agencies are stricter, to the same extent and in the same manner as they would if they had collected the information themselves.63 We also propose to allow disclosure by the Commission, or by parties with whom the Commission has shared the notifications, of anonymized information about breaches that might be useful for industry, security researchers, policymakers, and the general public.64 We seek comment on this approach to cyber incident information sharing.

20. We seek comment on how these reports should be submitted to the Commission. Should they be submitted to the FCC Operation Center by e-mail, in similar fashion to the false alert reports that EAS Participants are already required to file with the Commission?
Should these reports be submitted in NORS to better capture the required contents in clearly defined fields and more easily facilitate sharing with federal partners? Or should we develop a new electronic database to collect the content of the reports? Are there other approaches we should consider? What are the costs and benefits associated with each approach?

59 47 CFR § 4.9(g)(1)(i).
60 See 6 U.S.C. § 681b(a)(1)(A).
61 See 6 U.S.C. § 681b(a)(3).
62 See 6 U.S.C. § 681b(c)(4) (outlining specific contents of cyber incident reports required by CIRCIA rulemaking).
63 See 44 U.S.C. § 3510 (directing federal agencies to share information with other federal agencies subject to confidentiality protections).
64 The Commission would make every effort to ensure that the security issue had been resolved before disclosing information about the breach that could promote the perpetration of similar attacks. Further, consistent with the Commission’s rules, we could disclose the identity of breached EAS Participants when it would serve the public interest. This disclosure would be limited to the identity of the EAS Participant and would not include the disclosure of any reports related to the unauthorized access.

21. We seek comment on whether Participating CMS Providers should also be required to report incidents of unauthorized access to their WEA systems or services. Similar to EAS, we believe that such a requirement would allow the Commission and its government partners to better identify and evaluate risks posed to EAS and inform further measures that might be necessary to secure WEA. Should reports be required in the same timeframe and with the same content as proposed for EAS? Are there any differences between EAS and WEA that would warrant differing unauthorized access reporting requirements for WEA? If so, what are those differences and how should the requirements be modified to reflect them?

C.
Protecting the Nation’s Alerting Systems through the Development, Implementation, and Certification of a Cybersecurity Risk Management Plan

1. EAS Security

22. As discussed above, the EAS has faced cybersecurity risks for more than a decade, with PSHSB regularly advising EAS Participants to follow cybersecurity best practices and take other steps to improve their cybersecurity posture. Despite these admonitions, however, we have not observed meaningful security improvements. For example, PSHSB has frequently advised EAS Participants to update their EAS software to ensure that they have installed the most recent security patches, including one such round of outreach in 2020 after the discovery that certain EAS equipment was potentially vulnerable to IP-based attacks.65 However, in filings related to the Nationwide EAS Test in August 2021, the Bureau observed that more than 5,000 EAS Participants were using outdated software or using equipment that no longer supported regular software updates. In light of these failures, we believe the Commission should take action to ensure the security of EAS.

23. We propose to require EAS Participants to submit an annual certification attesting that they have created, updated, and implemented a cybersecurity risk management plan.66 The cybersecurity risk management plan would describe how the EAS Participant employs their organizational resources and processes to ensure the confidentiality, integrity, and availability of the EAS. The plan must discuss how the EAS Participant identifies the cyber risks that they face,67 the controls they use to mitigate those risks, and how they ensure that these controls are applied effectively to their operations.68 We believe that this certification requirement would improve the overall security of EAS by ensuring that EAS Participants are regularly taking steps to address security threats as part of their organization’s day-to-day strategic and operational planning. We also believe the creation and implementation of cybersecurity risk management plans would help to ensure EAS operational readiness and eliminate false alerts, which divert public safety and other government resources from other important activities, impose costs on EAS Participants that have to deal with many of the consequences and, ultimately, desensitize the public to legitimate alerts. We seek comment on this proposal. Do stakeholders agree this proposal would improve the security of the EAS? Are there other benefits that may accrue from the creation and implementation of cybersecurity risk management plans by EAS Participants? Is an annual certification the right frequency with which to file certifications, or are there circumstances where more (or less) frequent filings might be necessary?

65 See E-mail from Lisa M. Fowlkes, Chief, PSHSB, FCC to EAS Participants (April 24, 2020 2:03 am EDT).
66 We note that other agencies are likewise either requiring or proposing to require their regulated entities to take cybersecurity measures to protect their systems. For example, the Commodity Futures Trading Commission (CFTC) requires registrants to establish and maintain information security controls as part of their mandatory system safeguards and to implement five types of security testing through ongoing risk assessments and board oversight: (1) vulnerability testing; (2) penetration testing; (3) controls testing; (4) security incident response plan testing; and (5) enterprise technology risk assessment. See generally, CFTC, Fact Sheet - Final Rules on System Safeguards Testing Requirements (Sept. 8, 2016), http://www.cftc.gov/idc/groups/public/@newsroom/documents/file/syssafeguard_factsheet090816.pdf. The Securities and Exchange Commission (SEC) has proposed periodic cybersecurity reporting requirements that include disclosing a registrant’s policies and procedures to identify and manage cybersecurity risks. See SEC, Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure (Mar. 9, 2022), https://www.sec.gov/rules/proposed/2022/33-11038.pdf.
67 Sources of threat intelligence that may be helpful to EAS Participants’ identification of threats include the Communications Information Sharing and Analysis Center (ISAC), CISA Known Exploited Vulnerabilities, and PSHSB Public Notices. See, e.g., ISAO Standards Organization, Communications ISAC, https://www.isao.org/information-sharing-group/sector/communications-isac/ (last visited Aug. 14, 2022); CISA, Reducing the Significant Risk of Known Exploited Vulnerabilities, https://www.cisa.gov/known-exploited-vulnerabilities (last visited Aug. 14, 2022); Public Safety and Homeland Security Bureau Urges Emergency Alert System (EAS) Participants to Take Immediate Steps to Secure EAS Equipment, PS Docket No. 15-94, Public Notice, DA 22-828 (PSHSB Aug. 5, 2022).

24. We propose to afford each EAS Participant flexibility to structure its plan in a manner that is tailored to its organization, provided that the plan demonstrate that the EAS Participant is taking affirmative steps to analyze security risks and improve its security posture.
While we believe there are many ways for EAS Participants to satisfy this requirement, we propose that EAS Participants can successfully demonstrate that they have satisfied this requirement by structuring their plans to follow an established risk management framework, such as the National Institute of Standards and Technology (NIST) Risk Management Framework69 or the NIST Cybersecurity Framework.70 We believe this flexible approach would allow EAS Participants to develop a plan that is appropriate for their organization’s size and available resources, while still ensuring that the plan results in ongoing and material improvements in EAS security.71 We also anticipate that this requirement would reduce the costs imposed on smaller EAS Participants, which may have different cybersecurity needs than larger EAS Participants. We seek comment on this proposal. Alternatively, should we require EAS Participants to structure their plans to follow the NIST Risk Management Framework or the NIST Cybersecurity Framework?

68 Similarly, the Department of Health and Human Services (HHS) requires entities to conduct a risk analysis to determine the threats or hazards to the security of electronically stored, protected health information, and requires them to implement security policies and procedures. See 45 CFR § 164.308. The Department of Defense (DoD) requires all entities within the defense supply chain to have a multi-level process to verify that DoD cybersecurity requirements have been implemented. See 48 CFR §§ 252.204-7012, 252.204-7021. The Securities and Exchange Commission (SEC) has proposed periodic cybersecurity reporting requirements that include disclosing a registrant’s policies and procedures to identify and manage cybersecurity risks. See, SEC, Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure (Mar. 9, 2022), https://www.sec.gov/rules/proposed/2022/33-11038.pdf.
69 See NIST Computer Security Resource Center, About the NIST Risk Management Framework (July 14, 2022), https://csrc.nist.gov/projects/risk-management/about-rmf (providing a system development process that prepares an organization to manage security and privacy risks by categorizing the system and information processed, stored and transmitted by the system, selecting and implementing controls to protect the system, and continuously assessing the system to determine if the controls are providing the desired results).
70 See NIST Computer Security Resource Center, Getting Started with the NIST Cybersecurity Framework: A Quick Start Guide (April 19, 2022), https://csrc.nist.gov/Projects/cybersecurity-framework/nist-cybersecurity-framework-a-quick-start-guide (providing a system development process that prepares an organization to identify, protect against, detect, respond to, and recover from cyber threats); see also CSRIC IV, Cybersecurity Risk Management and Best Practices, Final Report (2015), https://transition.fcc.gov/pshs/advisory/csric4/CSRIC_IV_WG4_Final_Report_031815.pdf (offering guidance to the communications sector on implementing the NIST Cybersecurity Framework).
71 Similarly, SEC and HHS have taken a flexible approach to security measures that their respective regulatees must implement. See, SEC, Cybersecurity and Resiliency Observations (Jan. 27, 2020), https://www.sec.gov/files/OCIE%20Cybersecurity%20and%20Resiliency%20Observations.pdf; Summary of the HIPAA Security Rule, https://www.hhs.gov/hipaa/for-professionals/security/laws-regulations/index.html (last visited Aug. 16, 2022).
If so, should we require EAS Participants to follow the current version of each framework (i.e., Risk Management Framework for Information Systems and Organizations, NIST Special Publication 800-37, Revision 2; NIST Cybersecurity Framework V1.1)?72 If we take this approach, we anticipate that NIST may one day release updated versions of these frameworks, and we would then expect to seek notice and comment on whether we should require EAS Participants to follow the updated versions. We seek comment on this approach.

25. We propose that each cybersecurity risk management framework include security controls sufficient to ensure the confidentiality, integrity, and availability (CIA) of the EAS.73 We expect that reasonable security measures will include measures that are commonly the subject of best practices. While we believe there are potentially many ways for EAS Participants to satisfy this aspect of the requirement, we propose that EAS Participants will have satisfied it if they demonstrate they have successfully implemented an established set of cybersecurity best practices, such as applicable CIS Critical Security Controls74 or the CISA Cybersecurity Baseline.75 To ensure that every EAS Participant implements a baseline of security controls, however, we propose to require that each plan include security measures that address changing default passwords prior to operation,76 installing security updates in a timely manner,77 securing equipment behind properly configured firewalls or using other segmentation practices,78 requiring multifactor authentication where applicable,79 addressing the replacement of end-of-life equipment, and wiping, clearing, or encrypting user information before disposing of old devices.80 We expect that compliant cybersecurity risk management plans will not be limited to only these specific measures, as plans will vary based on individual providers’ needs and circumstances and will need regular updates to keep up with an evolving threat environment. We seek comment on these proposed rules. Are there other specific security measures that we should require EAS Participants to implement? For example, should we require EAS Participants to conduct network security audits or vulnerability assessments to identify potential security vulnerabilities? If so, how often should they be conducted? Should we require EAS Participants to report to the Commission when their network audits, network vulnerability assessments, or penetration testing reports reveal critical vulnerabilities? If so, how should we define a “critical vulnerability” for this purpose?

72 NIST, Risk Management Framework for Information Systems and Organizations, NIST Special Publication 800-37, Revision 2 (2018), https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-37r2.pdf; NIST, Framework for Improving Critical Infrastructure Cybersecurity, Version 1.1 (2018), https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf.
73 “Confidentiality” in this context refers to assurance that information is not disclosed to unauthorized persons, processes, or devices. See ATIS, ATIS Telecom Glossary: Confidentiality, https://glossary.atis.org/glossary/confidentiality (last visited Aug 9, 2022). “Integrity” refers to preventing unauthorized creation, amendment or deletion of information. See ATIS, ATIS Telecom Glossary: Integrity, https://glossary.atis.org/glossary/integrity (last visited Aug 9, 2022). Finally, “availability” refers to whether a network provides timely, reliable access to data and information services for authorized users. See ATIS, ATIS Telecom Glossary: Availability, https://glossary.atis.org/glossary/availability (last visited Aug 9, 2022). Combined, these principles are generally referred to by cybersecurity experts as the “CIA triad.” See NIST Special Publication 1800-25A, Data Integrity: Identifying and Protecting Assets Against Ransomware and Other Destructive Events (Dec. 2020), Executive Summary, https://www.nccoe.nist.gov/publication/1800-25/VolA/index.html.
74 See Center for Internet Security, Critical Security Controls version 8, https://www.cisecurity.org/controls (last visited Aug 9, 2022) (CIS Critical Security Controls or CIS) (providing security controls grouped by priority and feasibility for different sizes and resources of businesses in Implementation Groups).
75 Cybersecurity & Infrastructure Security Agency, Cross-Sector Cybersecurity Performance Goals and Objectives, https://www.cisa.gov/cpgs (last visited Aug. 5, 2020); Cybersecurity & Infrastructure Security Agency, Cross-Sector Cybersecurity Performance Goals (CPGs) Common Baseline: Controls List (Draft), https://www.cisa.gov/sites/default/files/publications/Common_Baseline_v2_Controls_List_508c.pdf (last visited Aug. 5, 2020) (CISA Baseline). See also White House, National Security Memorandum on Improving Cybersecurity for Critical Infrastructure Control Systems (July 28, 2021), https://www.whitehouse.gov/briefing-room/statements-releases/2021/07/28/national-security-memorandum-on-improving-cybersecurity-for-critical-infrastructure-control-systems/ (directing the Secretary of Homeland Security to “develop and issue cybersecurity performance goals for critical infrastructure to further a common understanding of the baseline security practices that critical infrastructure owners and operators should follow to protect national and economic security, as well as public health and safety”).
76 See, e.g., CISA Baseline 1.2 and CIS 5.2.
77 See, e.g., CISA Baseline 6.3 and CIS 2.2.
Should we require EAS Participants to implement Incident Response Plans that describe the procedures that EAS Participants would follow when responding to an ongoing cybersecurity incident? Should we require EAS Participants to conduct cybersecurity training for their employees or contractors and if so, what should the contents of that training be? What kinds of security measures have EAS Participants already implemented to protect the EAS, and how effective are they at mitigating cybersecurity risks? Should we require EAS Participants to keep records that demonstrate how they have implemented each of the baseline security controls? If so, what specific types of information should the records include and for how long should they be kept? Have EAS Participants identified unsuccessful attempts to access their systems, and if so, what specific security measures best thwarted those attempts?

26. Does this approach strike the appropriate balance between improving EAS security, complementing EAS Participants’ existing cybersecurity activities, and reducing burdens on small EAS Participants? If not, how should this requirement be modified to achieve that balance? We seek comment on whether this approach grants too much flexibility and will not result in improvements to EAS security. We also seek comment on alternative approaches that would be effective at improving EAS security. For example, should we require EAS Participants to address a specified list of cybersecurity subject matters in their risk management plans? Instead of requiring the use of a risk management plan, should we require EAS Participants to take specific steps to secure their EAS equipment? If so, could such a requirement be drafted in a way to encourage EAS Participants to continually examine and improve their cybersecurity posture, rather than merely check items off a list? Is our proposed certification requirement too burdensome on small EAS Participants?
If so, what would be a more cost-effective way to promote EAS security for small EAS Participants?

27. We observe that protecting EAS equipment alone is unlikely to be sufficient to protect the EAS from a cyber attack. In addition to the risk of a bad actor sending a false alert, a bad actor could attack other elements of an EAS Participant’s systems or service as a way to prevent a legitimate alert with lifesaving information from reaching the public. For this reason, we propose to require that the cybersecurity risk management plan address not only the security of EAS equipment, but also the security of all aspects of an EAS Participant’s communications systems and services that potentially could affect their provision of EAS. We seek comment on this requirement. Are there alternative requirements that we should consider to ensure that bad actors cannot prevent the transmission of legitimate alerts (or engage in the transmission of false ones)?

28. We seek comment on whether there are industry groups, cybersecurity organizations, or other organizations that may be positioned to help EAS Participants create, implement, and maintain their cybersecurity risk management plan. What kinds of resources do these organizations offer, and how can EAS Participants make use of them? For example, are there organizations that offer, or that would be able to begin offering, authoritative sources of cybersecurity information and expertise? Are there organizations that can support EAS Participants by offering cybersecurity training, risk management plan templates, or by otherwise promoting cybersecurity? If so, to what extent can these organizations help reduce the burdens related to the proposed certification requirement and make EAS more secure?

78 See, e.g., CISA Baseline 5.3, 5.4 and CIS 4.2, 4.4, 4.5.

79 See, e.g., CISA Baseline 1.4 and CIS 6.3, 6.4, and 6.5.

80 See, e.g., CISA Baseline and CIS 2.3.

29.
We propose that EAS Participants certify to creating, annually updating, and implementing a cybersecurity risk management plan by checking a box as part of their annual filing of EAS Test Reporting System Form One.81 We seek comment on whether this is the most efficient way to implement a certification requirement for EAS Participants. If not, how should the certification be implemented? While the Commission does not intend to review each individual plan for sufficiency, we propose that the cybersecurity risk management plan be made available to the Commission upon request so that the Commission may review a specific plan as needed or proactively review a sample of EAS Participants’ plans to ensure that they are sufficient to ensure the confidentiality, integrity, and availability of the EAS. In such circumstances, cybersecurity risk management plans would be treated as presumptively confidential. We propose to delegate to the Bureau the authority to request review of such cybersecurity risk management plans and to evaluate them for sufficiency. We seek comment on this approach to evaluating plans. For how long should we require EAS Participants to retain prior versions of their cybersecurity risk management plans to enable the Bureau’s review?

30. We propose that the filing of, and subsequent compliance with, a cybersecurity risk management plan would not serve as a safe harbor or excuse or any other diminishment of responsibility for negligent security practices. We believe that allowing the filing of and compliance with a plan to have such an effect could create a perverse incentive. EAS Participants must remain constantly vigilant in preventing intrusions and can only satisfy that responsibility by acting reasonably in all circumstances.
Any negligence in protecting the confidentiality, integrity, and availability of EAS that results in transmission of false alerts or non-transmission of valid EAS messages would establish a violation of that duty, regardless of the content of the plan. Furthermore, we propose that an EAS Participant’s failure to sufficiently develop or implement their plan would be treated as a violation of the proposed rules. We seek comment on the criteria or indicia that we should consider when determining whether a plan is insufficient to mitigate cyber risk. We also seek comment on any measures that the Commission should take to verify whether EAS Participants have implemented their plans.

31. We believe that the benefits of this proposal outweigh the costs. While we believe that it is impossible to quantify the precise dollar value of improvements to the public’s safety, life, and health, as a general matter,82 we nonetheless believe that very substantial public safety benefits will result from the rules we propose today: EAS will be better able to ensure that real alerts with lifesaving information are successfully delivered to the public and false alerts are prevented in order to preserve public trust and better ensure that the public takes appropriate action during real emergencies. As a consequence, we anticipate that the rule changes we adopt today will yield substantial life-saving benefits. Independent of that analysis, the Commission has previously found that “a foreign adversary’s access to American communications networks could result in hostile actions to disrupt and surveil our communications networks, impacting our nation’s economy generally and online commerce specifically, and result in the breach of confidential data.”83 Consistent with the Commission’s past analysis, our national gross domestic product was nearly $23 trillion last year, adjusting for inflation.84 Accordingly, if creating and implementing a cybersecurity risk management plan prevents even a 0.005% disruption to our economy, we believe our proposed requirement would generate $1.15 billion in benefits. Likewise, the digital economy accounted for $3.31 trillion of our economy in 2020,85 and so we believe preventing a disruption of even 0.05% would produce benefits of $1.66 billion. As a check on our analysis, consider the impact of existing malicious cyber activity on the U.S. economy: $57 billion to $109 billion in 2016.86 Given the incentives and documented actions of hostile nation-state actors, reducing this activity (or preventing an expansion of such damage) by even 1% would produce benefits of $0.57 billion to $1.09 billion. Given this analysis, we believe the benefits of our rule to the American economy, commerce, and consumers are likely to significantly and substantially outweigh the costs of the proposed certification requirement. We seek comment on this analysis. Is there a more appropriate way to quantify these benefits? Are there any additional ways in which the proposed rules would benefit the public that the Commission should consider?

81 See 47 CFR § 11.61(a)(3)(iv)(A).

82 Resilient Networks, Report and Order, PS Docket 21-346, FCC 22-50, para. 46 (2022) (Resilient Networks Order) (“it would be impossible to quantify the precise financial value of these health and safety benefits”).

83 Protecting Against National Security Threats to the Communications Supply Chain Through FCC Programs; Huawei Designation; ZTE Designation, WC Docket No. 18-89; PS Docket Nos. 19-351 and 19-352, Report and Order, Further Notice of Proposed Rulemaking, and Order, 34 FCC Rcd 11423, 11465, para. 109 (2019).

32. We estimate that the overall cost of our proposed cybersecurity risk management plan requirement will be approximately $21 million.
We believe that EAS Participants will, on average, require 10 hours annually to initially draft a plan and then update the plan and submit their certification annually. When developing this average we anticipate that many large EAS Participants already have cybersecurity risk management plans and will incur only de minimis costs to comply with this requirement. We also anticipate that many small EAS Participants will require less than 10 hours to develop or update a plan that is appropriate to the size of their organization. Based on this estimate, we believe that the overall cost for 25,644 EAS Participants to comply with the proposed certification requirement with 10 hours of labor from a General and Operations Manager who is compensated at $82 per hour will be $21,028,080.87 We seek comment on our analysis.

84 See Press Release, Bureau of Economic Analysis, U.S. Department of Commerce, Gross Domestic Product (Third Estimate), Corporate Profits (Revised Estimate), and GDP by Industry, First Quarter 2022 (June 29, 2022), https://www.bea.gov/sites/default/files/2022-06/gdp1q22_3rd.pdf.

85 See Tina Highfill & Christopher Surfield, Bureau of Economic Analysis, U.S. Department of Commerce, New and Revised Statistics of the U.S. Digital Economy, 2005-2020 (May 2022), https://www.bea.gov/system/files/2022-05/New%20and%20Revised%20Statistics%20of%20the%20U.S.%20Digital%20Economy%202005-2020.pdf.

86 See The Council of Economic Advisers, The Cost of Malicious Cyber Activity to the U.S. Economy at 36 (Feb. 2018), https://trumpwhitehouse.archives.gov/wp-content/uploads/2018/02/The-Cost-of-Malicious-Cyber-Activity-to-the-U.S.-Economy.pdf.

87 FCC, Report: August 11, 2021 Nationwide EAS Test at 6 (PSHSB 2021), https://docs.fcc.gov/public/attachments/DOC-378861A1.pdf. The Bureau of Labor Statistics reports that the most recent hourly wage for General and Operations Managers is $55, which rises to $82 when increased by 50% to also include benefits. See supra n. 49.

2. WEA Security

33. We propose to require Participating CMS Providers to certify that they are creating, annually updating, and implementing a cybersecurity risk management plan. As discussed above, WEA also faces security risks related to the transmission of false alerts, and compromise of a Participating CMS Provider’s systems could disrupt the transmission of a legitimate WEA message. Are there additional cybersecurity risks to WEA about which we should be aware? To what extent do Participating CMS Providers already have cybersecurity risk management plans? We believe that the approach we propose above in the context of EAS – wherein we would afford flexibility for providers to assess what content should be in their cybersecurity risk management plans while proposing that it demonstrate how the provider identifies the cyber risks that they face, the controls they use to mitigate those risks, and how they ensure that these controls are applied effectively to their operations – lends itself to WEA as well. We seek comment on this tentative conclusion. Are there any fundamental differences in the transmission of WEA alerts or the threats that WEA faces that would require a different approach to ensuring WEA’s security? We seek comment on the least burdensome means by which Participating CMS Providers could submit their certification to the Commission, including via the Commission’s Electronic Comment Filing System, a designated Commission e-mail address, or a WEA-specific database designed for this purpose.

34.
As with the EAS, we propose that a cybersecurity risk management plan should include security controls sufficient to ensure the confidentiality, integrity, and availability of WEA.88 We propose that sufficient security measures could be demonstrated by implementing controls like the CISA Cybersecurity Baseline or appropriate CIS Implementation Group.89 As for EAS Participants, as described above, we propose to require that each plan include a baseline of security measures that address changing default passwords prior to operation, installing security updates in a timely manner, securing equipment behind properly configured firewalls or using other segmentation practices, requiring multifactor authentication where applicable, addressing the replacement of end-of-life equipment, and wiping, clearing, or encrypting user information before disposing of old devices. We expect that compliant cybersecurity risk management plans will not be limited to only these specific measures, as plans will need regular updates to keep up with an evolving threat environment. We seek comment on these proposed rules. Are there specific security measures that we should require Participating CMS Providers to implement? For example, as above, we seek comment on whether we should require Participating CMS Providers to conduct network security audits or vulnerability assessments to identify potential security vulnerabilities, implement Incident Response Plans that describe the procedures that Participating CMS Providers would follow when responding to an ongoing cybersecurity incident, or require Participating CMS Providers to conduct cybersecurity training for their employees or contractors.

35. We believe that the benefits of this proposal for WEA outweigh the costs.
As discussed above for EAS, we believe that the rules we propose today would better ensure that real WEA alerts with lifesaving information are successfully delivered to the public and false alerts are prevented in order to preserve public trust and better ensure that the public takes appropriate action during real emergencies. We estimate that the overall cost of our proposed cybersecurity risk management plan requirement will be approximately $62,320. We anticipate that many large Participating CMS Providers already have cybersecurity risk management plans and will incur only de minimis costs to comply with this requirement. We also anticipate that many small Participating CMS Providers will require less than 10 hours to develop or update a plan that is appropriate to the size of their organization. Based on this estimate, we believe that the overall cost for 76 Participating CMS Providers to comply with the proposed certification requirement with 10 hours of labor from a General and Operations Manager who is compensated at $82 per hour will be $62,320.90 We seek comment on this analysis. To what extent do Participating CMS Providers already implement a cybersecurity risk management framework? Are there alternatives that would be as effective but less burdensome, particularly to smaller providers? As with EAS above, we seek comment on whether there are industry groups, cybersecurity organizations, or other organizations that may be positioned to help Participating CMS providers create, implement, and maintain their cybersecurity risk management plan. What kinds of resources do these organizations offer, and how can Participating CMS providers make use of them?

88 See supra n. 73.

89 See supra n. 74, 75.

90 FCC, Master WEA Registry, https://www.fcc.gov/files/weamasterregistry112019xls (last visited Aug. 19, 2022) (reflecting that 76 CMS Providers participate in WEA either in whole or in part). The Bureau of Labor Statistics reports that the most recent hourly wage for General and Operations Managers is $55, which rises to $82 when increased by 50% to also include benefits. See supra n. 49.

36. We seek comment on whether there are other categories of communications service providers (e.g., services that support 911 calling) to which a cybersecurity risk management plan certification requirement should apply. Like emergency alerting, 911 is part of the nation’s emergency services critical infrastructure.91 Similarly, like the nation’s alert and warning capability, 911 service has faced instances of compromise by cyberattacks,92 and is regularly under threat.93 In light of those threats, should services that support 911 calling also be required to annually certify to creating, updating, and implementing cybersecurity risk management plans? If so, are there differences between emergency alerting and 911 that would warrant changes to the risk management plan requirements we propose today, if applied to services that support 911 calling? Are the benefits and costs of such a requirement commensurate with the benefits and costs of certification as described above?

D. Displaying Only Valid WEA Messages on Mobile Devices

37. False alerts, such as the false ballistic missile alert that the Hawaii Emergency Management Agency accidentally sent during a training exercise in 2018, can cause panic and confusion and damage the credibility of WEA. While that false alert was sent accidentally, bad actors could potentially exploit known WEA vulnerabilities to intentionally send false alerts to the public.
The Commission’s rules require Participating CMS Providers’ network infrastructure to authenticate interactions with mobile devices and require mobile devices to authenticate interactions with CMS Provider infrastructure.94 In practice, however, the security handshake between Participating CMS Providers and mobile devices does not include a process for a mobile device to ensure that the base station to which it attaches is valid. As a result, mobile devices that are not actively engaged with a valid base station are vulnerable to receiving and presenting false alerts. This threat exists when a mobile device attempts authentication with the provider, switches base stations, or returns to active from idle mode.

38. Accordingly, we propose to require Participating CMS Providers to transmit sufficient authentication information to allow mobile devices to present WEA alerts only if they come from valid base stations. Ongoing work in international standards bodies suggests that Participating CMS Providers could achieve this outcome by transmitting sufficient authentication information to allow mobile devices to authenticate either the alert or the base station itself. For example, Participating CMS Providers could provide for authentication of the base station using a unique identifier or an encryption key. To what extent do Participating CMS Providers already uniquely identify legitimate base stations with a selection of base station characteristics to defend against denial-of-service attacks and fraud (i.e., through base station fingerprinting)? Could Participating CMS Providers leverage base station fingerprinting to protect the public from false WEA alerts through updates to WEA standards and mobile device firmware?
Alternatively, or in addition, could WEA-capable mobile devices receive an appropriate encryption key from the network and then use that key to confirm either that an alert is authentic or that the base station transmitting it is authentic before presenting the alert? Should our rules prohibit CMS Providers and equipment manufacturers from marketing devices as WEA-capable unless they have these technical capabilities?

39. We seek comment on the trade-offs attendant to available technological approaches to protecting the public from false alerts. Could implementation of these approaches affect the ability of non-service initialized WEA-capable mobile devices, SIM-less WEA-capable mobile devices, or mobile devices that are no longer contractually associated with a CMS Provider to receive WEA alerts depending on the handset technology or generation of wireless network used? If so, how could the Commission mitigate these potential drawbacks by refining its proposed rules? To the extent that technological solutions have been implemented, is it still possible for a false alert of this type to be displayed on mobile devices, and if so, under what conditions? What steps could be taken to further minimize or eliminate these kinds of false alerts?

91 See CISA, Emergency Services Sector, https://www.cisa.gov/emergency-services-sector (last visited Aug. 22, 2022).

92 See, e.g., SOS Musings #49 - 911: We Have a Cybersecurity Emergency (May 26, 2021), https://cps-vo.org/node/76327 (describing a denial-of-service attack reportedly affecting 911 call centers in 12 states).

93 See CISA, CISA Releases Cyber Risks to 911: TDoS Fact Sheet, https://www.cisa.gov/blog/2020/06/09/cisa-releases-cyber-risks-911-tdos-fact-sheet (last visited Aug. 22, 2022).

94 47 CFR § 10.330(b); 10.500(a).

40.
We estimate that Participating CMS Providers would incur a $14.5 million one-time cost to update the WEA standards and software necessary to comply with this requirement. This figure consists of an approximately $814,000 cost to update applicable WEA standards and an approximately $13.7 million cost to update applicable software. We quantify the cost of modifying standards as the annual compensation for 30 network engineers compensated at the national average for their field ($120,650/year; $58/hour), plus annual benefits ($60,325/year; $29/hour) working for the amount of time that it takes to develop a standard (one hour every other week for one year, 26 hours) for 12 distinct standards.95 We quantify the cost of modifying software as the annual compensation for a software developer compensated at the national average for their field ($120,990/year), plus annual benefits ($60,495/year) working for the amount of time that it takes to develop software (one year) at each of the 76 CMS Providers that participate in WEA.96 We seek comment on these cost estimates and the underlying cost methodology we are using. We also seek comment on any other costs and benefits that would result from this proposal. Incidents of false WEA alerts can cause significant confusion and diminish the public’s trust in emergency alerts. For example, what harms could arise if an invalid base station sends a false alert to attendees at a public event, such as a parade or sporting event? For each technological approach considered, we urge commenters to address its effectiveness and cost of implementation, any additional latency that the measure could introduce into the delivery of WEA alerts, and the potential for the security measure to result in the suppression of legitimate alert content.

95 30 x ($58 + $29) x 26 x 12 = $814,320, a figure that we round to $814,000 to avoid the false appearance of precision in our estimate. See Bureau of Labor Statistics Employer Costs for Employee Compensation Summary, Computer Network Architect (May 2021), https://www.bls.gov/oes/current/oes151241.htm (last visited Aug. 25, 2022) (stating that the average base salary for a computer network architect is $120,730/yr); Letter from Tom Goode, General Counsel, ATIS, to Marlene Dortch, Secretary, FCC, PS Docket No. 15-91, at 1 (filed Sep. 6, 2016) (stating that, when standards need to be modified for WEA, it would be common practice for groups of approximately 30 individuals with relevant technical expertise to meet approximately bi-weekly for an hour to discuss the modifications); Bureau of Labor Statistics, Employer Costs for Employee Compensation Summary (2022), https://www.bls.gov/news.release/ecec.nr0.htm (stating that, as of March 2022, civilian worker benefits accounted for approximately one third of total compensation, which in this case is $85,816/yr x. 1.5 = $26,775/yr); Wireless Emergency Alerts; Amendments to Part 11 of the Commission's Rules Regarding the Emergency Alert System, PS Docket Nos. 15-91, 15-94, Second Report and Order and Second Order on Reconsideration, 33 FCC Rcd 1320, 1344-45, para. 33, n.154 (2018) (listing the 12 WEA standards).

96 ($120,650 + $60,325) x 76 = $13,754,100, a figure that we round to $13.7 million to avoid the false appearance of precision in our estimate. See Bureau of Labor Statistics Employer Costs for Employee Compensation Summary, Software Developers (May 2021), https://www.bls.gov/oes/current/oes151252.htm (last visited Aug. 25, 2022) (stating that the average base salary for a software developer is $120,730/year, which results in total compensation of $180,960 when benefits are included); Verizon, PS Docket No. 15-91, Comments, at 5 (Jan. 13, 2016) (stating that it takes manufacturers and vendors 12 months to incorporate WEA standards into their products and test them); FCC, Master WEA Registry, https://www.fcc.gov/files/weamasterregistry112019xls (last visited Aug. 19, 2022) (reflecting that 76 CMS Providers participate in WEA either in whole or in part).

97 WARN Act, § 1202(a).

E. WEA Infrastructure Functionality

41. Pursuant to the WARN Act, CMS Providers’ participation in WEA is voluntary, but CMS Providers that elect to participate in WEA must comply with all the WEA rules.97 The WEA rules provide that WEA functionality, both in Participating CMS Provider's and in mobile devices, “are dependent upon the capabilities of the delivery technologies implemented by a Participating CMS Provider” and certain WEA protocols “are defined and controlled by each Participating CMS Provider.”98 The inclusion of these statements may create the mistaken impression that Participating CMS Providers’ compliance with the rules that follow, including the base station authentication rules we propose today, would be conditioned on the Participating CMS Providers’ delivery technology.
Emergency management agencies expect WEA to work as intended and when needed, and this language unintentionally could create uncertainties about the quality of WEA service that Participating CMS Providers offer.99 For these reasons, the Commission proposed to remove this language from the WEA rules in 2016.100 T-Mobile, ATIS, and CTIA, the only three commenters addressing this proposal, urged the Commission not to adopt it because “the rules should maximize the technological flexibility of CMS Providers participating in WEA.”101 In the ten years since WEA’s deployment, however, Participating CMS Providers have coalesced around cell broadcast as the wireless technology used to transmit WEA alerts to capable mobile devices, and ATIS has standardized system performance.102

42. Accordingly, we seek to refresh the record on our proposal to remove these statements from the WEA rules. We believe these provisions introduce confusion and are unnecessary, particularly as we do not expect that any Participating CMS Provider would need to make changes to their WEA service as a result of this proposed amendment. We seek comment on this proposal, particularly from any CMS Provider that would need to make changes to their WEA offerings in the event that the rules were so amended.

F. Promoting Digital Equity

43. The Commission, as part of its continuing effort to advance digital equity for all,103 including people of color, persons with disabilities, persons who live in rural or Tribal areas, and others who are or have been historically underserved, marginalized, or adversely affected by persistent poverty or inequality, invites comment on any equity-related considerations104 and benefits (if any) that may be associated with the proposals and issues discussed herein. Specifically, we seek comment on how our proposals may promote or inhibit advances in diversity, equity, inclusion, and accessibility, as well as the scope of the Commission’s relevant legal authority.105

98 See 47 CFR § 10.330 (providing a caveat to the WEA infrastructure requirements); 47 CFR § 10.500 (providing a caveat to the WEA mobile device requirements).

99 City of Houston Office of Public Safety and Homeland Security Comments, PS Docket No. 15-91, at 4 (Jan. 12, 2016); Clark County Office of Emergency Management Comments, PS Docket No. 15-91, at 3 (Jan. 13, 2016); Jefferson Parish Emergency Management Comments, PS Docket 15-91, at 4 (Dec. 14, 2015).

100 See Wireless Emergency Alerts; Amendments to Part 11 of the Commission’s Rules Regarding the Emergency Alert System, PS Docket Nos. 15-91, 15-94, Report and Order and Further Notice of Proposed Rulemaking, 31 FCC Rcd 11112, 11185, para. 113 (2016) (WEA R&O and FNPRM).

101 T-Mobile USA, Inc., PS Docket No 15-91, Reply, at 10 (Jan. 8, 2017); accord Alliance for Telecommunications Industry Solutions (ATIS), PS Docket No. 15-91, Comments, at 3 (Dec. 8, 2016); CTIA, PS Docket No. 15-91, Comments, at 8 (Dec. 8, 2016).

102 See, e.g., Enhanced Wireless Emergency Alert (eWEA) via GSM/UMTS Cell Broadcast Service Specification (ATIS-0700006.v002).

103 Section 1 of the Communications Act of 1934 as amended provides that the FCC “regulat[es] interstate and foreign commerce in communication by wire and radio so as to make [such service] available, so far as possible, to all the people of the United States, without discrimination on the basis of race, color, religion, national origin, or sex.” 47 U.S.C. § 151.

104 The term “equity” is used here consistent with Executive Order 13985 as the consistent and systematic fair, just, and impartial treatment of all individuals, including individuals who belong to underserved communities that have been denied such treatment, such as Black, Latino, and Indigenous and Native American persons, Asian Americans and Pacific Islanders and other persons of color; members of religious minorities; lesbian, gay, bisexual, transgender, and queer (LGBTQ+) persons; persons with disabilities; persons who live in rural areas; and persons otherwise adversely affected by persistent poverty or inequality. See Exec. Order No. 13985, 86 Fed. Reg. 7009, Executive Order on Advancing Racial Equity and Support for Underserved Communities Through the Federal Government (Jan. 20, 2021).

105 See Wireless Emergency Alerts; Amendments to Part 11 of the Commission’s Rules Regarding the Emergency Alert System, Report and Order and Further Notice of Proposed Rulemaking, FCC 16-127, PS Docket Nos. 15-191 and 15-94, Para. 176 at 11217 (Sept. 29, 2016) (2016 EAS Amendments to Part 11).

G. Compliance Timeframes

44. Promoting the Operational Readiness of EAS Equipment. To the extent that we adopt requirements to improve the operational readiness of EAS, we seek comment on when those rules should go into effect. For example, if we were to adopt rules to hasten or improve the Commission’s visibility into the repair or replacement of non-operational EAS equipment, should those rules go into effect 30 days from publication in the Federal Register of notice that the Office of Management and Budget has completed its review of the modified information collection? What factors should we consider when determining when alternative operational readiness requirements should go into effect?

45. Improving Awareness of Unauthorized Access to EAS Equipment. We propose that the revision of Section 11.45 to require EAS Participants to report any incident of unauthorized access of its EAS equipment would be effective 60 days from publication in the Federal Register of notice that the Office of Management and Budget has completed its review of the modified information collection. We seek comment on this proposed timeframe. In the NDAA21 R&O, the Commission required EAS Participants to report false alerts to the Commission and, in a subsequent Public Notice, announced a compliance deadline approximately 60 days from publication in the Federal Register of notice that the Office of Management and Budget has approved the modified information collection.106 We seek comment on whether an EAS Participant’s process for ascertaining whether an incident of unauthorized access of its EAS equipment has occurred and reporting it to the Commission entails a level of effort comparable to compliance with the Commission’s false alert reporting requirement. Would EAS Participants’ compliance with the Commission’s false alert reporting requirement reduce the incremental burden of compliance with this proposal?

106 Amendment of the Commission’s Rules Regarding the Emergency Alert System; Wireless Emergency Alerts, PS Dockets 15-94 and 15-91, Report and Order, 36 FCC Rcd 10694 (June 17, 2021) (NDAA21 R&O); Public Safety and Homeland Security Bureau Announces Compliance Dates for Certain Emergency Alert System (EAS) and Wireless Emergency Alerts (WEA) Rules, PS Docket Nos. 15-91, 15-94, Public Notice, DA 22-600 (Jun. 6, 2022).

46. Certifying to the Implementation of Cybersecurity Risk Management Plans. We propose that EAS Participants and Participating CMS Providers must certify to the implementation of a cybersecurity risk management plan that includes measures sufficient to ensure the confidentiality, integrity, and reliability of their respective alerting systems within 12 months of the publication in the Federal Register of notice that the Office of Management and Budget has completed its review of the modified information collection. A 12-month timeframe would be intended to provide time for EAS Participants that do not already have a risk management plan in place to create one, including by preparing the organization to manage security and privacy risks, categorizing the systems and the information that it processes, stores, and transmits, and selecting controls to protect the system. A 12-month timeframe could also provide time to implement the security controls that the plan describes, assess whether the controls are in place, operating as intended, and producing the desired results, appoint a senior official to authorize the system, and develop mechanisms to continuously monitor control implementation and risks to the system. We seek comment on these proposals. Should we offer EAS Participants and Participating CMS Providers who are small businesses an additional 12 months to comply with this requirement, with compliance required within 24 months of publication in the Federal Register of notice that the Office of Management and Budget has completed its review of the modified information collection? Is there any reason why EAS Participants and Participating CMS Providers should have different implementation timeframes?

47. Displaying Only Valid WEA Messages on Mobile Devices. We propose that CMS Providers transmit sufficient authentication information to allow mobile devices to present WEA alerts only if they come from valid base stations 30 months from the publication of these rules in the Federal Register. The record in our WEA proceedings supports the premise that Participating CMS Providers require 12 months to work through appropriate industry bodies to publish relevant standards, another 12 months for Participating CMS Providers and mobile device manufacturers to develop, test, and integrate software upgrades consistent with those standards, and then 6 more months to deploy this new technology to the field during normal technology refresh cycles.107 We seek comment on the applicability of this approach and timeframe, with which Participating CMS Providers have experience, to this proposal.
We seek comment, in the alternative, on whether the urgent public safety need to protect the public from false alerts necessitates an expedited compliance timeframe and, if so, what that compliance timeframe should be.

48. WEA Infrastructure Functionality. We propose to remove language from our WEA infrastructure and mobile device rules effective 30 days after the rules’ publication in the Federal Register. We do not believe that Participating CMS Providers will need to make any changes to comply with these rules as revised because they offer a WEA service that is consistent with the rules as otherwise written. We seek comment on this compliance timeframe and on this view.

IV. PROCEDURAL MATTERS

49. Paperwork Reduction Act. This document contains proposed new and modified information collection requirements. The Commission, as part of its continuing effort to reduce paperwork burdens, invites the general public and the Office of Management and Budget (OMB) to comment on the information collection requirements contained in this document, as required by the Paperwork Reduction Act of 1995, Public Law 104-13. In addition, pursuant to the Small Business Paperwork Relief Act of 2002, Public Law 107-198, see 44 U.S.C. 3506(c)(4), we seek specific comment on how we might further reduce the information collection burden for small business concerns with fewer than 25 employees.

50. Ex Parte Rules - Permit-But-Disclose. The proceeding this Notice initiates shall be treated as a “permit-but-disclose” proceeding in accordance with the Commission’s ex parte rules.108 Persons making ex parte presentations must file a copy of any written presentation or a memorandum summarizing any oral presentation within two business days after the presentation (unless a different deadline applicable to the Sunshine period applies).
Persons making oral ex parte presentations are reminded that memoranda summarizing the presentation must (1) list all persons attending or otherwise participating in the meeting at which the ex parte presentation was made, and (2) summarize all data presented and arguments made during the presentation. If the presentation consisted in whole or in part of the presentation of data or arguments already reflected in the presenter’s written comments, memoranda or other filings in the proceeding, the presenter may provide citations to such data or arguments in his or her prior comments, memoranda, or other filings (specifying the relevant page and/or paragraph numbers where such data or arguments can be found) in lieu of summarizing them in the memorandum. Documents shown or given to Commission staff during ex parte meetings are deemed to be written ex parte presentations and must be filed consistent with Rule 1.1206(b). In proceedings governed by Rule 1.49(f) or for which the Commission has made available a method of electronic filing, written ex parte presentations and memoranda summarizing oral ex parte presentations, and all attachments thereto, must be filed through the electronic comment filing system available for that proceeding, and must be filed in their native format (e.g., .doc, .xml, .ppt, searchable .pdf). Participants in this proceeding should familiarize themselves with the Commission’s ex parte rules.

107 See WEA R&O and NPRM, 31 FCC Rcd at 11161-62, para. 79.
108 47 CFR §§ 1.1200 et seq.

51. Regulatory Flexibility Act.
The Regulatory Flexibility Act of 1980, as amended (RFA),109 requires that an agency prepare a regulatory flexibility analysis for notice and comment rulemakings, unless the agency certifies that “the rule will not, if promulgated, have a significant economic impact on a substantial number of small entities.”110 Accordingly, the Commission has prepared an Initial Regulatory Flexibility Analysis (IRFA) concerning the possible impact of the rule and policy changes contained in this Notice of Proposed Rulemaking. The IRFA is set forth in Appendix B.

52. Filing Requirements—Comments and Replies. Pursuant to sections 1.415 and 1.419 of the Commission’s rules, 47 CFR §§ 1.415, 1.419, interested parties may file comments and reply comments on or before the dates indicated on the first page of this document. Comments may be filed using the Commission’s Electronic Comment Filing System (ECFS). See Electronic Filing of Documents in Rulemaking Proceedings, 63 FR 24121 (1998).

• Electronic Filers: Comments may be filed electronically using the Internet by accessing the ECFS: https://www.fcc.gov/ecfs/.
• Paper Filers: Parties who choose to file by paper must file an original and one copy of each filing.
• Filings can be sent by commercial overnight courier, or by first-class or overnight U.S. Postal Service mail. All filings must be addressed to the Commission’s Secretary, Office of the Secretary, Federal Communications Commission.
  o Commercial overnight mail (other than U.S. Postal Service Express Mail and Priority Mail) must be sent to 9050 Junction Drive, Annapolis Junction, MD 20701.
  o Postal Service first-class, Express, and Priority mail must be addressed to 45 L Street, NE, Washington, DC 20554.
• Effective March 19, 2020, and until further notice, the Commission no longer accepts any hand or messenger delivered filings.
This is a temporary measure taken to help protect the health and safety of individuals, and to mitigate the transmission of COVID-19.111
• During the time the Commission’s building is closed to the general public and until further notice, if more than one docket or rulemaking number appears in the caption of a proceeding, paper filers need not submit two additional copies for each additional docket or rulemaking number; an original and one copy are sufficient.

53. People with Disabilities. To request materials in accessible formats for people with disabilities (braille, large print, electronic files, audio format), send an e-mail to fcc504@fcc.gov or call the Consumer & Governmental Affairs Bureau at 202-418-0530 (voice), 202-418-0432 (tty).

109 See 5 U.S.C. § 603. The RFA, 5 U.S.C. §§ 601–612, was amended by the Small Business Regulatory Enforcement Fairness Act of 1996 (SBREFA), Pub. L. No. 104-121, Title II, 110 Stat. 857 (1996).
110 Id.
111 See FCC Announces Closure of FCC Headquarters Open Window and Change in Hand-Delivery Policy, Public Notice, 35 FCC Rcd 2788 (2020).

54. Additional Information. For further information regarding this Notice, please contact James Wiley, Cybersecurity and Communications Reliability Division, Public Safety and Homeland Security Bureau, (202) 418-1678, or by email to james.wiley@fcc.gov, or Steven Carpenter, Cybersecurity and Communications Reliability Division, Public Safety and Homeland Security Bureau, (202) 418-2313, or by email to steven.carpenter@fcc.gov.

V. ORDERING CLAUSES

55.
Accordingly, IT IS ORDERED that pursuant to Sections 1, 2, 4(i), 4(n), 301, 303(b), 303(g), 303(r), 303(v), 307, 309, 335, 403, 624(g), and 706 of the Communications Act of 1934, as amended, 47 U.S.C §§ 151, 152, 154(i), 154(n), 301, 303(b), 303(g), 303(r), 303(v), 307, 309, 335, 403, 544(g), and 606; The Warning, Alert and Response Network (WARN) Act, WARN Act §§ 602(a), (b), (c), (f), 603, 604, and 606, 47 U.S.C. §§ 1202(a),(b),(c), (f), 1203, 1204 and 1206; the Wireless Communications and Public Safety Act of 1999, Pub. L. No. 106-81, 47 U.S.C. §§ 615, 615a, 615b; Section 202 of the Twenty-First Century Communications and Video Accessibility Act of 2010, as amended, 47 U.S.C. § 613, this Notice of Proposed Rulemaking IS hereby ADOPTED.

56. IT IS FURTHER ORDERED that the Commission’s Consumer and Governmental Affairs Bureau, Reference Information Center, SHALL SEND a copy of this Notice, including the Initial Regulatory Flexibility Analysis, to the Chief Counsel for Advocacy of the Small Business Administration.

APPENDIX A: Proposed Rules

For the reasons set forth above, Parts 10 and 11 of Title 47 of the Code of Federal Regulations are amended as follows:

PART 10 – WIRELESS EMERGENCY ALERTS

1. The authority citation for part 10 continues to read as follows:

Authority: [To be inserted prior to Federal Register publication.]

2. Revise § 10.330 to read as follows:

§ 10.330 Provider infrastructure requirements.

This section specifies the general functions that a Participating CMS Provider is required to perform within its infrastructure.

(a) Distribution of Alert Messages to mobile devices.

(b) Authentication of interactions with mobile devices, including the transmission of sufficient authentication information to allow mobile devices to only present WEA alerts from valid base stations.

(c) Reference Points D & E. Reference Point D is the interface between a CMS Provider gateway and its infrastructure.
Reference Point E is the interface between a provider’s infrastructure and mobile devices including air interfaces.

3. Add § 10.360 to subpart C to read as follows:

§ 10.360 Cybersecurity Risk Management Plan Certification

(a) Each Participating CMS Provider shall submit a certification to the Commission that it has created, annually updated, and implemented a cybersecurity risk management plan. The cybersecurity risk management plan shall describe how the Participating CMS Provider employs its organizational resources and processes to ensure the confidentiality, integrity, and availability of WEA. The plan shall discuss how the Participating CMS Provider identifies the cyber risks that it faces, the controls it uses to mitigate those risks, and how it ensures that these controls are applied effectively to its operations. The plan shall address the security of all aspects of the Participating CMS Provider’s communications systems and services that potentially could affect its provision of WEA messages. The plan shall be made available to the Commission upon request.

(b) Participating CMS Providers shall employ sufficient security controls to ensure the confidentiality, integrity, and availability of the EAS. In furtherance of this requirement, the cybersecurity risk management plan shall address, but not be limited to, the following security controls:

(1) Changing default passwords prior to operation;
(2) Installing security updates in a timely manner;
(3) Securing equipment behind properly configured firewalls or using other segmentation practices;
(4) Requiring multifactor authentication where applicable;
(5) Addressing the replacement of end-of-life equipment; and
(6) Wiping, clearing, or encrypting user information before disposing of old devices.
(c) Participating CMS Providers shall take reasonable measures to protect the confidentiality, integrity, and availability of EAS to avoid the transmission of false alerts or non-transmission of valid Alert Messages; failure to do so shall be, in addition to a violation of any specific provisions of this section, § 11.45(a) of this chapter, or § 10.520(d), an independent breach of this duty.

4. Revise § 10.500 introductory text as follows:

§ 10.500 General requirements.

Mobile devices are required to perform the following functions:

* * * * *

PART 11 – EMERGENCY ALERT SYSTEM (EAS)

5. The authority citation for part 11 continues to read as follows:

Authority: [To be inserted prior to Federal Register publication.]

6. In § 11.35, add paragraph (d) to read as follows:

§ 11.35 Equipment operational readiness.

* * * * *

(d) Annual EAS Security Certification.

(1) The identifying information required by the ETRS as specified in §11.61(a)(3)(iv) shall include a Certification to the Commission that the EAS Participant has created, annually updated, and implemented a cybersecurity risk management plan. The cybersecurity risk management plan shall describe how the EAS Participant employs its organizational resources and processes to ensure the confidentiality, integrity, and availability of the EAS. The plan shall discuss how the EAS Participant identifies the cyber risks that it faces, the controls it uses to mitigate those risks, and how it ensures that these controls are applied effectively to their operations. The plan shall address the security of all aspects of an EAS Participant’s communications systems and services that potentially could affect its provision of EAS messages. The plan shall be made available to the Commission upon request.

(2) EAS Participants shall employ sufficient security controls to ensure the confidentiality, integrity, and availability of the EAS.
In furtherance of this requirement, the cybersecurity risk management plan shall address, but not be limited to, the following security controls:

(i) Changing default passwords prior to operation;
(ii) Installing security updates in a timely manner;
(iii) Securing equipment behind properly configured firewalls or using other segmentation practices;
(iv) Requiring multifactor authentication where applicable;
(v) Addressing the replacement of end-of-life equipment; and
(vi) Wiping, clearing, or encrypting user information before disposing of old devices.

(3) EAS Participants shall take reasonable measures to protect the confidentiality, integrity, and availability of EAS to avoid the transmission of false alerts or non-transmission of valid EAS messages; failure to do so shall be, in addition to a violation of any specific provisions of this section, § 11.45(a), or § 10.520(d) of this chapter, an independent breach of this duty.

7. Revise § 11.45 by redesignating paragraph (c) as paragraph (d) and adding a new paragraph (c) to read as follows:

§ 11.45 Prohibition of false or deceptive EAS transmissions.

* * * * *

(c) No later than seventy-two (72) hours after an EAS Participant knows or should have known that its EAS equipment, or communications systems, or services that potentially could affect their provision of EAS, have been accessed in an unauthorized manner, the EAS Participant shall provide notification to the Commission identifying, if applicable, the date range of the incident, a description of the unauthorized access, the impact to the EAS Participant’s EAS operational readiness, a description of the vulnerabilities exploited and the techniques used to access the device, identifying information for each actor responsible for the incident, and contact information for the EAS Participant.
When one event or set of events gives rise to obligations under both paragraphs (b) and (c) of this section, an EAS Participant remains subject to each requirement individually. The Participant may elect to send a single notification of the Commission within 24 hours providing all the information described in both paragraphs or separate notification to the Commission within 24 hours and 72 hours.

(d) * * *

APPENDIX B

Initial Regulatory Flexibility Analysis

1. As required by the Regulatory Flexibility Act of 1980, as amended (RFA),1 the Commission has prepared this Initial Regulatory Flexibility Analysis (IRFA) of the possible significant economic impact on a substantial number of small entities by the policies and rules proposed in the Notice of Proposed Rulemaking (Notice). Written public comments are requested on this IRFA. Comments must be identified as responses to the IRFA and must be filed by the deadlines for comments on the Notice. The Commission will send a copy of the Notice, including this IRFA, to the Chief Counsel for Advocacy of the Small Business Administration (SBA).2 In addition, the Notice and IRFA (or summaries thereof) will be published in the Federal Register.3

A. Need for, and Objectives of, the Proposed Rules

2. The security of the nation’s alert and warning systems is essential to helping safeguard the lives and property of all Americans. To ensure that the EAS and WEA remain strong, the Commission must act proactively in its oversight of stakeholders associated with these systems. The Commission has previously encouraged stakeholders to ensure that their systems are secure and provided guidance on specific steps that communications providers could take to secure their equipment.
According to data collected by the Public Safety and Homeland Security Bureau (Bureau) during the nationwide EAS test in August 2021, however, more than 5,000 EAS Participants were using outdated software or using equipment that no longer supported regular software updates. Moreover, in the area of equipment operational readiness, the test also revealed that an appreciable number of EAS Participants were unable to participate in testing due to equipment failure. This was despite receiving advanced notice that the test was going to be conducted. The Commission therefore believes the information revealed in the nationwide EAS test signals that we should take action to ensure and enhance the security of the EAS and WEA. In the Notice, the Commission acts to improve the security and reliability of the EAS and WEA by proposing and seeking comment on rules promoting the operational readiness of EAS equipment, improving awareness of unauthorized access to EAS equipment, communications systems, or services, protecting the nation’s alerting systems through the development, implementation, and certification of a cybersecurity risk management plan, and displaying only valid WEA messages on mobile devices.

3.
Specific proposals upon which the Commission seeks comment include: requiring EAS Participants and Participating CMS Providers to annually certify to having a cybersecurity risk management plan in place and employing sufficient security controls to ensure the confidentiality, integrity, and availability of their respective alerting systems (including certain baseline security controls); requiring EAS Participants to report any incident of unauthorized access of its EAS equipment, communications systems, or services (i.e., regardless of whether that compromise has resulted in the transmission of a false alert) to the Commission via NORS within 72 hours of when it knew or should have known that an incident has occurred, and provide details concerning the incident; and requiring that mobile devices only present WEA alerts from valid base stations. In addition, the Commission seeks comment on whether and how to promote the operational readiness of EAS. The Commission also seeks comment to refresh the record on previously proposed changes to the WEA infrastructure functionality rules,4 and on how our proposals in the Notice may promote or inhibit advances in diversity, equity, inclusion, and accessibility, as well as on the scope of the Commission’s relevant legal authority.

1 See 5 U.S.C. § 603. The RFA, 5 U.S.C. §§ 601-612, has been amended by the Small Business Regulatory Enforcement Fairness Act of 1996 (SBREFA), Pub. L. No. 104-121, Title II, 110 Stat. 857 (1996).
2 See 5 U.S.C. § 603(a).
3 See id.

B. Legal Basis

4.
The proposed action is authorized pursuant to Sections 1, 2, 4(i), 4(n), 301, 303(b), 303(g), 303(r), 303(v), 307, 309, 335, 403, 624(g), and 706 of the Communications Act of 1934, as amended, 47 U.S.C §§ 151, 152, 154(i), 154(n), 301, 303(b), 303(g), 303(r), 303(v), 307, 309, 335, 403, 544(g), and 606; The Warning, Alert and Response Network (WARN) Act, WARN Act §§ 602(a), (b), (c), (f), 603, 604, and 606, 47 U.S.C. §§ 1202(a),(b),(c), (f), 1203, 1204 and 1206; the Wireless Communications and Public Safety Act of 1999, Pub. L. No. 106-81, 47 U.S.C. §§ 615, 615a, 615b; Section 202 of the Twenty-First Century Communications and Video Accessibility Act of 2010, as amended, 47 U.S.C. § 613.

C. Description and Estimate of the Number of Small Entities to Which the Proposed Rules Will Apply

5. The RFA directs agencies to provide a description of and, where feasible, an estimate of, the number of small entities that may be affected by the proposed rules, if adopted.5 The RFA generally defines the term “small entity” as having the same meaning as the terms “small business,” “small organization,” and “small governmental jurisdiction.”6 In addition, the term “small business” has the same meaning as the term “small business concern” under the Small Business Act.7 A “small business concern” is one which: (1) is independently owned and operated; (2) is not dominant in its field of operation; and (3) satisfies any additional criteria established by the SBA.8

6. Small Businesses, Small Organizations, Small Governmental Jurisdictions. Our actions, over time, may affect small entities that are not easily categorized at present.
We therefore describe here, at the outset, three broad groups of small entities that could be directly affected herein.9 First, while there are industry specific size standards for small businesses that are used in the regulatory flexibility analysis, according to data from the Small Business Administration’s (SBA) Office of Advocacy, in general a small business is an independent business having fewer than 500 employees.10 These types of small businesses represent 99.9% of all businesses in the United States, which translates to 32.5 million businesses.11

4 See Wireless Emergency Alerts; Amendments to Part 11 of the Commission’s Rules Regarding the Emergency Alert System, PS Docket Nos. 15-91, 15-94, Report and Order and Further Notice of Proposed Rulemaking, 31 FCC Rcd 11112, 11185, para. 113 (2016) (WEA R&O and FNPRM).
5 See id. § 603(b)(3).
6 See id. § 601(6).
7 See id. § 601(3) (incorporating by reference the definition of “small-business concern” in the Small Business Act, 15 U.S.C. § 632). Pursuant to 5 U.S.C. § 601(3), the statutory definition of a small business applies “unless an agency, after consultation with the Office of Advocacy of the Small Business Administration and after opportunity for public comment, establishes one or more definitions of such term which are appropriate to the activities of the agency and publishes such definition(s) in the Federal Register.”
8 15 U.S.C. § 632.
9 See 5 U.S.C. § 601(3)-(6).
10 See SBA, Office of Advocacy, Frequently Asked Questions, “What is a small business?,” https://cdn.advocacy.sba.gov/wp-content/uploads/2021/11/03093005/Small-Business-FAQ-2021.pdf. (Nov 2021).
11 Id.

7.
Next, the type of small entity described as a “small organization” is generally “any not-for-profit enterprise which is independently owned and operated and is not dominant in its field.”12 The Internal Revenue Service (IRS) uses a revenue benchmark of $50,000 or less to delineate its annual electronic filing requirements for small exempt organizations.13 Nationwide, for tax year 2020, there were approximately 447,689 small exempt organizations in the U.S. reporting revenues of $50,000 or less according to the registration and tax data for exempt organizations available from the IRS.14

8. Finally, the small entity described as a “small governmental jurisdiction” is defined generally as “governments of cities, counties, towns, townships, villages, school districts, or special districts, with a population of less than fifty thousand.”15 U.S. Census Bureau data from the 2017 Census of Governments16 indicate that there were 90,075 local governmental jurisdictions consisting of general purpose governments and special purpose governments in the United States.17 Of this number there were 36,931 general purpose governments (county18, municipal and town or township19) with populations of less than 50,000 and 12,040 special purpose governments - independent school districts20 with enrollment populations of less than 50,000.21 Accordingly, based on the 2017 U.S. Census of Governments data, we estimate that at least 48,971 entities fall into the category of “small governmental jurisdictions.”22

12 See 5 U.S.C. § 601(4).
13 The IRS benchmark is similar to the population of less than 50,000 benchmark in 5 U.S.C § 601(5) that is used to define a small governmental jurisdiction. Therefore, the IRS benchmark has been used to estimate the number small organizations in this small entity description. See Annual Electronic Filing Requirement for Small Exempt Organizations — Form 990-N (e-Postcard), "Who must file," https://www.irs.gov/charities-non-profits/annual-electronic-filing-requirement-for-small-exempt-organizations-form-990-n-e-postcard. We note that the IRS data does not provide information on whether a small exempt organization is independently owned and operated or dominant in its field.
14 See Exempt Organizations Business Master File Extract (EO BMF), "CSV Files by Region," https://www.irs.gov/charities-non-profits/exempt-organizations-business-master-file-extract-eo-bmf. The IRS Exempt Organization Business Master File (EO BMF) Extract provides information on all registered tax-exempt/non-profit organizations. The data utilized for purposes of this description was extracted from the IRS EO BMF data for businesses for the tax year 2020 with revenue less than or equal to $50,000, for Region 1-Northeast Area (58,577), Region 2-Mid-Atlantic and Great Lakes Areas (175,272), and Region 3-Gulf Coast and Pacific Coast Areas (213,840) which includes the continental U.S., Alaska, and Hawaii. This data does not include information for Puerto Rico.
15 See 5 U.S.C. § 601(5).
16 See 13 U.S.C. § 161. The Census of Governments survey is conducted every five (5) years compiling data for years ending with “2” and “7”. See also Census of Governments, https://www.census.gov/programs-surveys/cog/about.html.
17 See U.S. Census Bureau, 2017 Census of Governments – Organization Table 2. Local Governments by Type and State: 2017 [CG1700ORG02], https://www.census.gov/data/tables/2017/econ/gus/2017-governments.html. Local governmental jurisdictions are made up of general purpose governments (county, municipal and town or township) and special purpose governments (special districts and independent school districts). See also tbl.2. CG1700ORG02 Table Notes_Local Governments by Type and State_2017.
18 See id. at tbl.5. County Governments by Population-Size Group and State: 2017 [CG1700ORG05], https://www.census.gov/data/tables/2017/econ/gus/2017-governments.html. There were 2,105 county governments with populations less than 50,000. This category does not include subcounty (municipal and township) governments.
19 See id. at tbl.6. Subcounty General-Purpose Governments by Population-Size Group and State: 2017 [CG1700ORG06], https://www.census.gov/data/tables/2017/econ/gus/2017-governments.html. There were 18,729 municipal and 16,097 town and township governments with populations less than 50,000.
20 See id. at tbl.10. Elementary and Secondary School Systems by Enrollment-Size Group and State: 2017 [CG1700ORG10], https://www.census.gov/data/tables/2017/econ/gus/2017-governments.html. There were 12,040 independent school districts with enrollment populations less than 50,000. See also tbl.4. Special-Purpose Local Governments by State Census Years 1942 to 2017 [CG1700ORG04], CG1700ORG04 Table Notes_Special Purpose Local Governments by State_Census Years 1942 to 2017.
21 While the special purpose governments category also includes local special district governments, the 2017 Census of Governments data does not provide data aggregated based on population size for the special purpose governments category. Therefore, only data from independent school districts is included in the special purpose governments category.
22 This total is derived from the sum of the number of general purpose governments (county, municipal and town or township) with populations of less than 50,000 (36,931) and the number of special purpose governments - independent school districts with enrollment populations of less than 50,000 (12,040), from the 2017 Census of Governments - Organizations tbls.5, 6 & 10.

9. Wireless Telecommunications Carriers (except Satellite). This industry comprises establishments engaged in operating and maintaining switching and transmission facilities to provide communications via the airwaves.23 Establishments in this industry have spectrum licenses and provide services using that spectrum, such as cellular services, paging services, wireless internet access, and wireless video services.24 The SBA size standard for this industry classifies a business as small if it has 1,500 or fewer employees.25 U.S. Census Bureau data for 2017 show that there were 2,893 firms in this industry that operated for the entire year.26 Of that number, 2,837 firms employed fewer than 250 employees.27 Additionally, based on Commission data in the 2021 Universal Service Monitoring Report, as of December 31, 2020, there were 797 providers that reported they were engaged in the provision of wireless services.28 Of these providers, the Commission estimates that 715 providers have 1,500 or fewer employees.29 Consequently, using the SBA’s small business size standard, most of these providers can be considered small entities.

10. Broadband Personal Communications Service. The broadband personal communications services (PCS) spectrum encompasses services in the 1850-1910 and 1930-1990 MHz bands.30 The closest industry with a SBA small business size standard applicable to these services is Wireless Telecommunications Carriers (except Satellite).31 The SBA small business size standard for this industry classifies a business as small if it has 1,500 or fewer employees.32 U.S. Census Bureau data for 2017 show that there were 2,893 firms that operated in this industry for the entire year.33 Of this number, 2,837 firms employed fewer than 250 employees.34 Thus under the SBA size standard, the Commission estimates that a majority of licensees in this industry can be considered small.

23 See U.S. Census Bureau, 2017 NAICS Definition, “517312 Wireless Telecommunications Carriers (except Satellite),” https://www.census.gov/naics/?input=517312&year=2017&details=517312.
24 Id.
25 See 13 CFR § 121.201, NAICS Code 517312.
26 See U.S. Census Bureau, 2017 Economic Census of the United States, Employment Size of Firms for the U.S.: 2017, Table ID: EC1700SIZEEMPFIRM, NAICS Code 517312, https://data.census.gov/cedsci/table?y=2017&n=517312&tid=ECNSIZE2017.EC1700SIZEEMPFIRM&hidePreview=false.
27 Id. The available U.S. Census Bureau data does not provide a more precise estimate of the number of firms that meet the SBA size standard.
28 Federal-State Joint Board on Universal Service, Universal Service Monitoring Report at 26, Table 1.12 (2021), https://docs.fcc.gov/public/attachments/DOC-379181A1.pdf.
29 Id.
30 See 47 CFR § 24.200.
31 See U.S. Census Bureau, 2017 NAICS Definition, “517312 Wireless Telecommunications Carriers (except Satellite),” https://www.census.gov/naics/?input=517312&year=2017&details=517312.

11. Based on Commission data as of November 2021, there were approximately 5,060 active licenses in the Broadband PCS service.35 The Commission’s small business size standards with respect to Broadband PCS involve eligibility for bidding credits and installment payments in the auction of licenses for these services.
In auctions for these licenses, the Commission defined “small business” as an entity that, together with its affiliates and controlling interests, has average gross revenues not exceeding $40 million for the preceding three years, and a “very small business” as an entity that, together with its affiliates and controlling interests, has had average annual gross revenues not exceeding $15 million for the preceding three years.36 Winning bidders claiming small business credits won Broadband PCS licenses in C, D, E, and F Blocks.37

12. In frequency bands where licenses were subject to auction, the Commission notes that as a general matter, the number of winning bidders that qualify as small businesses at the close of an auction does not necessarily represent the number of small businesses currently in service. Further, the Commission does not generally track subsequent business size unless, in the context of assignments or transfers, unjust enrichment issues are implicated. Additionally, since the Commission does not collect data on the number of employees for licensees providing these services, at this time we are not able to estimate the number of licensees with active licenses that would qualify as small under the SBA’s small business size standard.

13. Narrowband Personal Communications Services. Narrowband Personal Communications Services (Narrowband PCS) are PCS services operating in the 901-902 MHz, 930-931 MHz, and 940-941 MHz bands.38 PCS services are radio communications that encompass mobile and ancillary fixed communication that provide services to individuals and businesses and can be integrated with a variety of competing networks.39 Wireless Telecommunications Carriers (except Satellite)40 is the closest industry with a SBA small business size standard applicable to these services. The SBA small business size standard for this industry classifies a business as small if it has 1,500 or fewer employees.41 U.S. Census Bureau data for 2017 show that there were 2,893 firms that operated in this industry for the entire year.42 Of this number, 2,837 firms employed fewer than 250 employees.43 Thus under the SBA size standard, the Commission estimates that a majority of licensees in this industry can be considered small.

32 See 13 CFR § 121.201, NAICS Code 517312.
33 See U.S. Census Bureau, 2017 Economic Census of the United States, Employment Size of Firms for the U.S.: 2017, Table ID: EC1700SIZEEMPFIRM, NAICS Code 517312, https://data.census.gov/cedsci/table?y=2017&n=517312&tid=ECNSIZE2017.EC1700SIZEEMPFIRM&hidePreview=false.
34 Id. The available U.S. Census Bureau data does not provide a more precise estimate of the number of firms that meet the SBA size standard.
35 Based on a FCC Universal Licensing System search on November 16, 2021, https://wireless2.fcc.gov/UlsApp/UlsSearch/searchAdvanced.jsp. Search parameters: Service Group = All, “Match only the following radio service(s)”, Radio Service = CW; Authorization Type = All; Status = Active. We note that the number of active licenses does not equate to the number of licensees. A licensee can have one or more licenses.
36 See 47 CFR § 24.720(b).
37 See Federal Communications Commission, Office of Economics and Analytics, Auctions, Auctions 4, 5, 10, 11, 22, 35, 58, 71 and 78, https://www.fcc.gov/auctions.
38 See 47 CFR § 24.5.
39 Id.
40 See U.S. Census Bureau, 2017 NAICS Definition, “517312 Wireless Telecommunications Carriers (except Satellite),” https://www.census.gov/naics/?input=517312&year=2017&details=517312.

14. According to Commission data as of December 2021, there were approximately 4,211 active Narrowband PCS licenses.44 The Commission’s small business size standards with respect to Narrowband PCS involve eligibility for bidding credits and installment payments in the auction of licenses for these services.
For the auction of these licenses, the Commission defined a “small business” as an entity that, together with affiliates and controlling interests, has average gross revenues for the three preceding years of not more than $40 million.45 A “very small business” is defined as an entity that, together with affiliates and controlling interests, has average gross revenues for the three preceding years of not more than $15 million.46 Pursuant to these definitions, 7 winning bidders claiming small and very small bidding credits won approximately 359 licenses.47 One of the winning bidders claiming a small business status classification in these Narrowband PCS license auctions had an active license as of December 2021.48

15. In frequency bands where licenses were subject to auction, the Commission notes that as a general matter, the number of winning bidders that qualify as small businesses at the close of an auction does not necessarily represent the number of small businesses currently in service. Further, the Commission does not generally track subsequent business size unless, in the context of assignments or transfers, unjust enrichment issues are implicated. Additionally, since the Commission does not collect data on the number of employees for licensees providing these services, at this time we are not able to estimate the number of licensees with active licenses that would qualify as small under the SBA’s small business size standard.

41 See 13 CFR § 121.201, NAICS Code 517312.
42 See U.S. Census Bureau, 2017 Economic Census of the United States, Employment Size of Firms for the U.S.: 2017, Table ID: EC1700SIZEEMPFIRM, NAICS Code 517312, https://data.census.gov/cedsci/table?y=2017&n=517312&tid=ECNSIZE2017.EC1700SIZEEMPFIRM&hidePreview=false.
43 Id. The available U.S. Census Bureau data does not provide a more precise estimate of the number of firms that meet the SBA size standard.
44 Based on a FCC Universal Licensing System search on December 10, 2021, https://wireless2.fcc.gov/UlsApp/UlsSearch/searchAdvanced.jsp. Search parameters: Service Group = All, “Match only the following radio service(s)”, Radio Service = CN; Authorization Type = All; Status = Active. We note that the number of active licenses does not equate to the number of licensees. A licensee can have one or more licenses.
45 See 47 CFR § 24.321(a)(1)-(2).
46 Id.
47 See Federal Communications Commission, Economics and Analytics, Auctions, Auction 41: Narrowband PCS, Summary, Closing Charts, License By Bidder, https://www.fcc.gov/sites/default/files/wireless/auctions/41/charts/41cls2.pdf; Auction 50: Narrowband PCS, Summary, Closing Charts, License By Bidder, https://www.fcc.gov/sites/default/files/wireless/auctions/50/charts/50cls2.pdf.
48 Based on a FCC Universal Licensing System search on December 10, 2021, https://wireless2.fcc.gov/UlsApp/UlsSearch/searchAdvanced.jsp. Search parameters: Service Group = All, “Match only the following radio service(s)”, Radio Service = CN; Authorization Type = All; Status = Active. We note that the number of active licenses does not equate to the number of licensees. A licensee can have one or more licenses.

16. Wireless Communications Services. Wireless Communications Services (WCS) can be used for a variety of fixed, mobile, radiolocation, and digital audio broadcasting satellite services. Wireless spectrum is made available and licensed for the provision of wireless communications services in several frequency bands subject to Part 27 of the Commission’s rules.49 Wireless Telecommunications Carriers (except Satellite)50 is the closest industry with a SBA small business size standard applicable to these services. The SBA small business size standard for this industry classifies a business as small if it has 1,500 or fewer employees.51 U.S.
Census Bureau data for 2017 show that there were 2,893 firms that operated in this industry for the entire year.52 Of this number, 2,837 firms employed fewer than 250 employees.53 Thus under the SBA size standard, the Commission estimates that a majority of licensees in this industry can be considered small.

17. The Commission’s small business size standards with respect to WCS involve eligibility for bidding credits and installment payments in the auction of licenses for the various frequency bands included in WCS. When bidding credits are adopted for the auction of licenses in WCS frequency bands, such credits may be available to several types of small businesses based on average gross revenues (small, very small and entrepreneur) pursuant to the competitive bidding rules adopted in conjunction with the requirements for the auction and/or as identified in the designated entities section in Part 27 of the Commission’s rules for the specific WCS frequency bands.54

18. In frequency bands where licenses were subject to auction, the Commission notes that as a general matter, the number of winning bidders that qualify as small businesses at the close of an auction does not necessarily represent the number of small businesses currently in service. Further, the Commission does not generally track subsequent business size unless, in the context of assignments or transfers, unjust enrichment issues are implicated. Additionally, since the Commission does not collect data on the number of employees for licensees providing these services, at this time we are not able to estimate the number of licensees with active licenses that would qualify as small under the SBA’s small business size standard.

19. 700 MHz Guard Band Licensees. The 700 MHz Guard Band encompasses spectrum in 746-747/776-777 MHz and 762-764/792-794 MHz frequency bands.
Wireless Telecommunications Carriers (except Satellite)55 is the closest industry with a SBA small business size standard applicable to licenses providing services in these bands. The SBA small business size standard for this industry classifies a business as small if it has 1,500 or fewer employees.56 U.S. Census Bureau data for 2017 show that there were 2,893 firms that operated in this industry for the entire year.57 Of this number, 2,837 firms employed fewer than 250 employees.58 Thus under the SBA size standard, the Commission estimates that a majority of licensees in this industry can be considered small.

49 See 47 CFR §§ 27.1 – 27.1607.
50 See U.S. Census Bureau, 2017 NAICS Definition, “517312 Wireless Telecommunications Carriers (except Satellite),” https://www.census.gov/naics/?input=517312&year=2017&details=517312.
51 See 13 CFR § 121.201, NAICS Code 517312.
52 See U.S. Census Bureau, 2017 Economic Census of the United States, Employment Size of Firms for the U.S.: 2017, Table ID: EC1700SIZEEMPFIRM, NAICS Code 517312, https://data.census.gov/cedsci/table?y=2017&n=517312&tid=ECNSIZE2017.EC1700SIZEEMPFIRM&hidePreview=false.
53 Id. The available U.S. Census Bureau data does not provide a more precise estimate of the number of firms that meet the SBA size standard.
54 See 47 CFR §§ 27.201 – 27.1601. The Designated entities sections in Subparts D – Q each contain the small business size standards adopted for the auction of the frequency band covered by that subpart.
55 See U.S. Census Bureau, 2017 NAICS Definition, “517312 Wireless Telecommunications Carriers (except Satellite),” https://www.census.gov/naics/?input=517312&year=2017&details=517312.
56 See 13 CFR § 121.201, NAICS Code 517312.

20. According to Commission data as of December 2021, there were approximately 224 active 700 MHz Guard Band licenses.59 The Commission’s small business size standards with respect to 700 MHz Guard Band licensees involve eligibility for bidding credits and installment payments in the auction of licenses. For the auction of these licenses, the Commission defined a “small business” as an entity that, together with its affiliates and controlling principals, has average gross revenues not exceeding $40 million for the preceding three years, and a “very small business” as an entity that, together with its affiliates and controlling principals, has average gross revenues that are not more than $15 million for the preceding three years.60 Pursuant to these definitions, five winning bidders claiming one of the small business status classifications won 26 licenses, and one winning bidder claiming small business won two licenses.61 None of the winning bidders claiming a small business status classification in these 700 MHz Guard Band license auctions had an active license as of December 2021.62

21. In frequency bands where licenses were subject to auction, the Commission notes that as a general matter, the number of winning bidders that qualify as small businesses at the close of an auction does not necessarily represent the number of small businesses currently in service. Further, the Commission does not generally track subsequent business size unless, in the context of assignments or transfers, unjust enrichment issues are implicated. Additionally, since the Commission does not collect data on the number of employees for licensees providing these services, at this time we are not able to estimate the number of licensees with active licenses that would qualify as small under the SBA’s small business size standard.

22. Lower 700 MHz Band Licenses. The lower 700 MHz band encompasses spectrum in the 698-746 MHz frequency bands.
Permissible operations in these bands include flexible fixed, mobile, and broadcast uses, including mobile and other digital new broadcast operation; fixed and mobile wireless commercial services (including FDD- and TDD-based services); as well as fixed and mobile wireless uses for private, internal radio needs, two-way interactive, cellular, and mobile television broadcasting services.63 Wireless Telecommunications Carriers (except Satellite)64 is the closest industry with a SBA small business size standard applicable to licenses providing services in these bands. The SBA small business size standard for this industry classifies a business as small if it has 1,500 or fewer employees.65 U.S. Census Bureau data for 2017 show that there were 2,893 firms that operated in this industry for the entire year.66 Of this number, 2,837 firms employed fewer than 250 employees.67 Thus under the SBA size standard, the Commission estimates that a majority of licensees in this industry can be considered small.

57 See U.S. Census Bureau, 2017 Economic Census of the United States, Employment Size of Firms for the U.S.: 2017, Table ID: EC1700SIZEEMPFIRM, NAICS Code 517312, https://data.census.gov/cedsci/table?y=2017&n=517312&tid=ECNSIZE2017.EC1700SIZEEMPFIRM&hidePreview=false.
58 Id. The available U.S. Census Bureau data does not provide a more precise estimate of the number of firms that meet the SBA size standard.
59 Based on a FCC Universal Licensing System search on December 14, 2021, https://wireless2.fcc.gov/UlsApp/UlsSearch/searchAdvanced.jsp. Search parameters: Service Group = All, “Match only the following radio service(s)”, Radio Service = WX; Authorization Type = All; Status = Active. We note that the number of active licenses does not equate to the number of licensees. A licensee can have one or more licenses.
60 See 47 CFR § 27.502(a).
61 See Federal Communications Commission, Economics and Analytics, Auctions, Auction 33: Upper 700 MHz Guard Bands, Summary, Closing Charts, Licenses by Bidder, https://www.fcc.gov/sites/default/files/wireless/auctions/33/charts/33cls2.pdf, Auction 38: Upper 700 MHz Guard Bands, Summary, Closing Charts, Licenses by Bidder, https://www.fcc.gov/sites/default/files/wireless/auctions/38/charts/38cls2.pdf.
62 Based on a FCC Universal Licensing System search on December 14, 2021, https://wireless2.fcc.gov/UlsApp/UlsSearch/searchAdvanced.jsp. Search parameters: Service Group = All, “Match only the following radio service(s)”, Radio Service = WX; Authorization Type = All; Status = Active. We note that the number of active licenses does not equate to the number of licensees. A licensee can have one or more licenses.

23. According to Commission data as of December 2021, there were approximately 2,824 active Lower 700 MHz Band licenses.68 The Commission’s small business size standards with respect to Lower 700 MHz Band licensees involve eligibility for bidding credits and installment payments in the auction of licenses. For auctions of Lower 700 MHz Band licenses the Commission adopted criteria for three groups of small businesses.
A very small business was defined as an entity that, together with its affiliates and controlling interests, has average annual gross revenues not exceeding $15 million for the preceding three years, a small business was defined as an entity that, together with its affiliates and controlling interests, has average gross revenues not exceeding $40 million for the preceding three years, and an entrepreneur was defined as an entity that, together with its affiliates and controlling interests, has average gross revenues not exceeding $3 million for the preceding three years.69 In auctions for Lower 700 MHz Band licenses seventy-two winning bidders claiming a small business classification won 329 licenses,70 twenty-six winning bidders claiming a small business classification won 214 licenses,71 and three winning bidders claiming a small business classification won all five auctioned licenses.72

63 See Federal Communications Commission, Economics and Analytics, Auctions, Auctions 44, 49, 60: Lower 700 MHz Band, Fact Sheet, Permissible Operations, https://www.fcc.gov/auction/44/factsheet, https://www.fcc.gov/auction/49/factsheet, https://www.fcc.gov/auction/60/factsheet.
64 See U.S. Census Bureau, 2017 NAICS Definition, “517312 Wireless Telecommunications Carriers (except Satellite),” https://www.census.gov/naics/?input=517312&year=2017&details=517312.
65 See 13 CFR § 121.201, NAICS Code 517312.
66 See U.S. Census Bureau, 2017 Economic Census of the United States, Employment Size of Firms for the U.S.: 2017, Table ID: EC1700SIZEEMPFIRM, NAICS Code 517312, https://data.census.gov/cedsci/table?y=2017&n=517312&tid=ECNSIZE2017.EC1700SIZEEMPFIRM&hidePreview=false.
67 Id. The available U.S. Census Bureau data does not provide a more precise estimate of the number of firms that meet the SBA size standard.
68 Based on a FCC Universal Licensing System search on December 14, 2021, https://wireless2.fcc.gov/UlsApp/UlsSearch/searchAdvanced.jsp. Search parameters: Service Group = All, “Match only the following radio service(s)”, Radio Service = WY, WZ; Authorization Type = All; Status = Active. We note that the number of active licenses does not equate to the number of licensees. A licensee can have one or more licenses.
69 See 47 CFR § 27.702(a)(1)-(3).
70 See Federal Communications Commission, Economics and Analytics, Auctions, Auction 44: Lower 700 MHz Guard Bands, Summary, Closing Charts, Licenses by Bidder, https://www.fcc.gov/sites/default/files/wireless/auctions/44/charts/44cls2.pdf.
71 See Federal Communications Commission, Economics and Analytics, Auctions, Auction 49: Lower 700 MHz Guard Bands, Summary, Closing Charts, Licenses by Bidder, https://www.fcc.gov/sites/default/files/wireless/auctions/49/charts/49cls2.pdf.
72 See Federal Communications Commission, Economics and Analytics, Auctions, Auction 60: Lower 700 MHz Guard Bands, Summary, Closing Charts, Licenses by Bidder, https://www.fcc.gov/sites/default/files/wireless/auctions/60/charts/60cls2.pdf.

24. In frequency bands where licenses were subject to auction, the Commission notes that as a general matter, the number of winning bidders that qualify as small businesses at the close of an auction does not necessarily represent the number of small businesses currently in service. Further, the Commission does not generally track subsequent business size unless, in the context of assignments or transfers, unjust enrichment issues are implicated. Additionally, since the Commission does not collect data on the number of employees for licensees providing these services, at this time we are not able to estimate the number of licensees with active licenses that would qualify as small under the SBA’s small business size standard.

25. Upper 700 MHz Band Licenses. The upper 700 MHz band encompasses spectrum in the 746-806 MHz bands.
Upper 700 MHz D Block licenses are nationwide licenses associated with the 758-763 MHz and 788-793 MHz bands.73 Permissible operations in these bands include flexible fixed, mobile, and broadcast uses, including mobile and other digital new broadcast operation; fixed and mobile wireless commercial services (including FDD- and TDD-based services); as well as fixed and mobile wireless uses for private, internal radio needs, two-way interactive, cellular, and mobile television broadcasting services.74 Wireless Telecommunications Carriers (except Satellite)75 is the closest industry with a SBA small business size standard applicable to licenses providing services in these bands. The SBA small business size standard for this industry classifies a business as small if it has 1,500 or fewer employees.76 U.S. Census Bureau data for 2017 show that there were 2,893 firms that operated in this industry for the entire year.77 Of that number, 2,837 firms employed fewer than 250 employees.78 Thus, under the SBA size standard, the Commission estimates that a majority of licensees in this industry can be considered small.

26. According to Commission data as of December 2021, there were approximately 152 active Upper 700 MHz Band licenses.79 The Commission’s small business size standards with respect to Upper 700 MHz Band licensees involve eligibility for bidding credits and installment payments in the auction of licenses. For the auction of these licenses, the Commission defined a “small business” as an entity that, together with its affiliates and controlling principals, has average gross revenues not exceeding $40 million for the preceding three years, and a “very small business” as an entity that, together with its affiliates and controlling principals, has average gross revenues that are not more than $15 million for the preceding three years.80 Pursuant to these definitions, three winning bidders claiming very small business status won five of the twelve available licenses.81

73 See 47 CFR § 27.4.
74 See Federal Communications Commission, Economics and Analytics, Auctions, Auction 73: 700 MHz Band, Fact Sheet, Permissible Operations, https://www.fcc.gov/auction/73/factsheet. We note that in Auction 73, Upper 700 MHz Band C and D Blocks as well as Lower 700 MHz Band A, B, and E Blocks were auctioned.
75 See U.S. Census Bureau, 2017 NAICS Definition, “517312 Wireless Telecommunications Carriers (except Satellite),” https://www.census.gov/naics/?input=517312&year=2017&details=517312.
76 See 13 CFR § 121.201, NAICS Code 517312.
77 See U.S. Census Bureau, 2017 Economic Census of the United States, Employment Size of Firms for the U.S.: 2017, Table ID: EC1700SIZEEMPFIRM, NAICS Code 517312, https://data.census.gov/cedsci/table?y=2017&n=517312&tid=ECNSIZE2017.EC1700SIZEEMPFIRM&hidePreview=false.
78 Id. The available U.S. Census Bureau data does not provide a more precise estimate of the number of firms that meet the SBA size standard.
79 Based on a FCC Universal Licensing System search on December 14, 2021, https://wireless2.fcc.gov/UlsApp/UlsSearch/searchAdvanced.jsp. Search parameters: Service Group = All, “Match only the following radio service(s)”, Radio Service = WP, WU; Authorization Type = All; Status = Active. We note that the number of active licenses does not equate to the number of licensees. A licensee can have one or more licenses.

27. In frequency bands where licenses were subject to auction, the Commission notes that as a general matter, the number of winning bidders that qualify as small businesses at the close of an auction does not necessarily represent the number of small businesses currently in service.
Further, the Commission does not generally track subsequent business size unless, in the context of assignments or transfers, unjust enrichment issues are implicated. Additionally, since the Commission does not collect data on the number of employees for licensees providing these services, at this time we are not able to estimate the number of licensees with active licenses that would qualify as small under the SBA’s small business size standard.

28. Advanced Wireless Services (AWS) - (1710–1755 MHz and 2110–2155 MHz bands (AWS-1); 1915–1920 MHz, 1995–2000 MHz, 2020–2025 MHz and 2175–2180 MHz bands (AWS-2); 2155–2175 MHz band (AWS-3); 2000-2020 MHz and 2180-2200 MHz (AWS-4)). Spectrum is made available and licensed in these bands for the provision of various wireless communications services.82 Wireless Telecommunications Carriers (except Satellite)83 is the closest industry with a SBA small business size standard applicable to these services. The SBA small business size standard for this industry classifies a business as small if it has 1,500 or fewer employees.84 U.S. Census Bureau data for 2017 show that there were 2,893 firms that operated in this industry for the entire year.85 Of this number, 2,837 firms employed fewer than 250 employees.86 Thus, under the SBA size standard, the Commission estimates that a majority of licensees in this industry can be considered small.

29. According to Commission data as of December 2021, there were approximately 4,472 active AWS licenses.87 The Commission’s small business size standards with respect to AWS involve eligibility for bidding credits and installment payments in the auction of licenses for these services.
For the auction of AWS licenses, the Commission defined a “small business” as an entity with average annual gross revenues for the preceding three years not exceeding $40 million, and a “very small business” as an entity with average annual gross revenues for the preceding three years not exceeding $15 million.88

80 See 47 CFR § 27.502(a).
81 See Auction of 700 MHz Band Licenses Closes; Winning Bidders Announced for Auction 73, Public Notice, DA-08-595, Attachment A, Report No. AUC-08-73-I (Auction 73) (March 20, 2008). The results for Upper 700 MHz Band C Block can be found on pp. 62-63.
82 See 47 CFR § 27.1(b).
83 See U.S. Census Bureau, 2017 NAICS Definition, “517312 Wireless Telecommunications Carriers (except Satellite),” https://www.census.gov/naics/?input=517312&year=2017&details=517312.
84 See 13 CFR § 121.201, NAICS Code 517312.
85 See U.S. Census Bureau, 2017 Economic Census of the United States, Employment Size of Firms for the U.S.: 2017, Table ID: EC1700SIZEEMPFIRM, NAICS Code 517312, https://data.census.gov/cedsci/table?y=2017&n=517312&tid=ECNSIZE2017.EC1700SIZEEMPFIRM&hidePreview=false.
86 Id. The available U.S. Census Bureau data does not provide a more precise estimate of the number of firms that meet the SBA size standard.
87 Based on a FCC Universal Licensing System search on December 10, 2021, https://wireless2.fcc.gov/UlsApp/UlsSearch/searchAdvanced.jsp. Search parameters: Service Group = All, “Match only the following radio service(s)”, Radio Service = AD, AH, AT, AW; Authorization Type = All; Status = Active. We note that the number of active licenses does not equate to the number of licensees. A licensee can have one or more licenses.
88 See 47 CFR §§ 27.1002, 27.1102, 27.1104, 27.1106.
Pursuant to these definitions, 57 winning bidders claiming status as small or very small businesses won 215 of 1,087 licenses.89 In the most recent auction of AWS licenses 15 of 37 bidders qualifying for status as small or very small businesses won licenses.90

30. In frequency bands where licenses were subject to auction, the Commission notes that as a general matter, the number of winning bidders that qualify as small businesses at the close of an auction does not necessarily represent the number of small businesses currently in service. Further, the Commission does not generally track subsequent business size unless, in the context of assignments or transfers, unjust enrichment issues are implicated. Additionally, since the Commission does not collect data on the number of employees for licensees providing these services, at this time we are not able to estimate the number of licensees with active licenses that would qualify as small under the SBA’s small business size standard.

31. Broadband Radio Service and Educational Broadband Service. Broadband Radio Service systems, previously referred to as Multipoint Distribution Service (MDS) and Multichannel Multipoint Distribution Service (MMDS) systems, and “wireless cable,”91 transmit video programming to subscribers and provide two-way high speed data operations using the microwave frequencies of the Broadband Radio Service (BRS) and Educational Broadband Service (EBS) (previously referred to as the Instructional Television Fixed Service (ITFS)).92 Wireless cable operators that use spectrum in the BRS, often supplemented with leased channels from the EBS, provide a competitive alternative to wired cable and other multichannel video programming distributors. Wireless cable programming to subscribers resembles cable television, but instead of coaxial cable, wireless cable uses microwave channels.93

32. In light of the use of wireless frequencies by BRS and EBS services, the closest industry with a SBA small business size standard applicable to these services is Wireless Telecommunications Carriers (except Satellite).94 The SBA small business size standard for this industry classifies a business as small if it has 1,500 or fewer employees.95 U.S. Census Bureau data for 2017 show that there were 2,893 firms that operated in this industry for the entire year.96 Of this number, 2,837 firms employed fewer than 250 employees.97 Thus under the SBA size standard, the Commission estimates that a majority of licensees in this industry can be considered small.

89 See Federal Communications Commission, Economics and Analytics, Auctions, Auction 66: Advanced Wireless Services (AWS-1), Summary, Spreadsheets, https://www.fcc.gov/sites/default/files/wireless/auctions/66/charts/66cls2.pdf.
90 See Auction of Advanced Wireless Services (AWS-3) Licenses Closes; Winning Bidders Announced for Auction 97, Public Notice, DA-15-131, Attachments A-B, (Auction No. 97) (January 30, 2015).
91 The use of the term "wireless cable" does not imply that it constitutes cable television for statutory or regulatory purposes.
92 See 47 CFR § 27.4; see also Amendment of Parts 21 and 74 of the Commission’s Rules with Regard to Filing Procedures in the Multipoint Distribution Service and in the Instructional Television Fixed Service and Implementation of Section 309(j) of the Communications Act—Competitive Bidding, Report and Order, 10 FCC Rcd 9589, 9593, para. 7 (1995).
93 Generally, a wireless cable system may be described as a microwave station transmitting on a combination of BRS and EBS channels to numerous receivers with antennas, such as single-family residences, apartment complexes, hotels, educational institutions, business entities and governmental offices. The range of the transmission depends upon the transmitter power, the type of receiving antenna and the existence of a line-of-sight path between the transmitter or signal booster and the receiving antenna.
94 See U.S. Census Bureau, 2017 NAICS Definition, “517312 Wireless Telecommunications Carriers (except Satellite),” https://www.census.gov/naics/?input=517312&year=2017&details=517312.
95 See 13 CFR § 121.201, NAICS Code 517312.
96 See U.S. Census Bureau, 2017 Economic Census of the United States, Employment Size of Firms for the U.S.: 2017, Table ID: EC1700SIZEEMPFIRM, NAICS Code 517312, https://data.census.gov/cedsci/table?y=2017&n=517312&tid=ECNSIZE2017.EC1700SIZEEMPFIRM&hidePreview=false.

33. According to Commission data as of December 2021, there were approximately 5,869 active BRS and EBS licenses.98 The Commission’s small business size standards with respect to BRS involve eligibility for bidding credits and installment payments in the auction of licenses for these services. For the auction of BRS licenses, the Commission adopted criteria for three groups of small businesses. A very small business is an entity that, together with its affiliates and controlling interests, has average annual gross revenues that exceed $3 million and did not exceed $15 million for the preceding three years, a small business is an entity that, together with its affiliates and controlling interests, has average gross revenues that exceed $15 million and did not exceed $40 million for the preceding three years, and an entrepreneur is an entity that, together with its affiliates and controlling interests, has average gross revenues not exceeding $3 million for the preceding three years.99 Of the ten winning bidders for BRS licenses, two bidders claiming the small business status won 4 licenses, one bidder claiming the very small business status won three licenses and two bidders claiming entrepreneur status won six licenses.100 One of the winning bidders claiming a small business status classification in the BRS license auction has an active license as of December 2021.101

34. The Commission’s small business size standards for EBS define a small business as an entity that, together with its affiliates, its controlling interests and the affiliates of its controlling interests, has average gross revenues that are not more than $55 million for the preceding five (5) years, and a very small business is an entity that, together with its affiliates, its controlling interests and the affiliates of its controlling interests, has average gross revenues that are not more than $20 million for the preceding five (5) years.102 In frequency bands where licenses were subject to auction, the Commission notes that as a general matter, the number of winning bidders that qualify as small businesses at the close of an auction does not necessarily represent the number of small businesses currently in service. Further, the Commission does not generally track subsequent business size unless, in the context of assignments or transfers, unjust enrichment issues are implicated. Additionally, since the Commission does not collect data on the number of employees for licensees providing these services, at this time we are not able to estimate the number of licensees with active licenses that would qualify as small under the SBA’s small business size standard.

97 Id. The available U.S. Census Bureau data does not provide a more precise estimate of the number of firms that meet the SBA size standard.
98 Based on a FCC Universal Licensing System search on December 10, 2021, https://wireless2.fcc.gov/UlsApp/UlsSearch/searchAdvanced.jsp. Search parameters: Service Group = All, “Match only the following radio service(s)”, Radio Service = BR, ED; Authorization Type = All; Status = Active. We note that the number of active licenses does not equate to the number of licensees. A licensee can have one or more licenses.
99 See 47 CFR § 27.1218(a).
100 See Federal Communications Commission, Economics and Analytics, Auctions, Auction 86: Broadband Radio Service, Summary, Reports, All Bidders, https://www.fcc.gov/sites/default/files/wireless/auctions/86/charts/86bidder.xls.
101 Based on a FCC Universal Licensing System search on December 10, 2021, https://wireless2.fcc.gov/UlsApp/UlsSearch/searchAdvanced.jsp. Search parameters: Service Group = All, “Match only the following radio service(s)”, Radio Service =BR; Authorization Type = All; Status = Active. We note that the number of active licenses does not equate to the number of licensees. A licensee can have one or more licenses.
102 See 47 CFR § 27.1219(a).

35. The Educational Broadcasting Services. Cable-based educational broadcasting services fall under the broad category of the Wired Telecommunications Carriers industry.103 The Wired Telecommunications Carriers industry comprises establishments primarily engaged in operating and/or providing access to transmission facilities and infrastructure that they own and/or lease for the transmission of voice, data, text, sound, and video using wired telecommunications networks.104 Transmission facilities may be based on a single technology or a combination of technologies.105 Establishments in this industry use the wired telecommunications network facilities that they operate to provide a variety of services, such as wired telephony services, including VoIP services; wired (cable) audio and video programming distribution; and wired broadband Internet services.”106
36. The SBA small business size standard for this industry classifies businesses having 1,500 or fewer employees as small.107 U.S.
Census Bureau data for 2017 show that there were 3,054 firms in this industry that operated for the entire year.108 Of this total, 2,964 firms operated with fewer than 250 employees.109 Thus, under this size standard, the majority of firms in this industry can be considered small. Additionally, according to Commission data as of December 2021, there were 4,477 active EBS licenses.110 The Commission estimates that the majority of these licenses are held by non-profit educational institutions and school districts and are likely small entities.
37. Radio and Television Broadcasting and Wireless Communications Equipment Manufacturing. This industry comprises establishments primarily engaged in manufacturing radio and television broadcast and wireless communications equipment.111 Examples of products made by these establishments are: transmitting and receiving antennas, cable television equipment, GPS equipment, pagers, cellular phones, mobile communications equipment, and radio and television studio and broadcasting equipment.112 The SBA small business size standard for this industry classifies businesses having 1,250 employees or less as small.113 U.S. Census Bureau data for 2017 show that there were 656 firms in this industry that operated for the entire year.114 Of this number, 624 firms had fewer than 250 employees.115 Thus, under the SBA size standard, the majority of firms in this industry can be considered small.

103 See U.S. Census Bureau, 2017 NAICS Definition, “517311 Wired Telecommunications Carriers,” https://www.census.gov/naics/?input=517311&year=2017&details=517311. Examples of this category are: broadband Internet service providers (e.g., cable, DSL); local telephone carriers (wired); cable television distribution services; long-distance telephone carriers (wired); closed circuit television (CCTV) services; VoIP service providers, using owner operated wired telecommunications infrastructure; direct-to-home satellite system (DTH) services; telecommunications carriers (wired); satellite television distribution systems; and multichannel multipoint distribution services (MMDS).
104 Id.
105 Id.
106 Id.
107 See 13 CFR § 121.201, NAICS Code 517311.
108 See U.S. Census Bureau, 2017 Economic Census of the United States, Selected Sectors: Employment Size of Firms for the U.S.: 2017, Table ID: EC1700SIZEEMPFIRM, NAICS Code 517311, https://data.census.gov/cedsci/table?y=2017&n=517311&tid=ECNSIZE2017.EC1700SIZEEMPFIRM&hidePreview=false.
109 Id. The available U.S. Census Bureau data does not provide a more precise estimate of the number of firms that meet the SBA size standard.
110 Based on a FCC Universal Licensing System search on December 17, 2021. https://wireless2.fcc.gov/UlsApp/UlsSearch/searchAdvanced.jsp. Search parameters: Service Group = All, “Match only the following radio service(s)”, Radio Service =ED; Authorization Type = All; Status = Active. We note that the number of active licenses does not equate to the number of licensees. A licensee can have one or more licenses.
111 See U.S. Census Bureau, 2017 NAICS Definition, “334220 Radio and Television Broadcasting and Wireless Communications Equipment Manufacturing,” https://www.census.gov/naics/?input=334220&year=2017&details=334220.
112 Id.

38. Software Publishers.
This industry comprises establishments primarily engaged in computer software publishing or publishing and reproduction.116 Establishments in this industry carry out operations necessary for producing and distributing computer software, such as designing, providing documentation, assisting in installation, and providing support services to software purchasers.117 These establishments may design, develop, and publish, or publish only.118 The SBA small business size standard for this industry classifies businesses having annual receipts of $41.5 million or less as small.119 U.S. Census Bureau data for 2017 indicate that 7,842 firms in this industry operated for the entire year.120 Of this number 7,226 firms had revenue of less than $25 million.121 Based on this data, we conclude that a majority of firms in this industry are small.
39. Noncommercial Educational (NCE) and Public Broadcast Stations. Noncommercial educational broadcast stations and public broadcast stations are television or radio broadcast stations which under the Commission's rules are eligible to be licensed by the Commission as a noncommercial educational radio or television broadcast station and are owned and operated by a public agency or nonprofit private foundation, corporation, or association; or are owned and operated by a municipality which transmits only noncommercial programs for education purposes.

113 See 13 CFR § 121.201, NAICS Code 334220.
114 See U.S. Census Bureau, 2017 Economic Census of the United States, Employment Size of Firms for the U.S.: 2017, Table ID: EC1700SIZEEMPFIRM, NAICS Code 334220, https://data.census.gov/cedsci/table?y=2017&n=334220&tid=ECNSIZE2017.EC1700SIZEEMPFIRM&hidePreview=false.
115 Id. The available U.S. Census Bureau data does not provide a more precise estimate of the number of firms that meet the SBA size standard.
116 See U.S. Census Bureau, 2017 NAICS Definition, “511210 Software Publishers,” https://www.census.gov/naics/?input=511210&year=2017&details=511210.
117 Id.
118 Id.
119 See 13 CFR § 121.201, NAICS Code 511210.
120 See U.S. Census Bureau, 2017 Economic Census of the United States, Selected Sectors: Sales, Value of Shipments, or Revenue Size of Firms for the U.S.: 2017, Table ID: EC1700SIZEREVFIRM, NAICS Code 511210, https://data.census.gov/cedsci/table?y=2017&n=511210&tid=ECNSIZE2017.EC1700SIZEREVFIRM&hidePreview=false.
121 Id. The available U.S. Census Bureau data does not provide a more precise estimate of the number of firms that meet the SBA size standard. We also note that according to the U.S. Census Bureau glossary, the terms receipts and revenues are used interchangeably, see https://www.census.gov/glossary/#term_ReceiptsRevenueServices.
122 See U.S. Census Bureau, 2017 NAICS Definition, “515112 Radio Stations,” https://www.census.gov/naics/?input=515112&year=2017&details=515112.
123 See U.S. Census Bureau, 2017 NAICS Definition, “515120 Television Broadcasting,” https://www.census.gov/naics/?input=515120&year=2017&details=515120.

40. The SBA small business size standards and U.S. Census Bureau data classify radio stations122 and television broadcasting123 separately and both categories may include both noncommercial and commercial stations. The SBA small business size standard for both radio stations and television broadcasting classifies firms having $41.5 million or less in annual receipts as small.124 For Radio Stations, U.S. Census Bureau data for 2017 show that 1,879 of the 2,963 firms that operated during that year had revenue of less than $25 million per year.125 For Television Broadcasting, U.S.
Census Bureau data for 2017 show that 657 of the 744 firms that operated for the entire year had revenue of less than $25,000,000.126 While the U.S. Census Bureau data does not indicate the number of non-commercial stations, we estimate that under the applicable SBA size standard the majority of noncommercial educational broadcast stations and public broadcast stations are small entities.
41. According to Commission data as of March 31, 2022, there were 4,503 licensed noncommercial educational radio and television stations.127 In addition, the Commission estimates as of March 31, 2022, there were 384 licensed noncommercial educational (NCE) television stations, 383 Class A TV stations, 1,840 LPTV stations and 3,231 TV translator stations.128 The Commission does not compile and otherwise does not have access to financial information for these stations that would permit it to determine how many stations qualify as small entities under the SBA small business size standards. However, given the nature of these services, we will presume that all noncommercial educational and public broadcast stations qualify as small entities under the above SBA small business size standards.
42. Radio Stations. This industry is comprised of “establishments primarily engaged in broadcasting aural programs by radio to the public.”129 Programming may originate in their own studio, from an affiliated network, or from external sources.130 The SBA small business size standard for this industry classifies firms having $41.5 million or less in annual receipts as small.131 U.S. Census Bureau data for 2017 show that 2,963 firms operated in this industry during that year.132 Of this number, 1,879 firms operated with revenue of less than $25 million per year.133 Based on this data and the SBA’s small business size standard, we estimate a majority of such entities are small entities.

124 See 13 CFR § 121.201, NAICS Code 515112 (Radio Stations); NAICS Code 515120 (Television Broadcasting).
125 See U.S. Census Bureau, 2017 Economic Census of the United States, Selected Sectors: Sales, Value of Shipments, or Revenue Size of Firms for the U.S.: 2017, Table ID: EC1700SIZEREVFIRM, NAICS Code 515112, https://data.census.gov/cedsci/table?y=2017&n=515112&tid=ECNSIZE2017.EC1700SIZEREVFIRM&hidePreview=false. The available U.S. Census Bureau data does not provide a more precise estimate of the number of firms that meet the SBA size standard. We note that the U.S. Census Bureau withheld publication of the number of firms that operated for the entire year. We also note that the U.S. Census Bureau withheld publication of the number of firms that operated with sales/value of shipments/revenue in the individual categories for less than $100,000, and $100,000 to $249,999 to avoid disclosing data for individual companies (see Cell Notes for the sales/value of shipments/revenue in these categories). Therefore, the number of firms with revenue that meet the SBA size standard would be higher than noted herein. We further note that according to the U.S. Census Bureau glossary, the terms receipts and revenues are used interchangeably, see https://www.census.gov/glossary/#term_ReceiptsRevenueServices.
126 See U.S. Census Bureau, 2017 Economic Census of the United States, Selected Sectors: Sales, Value of Shipments, or Revenue Size of Firms for the U.S.: 2017, Table ID: EC1700SIZEREVFIRM, NAICS Code 515120, https://data.census.gov/cedsci/table?y=2017&n=515120&tid=ECNSIZE2017.EC1700SIZEREVFIRM&hidePreview=false. The available U.S. Census Bureau data does not provide a more precise estimate of the number of firms that meet the SBA size standard. We also note that according to the U.S. Census Bureau glossary, the terms receipts and revenues are used interchangeably, see https://www.census.gov/glossary/#term_ReceiptsRevenueServices.
127 Broadcast Station Totals as of March 31, 2022, Public Notice, DA 22-365 (rel. April 5, 2022) (March 2022 Broadcast Station Totals PN), https://www.fcc.gov/document/broadcast-station-totals-march-31-2022.
128 Id.
129 See U.S. Census Bureau, 2017 NAICS Definition, “515112 Radio Stations,” https://www.census.gov/naics/?input=515112&year=2017&details=515112.
130 Id.
131 See 13 CFR § 121.201, NAICS Code 515112.

43. The Commission estimates that as of March 31, 2022, there were 4,508 licensed commercial AM radio stations and 6,763 licensed commercial FM radio stations, for a combined total of 11,271 commercial radio stations.134 Of this total, 11,269 stations (or 99.98%) had revenues of $41.5 million or less in 2021, according to Commission staff review of the BIA Kelsey Inc. Media Access Pro Database (BIA) on June 1, 2022, and therefore these licensees qualify as small entities under the SBA definition. In addition, the Commission estimates that as of March 31, 2022, there were 4,119 licensed noncommercial (NCE) FM radio stations, 2,049 low power FM (LPFM) stations, and 8,919 FM translators and boosters.135 The Commission however does not compile, and otherwise does not have access to financial information for these radio stations that would permit it to determine how many of these stations qualify as small entities under the SBA small business size standard. Nevertheless, given the SBA’s large annual receipts threshold for this industry and the nature of these radio station licensees, we presume that all of these entities qualify as small entities under the above SBA small business size standard.
44.
We note, however, that in assessing whether a business concern qualifies as “small” under the above definition, business (control) affiliations136 must be included. Our estimate, therefore, likely overstates the number of small entities that might be affected by our action, because the revenue figure on which it is based does not include or aggregate revenues from affiliated companies. In addition, another element of the definition of “small business” requires that an entity not be dominant in its field of operation. We are unable at this time to define or quantify the criteria that would establish whether a specific radio or television broadcast station is dominant in its field of operation. Accordingly, the estimate of small businesses to which the rules may apply does not exclude any radio or television station from the definition of a small business on this basis and is therefore possibly over-inclusive. An additional element of the definition of “small business” is that the entity must be independently owned and operated. Because it is difficult to assess these criteria in the context of media entities, the estimate of small businesses to which the rules may apply does not exclude any radio or television station from the definition of a small business on this basis and similarly may be over-inclusive.

132 See U.S. Census Bureau, 2017 Economic Census of the United States, Selected Sectors: Sales, Value of Shipments, or Revenue Size of Firms for the U.S.: 2017, Table ID: EC1700SIZEREVFIRM, NAICS Code 515112, https://data.census.gov/cedsci/table?y=2017&n=515112&tid=ECNSIZE2017.EC1700SIZEREVFIRM&hidePreview=false. We note that the US Census Bureau withheld publication of the number of firms that operated for the entire year.
133 Id. The available U.S. Census Bureau data does not provide a more precise estimate of the number of firms that meet the SBA size standard. We note that the U.S. Census Bureau withheld publication of the number of firms that operated with sales/value of shipments/revenue in the individual categories for less than $100,000, and $100,000 to $249,999 to avoid disclosing data for individual companies (see Cell Notes for the sales/value of shipments/revenue in these categories). Therefore, the number of firms with revenue that meet the SBA size standard would be higher than noted herein. We also note that according to the U.S. Census Bureau glossary, the terms receipts and revenues are used interchangeably, see https://www.census.gov/glossary/#term_ReceiptsRevenueServices.
134 Broadcast Station Totals as of March 31, 2022, Public Notice, DA 22-365 (rel. April 5, 2022) (March 2022 Broadcast Station Totals PN), https://www.fcc.gov/document/broadcast-station-totals-march-31-2022.
135 Id.
136 “[Business concerns] are affiliates of each other when one concern controls or has the power to control the other or a third party or parties controls or has the power to control both.” 13 CFR § 21.103(a)(1).

45. FM Translator Stations and Low-Power FM Stations. FM translators and Low Power FM Stations are classified in the industry for Radio Stations.137 The Radio Stations industry comprises establishments primarily engaged in broadcasting aural programs by radio to the public.138 Programming may originate in their own studio, from an affiliated network, or from external sources.139 The SBA small business size standard for this industry classifies firms having $41.5 million or less in annual receipts as small.140 U.S. Census Bureau data for 2017 show that 2,963 firms operated during that year.141 Of that number, 1,879 firms operated with revenue of less than $25 million per year.142 Therefore, based on the SBA’s size standard we conclude that the majority of FM Translator stations and Low Power FM Stations are small.
Additionally, according to Commission data, as of March 31, 2022, there were 8,919 FM Translator Stations and 2,049 Low Power FM licensed broadcast stations.143 The Commission however does not compile and otherwise does not have access to information on the revenue of these stations that would permit it to determine how many of the stations would qualify as small entities. For purposes of this regulatory flexibility analysis, we presume the majority of these stations are small entities.
46. Television Broadcasting. This industry is comprised of “establishments primarily engaged in broadcasting images together with sound.”144 These establishments operate television broadcast studios and facilities for the programming and transmission of programs to the public.145 These establishments also produce or transmit visual programming to affiliated broadcast television stations, which in turn broadcast the programs to the public on a predetermined schedule. Programming may originate in their own studio, from an affiliated network, or from external sources. The SBA small business size standard for this industry classifies businesses having $41.5 million or less in annual receipts as small.146 2017 U.S. Census Bureau data indicate that 744 firms in this industry operated for the entire year.147 Of that number, 657 firms had revenue of less than $25,000,000.148 Based on this data we estimate that the majority of television broadcasters are small entities under the SBA small business size standard.

137 See U.S. Census Bureau, 2017 NAICS Definition, “515112 Radio Stations,” https://www.census.gov/naics/?input=515112&year=2017&details=515112.
138 Id.
139 Id.
140 See 13 CFR § 121.201, NAICS Code 515112.
141 See U.S. Census Bureau, 2017 Economic Census of the United States, Selected Sectors: Sales, Value of Shipments, or Revenue Size of Firms for the U.S.: 2017, Table ID: EC1700SIZEREVFIRM, NAICS Code 515112, https://data.census.gov/cedsci/table?y=2017&n=515112&tid=ECNSIZE2017.EC1700SIZEREVFIRM&hidePreview=false. We note that the US Census Bureau withheld publication of the number of firms that operated for the entire year.
142 Id. The available U.S. Census Bureau data does not provide a more precise estimate of the number of firms that meet the SBA size standard. We note that the U.S. Census Bureau withheld publication of the number of firms that operated with sales/value of shipments/revenue in the individual categories for less than $100,000, and $100,000 to $249,999 to avoid disclosing data for individual companies (see Cell Notes for the sales/value of shipments/revenue in these categories). Therefore, the number of firms with annual receipts that meet the SBA size standard would be higher than noted herein. We also note that according to the U.S. Census Bureau glossary, the terms receipts and revenues are used interchangeably, see https://www.census.gov/glossary/#term_ReceiptsRevenueServices.
143 Broadcast Station Totals as of March 31, 2022, Public Notice, DA 22-365 (rel. April 5, 2022) (March 2022 Broadcast Station Totals PN), https://www.fcc.gov/document/broadcast-station-totals-march-31-2022.
144 See U.S. Census Bureau, 2017 NAICS Definition, “515120 Television Broadcasting,” https://www.census.gov/naics/?input=515120&year=2017&details=515120.
145 Id.
146 See 13 CFR § 121.201, NAICS Code 515120.
147 See U.S. Census Bureau, 2017 Economic Census of the United States, Selected Sectors: Sales, Value of Shipments, or Revenue Size of Firms for the U.S.: 2017, Table ID: EC1700SIZEREVFIRM, NAICS Code 515120, (continued….)

47. The Commission estimates that as of March 31, 2022, there were 1,373 licensed commercial television stations.149 Of this total, 1,280 stations (or 93.2%) had revenues of $41.5 million or less in 2021, according to Commission staff review of the BIA Kelsey Inc.
Media Access Pro Television Database (BIA) on June 1, 2022, and therefore these licensees qualify as small entities under the SBA definition. In addition, the Commission estimates as of March 31, 2022, there were 384 licensed noncommercial educational (NCE) television stations, 383 Class A TV stations, 1,840 LPTV stations and 3,231 TV translator stations.150 The Commission however does not compile, and otherwise does not have access to financial information for these television broadcast stations that would permit it to determine how many of these stations qualify as small entities under the SBA small business size standard. Nevertheless, given the SBA’s large annual receipts threshold for this industry and the nature of these television station licensees, we presume that all of these entities qualify as small entities under the above SBA small business size standard. 48. Cable and Other Subscription Programming. The U.S. Census Bureau defines this industry as establishments primarily engaged in operating studios and facilities for the broadcasting of programs on a subscription or fee basis.151 The broadcast programming is typically narrowcast in nature (e.g., limited format, such as news, sports, education, or youth-oriented). These establishments produce programming in their own facilities or acquire programming from external sources.152 The programming material is usually delivered to a third party, such as cable systems or direct-to-home satellite systems, for transmission to viewers.153 The SBA small business size standard for this industry classifies firms with annual receipts less than $41.5 million as small.154 Based on U.S. Census Bureau data for 2017, 378 firms operated in this industry during that year.155 Of that number, 149 firms operated with revenue of less than $25 million a year and 44 firms operated with revenue of $25 million or more.156 Based on this data, the Commission estimates that the majority of firms operating in this industry are small. 
(Continued from previous page) https://data.census.gov/cedsci/table?y=2017&n=515120&tid=ECNSIZE2017.EC1700SIZEREVFIRM&hidePreview=false.
148 Id. The available U.S. Census Bureau data does not provide a more precise estimate of the number of firms that meet the SBA size standard. We also note that according to the U.S. Census Bureau glossary, the terms receipts and revenues are used interchangeably, see https://www.census.gov/glossary/#term_ReceiptsRevenueServices.
149 Broadcast Station Totals as of March 31, 2022, Public Notice, DA 22-365 (rel. April 5, 2022) (March 2022 Broadcast Station Totals PN), https://www.fcc.gov/document/broadcast-station-totals-march-31-2022.
150 Id.
151 See U.S. Census Bureau, 2017 NAICS Definition, “515210 Cable and Other Subscription Programming,” https://www.census.gov/naics/?input=515210&year=2017&details=515210.
152 Id.
153 Id.
154 See 13 CFR § 121.201, NAICS Code 515210.
155 See U.S. Census Bureau, 2017 Economic Census of the United States, Selected Sectors: Sales, Value of Shipments, or Revenue Size of Firms for the U.S.: 2017, Table ID: EC1700SIZEREVFIRM, NAICS Code 515210, https://data.census.gov/cedsci/table?y=2017&n=515210&tid=ECNSIZE2017.EC1700SIZEREVFIRM&hidePreview=false. The US Census Bureau withheld publication of the number of firms that operated for the entire year to avoid disclosing data for individual companies (see Cell Notes for this category).
156 Id. The available U.S. Census Bureau data does not provide a more precise estimate of the number of firms that meet the SBA size standard. We note that the U.S. Census Bureau withheld publication of the number of firms that operated with sales/value of shipments/revenue in all categories of revenue less than $500,000 to avoid disclosing data for individual companies (see Cell Notes for the sales/value of shipments/revenue in these categories). Therefore, the number of firms with revenue that meet the SBA size standard would be higher than noted herein. We also note that according to the U.S. Census Bureau glossary, the terms receipts and revenues are used interchangeably, see https://www.census.gov/glossary/#term_ReceiptsRevenueServices.

49. Cable System Operators (Rate Regulation Standard). The Commission has developed its own small business size standard for the purpose of cable rate regulation. Under the Commission’s rules, a “small cable company” is one serving 400,000 or fewer subscribers nationwide.157 Based on industry data, there are about 420 cable companies in the U.S.158 Of these, only seven have more than 400,000 subscribers.159 In addition, under the Commission’s rules, a “small system” is a cable system serving 15,000 or fewer subscribers.160 Based on industry data, there are about 4,139 cable systems (headends) in the U.S.161 Of these, about 639 have more than 15,000 subscribers.162 Accordingly, the Commission estimates that the majority of cable companies and cable systems are small.
50. Cable System Operators (Telecom Act Standard). The Communications Act of 1934, as amended, contains a size standard for a “small cable operator,” which is “a cable operator that, directly or through an affiliate, serves in the aggregate fewer than one percent of all subscribers in the United States and is not affiliated with any entity or entities whose gross annual revenues in the aggregate exceed $250,000,000.”163 For purposes of the Telecom Act Standard, the Commission determined that a cable system operator that serves fewer than 677,000 subscribers, either directly or through affiliates, will meet the definition of a small cable operator based on the cable subscriber count established in a 2001 Public Notice.164 Based on industry data, only six cable system operators have more than 677,000 subscribers.165 Accordingly, the Commission estimates that the majority of cable system operators are small under this size standard. We note however, that the Commission neither requests nor collects information on whether cable system operators are affiliated with entities whose gross annual revenues exceed $250 million.166 Therefore, we are unable at this time to estimate with greater precision the number of cable system operators that would qualify as small cable operators under the definition in the Communications Act.

157 47 CFR § 76.901(d).
158 S&P Global Market Intelligence, S&P Capital IQ Pro, U.S. MediaCensus, Operator Subscribers by Geography (last visited May 26, 2022).
159 S&P Global Market Intelligence, S&P Capital IQ Pro, Top Cable MSOs 12/21Q (last visited May 26, 2022); S&P Global Market Intelligence, Multichannel Video Subscriptions, Top 10 (April 2022).
160 47 CFR § 76.901(c).
161 S&P Global Market Intelligence, S&P Capital IQ Pro, U.S. MediaCensus, Operator Subscribers by Geography (last visited May 26, 2022).
162 S&P Global Market Intelligence, S&P Capital IQ Pro, Top Cable MSOs 12/21Q (last visited May 26, 2022).
163 47 U.S.C. § 543(m)(2).
164 FCC Announces New Subscriber Count for the Definition of Small Cable Operator, Public Notice, 16 FCC Rcd 2225 (CSB 2001) (2001 Subscriber Count PN). In this Public Notice, the Commission determined that there were approximately 67.7 million cable subscribers in the United States at that time using the most reliable source publicly available. Id. We recognize that the number of cable subscribers changed since then and that the Commission has recently estimated the number of cable subscribers to be approximately 58.1 million. See Communications Marketplace Report, GN Docket No. 20-60, 2020 Communications Marketplace Report, 36 FCC Rcd 2945, 3049, para. 156 (2020) (2020 Communications Marketplace Report). However, because the Commission has not issued a public notice subsequent to the 2001 Subscriber Count PN, the Commission still relies on the subscriber count threshold established by the 2001 Subscriber Count PN for purposes of this rule. See 47 CFR § 76.901(e)(1).
165 S&P Global Market Intelligence, S&P Capital IQ Pro, Top Cable MSOs 12/21Q (last visited May 26, 2022); S&P Global Market Intelligence, Multichannel Video Subscriptions, Top 10 (April 2022).

51. Satellite Telecommunications. This industry comprises firms “primarily engaged in providing telecommunications services to other establishments in the telecommunications and broadcasting industries by forwarding and receiving communications signals via a system of satellites or reselling satellite telecommunications.”167 Satellite telecommunications service providers include satellite and earth station operators. The SBA small business size standard for this industry classifies a business with $35 million or less in annual receipts as small.168 U.S. Census Bureau data for 2017 show that 275 firms in this industry operated for the entire year.169 Of this number, 242 firms had revenue of less than $25 million.170 Additionally, based on Commission data in the 2021 Universal Service Monitoring Report, as of December 31, 2020, there were 71 providers that reported they were engaged in the provision of satellite telecommunications services.171 Of these providers, the Commission estimates that approximately 48 providers have 1,500 or fewer employees.172 Consequently using the SBA’s small business size standard, a little more than of these providers can be considered small entities.
52. All Other Telecommunications.
This industry is comprised of establishments primarily engaged in providing specialized telecommunications services, such as satellite tracking, communications telemetry, and radar station operation.173 This industry also includes establishments primarily engaged in providing satellite terminal stations and associated facilities connected with one or more terrestrial systems and capable of transmitting telecommunications to, and receiving telecommunications from, satellite systems.174 Providers of Internet services (e.g. dial-up ISPs) or voice over Internet protocol (VoIP) services, via client-supplied telecommunications connections are also included in this industry.175 The SBA small business size standard for this industry classifies firms with annual receipts of $35 million or less as small.176 U.S. Census Bureau data for 2017 show that there were 1,079 firms in this industry

166 The Commission does receive such information on a case-by-case basis if a cable operator appeals a local franchise authority’s finding that the operator does not qualify as a small cable operator pursuant to § 76.901(e) of the Commission’s rules. See 47 CFR § 76.910(b).
167 See U.S. Census Bureau, 2017 NAICS Definition, “517410 Satellite Telecommunications,” https://www.census.gov/naics/?input=517410&year=2017&details=517410.
168 See 13 CFR § 121.201, NAICS Code 517410.
169 See U.S. Census Bureau, 2017 Economic Census of the United States, Selected Sectors: Sales, Value of Shipments, or Revenue Size of Firms for the U.S.: 2017, Table ID: EC1700SIZEREVFIRM, NAICS Code 517410, https://data.census.gov/cedsci/table?y=2017&n=517410&tid=ECNSIZE2017.EC1700SIZEREVFIRM&hidePreview=false.
170 Id. The available U.S. Census Bureau data does not provide a more precise estimate of the number of firms that meet the SBA size standard. We also note that according to the U.S.
Census Bureau glossary, the terms receipts and revenues are used interchangeably, see https://www.census.gov/glossary/#term_ReceiptsRevenueServices.
171 Federal-State Joint Board on Universal Service, Universal Service Monitoring Report at 26, Table 1.12 (2021), https://docs.fcc.gov/public/attachments/DOC-379181A1.pdf.
172 Id.
173 See U.S. Census Bureau, 2017 NAICS Definition, “517919 All Other Telecommunications,” https://www.census.gov/naics/?input=517919&year=2017&details=517919.
174 Id.
175 Id.
176 See 13 CFR § 121.201, NAICS Code 517919.

that operated for the entire year.177 Of those firms, 1,039 had revenue of less than $25 million.178 Based on this data, the Commission estimates that the majority of “All Other Telecommunications” firms can be considered small.

53. Direct Broadcast Satellite (“DBS”) Service. DBS service is a nationally distributed subscription service that delivers video and audio programming via satellite to a small parabolic “dish” antenna at the subscriber’s location. DBS is included in the Wired Telecommunications Carriers industry which comprises establishments primarily engaged in operating and/or providing access to transmission facilities and infrastructure that they own and/or lease for the transmission of voice, data, text, sound, and video using wired telecommunications networks.179 Transmission facilities may be based on a single technology or combination of technologies.180 Establishments in this industry use the wired telecommunications network facilities that they operate to provide a variety of services, such as wired telephony services, including VoIP services, wired (cable) audio and video programming distribution; and wired broadband internet services.181 By exception, establishments providing satellite television distribution services using facilities and infrastructure that they operate are included in this industry.182

54.
The SBA small business size standard for Wired Telecommunications Carriers classifies firms having 1,500 or fewer employees as small.183 U.S. Census Bureau data for 2017 show that 3,054 firms operated in this industry for the entire year.184 Of this number, 2,964 firms operated with fewer than 250 employees.185 Based on this data, the majority of firms in this industry can be considered small under the SBA small business size standard. According to Commission data however, only two entities provide DBS service - DIRECTV (owned by AT&T) and DISH Network, which require a great deal of capital for operation.186 DIRECTV and DISH Network both exceed the SBA size standard for

177 See U.S. Census Bureau, 2017 Economic Census of the United States, Selected Sectors: Sales, Value of Shipments, or Revenue Size of Firms for the U.S.: 2017, Table ID: EC1700SIZEREVFIRM, NAICS Code 517919, https://data.census.gov/cedsci/table?y=2017&n=517919&tid=ECNSIZE2017.EC1700SIZEREVFIRM&hidePreview=false.
178 Id. The available U.S. Census Bureau data does not provide a more precise estimate of the number of firms that meet the SBA size standard. We also note that according to the U.S. Census Bureau glossary, the terms receipts and revenues are used interchangeably, see https://www.census.gov/glossary/#term_ReceiptsRevenueServices.
179 See U.S. Census Bureau, 2017 NAICS Definition, “517311 Wired Telecommunications Carriers,” https://www.census.gov/naics/?input=517311&year=2017&details=517311.
180 Id.
181 See id.
Included in this industry are: broadband Internet service providers (e.g., cable, DSL); local telephone carriers (wired); cable television distribution services; long-distance telephone carriers (wired); closed-circuit television (CCTV) services; VoIP service providers, using own operated wired telecommunications infrastructure; direct-to-home satellite system (DTH) services; telecommunications carriers (wired); satellite television distribution systems; and multichannel multipoint distribution services (MMDS).
182 Id.
183 See 13 CFR § 121.201, NAICS Code 517311.
184 See U.S. Census Bureau, 2017 Economic Census of the United States, Selected Sectors: Employment Size of Firms for the U.S.: 2017, Table ID: EC1700SIZEEMPFIRM, NAICS Code 517311, https://data.census.gov/cedsci/table?y=2017&n=517311&tid=ECNSIZE2017.EC1700SIZEEMPFIRM&hidePreview=false.
185 Id. The available U.S. Census Bureau data does not provide a more precise estimate of the number of firms that meet the SBA size standard.
186 See Annual Assessment of the Status of Competition in the Market for the Delivery of Video Programming, Eighteenth Report, Table III.A.5, 32 FCC Rcd 568, 595 (Jan. 17, 2017).

classification as a small business. Therefore, we must conclude based on internally developed Commission data, in general DBS service is provided only by large firms.

D. Description of Projected Reporting, Recordkeeping, and Other Compliance Requirements for Small Entities

55. We expect the actions proposed in the Notice, if adopted, will impose additional reporting, recordkeeping and/or other compliance obligations on small as well as other entities who are EAS Participants and Participating CMS Providers.
More specifically, if adopted, EAS Participants and Participating CMS Providers would be required to annually certify to creating, updating, and implementing a cybersecurity risk management plan to ensure the confidentiality, integrity, and availability of their respective alerting systems. The cybersecurity risk management plan must contain, among other things, a description of how organizational resources are employed to ensure the confidentiality, integrity, and availability of the alerting system. Further, any incident involving the unauthorized access to EAS equipment, communications systems, or services, regardless of whether the event resulted in the transmission of a false alert, would require EAS Participants to report the unauthorized access to the Commission within 72 hours of when the EAS Participant knew or should have known that an incident has occurred. The Commission also seeks comment on whether and how to strengthen the operational readiness of the EAS.

56. In assessing the cost of compliance with our proposed rule to create a cybersecurity risk management plan, we estimate the cost for each small EAS Participant187 and each Participating CMS Provider188 to be approximately $820. These costs are based on 10 hours of labor at $82 an hour and apply to all EAS Participants and Participating CMS Providers, not just small entities. We anticipate, however, that many small EAS Participants and Participating CMS Providers will not require 10 hours to develop or update a cybersecurity risk management plan tailored to the size of their organization. The cost for reporting an unauthorized access incident we believe would be similar to the cost of reporting a false alert, which the Commission has estimated to have a total cost of $11,600 per year across 290 EAS Participants.189 This total cost when apportioned to each EAS Participant comes out to approximately $40 per EAS Participant.190

57.
We estimate a $9.2 million one-time cost for all Participating CMS Providers, not just small providers, to update the WEA standards and software as necessary to comply with our proposed rule that Participating CMS Providers transmit sufficient authentication information to allow mobile devices to present WEA alerts only if they come from valid base stations. This figure consists of approximately a $500,000 cost to update applicable WEA standards and approximately an $8.7 million cost to update applicable software. We quantify the cost of modifying standards as the annual compensation for 30 network engineers compensated at the national average for their field ($85,816/year; $41.26/hour), plus annual benefits ($26,775/year; 12.87/hour) working for the amount of time that it takes to develop a standard (one hour every other week for one year, 26 hours) for 12 distinct standards. We quantify the cost of modifying software as the annual compensation for a software engineer compensated

187 We believe that the overall cost for all 25,644 EAS Participants, not just small participants, to comply with the proposed certification requirement entails 10 hours of labor that is compensated at [[$90 per hour]] will be [[$21,028,080].
188 We believe that the overall cost for all 76 Participating CMS Providers, not just small providers, to comply with the proposed certification requirement entails 10 hours of labor that is compensated at $82 per hour will be 62,320.
189 Amendment of Part 11 of the Commission’s Rules Regarding the Emergency Alert System, Wireless Emergency Alerts, PS Docket Nos. 15-94 and 15-91, Report and Order and Further Notice of Proposed Rulemaking, 33 FCC Rcd 7086, 7102, para. 38 (2018). This estimates the cost of reporting false alerts to be $11,600 per year based on an average of 290 EAS participants filing two false alerts per year.
190 Id. The total cost of $11,600 divided by 290 EAS Participants equals $40 per participant.
at the national average for their field ($86,998/year), plus annual benefits ($27,143/year) working for the amount of time that it takes to develop software (one year) at each of the 76 CMS Providers that participate in WEA.

58. At this time the Commission cannot quantify the cost of compliance for small entities to comply with the other proposals or approaches on which it seeks comment in the Notice. We believe that the modifications to improve and enhance the security of the EAS that we discuss in the Notice are the most efficient and least burdensome approach and do not believe small entities will have to hire professionals to meet the requirements discussed in the Notice, if adopted. To help the Commission more fully evaluate the cost of compliance for small entities should our proposals be adopted, in the Notice, we request comments on the cost implications of our proposals and ask whether there are more efficient and less burdensome alternatives (including cost estimates) for the Commission to consider. We expect the information we receive in comments, including cost and benefit analyses, to help the Commission identify and evaluate relevant matters for small entities, including compliance costs and other burdens that may result from the proposals and inquiries we make in the Notice.

E. Steps Taken to Minimize the Significant Economic Impact on Small Entities, and Significant Alternatives Considered

59.
The RFA requires an agency to describe any significant, specifically small business, alternatives that it has considered in reaching its proposed approach, which may include the following four alternatives (among others): “(1) the establishment of differing compliance or reporting requirements or timetables that take into account the resources available to small entities; (2) the clarification, consolidation, or simplification of compliance or reporting requirements under the rule for such small entities; (3) the use of performance, rather than design, standards; and (4) an exemption from coverage of the rule, or any part thereof, for such small entities.”191

60. The Commission has taken steps to minimize the impact of the proposals in the Notice as a general matter, and specifically targeting small entities, has sought comment on the extent to which we can limit the overall economic impact of these proposed requirements if we provide increased flexibility for businesses classified as small under the SBA small business size standard. Below we discuss actions taken and alternatives considered by the Commission for the rules proposed promoting the operational readiness of EAS equipment, improving awareness of unauthorized access to EAS equipment, communications systems, and services, and requiring the development, implementation, and certification of a cybersecurity risk management plan.

61. To further the Commission’s objectives to promote EAS equipment operational readiness, in the Notice we seek comment on whether to require EAS Participants to repair EAS equipment with prompt and reasonable diligence, on whether the EAS Participants should notify the Commission of the status of their repairs, and, if so, on the timing, content, and means of that notification.

62.
We seek comment on whether a compliance timeframe of 30 days from publication in the Federal Register of notice that the Office of Management and Budget (OMB) has completed its review of the modified information collection to improve the Commission’s visibility into the repair or replacement of non-operational EAS equipment would not impose a burden on small entities. Small and other EAS Participants currently make entries in their broadcast station logs and cable system records showing the date and time equipment was removed and restored to service, and therefore already have processes and procedures in place to record information about the operational status of their EAS equipment in station logs that could be utilized for the proposed notification requirement. In the event that the Commission were to alternatively require this notification to be provided through NORS, the requirement would

191 5 U.S.C. § 603(c)(1)-(4).

become effective within 30 days from publication in the Federal Register of notice that the OMB has approved the modified information collection or upon publication in the Federal Register of a Public Notice announcing that NORS is technically capable of receiving such notifications, whichever is later. Similarly, this requirement should not impose a burden on small entities for the reason stated above and since EAS Participants are already likely to be using NORS.

63. Our approach to improving awareness of unauthorized access to EAS equipment, communications systems, and services relies on our belief that significant public safety benefits will accrue if EAS Participants were required to provide the Commission with notification that their EAS equipment, communications systems, and services have been accessed without authorization, even in the absence of a subsequent transmission of a false alert.
The reporting requirement we proposed in the Notice requiring EAS Participants to provide notification to the Commission via NORS within 72 hours of when an EAS Participant knew or should have known that an incident has occurred should result in low marginal costs for small and other EAS participants since our requirement parallels the reporting obligations EAS Participants may have to other government agencies that require critical infrastructure sector entities to report cyber incidents.192 This would allow the requirement to be satisfied by reporting substantially similar information to another federal agency in a similar timeframe.193 We believe the cost to report unauthorized access is comparable to the cost of reporting false alerts which further supports our belief that these costs will be relatively low for small and other EAS Participants.194 In the Notice we have requested comments and cost and benefit analyses on our proposal and beliefs. In addition, we have requested alternative proposals (accompanied by cost analyses) for unauthorized access reporting requirements that would be less costly for small and other EAS Participants while producing similar or greater benefits.

64. The requirement for EAS Participants to report any incident of unauthorized access of its EAS equipment, communications systems, or services would be effective 60 days from publication in the Federal Register of notice that the OMB has approved the modified information collection. Since we consider the requirement to report unauthorized access similar to the Commission’s false alert reporting requirement, there are likely to be compliance synergies for small and other EAS Participants, and less of a burden than there would be in the absence of the similarity.
We therefore seek comment in the Notice on whether an EAS Participant’s process for ascertaining whether an incident of unauthorized access of its EAS equipment, communications systems, or services has occurred and reporting it to the Commission entails a level of effort comparable to compliance with the Commission’s false alert reporting requirement.

65. To further explore the impact of the cybersecurity risk management plan requirement proposed in the Notice which requires small and other EAS Participants and Participating CMS Providers to create, implement, and annually update a cybersecurity risk management plan and submit an annual certification attesting to compliance with the requirement, the Commission seeks comment on steps that it could take to limit various burdens. In particular, the Commission requests comment on whether the steps that it describes for EAS Participants and Participating CMS Providers to submit their risk management plans are the most efficient way to implement a certification requirement. In the Notice, we propose to afford each EAS Participant and Participating CMS Provider the flexibility to include content in its plan that is tailored to its organization, provided that the plan demonstrates how the EAS Participant or Participating

192 See 6 U.S.C. § 681b(c). CISA is required by the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) to adopt rules requiring critical infrastructure sector entities to report cyber incidents.
193 See id. § 681b(a)(5)(B).
194 The total estimated cost of reporting false alerts is $11,600 per year based on an average of 290 EAS participants filing two false alerts per year. The total cost of $11,600 divided by 290 EAS Participants equals $40 per participant.
CMS Provider identifies the cyber risks that they face, the controls they use to mitigate those risks, and how they ensure that these controls are applied effectively to their operations.

66. The Commission also proposes to require that each plan include security controls sufficient to ensure the confidentiality, integrity, and availability (CIA) of the EAS. While we believe there are numerous methods to satisfy this aspect of the requirement, we have proposed to allow the requirement to be satisfied by providing evidence of the successful implementation of an established set of cybersecurity best practices, such as applicable Center for Internet Security (CIS) Critical Security Controls195 or the Cybersecurity & Infrastructure Security Agency (CISA) Cybersecurity Baseline.196 We believe adopting this flexible approach will allow EAS Participants and Participating CMS Providers to develop a plan that is appropriate for their organization’s size and available resources, while still ensuring that the plan results in ongoing and material improvements in EAS and WEA security. The Commission anticipates that this flexibility will reduce the costs imposed on small business EAS Participants and Participating CMS Providers, which will have different cybersecurity needs than larger EAS Participants and Participating CMS Providers, respectively. We do note, however, that to ensure that every EAS Participant implements a baseline of security controls, the Commission proposes to require that each plan include certain security measures: changing default passwords prior to operation, installing security updates in a timely manner, securing equipment behind properly configured firewalls or using other segmentation practices, requiring multifactor authentication where applicable, addressing the replacement of end-of-life equipment, and wiping, clearing, or encrypting user information before disposing of old devices.

67.
The Commission proposes to require compliance with the requirement to implement a cybersecurity risk management plan and certification, within twelve months of the publication in the Federal Register of notice that the OMB has approved the modified information collection. We recognize that larger EAS Participants are likely to already have cybersecurity risk management plans in place. We ask whether we should allow small entities a two-year timeframe to implement this requirement. The two-year timeframe should provide sufficient time for small EAS Participants and Participating CMS Providers that do not already have a risk management plan in place to create one. The timeframe would also be sufficient to prepare their organization to manage security and privacy risks, categorize their systems and the information being processed, stored, and transmitted, and select controls to protect their systems. Further, a two-year timeframe would provide time for these entities to implement the security controls that the plan describes, assess whether the controls are in place, operating as intended, and producing the desired results, appoint a senior official to authorize the system, and develop mechanisms to continuously monitor control implementation and risks to the system.

68. In the Notice, the Commission identifies alternative approaches on several matters that might minimize the economic impact for small entities. For example, the Commission requests alternatives to providing a second notification to the Commission once repairs of EAS equipment have been completed, and the EAS Participant’s EAS systems have been tested and determined to once again be fully functional. The Commission seeks comment on potential alternatives to, and additional aspects of, the discussed approach, as well as their accompanying costs and benefits.
The Commission recommends that EAS Participants file the required notifications regarding EAS equipment failures and

195 See Center for Internet Security, Critical Security Controls version 8, https://www.cisecurity.org/controls (last visited Aug 9, 2022) (CIS Critical Security Controls) (providing security controls grouped by priority and feasibility for different sizes and resources of businesses in Implementation Groups).
196 Cybersecurity & Infrastructure Security Agency, Cross-Sector Cybersecurity Performance Goals and Objectives, https://www.cisa.gov/cpgs (last visited Aug. 5, 2020); Cybersecurity & Infrastructure Security Agency, Cross-Sector Cybersecurity Performance Goals (CPGs) Common Baseline: Controls List (Draft), https://www.cisa.gov/sites/default/files/publications/Common_Baseline_v2_Controls_List_508c.pdf (last visited Aug. 5, 2020).

repairs in the NORS database, but requests comment on other means EAS Participants could use to submit the notifications such as via email to a designated e-mail address.

69. The Commission expects to more fully consider the economic impact and alternatives for small entities following the review of comments filed in response to the Notice, including costs and benefits analyses. Having data on the costs and economic impact of proposals and approaches will allow the Commission to better evaluate options and alternatives for minimization of any significant economic impact on small entities as a result of the proposals and approaches raised in the Notice. The Commission’s evaluation of this information will shape the final alternatives it considers to minimize any significant economic impact that may occur on small entities, the final conclusions it reaches and any final rules it promulgates in this proceeding.

F. Federal Rules that May Duplicate, Overlap, or Conflict with the Proposed Rules

70. None.