Federal Communications Commission FCC 22-82

Before the
FEDERAL COMMUNICATIONS COMMISSION
WASHINGTON, D.C. 20554

In the Matter of

Amendment of Part 11 of the Commission’s Rules Regarding the Emergency Alert System
Wireless Emergency Alerts
Protecting the Nation’s Communications Systems from Cybersecurity Threats

PS Docket No. 15-94
PS Docket No. 15-91
PS Docket No. 22-329

NOTICE OF PROPOSED RULEMAKING

Adopted: October 27, 2022
Released: October 27, 2022
Comment Date: (30 days after date of publication in the Federal Register)
Reply Comment Date: (60 days after date of publication in the Federal Register)

By the Commission: Chairwoman Rosenworcel and Commissioner Starks issuing separate statements.

TABLE OF CONTENTS

I. INTRODUCTION (para. 1)
II. BACKGROUND (para. 2)
A. Emergency Alert System (para. 2)
B. Wireless Emergency Alerts (para. 6)
III. DISCUSSION (para. 9)
A. Promoting the Operational Readiness of EAS Equipment (para. 9)
B. Improving Awareness of Unauthorized Access to EAS Equipment (para. 13)
C. Protecting the Nation’s Alerting Systems through the Development, Implementation, and Certification of a Cybersecurity Risk Management Plan (para. 22)
1. EAS Security (para. 22)
2. WEA Security (para. 33)
D. Displaying Only Valid WEA Messages on Mobile Devices (para. 37)
E. WEA Infrastructure Functionality (para. 41)
F. Promoting Digital Equity (para. 42)
G. Compliance Timeframes (para. 44)
IV. PROCEDURAL MATTERS (para. 49)
V. ORDERING CLAUSES (para. 55)
APPENDIX A - Proposed Rules
APPENDIX B - Initial Regulatory Flexibility Analysis

I. INTRODUCTION

1. The security of the nation’s alert and warning systems is essential to helping safeguard the lives and property of all Americans. Over the years, the Federal Communications Commission (Commission) has encouraged stakeholders to ensure their systems are secure, including by providing guidance on specific steps that communications providers can take to secure their equipment.
While the Emergency Alert System (EAS) and Wireless Emergency Alerts (WEA) programs are strong, we must remain vigilant and proactive to ensure they remain so. In this Notice of Proposed Rulemaking (Notice), we seek comment on ways to strengthen the operational readiness of EAS equipment. We also propose to require EAS Participants [Footnote: The Commission’s rules define EAS Participants as analog radio broadcast stations, including AM, FM, and Low-power FM stations; digital audio broadcasting stations, including digital AM, FM, and Low-power FM stations; Class A television and Low-power TV stations; digital television broadcast stations, including digital Class A and digital Low-power TV stations; analog cable systems; digital cable systems; wireline video systems; wireless cable systems; direct broadcast satellite service providers; and digital audio radio service providers. See 47 CFR § 11.11(a).] to report compromises of their EAS equipment, communications systems, and services to the Commission. In addition, we propose to require EAS Participants and Commercial Mobile Service (CMS) providers that participate in WEA (Participating CMS Providers) to annually certify to having a cybersecurity risk management plan in place and to employ sufficient security measures to ensure the confidentiality, integrity, and availability of their respective alerting systems. We also propose to require Participating CMS Providers to take steps to ensure that only valid alerts are displayed on consumer devices.

II. BACKGROUND

A. Emergency Alert System

2. The EAS is a national public warning system through which broadcasters, cable systems, and other EAS Participants deliver alerts to the public to warn them of impending emergencies and dangers to life and property.
[Footnote: See, e.g., Review of the Emergency Alert System; Independent Spanish Broadcasters Association, The Office of Communication of the United Church of Christ, Inc., and the Minority Media and Telecommunications Council, Petition for Immediate Relief, ET Docket No. 04-296, Fifth Report and Order, 27 FCC Rcd 642, 646, para. 6 (2012) (Fifth Report and Order); Review of the Emergency Alert System, EB Docket No. 04-296, Notice of Proposed Rulemaking, 19 FCC Rcd 15775, 15776-77, paras. 6-8 (2004).] The primary purpose of the EAS is to provide the President with “the capability to provide immediate communications and information to the general public at the National, State and Local Area levels during periods of national emergency.” [Footnote: 47 CFR § 11.1.] Under the Part 11 rules, national activation of the EAS for a Presidential alert message, initiated by the transmission of an Emergency Action Notification (EAN) event code, is designed to provide the President the capability to transmit an alert message (in particular, an audio alert message) to the American public within ten minutes from any location at any time and must take priority over any other alert message and preempt other alert messages in progress. [Footnote: See, e.g., Review of the Emergency Alert System, First Report and Order, 20 FCC Rcd 18625, 18628, para. 8 (2005) (First Report and Order). See also, e.g., 47 CFR §§ 11.33(a)(11), 11.51(m), (n).] The EAS is also used to distribute alerts issued by state, local, Tribal, and territorial governments, as well as by the National Weather Service (NWS). Although EAS Participants are required to broadcast Presidential alerts, they participate in broadcasting state and local EAS alerts on a voluntary basis. [Footnote: See 47 CFR § 11.55(a); First Report and Order, 20 FCC Rcd at 18628, para. 8.] The Commission, the Federal Emergency Management Agency (FEMA), and the NWS implement the EAS at the federal level.
[Footnote: The respective roles of the Commission, FEMA, and NWS are defined in a series of Executive documents. See 1981 State and Local Emergency Broadcasting System (EBS) Memorandum of Understanding Among the Federal Emergency Management Agency (FEMA), Federal Communications Commission (FCC), the National Oceanic and Atmospheric Administration (NOAA), and the National Industry Advisory Committee (NIAC) reprinted as Appendix K to Partnership for Public Warning Report 2004-1, The Emergency Alert System (EAS): An Assessment; Memorandum, Presidential Communications with the General Public During Periods of National Emergency, The White House (Sept. 15, 1995) (1995 Presidential Statement); and Public Alert and Warning System, Exec. Order No. 13407, 71 Fed. Reg. 36975 (June 26, 2006).]

3. The EAS is a broadcast-based, hierarchical alert message distribution system in which an alert message originator at the local, state, or national level encodes (or arranges to have encoded) a message in the EAS Protocol. [Footnote: See 47 CFR § 11.31.] The alert is then broadcast from one or more EAS Participants, and subsequently relayed from one station to another until all affected EAS Participants have received the alert and delivered it to the public. [Footnote: See Amendment of Part 11 of the Commission’s Rules Regarding the Emergency Alert System; Wireless Emergency Alerts, PS Docket Nos. 15-94 and 15-91, Notice of Proposed Rulemaking and Notice of Inquiry, 36 FCC Rcd 6266, 6271, paras. 8-9 (March 17, 2021) for a description of this process.] Authorized emergency alert authorities also distribute EAS alerts over the Internet to EAS Participants by formatting those alerts in the Common Alerting Protocol (CAP), and delivering those alerts through the FEMA-administered Integrated Public Alert and Warning System (IPAWS) Open Platform for Emergency Networks (IPAWS-OPEN). [Footnote: See 47 CFR § 11.56; see also Fifth Report and Order, 27 FCC Rcd at 644-45, para. 4.]
The integrity of the EAS is maintained through the Commission’s EAS rules, which set forth the parameters and frequency with which EAS Participants must test the system, [Footnote: See 47 CFR § 11.61.] prohibit the unauthorized use of the EAS Attention Signal and codes, [Footnote: See 47 CFR §§ 11.45(a), 11.46.] and require EAS Participants to keep their EAS equipment in good working order. [Footnote: See 47 CFR § 11.35; see also 47 CFR § 11.32 (EAS Encoder); 47 CFR § 11.33 (EAS Decoder) (collectively describing the minimum operating requirements for EAS equipment).]

4. In the last decade, the Commission has become aware of several incidents that raise concerns about the security of the EAS. The Commission previously highlighted a 2013 incident in which malicious actors accessed EAS equipment at several TV stations to perpetrate a “zombie attack” hoax that affected television stations in Great Falls, Montana, the vicinity of Marquette, Michigan, and other stations in Michigan, Utah, New Mexico and California. [Footnote: Amendment of Part 11 of the Commission’s Rules Regarding the Emergency Alert System, Wireless Emergency Alerts, PS Docket Nos. 15-94 and 15-91, Notice of Proposed Rulemaking, 31 FCC Rcd 594, 638, para. 98 (2016) (2016 Notice).] The Commission observed that the attack could have been prevented had the EAS Participants changed manufacturer default passwords on their EAS equipment, installed firewalls, or taken other appropriate security measures. [Footnote: Id.] In 2020, hackers compromised the EAS systems of an EAS Participant in Jefferson County, Washington and caused the transmission of false EAS alerts describing a false Radiological Hazard Warning that affected approximately 3,000 homes. [Footnote: Peninsula Daily News, False Emergency Alerts Sent to Jefferson County Cable Users, https://www.peninsuladailynews.com/news/false-emergency-alerts-sent-to-jefferson-county-cable-users/ (last visited Aug. 10, 2022); KOMO News, Viewers Sent Apparent Hacked Emergency Broadcast Message in Jefferson County, https://komonews.com/news/local/viewers-sent-apparent-hacked-emergency-broadcast-message-in-jefferson-county (last visited Aug. 10, 2022).] In 2020, the Commission became aware of instances in which EAS equipment connected to the Internet was potentially vulnerable to IP-based attacks due to inadequate network security or unsecure device settings. [Footnote: See E-mail from Lisa M. Fowlkes, Chief, PSHSB, FCC to EAS Participants (April 24, 2020 2:03 am EDT).] The Commission warned all EAS Participants of this vulnerability, encouraging them to secure their EAS equipment by installing current security patches and using firewalls. [Footnote: Id.] Most recently, on August 1, 2022, FEMA issued an advisory on a potential vulnerability in certain EAS encoder/decoder devices that have not been updated to the most recent software versions. [Footnote: See FEMA, IPAWS Advisory: Emergency Alert System Vulnerability (Aug. 1, 2022), https://content.govdelivery.com/accounts/USDHSFEMA/bulletins/3263326.] FEMA observed that if EAS devices are not up-to-date, an unauthorized actor could issue false EAS alerts over the EAS Participant’s infrastructure. The FCC’s Public Safety and Homeland Security Bureau (PSHSB or Bureau) subsequently released a Public Notice that identified this vulnerability as the same one from 2020, urging all EAS Participants, regardless of the make and model of their EAS equipment, to upgrade their equipment software and firmware to the most recent versions recommended by the manufacturer and secure their equipment behind a properly configured firewall as soon as possible. [Footnote: Public Safety and Homeland Security Bureau Urges Emergency Alert System (EAS) Participants to Take Immediate Steps to Secure EAS Equipment, PS Docket No. 15-94, Public Notice, DA 22-828 (PSHSB Aug. 5, 2022).]

5.
In 2016, the Commission adopted a Notice of Proposed Rulemaking that proposed several improvements to EAS, including improvements that could potentially secure the EAS against accidental misuse and malicious intrusion. [Footnote: 2016 Notice.] Specifically, the Commission proposed to require EAS Participants to certify as to the performance of certain security measures that demonstrated implementation of the best practices recommended by the Communications Security, Reliability, and Interoperability Council (CSRIC) IV’s EAS Security Report; [Footnote: CSRIC IV, Emergency Alert System, EAS Security Subcommittee, Initial Report (2014), http://transition.fcc.gov/pshs/advisory/csric4/CSRIC_IV_WG-3_Initial-Report_061814.pdf (CSRIC IV Initial EAS Security Report). See also CSRIC IV, Emergency Alert System, EAS Security Subcommittee, Final Report (2015), https://transition.fcc.gov/pshs/advisory/csric4/CSRIC_IV_WG3-EAS_SECURITY_FINAL_011316.pdf (CSRIC IV Final EAS Security Report).] require reporting for false alerts and “lockouts”; and ensure the proper authentication and validation of alerts to protect against malicious or accidental misuse of alerting platforms. [Footnote: 2016 Notice, 31 FCC Rcd at 596-97, para. 4.] The 2016 Notice also sought comment on whether there were additional measures that the Commission could leverage to help make the EAS more secure and resilient, such as adoption of a software-defined networking approach to EAS infrastructure design. [Footnote: Id.] The Commission followed up in 2018 by adopting new rules related to false alert reporting, [Footnote: Amendment of Part 11 of the Commission’s Rules Regarding the Emergency Alert System, Wireless Emergency Alerts, PS Docket Nos. 15-94 and 15-91, Report and Order and Further Notice of Proposed Rulemaking, 33 FCC Rcd 7086, 7094-95, paras. 17-18 (2018) (2018 Order) (requiring that EAS Participants notify the FCC within 24 hours of their discovery that they have transmitted or otherwise sent a false alert to the public).] alert authentication, [Footnote: Id. at 7095-96, paras. 19-22 (requiring that EAS Participants configure their systems to reject all CAP-formatted EAS messages that contain an invalid digital signature, but declining to adopt authentication requirements for EAS Protocol-formatted EAS messages).] and alert validation, [Footnote: Id. at 7097-99, paras. 23-29.] but did not act on the other security proposals from the 2016 Notice. [Footnote: Id. at 7087, n.1 (deferring on consideration of issues not described in the 2018 Order).]

B. Wireless Emergency Alerts

6. WEA is a tool for authorized federal, state, local, tribal, and territorial government entities to geographically target alerts and warnings to WEA-capable mobile devices of Participating CMS Providers’ subscribers. The Warning Alert and Response Network (WARN) Act establishes WEA as a voluntary system in which CMS providers may elect to participate and gives the Commission authority to adopt “relevant technical standards, protocols, procedures and other technical requirements . . . necessary to enable commercial mobile service alerting capability for commercial mobile service providers that voluntarily elect to transmit emergency alerts.” [Footnote: Warning, Alert and Response Network (WARN) Act, Pub. L. No. 109-347, title VI, 120 Stat. 1936, § 602(a) (2006) (WARN Act) (codified at 47 U.S.C. § 1201(a)); see also 47 U.S.C. § 1201(b)(2)(d) (instructing the Commission to establish a procedure for mobile service providers to withdraw their election to participate in WEA without penalty or forfeiture).] Pursuant to this authority, the Commission has adopted requirements to prescribe WEA capabilities, WEA testing, and WEA election procedures. [Footnote: See, e.g., The Commercial Mobile Alert System, PS Docket No. 07-287, First Report and Order, 23 FCC Rcd 6144 (2008); The Commercial Mobile Alert System, PS Docket No. 07-287, Second Report and Order and Further Notice of Proposed Rulemaking, 23 FCC Rcd 10765 (2008); The Commercial Mobile Alert System, PS Docket No. 07-287, Third Report and Order, 23 FCC Rcd 12561 (2008) revised by Erratum (Sep. 5, 2008).] While participation by wireless providers is voluntary, those that offer the service must adhere to the technical and operational requirements established by the Commission.

7. WEA works as follows: an alert originator [Footnote: The term “alert originator” refers to a federal, state, territorial, tribal, or local entity authorized by FEMA to use the Integrated Public Alert and Warning System (IPAWS) to issue critical public alerts and warnings in emergency situations. See FEMA, Alerting Authorities, https://www.fema.gov/alerting-authorities (last visited Oct. 26, 2017). For the purposes of this proceeding, the term “alert originator” is coextensive with the terms “emergency manager” and “emergency management agency” unless otherwise specified.] uses FEMA-approved alert origination software to send a WEA Alert Message [Footnote: See 47 CFR § 10.10(a) (defining an “Alert Message” as “a message that is intended to provide the recipient information regarding an emergency, and that meets the requirements for transmission by a Participating Commercial Mobile Service Provider under this part”).] in the Common Alerting Protocol (CAP) to IPAWS. [Footnote: CAP is an open, interoperable, XML-based standard that can include multimedia such as streaming audio or video. See OASIS CAP v1.2 (IPAWS Profile for the OASIS Common Alerting Protocol IPAWS USA). CAP messages contain standardized fields that facilitate interoperability between and among devices. See id.] There, the alert is authenticated, validated, and delivered to FEMA’s Alert Gateway for dissemination to Participating CMS Providers’ Alert Gateways.
The WEA system, as it is deployed currently, is based on standards created by the Alliance for Telecommunications Industry Solutions (ATIS), the Telecommunications Industry Association (TIA) (jointly, ATIS/TIA), and the 3rd Generation Partnership Project (3GPP). [Footnote: See CSRIC IV WEA Messaging Report at 7.] Currently, FEMA only transmits to Participating CMS Providers information about the Alert Message that is necessary for mobile devices to present Alert Messages to subscribers (e.g., message content, geographic target area coordinates if applicable, and a unique message identifier). FEMA removes all other metadata from the Alert Message (e.g., the time at which the Alert Message was initiated by the alert originator). Target area coordinates are only transmitted to mobile devices for Alert Messages with a target area specified by a circle or polygon, not a code describing an entire state or county. Participating CMS Providers are required to log all of the Alert Message data that they receive at their Alert Gateways, including the time of receipt, maintain those logs for at least 12 months, and make them available upon request to the Commission, FEMA, and emergency management agencies that offer sufficient confidentiality protection. [Footnote: See 47 CFR § 10.320(g) (requiring Participating CMS Providers to provide this information to emergency management agencies only insofar as those logs pertain to alerts initiated by that emergency management agency).] While the Commission’s WEA rules are technologically neutral, most Participating CMS Providers currently use one-way cell broadcast technology to transmit WEA Alert Messages to their subscribers. [Footnote: See CTIA, Letter from Scott Bergmann, Senior Vice President, Regulatory Affairs, to Marlene Dortch, Secretary, Federal Communications Commission, PS Docket Nos. 15-91, 15-94, at 4 (Apr. 13, 2022) (CTIA Ex Parte) (recommending that the draft WEA FNPRM add a detailed discussion of the cell broadcast architecture of the current WEA system); see also CSRIC V, Working Group Two, Wireless Emergency Alerts – Recommendations to Improve Geo-targeting and Offer Many-to-One Capabilities, Final Report and Recommendations at 8 (2016); but see Letter from Rebecca Murphy Thompson, EVP and General Counsel, Competitive Carriers Association, to Marlene Dortch, Secretary, Federal Communications Commission, PS Docket No. 15-91, at 2 (Oct. 6, 2017) (stating that some carriers offer WEA using a software application, rather than cell broadcast).] When the Alert Message is received by a WEA-capable mobile device, it is prominently presented to the subscriber as long as the subscriber has not opted out of receiving Alert Messages of that type. [Footnote: See ATIS, Enhanced Wireless Emergency Alert (eWEA) Mobile Device Behavior (MDB) Specification (A Revised Version of J-STD-100) at 18-19 (2018); ATIS, Joint ATIS/TIA CMAS Mobile Device Behavior Specification (ATIS-TIA-J-STD-100) (2009).] Subscribers’ right to opt out of WEA Alert Message receipt extends to all but the Presidential Alert. [Footnote: See 47 CFR § 10.280.] We note that nothing in the WARN Act or the Commission’s rules requires WEA to be a cell broadcast-based service. The Commission requires WEA-capable mobile devices to preserve Alert Messages in a consumer-accessible format and location for at least 24 hours or until deleted by the subscriber, but does not specifically require WEA-capable mobile devices to log information about Alert Messages that they receive. [Footnote: See 47 CFR § 10.500(h).]

8. As with the EAS, without sufficient security measures in place, the WEA system is vulnerable to interference by actors with malicious intent. The CSRIC V reviewed WEA Security issues in 2016 and identified several potential security risks in the WEA network.
[Footnote: Communications Security, Reliability and Interoperability Council, Emergency Alerting Platforms WEA Security Sub-Working Group Final Report – WEA Security (March 2016), https://transition.fcc.gov/bureaus/pshs/advisory/csric5/WG2_WEA-Sec-Sub_FinalReport_0316.docx (CSRIC WEA Security Report).] Potential risks identified by CSRIC include, among others, the blocking of valid WEA messages to the public, changing the content of a valid WEA message, injecting false WEA alerts into operator equipment, and sending false alerts from false base stations—all of which pose a serious threat to public safety. Following the first nationwide test of WEA in 2018, concerns have been raised about circumstances under which malicious actors could block alerts from reaching the public or send false WEA alerts to the public. For example, researchers at the University of Colorado, Boulder published a paper in 2019 that described a hypothetical attack that could allow an adversary to send a false WEA message nationwide that could reach 90 percent of the public in the broadcast range of an unauthorized (“false”) base station. [Footnote: Gyuhong Lee, et al., This is Your President Speaking: Spoofing Alerts in 4G-LTE Networks (2019), https://dl.acm.org/doi/pdf/10.1145/3307334.3326082 (using for their research experiment a COTS eNodeB with 0.1 Watt transmission power to send a false alert to Samsung Galaxy S8 and Motorola G6 handsets within a 70 to 120 meter range).] In 2021, the National Telecommunications Commission of the Philippines ordered an investigation into an incident in which consumer devices in a localized area displayed an emergency alert that included a political advertisement, which may have been transmitted by an unauthorized base station. [Footnote: See Zacarian Sarao, NTC orders probe into Bongbong Marcos’ emergency alert stunt (Oct. 6, 2021), https://newsinfo.inquirer.net/1498110/ntc-orders-probe-on-bongbong-marcos-emergency-alert-stunt; Aika Rey, Telcos deny Bongbong Marcos text ad; NTC points to portable cell sites (Oct. 6, 2021), https://www.rappler.com/nation/elections/telcos-ntc-statements-bongbong-marcos-text-ad-coc-filing-october-6-2021/.] In July 2022, researchers at New York University Abu Dhabi released a paper that demonstrated five attacks that could affect Commercial Mobile Alerting Systems on 5G networks. [Footnote: Evangelos Bitsikas and Christina Pöpper, You have been warned: Abusing 5G’s Warning and Emergency Systems (2022), https://arxiv.org/pdf/2207.02506.pdf.] We acknowledge that the 3GPP SA3 (Security) working group has published a study on 5G security enhancements against false base stations, [Footnote: See 3GPP TR 33.809 v0.18.0 (2022-2), Study on 5G Security Enhancement against False Base Stations (FBS) (release 18).] which identifies key issues and multiple candidate solutions. We note that this study does not require the implementation of any solutions, nor provide specifications for how solutions should be implemented. The report, however, acknowledges these solutions as only “potentially enhanc[ing] 5G system’s resistance to false base stations.” [Footnote: Id. at 14.]

III. DISCUSSION

A. Promoting the Operational Readiness of EAS Equipment

9. We observe that, according to the Bureau’s last nationwide EAS test report, an appreciable number of EAS Participants were unable to participate in testing due to equipment failure – despite advance notice that such test was to take place – suggesting that equipment failures are not addressed by EAS Participants as swiftly as reasonably possible and that more needs to be done to improve EAS operational readiness.
[Footnote: FCC, Report: August 11, 2021 Nationwide EAS Test at 14, 16 and 19 (2021), https://docs.fcc.gov/public/attachments/DOC-378861A1.pdf (describing that, out of 19,174 test participants in an August 11, 2021 nationwide test of EAS conducted by FEMA in coordination with the Commission, 389 test participants reported equipment performance issues on receipt and 565 on retransmission, with these participants generally reporting that equipment was out for repair, failed during the test, was missing, or malfunctioned).] Today, EAS Participants may continue operations for a period of 60 days despite having defective equipment that precludes their participation in EAS. [Footnote: Under Section 11.35(b) of the Commission’s rules, an EAS Participant may continue its operations for 60 days without seeking further FCC authority if it is unable to transmit EAS messages because of a defective EAS Encoder, EAS Decoder, or Intermediary Device used as part of the EAS, pending the Participant’s repair or replacement of the device. See 47 CFR § 11.35(b). The EAS Participant must record the occurrence of the defect in the broadcast station log, cable system records, and records of other EAS Participants showing the date and time the equipment was removed and restored to service. Id.] We seek comment on whether this approach is effective at ensuring the operational readiness of EAS. How frequently does EAS equipment encounter defects that prevent it from receiving or retransmitting alerts? What are the most common types of defects that are experienced? What steps are necessary to repair these defects, and how long do they typically take to repair? Do EAS Participants take prompt steps to repair their EAS equipment, or do they typically take several days or weeks before seeking repairs? Do other EAS stakeholders, such as alert originators, have concerns about equipment failures preventing the transmission of emergency alerts to the public?
We encourage commenters to highlight any specific incidences in which an EAS equipment defect prevented members of the public from being alerted to an emergency.

10. We seek comment on how to better promote the operational readiness of EAS equipment. For example, instead of requiring repairs within 60 days, would it serve the public interest to require EAS Participants to conduct repairs promptly and with reasonable diligence? Are all EAS Participants already doing so? If so, what are the reasons why some EAS Participants are not able to conduct repairs promptly and diligently? What factors should we consider when determining whether repairs are made promptly and with reasonable diligence? What barriers prevent equipment from being repaired promptly and what steps can we take to remove those barriers?

11. Would it improve EAS operational readiness and public safety in general to increase the situational awareness of the Commission, alert originators, and others about the occurrence of equipment defects that might prevent alerts from reaching the public? For example, would such an approach allow us to better enforce our operational readiness rules and identify persistent technical problems, and make contingency plans for alert delivery? If so, should we adopt an EAS equipment defect notification requirement? For example, should we require EAS Participants to report EAS equipment defects and submit a follow-up notification when the equipment is repaired? Within what timeframe should they perform that notification to ensure that stakeholders are aware of possible impacts on EAS (e.g., 24 hours)? What content should the notification contain? For example, should notifications include the same information that is already included in requests for additional repair time that are required to be sent to the Regional Director of the FCC field office for the area that the EAS Participant serves? [Footnote: Cf. 47 CFR § 11.35(c) (“This request must explain what steps have been taken to repair or replace the defective equipment, the alternative procedures being used while the defective equipment is out of service, and when the defective equipment will be repaired or replaced.”).] We seek comment on how, if at all, the Commission should share information to promote situational awareness among relevant stakeholders, such as alert originators and State Emergency Communications Committees. We also seek comment on whether to treat this information as confidential and, if so, how to protect it. Are there other steps that we should take to better ensure that EAS is ready and available when it is needed?

12. We seek comment on any measures that the Commission could take to reduce burdens on EAS Participants if it were to take further steps to promote the operational readiness of EAS equipment. Should we remove the requirement under Section 11.35(b) that EAS Participants make entries in their own broadcast station log and cable system records showing the date and time the equipment was removed and restored to service? Would the elimination of the “60 day” rule in favor of a prompt repair rule reduce certain burdens on EAS Participants? We seek comments on the costs of any approaches to improving EAS operational readiness that commenters propose that we consider. In doing so, commenters should offer specific cost estimates where possible. For example, we seek comment on whether it would be reasonable to estimate that EAS Participants would transmit a maximum of 2,000 EAS equipment defect notifications annually under the approach discussed above, as 565 EAS Participants reported their equipment was defective during the 2021 Nationwide EAS Test? [Footnote: FCC, Report: August 11, 2021 Nationwide EAS Test at 16, 19 (2021), https://docs.fcc.gov/public/attachments/DOC-378861A1.pdf.]
Would it be reasonable to estimate that 2,000 annual notifications would require one hour of labor each from a General and Operations Manager who is compensated at $82 per hour, resulting in an overall cost of $164,000? [Footnote: The Bureau of Labor Statistics reports that the most recent hourly wage for General and Operations Managers is $55, which increases to $82 when increased by 50% to also include benefits. See https://www.bls.gov/oes/current/oes111021.htm (accessed on 8/17/22). BLS data shows that the hourly wage must be increased by approximately 50% to include employee benefits. See Employer Costs for Employee Compensation - March 2022 at https://www.bls.gov/news.release/pdf/ecec.pdf.] We seek similarly detailed analysis on potential alternatives to improve EAS operational readiness.

B. Improving Awareness of Unauthorized Access to EAS Equipment

13. Section 11.45(b) of the Commission’s rules requires that an EAS Participant notify the Commission by e-mail within 24 hours of its discovery that it has transmitted or otherwise sent a false alert to the public, including details concerning the event. [Footnote: 47 CFR § 11.45(b).] We believe that it would be in the public interest to strengthen this rule in view of the increasing threats that cyber attacks pose to EAS networks and equipment. Accordingly, we propose to revise this rule to further require that an EAS Participant report any incident of unauthorized access of its EAS equipment (i.e., regardless of whether that compromise has resulted in the transmission of a false alert), [Footnote: See 47 CFR § 11.32 (EAS Encoder); 47 CFR § 11.33 (EAS Decoder).] to the Commission via NORS within 72 hours of when it knew or should have known that an incident has occurred and provide details concerning the incident. [Footnote: Cf. 6 U.S.C. § 681b(a)(1)(A) (requiring covered entity experiencing covered cyber incident to report the incident to CISA not later than 72 hours after the covered entity reasonably believes that the incident has occurred, as enacted in the Cyber Incident Reporting for Critical Infrastructure Act of 2022).] We seek comment on this proposal.

14. We observe that protecting EAS equipment alone is unlikely to be sufficient to protect the EAS from a cyber attack. Even without directly accessing an EAS Participant’s EAS equipment, a bad actor could send a false alert or prevent a legitimate alert with lifesaving information from reaching the public by gaining unauthorized access to EAS Participants’ communications systems and services. For this reason, we also propose to require that an EAS Participant report any incident of unauthorized access to any aspects of an EAS Participant’s communications systems and services that potentially could affect their provision of EAS. This would include infrastructure that serves to prevent unauthorized access to EAS equipment, including firewalls and Virtual Private Networks. We seek comment on this proposal and on any suitable alternatives.

15. We believe the proposed rule is justified in light of the instances of false EAS alerts in recent years, caused by compromised EAS equipment being used to transmit a false message. [Footnote: See, e.g., 2016 Notice at 638, para. 98.] As recounted above, we are aware of several situations in the past decade in which bad actors were either capable of obtaining, or actually obtained unauthorized access to EAS equipment. [Footnote: Supra at para. 4.] We seek comment on these views. Are there any other past or present security incidents involving EAS about which the Commission should be aware?
Does unauthorized access to EAS equipment provide bad actors with the ability to disrupt EAS Participants’ regularly scheduled programming, which has the potential to inflict financial harm in relation to their advertisers and reputational harm with their audiences? Are there any other kinds of harms resulting from unauthorized access to EAS equipment that the Commission should consider?

16. We believe significant public safety benefits would accrue if EAS Participants were required to provide the Commission with notification that their EAS equipment, communications systems, or services have been accessed without authorization, even in the absence of a subsequent transmission of a false alert. This view is based on our observation that, after a system is compromised, many attackers will position themselves to attack connected systems in several different ways. For example, we have observed that it is characteristic of some cyber attacks that an attacker will start by compromising one device and then, prior to launching a specific attack, spend time and effort to identify and compromise other devices in the network, potentially using the initially compromised device as an access point to other devices. See Mandiant, M-Trends 2022 at 12 (2022), available at https://www.mandiant.com/m-trends (showing the median time attackers spent in compromised networks prior to detection was 17 days for the Americas); Oracle, Anatomy of a Cyber Attack at 5-6 (2017), https://www.oracle.com/us/technologies/linux/anatomy-of-cyber-attacks-wp-4124673.pdf (showing activities hackers take during the penetration and exfiltration stages of an attack to control additional network assets). The Commission could use the proposed notifications to work with providers and other government agencies to resolve an equipment compromise before the compromise is actually exploited to cause false EAS transmissions in at least some instances.
We further believe that the Commission could leverage information on the frequency and nature of equipment compromise to better understand the prevalence and trends associated with such attacks across the nation. The Commission and its government partners would thus be better apprised of the risks posed to EAS and in a position to use this information to inform further measures that might be necessary to secure EAS.

17. We seek comment on these views, including detailed information as to the associated costs and benefits of the proposed approach. For example, what would be a reasonable estimate of the financial harm that such a cyber attack would inflict upon an EAS Participant, and how should such estimates be calculated? We believe the cost of reporting an unauthorized access incident would tend to be similar to the cost of reporting a false alert, which the Commission has estimated to have a total cost of $11,600 per year across all EAS Participants. 2018 Order at 7102, para. 38 (estimating the cost of reporting false alerts to be $11,600 per year based on an average of 290 EAS participants filing two false alerts per year). We seek comment on that estimate. Are EAS Participants already conducting investigations and gathering information about suspected incidents of unauthorized access to EAS equipment, communications systems, and services? Are there less costly alternatives to an unauthorized access reporting requirement that would achieve similar or greater benefits? We believe that the marginal costs of an unauthorized access reporting requirement are likely to be low, as the requirement parallels the requirements of an upcoming CISA rulemaking. Specifically, CISA is required by the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) to adopt rules requiring critical infrastructure sector entities to report cyber incidents (see 6 U.S.C. § 681b(c)),
but allows the requirement to be satisfied by reporting substantially similar information to another federal agency in a similar timeframe. See 6 U.S.C. § 681b(a)(5)(B). We seek comment on that belief.

18. We propose to define “unauthorized access” to EAS equipment, communications systems, and services for the purposes of today’s proposal to refer to any incident involving either remote or local access to EAS equipment, communications systems, or services by an individual or other entity that either does not have permission to access the equipment or exceeds their authorized access. We seek comment on this definition. For example, does this proposed definition mirror the methods that have been, and are likely to be, used by cyber-attackers to infiltrate EAS? We seek comment on whether it is appropriate to require that EAS Participants provide notification to the Commission within 72 hours of when they knew or should have known that an incident has occurred. Is this time frame appropriate or would it, for example, put undue pressure on EAS Participants at a critical time when they may be attempting to fully diagnose and resolve the compromise to their systems? On the other hand, is this time frame too slow to provide the Commission and government partners with timely notice of an incident? For example, consistent with the NORS reporting deadlines for interconnected VoIP outages (47 CFR § 4.9(g)(1)(i)), should the Commission be notified within 24 hours of a reasonable belief that an incident has occurred? In the alternative, should we require EAS Participants to provide notification to the Commission within 72 hours of “its reasonable belief that an incident has occurred,” consistent with the approach to cyber incident reporting outlined by CIRCIA? See 6 U.S.C. § 681b(a)(1)(A). Or, would this approach create disincentives for a provider to monitor the security of its own network? Would any alternative approach be more effective?
Similar to what is contemplated by CIRCIA (see 6 U.S.C. § 681b(a)(3)), should EAS Participants be required to submit updates to the Commission if substantial new or different information becomes available, until the date that the Commission is notified that the incident has concluded and been fully mitigated and resolved? Is the overall approach we propose today consistent with the incident reporting requirements of other federal and state government agencies, and if not, how should our proposal be harmonized to be more consistent with those requirements?

19. We seek comment on the kinds of information that should be included in reports of unauthorized access. We propose that reports include, to the extent it is applicable and available at the time of reporting, the date range of the incident, a description of the unauthorized access, the impact to the EAS Participant’s EAS operational readiness, a description of the vulnerabilities exploited and the techniques used to access the device, identifying information for each actor responsible for the incident, and contact information for the EAS Participant. We believe this information is necessary to understand the unauthorized access incident, resolve it before the compromise is actually exploited to send a false alert, and harmonize our requirements with those of other federal agencies. See 6 U.S.C. § 681b(c)(4) (outlining specific contents of cyber incident reports required by CIRCIA rulemaking). We seek comment on the proposed content of these reports and whether it should be modified.
We propose that the contents of these reports be treated as presumptively confidential and only shared on a confidential basis with other Federal agencies and state government agencies that agree to protect them to the same extent and in the same manner as the Commission would and, to the extent that the policies or regulations of those agencies are stricter, to the same extent and in the same manner as they would if they had collected the information themselves. See 44 U.S.C. § 3510 (directing federal agencies to share information with other federal agencies subject to confidentiality protections). We also propose to allow disclosure by the Commission, or by parties with whom the Commission has shared the notifications, of anonymized information about breaches that might be useful for industry, security researchers, policymakers, and the general public. The Commission would make every effort to ensure that the security issue had been resolved before disclosing information about the breach that could promote the perpetration of similar attacks. Further, consistent with the Commission’s rules, we could disclose the identity of breached EAS Participants when it would serve the public interest. This disclosure would be limited to the identity of the EAS Participant and would not include the disclosure of any reports related to the unauthorized access. We seek comment on this approach to cyber incident information sharing.

20. We seek comment on how these reports should be submitted to the Commission. Should they be submitted to the FCC Operation Center by e-mail, in similar fashion to the false alert reports that EAS Participants are already required to file with the Commission? Should these reports be submitted in NORS to better capture the required contents in clearly defined fields and more easily facilitate sharing with federal partners? Or should we develop a new electronic database to collect the content of the reports?
Are there other approaches we should consider? What are the costs and benefits associated with each approach?

21. We seek comment on whether Participating CMS Providers should also be required to report incidents of unauthorized access to their WEA systems or services. Similar to EAS, we believe that such a requirement would allow the Commission and its government partners to better identify and evaluate risks posed to EAS and inform further measures that might be necessary to secure WEA. Should reports be required in the same timeframe and with the same content as proposed for EAS? Are there any differences between EAS and WEA that would warrant differing unauthorized access reporting requirements for WEA? If so, what are those differences and how should the requirements be modified to reflect them?

C. Protecting the Nation’s Alerting Systems through the Development, Implementation, and Certification of a Cybersecurity Risk Management Plan

1. EAS Security

22. As discussed above, the EAS has faced cybersecurity risks for more than a decade, with PSHSB regularly advising EAS Participants to follow cybersecurity best practices and take other steps to improve their cybersecurity posture. Despite these admonitions, however, we have not observed meaningful security improvements. For example, PSHSB has frequently advised EAS Participants to update their EAS software to ensure that they have installed the most recent security patches, including one such round of outreach in 2020 after the discovery that certain EAS equipment was potentially vulnerable to IP-based attacks. See E-mail from Lisa M. Fowlkes, Chief, PSHSB, FCC to EAS Participants (April 24, 2020 2:03 am EDT). However, in filings related to the Nationwide EAS Test in August 2021, the Bureau observed that more than 5,000 EAS Participants were using outdated software or using equipment that no longer supported regular software updates.
In light of these failures, we believe the Commission should take action to ensure the security of EAS.

23. We propose to require EAS Participants to submit an annual certification attesting that they have created, updated, and implemented a cybersecurity risk management plan. We note that other agencies are likewise either requiring or proposing to require their regulated entities to take cybersecurity measures to protect their systems. For example, the Commodity Futures Trading Commission (CFTC) requires registrants to establish and maintain information security controls as part of their mandatory system safeguards and to implement five types of security testing through ongoing risk assessments and board oversight: (1) vulnerability testing; (2) penetration testing; (3) controls testing; (4) security incident response plan testing; and (5) enterprise technology risk assessment. See generally, CFTC, Fact Sheet - Final Rules on System Safeguards Testing Requirements (Sept. 8, 2016), http://www.cftc.gov/idc/groups/public/@newsroom/documents/file/syssafeguard_factsheet090816.pdf. The Securities and Exchange Commission (SEC) has proposed periodic cybersecurity reporting requirements that include disclosing a registrant’s policies and procedures to identify and manage cybersecurity risks. See SEC, Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure (Mar. 9, 2022), https://www.sec.gov/rules/proposed/2022/33-11038.pdf. The cybersecurity risk management plan would describe how the EAS Participant employs their organizational resources and processes to ensure the confidentiality, integrity, and availability of the EAS. The plan must discuss how the EAS Participant identifies the cyber risks that they face, (Sources of threat intelligence that may be helpful to EAS Participants’ identification of threats include the Communications Information Sharing and Analysis Center (ISAC), CISA Known Exploited Vulnerabilities, and PSHSB Public Notices.)
(See, e.g., ISAO Standards Organization, Communications ISAC, https://www.isao.org/information-sharing-group/sector/communications-isac/ (last visited Aug. 14, 2022); CISA, Reducing the Significant Risk of Known Exploited Vulnerabilities, https://www.cisa.gov/known-exploited-vulnerabilities (last visited Aug. 14, 2022); Public Safety and Homeland Security Bureau Urges Emergency Alert System (EAS) Participants to Take Immediate Steps to Secure EAS Equipment, PS Docket No. 15-94, Public Notice, DA 22-828 (PSHSB Aug. 5, 2022).) the controls they use to mitigate those risks, and how they ensure that these controls are applied effectively to their operations. Similarly, the Department of Health and Human Services (HHS) requires entities to conduct a risk analysis to determine the threats or hazards to the security of electronically stored, protected health information, and requires them to implement security policies and procedures. See 45 CFR § 164.308. The Department of Defense (DoD) requires all entities within the defense supply chain to have a multi-level process to verify that DoD cybersecurity requirements have been implemented. See 48 CFR §§ 252.204-7012, 252.204-7021. The Securities and Exchange Commission (SEC) has proposed periodic cybersecurity reporting requirements that include disclosing a registrant’s policies and procedures to identify and manage cybersecurity risks. See, SEC, Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure (Mar. 9, 2022), https://www.sec.gov/rules/proposed/2022/33-11038.pdf. We believe that this certification requirement would improve the overall security of EAS by ensuring that EAS Participants are regularly taking steps to address security threats as part of their organization’s day-to-day strategic and operational planning.
We also believe the creation and implementation of cybersecurity risk management plans would help to ensure EAS operational readiness and eliminate false alerts, which divert public safety and other government resources from other important activities, impose costs on EAS Participants that have to deal with many of the consequences and, ultimately, desensitize the public to legitimate alerts. We seek comment on this proposal. Do stakeholders agree this proposal would improve the security of the EAS? Are there other benefits that may accrue from the creation and implementation of cybersecurity risk management plans by EAS Participants? Is an annual certification the right frequency with which to file certifications, or are there circumstances where more (or less) frequent filings might be necessary?

24. We propose to afford each EAS Participant flexibility to structure its plan in a manner that is tailored to its organization, provided that the plan demonstrate that the EAS Participant is taking affirmative steps to analyze security risks and improve its security posture. While we believe there are many ways for EAS Participants to satisfy this requirement, we propose that EAS Participants can successfully demonstrate that they have satisfied this requirement by structuring their plans to follow an established risk management framework, such as the National Institute of Standards and Technology (NIST) Risk Management Framework (see NIST Computer Security Resource Center, About the NIST Risk Management Framework (July 14, 2022), https://csrc.nist.gov/projects/risk-management/about-rmf (providing a system development process that prepares an organization to manage security and privacy risks by categorizing the system and information processed, stored and transmitted by the system, selecting and implementing controls to protect the system, and continuously assessing the system to determine if the controls are providing the desired results))
or the NIST Cybersecurity Framework. See NIST Computer Security Resource Center, Getting Started with the NIST Cybersecurity Framework: A Quick Start Guide (April 19, 2022), https://csrc.nist.gov/Projects/cybersecurity-framework/nist-cybersecurity-framework-a-quick-start-guide (providing a system development process that prepares an organization to identify, protect against, detect, respond to, and recover from cyber threats); see also CSRIC IV, Cybersecurity Risk Management and Best Practices, Final Report (2015), https://transition.fcc.gov/pshs/advisory/csric4/CSRIC_IV_WG4_Final_Report_031815.pdf (offering guidance to the communications sector on implementing the NIST Cybersecurity Framework). We believe this flexible approach would allow EAS Participants to develop a plan that is appropriate for their organization’s size and available resources, while still ensuring that the plan results in ongoing and material improvements in EAS security. Similarly, SEC and HHS have taken a flexible approach to security measures that their respective regulatees must implement.  See, SEC, Cybersecurity and Resiliency Observations (Jan. 27, 2020), https://www.sec.gov/files/OCIE%20Cybersecurity%20and%20Resiliency%20Observations.pdf; Summary of the HIPAA Security Rule, https://www.hhs.gov/hipaa/for-professionals/security/laws-regulations/index.html (last visited Aug. 16, 2022). We also anticipate that this requirement would reduce the costs imposed on smaller EAS Participants, which may have different cybersecurity needs than larger EAS Participants. We seek comment on this proposal. Alternatively, should we require EAS Participants to structure their plans to follow the NIST Risk Management Framework or the NIST Cybersecurity Framework? If so, should we require EAS Participants to follow the current version of each framework (i.e., Risk Management Framework for Information Systems and Organizations, NIST Special Publication 800-37, Revision 2; NIST Cybersecurity Framework V1.1)? 
NIST, Risk Management Framework for Information Systems and Organizations, NIST Special Publication 800-37, Revision 2 (2018), https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-37r2.pdf; NIST, Framework for Improving Critical Infrastructure Cybersecurity, Version 1.1 (2018), https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf. If we take this approach, we anticipate that NIST may one day release updated versions of these frameworks, and we would then expect to seek notice and comment on whether we should require EAS Participants to follow the updated versions. We seek comment on this approach.

25. We propose that each cybersecurity risk management framework include security controls sufficient to ensure the confidentiality, integrity, and availability (CIA) of the EAS. “Confidentiality” in this context refers to assurance that information is not disclosed to unauthorized persons, processes, or devices. See ATIS, ATIS Telecom Glossary: Confidentiality, Assurance that information is not disclosed to unauthorized persons, processes, or devices https://glossary.atis.org/glossary/confidentiality (last visited Aug 9, 2022). “Integrity” refers to preventing unauthorized creation, amendment or deletion of information. See ATIS, ATIS Telecom Glossary: Integrity, https://glossary.atis.org/glossary/integrity (last visited Aug 9, 2022). Finally, “availability” refers to whether a network provides timely, reliable access to data and information services for authorized users. See ATIS, ATIS Telecom Glossary: Availability, https://glossary.atis.org/glossary/availability (last visited Aug 9, 2022). Combined, these principles are generally referred to by cybersecurity experts as the “CIA triad.” See NIST Special Publication 1800-25A, Data Integrity: Identifying and Protecting Assets Against Ransomware and Other Destructive Events (Dec. 2020), Executive Summary, https://www.nccoe.nist.gov/publication/1800-25/VolA/index.html.
We expect that reasonable security measures will include measures that are commonly the subject of best practices. While we believe there are potentially many ways for EAS Participants to satisfy this aspect of the requirement, we propose that EAS Participants will have satisfied it if they demonstrate they have successfully implemented an established set of cybersecurity best practices, such as applicable CIS Critical Security Controls (see Center for Internet Security, Critical Security Controls version 8, https://www.cisecurity.org/controls (last visited Aug 9, 2022) (CIS Critical Security Controls or CIS) (providing security controls grouped by priority and feasibility for different sizes and resources of businesses in Implementation Groups)) or the CISA Cybersecurity Baseline. Cybersecurity & Infrastructure Security Agency, Cross-Sector Cybersecurity Performance Goals and Objectives, https://www.cisa.gov/cpgs (last visited Aug. 5, 2020); Cybersecurity & Infrastructure Security Agency, Cross-Sector Cybersecurity Performance Goals (CPGs) Common Baseline: Controls List (Draft), https://www.cisa.gov/sites/default/files/publications/Common_Baseline_v2_Controls_List_508c.pdf (last visited Aug. 5, 2020) (CISA Baseline). See also White House, National Security Memorandum on Improving Cybersecurity for Critical Infrastructure Control Systems (July 28, 2021), https://www.whitehouse.gov/briefing-room/statements-releases/2021/07/28/national-security-memorandum-on-improving-cybersecurity-for-critical-infrastructure-control-systems/ (directing the Secretary of Homeland Security to “develop and issue cybersecurity performance goals for critical infrastructure to further a common understanding of the baseline security practices that critical infrastructure owners and operators should follow to protect national and economic security, as well as public health and safety”).
To ensure that every EAS Participant implements a baseline of security controls, however, we propose to require that each plan include security measures that address changing default passwords prior to operation (see, e.g., CISA Baseline 1.2 and CIS 5.2), installing security updates in a timely manner (see, e.g., CISA Baseline 6.3 and CIS 2.2), securing equipment behind properly configured firewalls or using other segmentation practices (see, e.g., CISA Baseline 5.3, 5.4 and CIS 4.2, 4.4, 4.5), requiring multifactor authentication where applicable (see, e.g., CISA Baseline 1.4 and CIS 6.3, 6.4, and 6.5), addressing the replacement of end-of-life equipment, and wiping, clearing, or encrypting user information before disposing of old devices. See, e.g., CISA Baseline and CIS 2.3. We expect that compliant cybersecurity risk management plans will not be limited to only these specific measures, as plans will vary based on individual providers’ needs and circumstances and will need regular updates to keep up with an evolving threat environment. We seek comment on these proposed rules. Are there other specific security measures that we should require EAS Participants to implement? For example, should we require EAS Participants to conduct network security audits or vulnerability assessments to identify potential security vulnerabilities? If so, how often should they be conducted? Should we require EAS Participants to report to the Commission when their network audits, network vulnerability assessments, or penetration testing reports reveal critical vulnerabilities? If so, how should we define a “critical vulnerability” for this purpose? Should we require EAS Participants to implement Incident Response Plans that describe the procedures that EAS Participants would follow when responding to an ongoing cybersecurity incident?
Should we require EAS Participants to conduct cybersecurity training for their employees or contractors and if so, what should the contents of that training be? What kinds of security measures have EAS Participants already implemented to protect the EAS, and how effective are they at mitigating cybersecurity risks? Should we require EAS Participants to keep records that demonstrate how they have implemented each of the baseline security controls? If so, what specific types of information should the records include and for how long should they be kept? Have EAS Participants identified unsuccessful attempts to access their systems, and if so, what specific security measures best thwarted those attempts?

26. Does this approach strike the appropriate balance between improving EAS security, complementing EAS Participants’ existing cybersecurity activities, and reducing burdens on small EAS Participants? If not, how should this requirement be modified to achieve that balance? We seek comment on whether this approach grants too much flexibility and will not result in improvements to EAS security. We also seek comment on alternative approaches that would be effective at improving EAS security. For example, should we require EAS Participants to address a specified list of cybersecurity subject matters in their risk management plans? Instead of requiring the use of a risk management plan, should we require EAS Participants to take specific steps to secure their EAS equipment? If so, could such a requirement be drafted in a way to encourage EAS Participants to continually examine and improve their cybersecurity posture, rather than merely check items off a list? Is our proposed certification requirement too burdensome on small EAS Participants? If so, what would be a more cost-effective way to promote EAS security for small EAS Participants?

27. We observe that protecting EAS equipment alone is unlikely to be sufficient to protect the EAS from a cyber attack.
In addition to the risk of a bad actor sending a false alert, a bad actor could attack other elements of an EAS Participant’s systems or service as a way to prevent a legitimate alert with lifesaving information from reaching the public. For this reason, we propose to require that the cybersecurity risk management plan address not only the security of EAS equipment, but also the security of all aspects of an EAS Participant’s communications systems and services that potentially could affect their provision of EAS. We seek comment on this requirement. Are there alternative requirements that we should consider to ensure that bad actors cannot prevent the transmission of legitimate alerts (or engage in the transmission of false ones)?

28. We seek comment on whether there are industry groups, cybersecurity organizations, or other organizations that may be positioned to help EAS Participants create, implement, and maintain their cybersecurity risk management plan. What kinds of resources do these organizations offer, and how can EAS Participants make use of them? For example, are there organizations that offer, or that would be able to begin offering, authoritative sources of cybersecurity information and expertise? Are there organizations that can support EAS Participants by offering cybersecurity training, risk management plan templates, or otherwise promote cybersecurity? If so, to what extent can these organizations help reduce the burdens related to the proposed certification requirement and make EAS more secure?

29. We propose that EAS Participants certify to creating, annually updating, and implementing a cybersecurity risk management plan by checking a box as part of its annual filing of EAS Test Reporting System Form One. See 47 CFR § 11.61(a)(3)(iv)(A). We seek comment on whether this is the most efficient way to implement a certification requirement for EAS Participants. If not, how should the certification be implemented?
While the Commission does not intend to review each individual plan for sufficiency, we propose that the cybersecurity risk management plan be made available to the Commission upon request so that the Commission may review a specific plan as needed or proactively review a sample of EAS Participants’ plans to ensure that they are sufficient to ensure the confidentiality, integrity, and availability of the EAS. In such circumstances, cybersecurity risk management plans would be treated as presumptively confidential. We propose to delegate to the Bureau the authority to request review of such cybersecurity risk management plans and to evaluate them for sufficiency. We seek comment on this approach to evaluating plans. For how long should we require EAS Participants to retain prior versions of their cybersecurity risk management plans to enable the Bureau’s review?

30. We propose that the filing of, and subsequent compliance with, a cybersecurity risk management plan would not serve as a safe harbor or excuse or any other diminishment of responsibility for negligent security practices. We believe that allowing the filing of and compliance with a plan to have such an effect could create a perverse incentive. EAS Participants must remain constantly vigilant in preventing intrusions and can only satisfy that responsibility by acting reasonably in all circumstances. Any negligence in protecting the confidentiality, integrity, and availability of EAS that results in transmission of false alerts or non-transmission of valid EAS messages would establish a violation of that duty, regardless of the content of the plan. Furthermore, we propose that an EAS Participant’s failure to sufficiently develop or implement their plan would be treated as a violation of the proposed rules. We seek comment on the criteria or indicia that we should consider when determining whether a plan is insufficient to mitigate cyber risk.
We also seek comment on any measures that the Commission should take to verify whether EAS Participants have implemented their plans.

31. We believe that the benefits of this proposal outweigh the costs. While we believe that it is impossible to quantify the precise dollar value of improvements to the public’s safety, life, and health, as a general matter (Resilient Networks, Report and Order, PS Docket 21-346, FCC 22-50, para. 46 (2022) (Resilient Networks Order) (“it would be impossible to quantify the precise financial value of these health and safety benefits”)), we nonetheless believe that very substantial public safety benefits will result from the rules we propose today: EAS will be better able to ensure that real alerts with lifesaving information are successfully delivered to the public and false alerts are prevented in order to preserve public trust and better ensure that the public takes appropriate action during real emergencies. As a consequence, we anticipate that the rule changes we adopt today will yield substantial life-saving benefits. Independent of that analysis, the Commission has previously found that “a foreign adversary’s access to American communications networks could result in hostile actions to disrupt and surveil our communications networks, impacting our nation’s economy generally and online commerce specifically, and result in the breach of confidential data.” Protecting Against National Security Threats to the Communications Supply Chain Through FCC Programs; Huawei Designation; ZTE Designation, WC Docket No. 18-89; PS Docket Nos. 19-351 and 19-352, Report and Order, Further Notice of Proposed Rulemaking, and Order, 34 FCC Rcd 11423, 11465, para. 109 (2019). Consistent with the Commission’s past analysis, our national gross domestic product was nearly $23 trillion last year, adjusting for inflation. See Press Release, Bureau of Economic Analysis, U.S.
Department of Commerce, Gross Domestic Product (Third Estimate), Corporate Profits (Revised Estimate), and GDP by Industry, First Quarter 2022 (June 29, 2022), https://www.bea.gov/sites/default/files/2022-06/gdp1q22_3rd.pdf. Accordingly, if creating and implementing a cybersecurity risk management plan prevents even a 0.005% disruption to our economy, we believe our proposed requirement would generate $1.15 billion in benefits. Likewise, the digital economy accounted for $3.31 trillion of our economy in 2020, See Tina Highfill & Christopher Surfield, Bureau of Economic Analysis, U.S. Department of Commerce, New and Revised Statistics of the U.S. Digital Economy, 2005-2020 (May 2022), https://www.bea.gov/system/files/2022-05/New%20and%20Revised%20Statistics%20of%20the%20U.S.%20Digital%20Economy%202005-2020.pdf. and so we believe preventing a disruption of even 0.05% would produce benefits of $1.66 billion. As a check on our analysis, consider the impact of existing malicious cyber activity on the U.S. economy: $57 billion to $109 billion in 2016. See The Council of Economic Advisers, The Cost of Malicious Cyber Activity to the U.S. Economy at 36 (Feb. 2018), https://trumpwhitehouse.archives.gov/wp-content/uploads/2018/02/The-Cost-of-Malicious-Cyber-Activity-to-the-U.S.-Economy.pdf. Given the incentives and documented actions of hostile nation-state actors, reducing this activity (or preventing an expansion of such damage) by even 1% would produce benefits of $0.57 billion to $1.09 billion. Given this analysis, we believe the benefits of our rule to the American economy, commerce, and consumers are likely to significantly and substantially outweigh the costs of the proposed certification requirement. We seek comment on this analysis. Is there a more appropriate way to quantify these benefits? Are there any additional ways in which the proposed rules would benefit the public that the Commission should consider? 32. 
We estimate that the overall cost of our proposed cybersecurity risk management plan requirement will be approximately $21 million. We believe that EAS Participants will, on average, require 10 hours annually to initially draft a plan and then update the plan and submit their certification annually. When developing this average we anticipate that many large EAS Participants already have cybersecurity risk management plans and will incur only de minimis costs to comply with this requirement. We also anticipate that many small EAS Participants will require less than 10 hours to develop or update a plan that is appropriate to the size of their organization. Based on this estimate, we believe that the overall cost for 25,644 EAS Participants to comply with the proposed certification requirement with 10 hours of labor from a General and Operations Manager who is compensated at $82 per hour will be $21,028,080. FCC, Report: August 11, 2021 Nationwide EAS Test at 6 (PSHSB 2021), https://docs.fcc.gov/public/attachments/DOC-378861A1.pdf. The Bureau of Labor Statistics reports that the most recent hourly wage for General and Operations Managers is $55, which rises to $82 when increased by 50% to also include benefits. See supra n. 49. We seek comment on our analysis. 2. WEA Security 33. We propose to require Participating CMS Providers to certify that they are creating, annually updating, and implementing a cybersecurity risk management plan. As discussed above, WEA also faces security risks related to the transmission of false alerts, and compromise of a Participating CMS Provider’s systems could disrupt the transmission of a legitimate WEA message. Are there additional cybersecurity risks to WEA about which we should be aware? To what extent do Participating CMS Providers already have cybersecurity risk management plans?
We believe that the approach we propose above in the context of EAS – wherein we would afford flexibility for providers to assess what content should be in their cybersecurity risk management plans while proposing that it demonstrate how the provider identifies the cyber risks that they face, the controls they use to mitigate those risks, and how they ensure that these controls are applied effectively to their operations – lends itself to WEA as well. We seek comment on this tentative conclusion. Are there any fundamental differences in the transmission of WEA alerts or the threats that WEA faces that would require a different approach to ensuring WEA’s security? We seek comment on the least burdensome means by which Participating CMS Providers could submit their certification to the Commission, including via the Commission’s Electronic Comment Filing System, a designated Commission e-mail address, or a WEA-specific database designed for this purpose. 34. As with the EAS, we propose that a cybersecurity risk management plan should include security controls sufficient to ensure the confidentiality, integrity, and availability of WEA. See supra n. 73. We propose that sufficient security measures could be demonstrated by implementing controls like the CISA Cybersecurity Baseline or appropriate CIS Implementation Group. See supra n. 74, 75. As with EAS Participants, as described above, we propose to require that each plan include a baseline of security measures that address changing default passwords prior to operation, installing security updates in a timely manner, securing equipment behind properly configured firewalls or using other segmentation practices, requiring multifactor authentication where applicable, addressing the replacement of end-of-life equipment, and wiping, clearing, or encrypting user information before disposing of old devices.
We expect that compliant cybersecurity risk management plans will not be limited to only these specific measures, as plans will need regular updates to keep up with an evolving threat environment. We seek comment on these proposed rules. Are there specific security measures that we should require Participating CMS Providers to implement? For example, as above, we seek comment on whether we should require Participating CMS Providers to conduct network security audits or vulnerability assessments to identify potential security vulnerabilities, implement Incident Response Plans that describe the procedures that Participating CMS Providers would follow when responding to an ongoing cybersecurity incident, or require Participating CMS Providers to conduct cybersecurity training for their employees or contractors. 35. We believe that the benefits of this proposal for WEA outweigh the costs. As discussed above for EAS, we believe that the rules we propose today would better ensure that real WEA alerts with lifesaving information are successfully delivered to the public and false alerts are prevented in order to preserve public trust and better ensure that the public takes appropriate action during real emergencies. We estimate that the overall cost of our proposed cybersecurity risk management plan requirement will be approximately $62,320. We anticipate that many large Participating CMS Providers already have cybersecurity risk management plans and will incur only de minimis costs to comply with this requirement. We also anticipate that many small Participating CMS Providers will require less than 10 hours to develop or update a plan that is appropriate to the size of their organization. Based on this estimate, we believe that the overall cost for 76 Participating CMS Providers to comply with the proposed certification requirement with 10 hours of labor from a General and Operations Manager who is compensated at $82 per hour will be $62,320.
FCC, Master WEA Registry, https://www.fcc.gov/files/weamasterregistry112019xls (last visited Aug. 19, 2022) (reflecting that 76 CMS Providers participate in WEA either in whole or in part). The Bureau of Labor Statistics reports that the most recent hourly wage for General and Operations Managers is $55, which rises to $82 when increased by 50% to also include benefits. See supra n. 49. We seek comment on this analysis. To what extent do Participating CMS Providers already implement a cybersecurity risk management framework? Are there alternatives that would be as effective but less burdensome, particularly to smaller providers? As with EAS above, we seek comment on whether there are industry groups, cybersecurity organizations, or other organizations that may be positioned to help Participating CMS providers create, implement, and maintain their cybersecurity risk management plans. What kinds of resources do these organizations offer, and how can Participating CMS providers make use of them? 36. We seek comment on whether there are other categories of communications service providers (e.g., services that support 911 calling) to which a cybersecurity risk management plan certification requirement should apply. Like emergency alerting, 911 is part of the nation’s emergency services critical infrastructure. See CISA, Emergency Services Sector, https://www.cisa.gov/emergency-services-sector (last visited Aug. 22, 2022). Similarly, like the nation’s alert and warning capability, 911 service has faced instances of compromise by cyberattacks, See, e.g., SOS Musings #49 - 911: We Have a Cybersecurity Emergency (May 26, 2021), https://cps-vo.org/node/76327 (describing a denial-of-service attack reportedly affecting 911 call centers in 12 states). and is regularly under threat. See CISA, CISA Releases Cyber Risks to 911: TDoS Fact Sheet, https://www.cisa.gov/blog/2020/06/09/cisa-releases-cyber-risks-911-tdos-fact-sheet (last visited Aug. 22, 2022). 
In light of those threats, should services that support 911 calling also be required to annually certify to creating, updating, and implementing cybersecurity risk management plans? If so, are there differences between emergency alerting and 911 that would warrant changes to the risk management plan requirements we propose today, if applied to services that support 911 calling? Are the benefits and costs of such a requirement commensurate with the benefits and costs of certification as described above? D. Displaying Only Valid WEA Messages on Mobile Devices 37. False alerts, such as the false ballistic missile alert that the Hawaii Emergency Management Agency accidentally sent during a training exercise in 2018, can cause panic, confusion, and damage the credibility of WEA. While that false alert was sent accidentally, bad actors could potentially exploit known WEA vulnerabilities to intentionally send false alerts to the public. The Commission’s rules require Participating CMS Providers’ network infrastructure to authenticate interactions with mobile devices and require mobile devices to authenticate interactions with CMS Provider infrastructure. 47 CFR § 10.330(b); 10.500(a). In practice, however, the security handshake between Participating CMS Providers and mobile devices does not include a process for mobile devices to ensure that the base station to which it attaches is valid. As a result, mobile devices that are not actively engaged with a valid base station are vulnerable to receiving and presenting false alerts. This threat exists when a mobile device attempts authentication with the provider, switches base stations, or returns to active from idle mode. 38. Accordingly, we propose to require Participating CMS Providers transmit sufficient authentication information to allow mobile devices to present WEA alerts only if they come from valid base stations. 
Ongoing work in international standards bodies suggests that Participating CMS Providers could achieve this outcome by transmitting sufficient authentication information to allow mobile devices to authenticate either the alert or the base station itself. For example, Participating CMS Providers could provide for authentication of the base station using a unique identifier or an encryption key. To what extent do Participating CMS Providers already uniquely identify legitimate base stations with a selection of base station characteristics to defend against denial-of-service attacks and fraud (i.e., through base station fingerprinting)? Could Participating CMS Providers leverage base station fingerprinting to protect the public from false WEA alerts through updates to WEA standards and mobile device firmware? Alternatively, or in addition, could WEA-capable mobile devices receive an appropriate encryption key from the network and then use that key to confirm either that an alert is authentic or that the base station transmitting it is authentic before presenting the alert? Should our rules prohibit CMS Providers and equipment manufacturers from marketing devices as WEA-capable unless they have these technical capabilities? 39. We seek comment on the trade-offs attendant to available technological approaches to protecting the public from false alerts. Could implementation of these approaches affect the ability of non-service initialized WEA-capable mobile devices, SIM-less WEA-capable mobile devices, or mobile devices that are no longer contractually associated with a CMS Provider to receive WEA alerts depending on the handset technology or generation of wireless network used? If so, how could the Commission mitigate these potential drawbacks by refining its proposed rules? To the extent that technological solutions have been implemented, is it still possible for a false alert of this type to be displayed on mobile devices, and if so, under what conditions? 
What steps could be taken to further minimize or eliminate these kinds of false alerts? 40. We estimate that Participating CMS Providers would incur a $14.5 million one-time cost to update the WEA standards and software necessary to comply with this requirement. This figure consists of approximately a $814,000 cost to update applicable WEA standards and approximately a $13.7 million cost to update applicable software. We quantify the cost of modifying standards as the annual compensation for 30 network engineers compensated at the national average for their field ($120,650/year; $58/hour), plus annual benefits ($60,325/year; $29/hour) working for the amount of time that it takes to develop a standard (one hour every other week for one year, 26 hours) for 12 distinct standards. 30 x ($58 + $29) x 26 x 12 = $814,320, a figure that we round to $814,000 to avoid the false appearance of precision in our estimate. See Bureau of Labor Statistics Employer Costs for Employee Compensation Summary, Computer Network Architect (May 2021), https://www.bls.gov/oes/current/oes151241.htm (last visited Aug. 25, 2022) (stating that the average base salary for a computer network architect is $120,730/yr); Letter from Tom Goode, General Counsel, ATIS, to Marlene Dortch, Secretary, FCC, PS Docket No. 15-91, at 1 (filed Sep. 6, 2016) (stating that, when standards need to be modified for WEA, it would be common practice for groups of approximately 30 individuals with relevant technical expertise to meet approximately bi-weekly for an hour to discuss the modifications); Bureau of Labor Statistics, Employer Costs for Employee Compensation Summary (2022), https://www.bls.gov/news.release/ecec.nr0.htm (stating that, as of March 2022, civilian worker benefits accounted for approximately one third of total compensation, which in this case is $85,816/yr x. 1.5 = $26,775/yr); Wireless Emergency Alerts; Amendments to Part 11 of the Commission's Rules Regarding the Emergency Alert System, PS Docket Nos.
15-91, 15-94, Second Report and Order and Second Order on Reconsideration, 33 FCC Rcd 1320, 1344-45, para. 33, n.154 (2018) (listing the 12 WEA standards). We quantify the cost of modifying software as the annual compensation for a software developer compensated at the national average for their field ($120,990/year), plus annual benefits ($60,495/year) working for the amount of time that it takes to develop software (one year) at each of the 76 CMS Providers that participate in WEA. ($120,650 + $60,325) x 76 = $13,754,100, a figure that we round to $13.7 million to avoid the false appearance of precision in our estimate. See Bureau of Labor Statistics Employer Costs for Employee Compensation Summary, Software Developers, (May 2021) https://www.bls.gov/oes/current/oes151252.htm, (last visited Aug. 25, 2022) (stating that the average base salary for a software developer is $120,730/year, which results in total compensation of $180,960 when benefits are included); Verizon, PS Docket No. 15-91, Comments, PS Docket No. 15-91, at 5 (Jan. 13, 2016) (stating that it takes manufacturers and vendors 12 months to incorporate WEA standards into their products and test them); FCC, Master WEA Registry, https://www.fcc.gov/files/weamasterregistry112019xls (last visited Aug. 19, 2022) (reflecting that 76 CMS Providers participate in WEA either in whole or in part). We seek comment on these cost estimates and the underlying cost methodology we are using. We also seek comment on any other costs and benefits that would result from this proposal. Incidents of false WEA alerts can cause significant confusion and diminish the public’s trust in emergency alerts. For example, what harms could arise if an invalid base station sends a false alert to attendees to a public event, such as a parade or sporting event? 
For each technological approach considered, we urge commenters to address its effectiveness and cost of implementation, any additional latency that the measure could introduce into the delivery of WEA alerts, and the potential for the security measure to result in the suppression of legitimate alert content. E. WEA Infrastructure Functionality 41. Pursuant to the WARN Act, CMS Providers’ participation in WEA is voluntary, but CMS Providers that elect to participate in WEA must comply with all the WEA rules. WARN Act, § 1202(a). The WEA rules provide that WEA functionality, both in Participating CMS Providers’ networks and in mobile devices, “are dependent upon the capabilities of the delivery technologies implemented by a Participating CMS Provider” and certain WEA protocols “are defined and controlled by each Participating CMS Provider.” See 47 CFR § 10.330 (providing a caveat to the WEA infrastructure requirements); 47 CFR § 10.500 (providing a caveat to the WEA mobile device requirements). The inclusion of these statements may create the mistaken impression that Participating CMS Providers’ compliance with the rules that follow, including the base station authentication rules we propose today, would be conditioned on the Participating CMS Providers’ delivery technology. Emergency management agencies expect WEA to work as intended and when needed, and this language unintentionally could create uncertainties about the quality of WEA service that Participating CMS Providers offer. City of Houston Office of Public Safety and Homeland Security Comments, PS Docket No. 15-91, at 4 (Jan. 12, 2016); Clark County Office of Emergency Management Comments, PS Docket No. 15-91, at 3 (Jan. 13, 2016); Jefferson Parish Emergency Management Comments, PS Docket 15-91, at 4 (Dec. 14, 2015). For these reasons, the Commission proposed to remove this language from the WEA rules in 2016. 
See Wireless Emergency Alerts; Amendments to Part 11 of the Commission’s Rules Regarding the Emergency Alert System, PS Docket Nos. 15-91, 15-94, Report and Order and Further Notice of Proposed Rulemaking, 31 FCC Rcd 11112, 11185, para. 113 (2016) (WEA R&O and FNPRM). T-Mobile, ATIS, and CTIA, the only three commenters addressing this proposal, urged the Commission not to adopt it because “the rules should maximize the technological flexibility of CMS Providers participating in WEA.” T-Mobile USA, Inc., PS Docket No 15-91, Reply, at 10 (Jan. 8, 2017); accord Alliance for Telecommunications Industry Solutions (ATIS), PS Docket No. 15-91, Comments, at 3 (Dec. 8, 2016); CTIA, PS Docket No. 15-91, Comments, at 8 (Dec. 8, 2016). In the ten years since WEA’s deployment, however, Participating CMS Providers have coalesced around cell broadcast as the wireless technology used to transmit WEA alerts to capable mobile devices, and ATIS has standardized system performance. See, e.g., Enhanced Wireless Emergency Alert (eWEA) via GSM/UMTS Cell Broadcast Service Specification (ATIS-0700006.v002). 42. Accordingly, we seek to refresh the record on our proposal to remove these statements from the WEA rules. We believe these provisions introduce confusion and are unnecessary, particularly as we do not expect that any Participating CMS Provider would need to make changes to their WEA service as a result of this proposed amendment. We seek comment on this proposal, particularly from any CMS Provider that would need to make changes to their WEA offerings in the event that the rules were so amended. F. Promoting Digital Equity 43. 
The Commission, as part of its continuing effort to advance digital equity for all, Section 1 of the Communications Act of 1934 as amended provides that the FCC “regulat[es] interstate and foreign commerce in communication by wire and radio so as to make [such service] available, so far as possible, to all the people of the United States, without discrimination on the basis of race, color, religion, national origin, or sex.” 47 U.S.C. § 151. including people of color, persons with disabilities, persons who live in rural or Tribal areas, and others who are or have been historically underserved, marginalized, or adversely affected by persistent poverty or inequality, invites comment on any equity-related considerations The term “equity” is used here consistent with Executive Order 13985 as the consistent and systematic fair, just, and impartial treatment of all individuals, including individuals who belong to underserved communities that have been denied such treatment, such as Black, Latino, and Indigenous and Native American persons, Asian Americans and Pacific Islanders and other persons of color; members of religious minorities; lesbian, gay, bisexual, transgender, and queer (LGBTQ+) persons; persons with disabilities; persons who live in rural areas; and persons otherwise adversely affected by persistent poverty or inequality. See Exec. Order No. 13985, 86 Fed. Reg. 7009, Executive Order on Advancing Racial Equity and Support for Underserved Communities Through the Federal Government (Jan. 20, 2021). and benefits (if any) that may be associated with the proposals and issues discussed herein. Specifically, we seek comment on how our proposals may promote or inhibit advances in diversity, equity, inclusion, and accessibility, as well as the scope of the Commission’s relevant legal authority.
See Wireless Emergency Alerts; Amendments to Part 11 of the Commission’s Rules Regarding the Emergency Alert System, Report and Order and Further Notice of Proposed Rulemaking, FCC 16-127, PS Docket Nos. 15-191 and 15-94, Para. 176 at 11217 (Sept. 29, 2016) (2016 EAS Amendments to Part 11). G. Compliance Timeframes 44. Promoting the Operational Readiness of EAS Equipment. To the extent that we adopt requirements to improve the operational readiness of EAS, we seek comment on when those rules should go into effect. For example, if we were to adopt rules to hasten or improve the Commission’s visibility into the repair or replacement of non-operational EAS equipment, should those rules go into effect 30 days from publication in the Federal Register of notice that the Office of Management and Budget has completed its review of the modified information collection? What factors should we consider when determining when alternative operational readiness requirements should go into effect? 45. Improving Awareness of Unauthorized Access to EAS Equipment. We propose that the revision of Section 11.45 to require EAS Participants to report any incident of unauthorized access of their EAS equipment would be effective 60 days from publication in the Federal Register of notice that the Office of Management and Budget has completed its review of the modified information collection. We seek comment on this proposed timeframe. In the NDAA21 R&O, the Commission required EAS Participants to report false alerts to the Commission and, in a subsequent Public Notice, announced a compliance deadline approximately 60 days from publication in the Federal Register of notice that the Office of Management and Budget has approved the modified information collection. 
Amendment of the Commission’s Rules Regarding the Emergency Alert System; Wireless Emergency Alerts, PS Dockets 15-94 and 15-91, Report and Order, 36 FCC Rcd 10694 (June 17, 2021) (NDAA21 R&O); Public Safety and Homeland Security Bureau Announces Compliance Dates for Certain Emergency Alert System (EAS) and Wireless Emergency Alerts (WEA) Rules, PS Docket Nos. 15-91, 15-94, Public Notice, DA 22-600 (Jun. 6, 2022). We seek comment on whether an EAS Participant’s process for ascertaining whether an incident of unauthorized access of its EAS equipment has occurred and reporting it to the Commission entails a level of effort comparable to compliance with the Commission’s false alert reporting requirement. Would EAS Participants’ compliance with the Commission’s false alert reporting requirement reduce the incremental burden of compliance with this proposal? 46. Certifying to the Implementation of Cybersecurity Risk Management Plans. We propose that EAS Participants and Participating CMS Providers must certify to the implementation of a cybersecurity risk management plan that includes measures sufficient to ensure the confidentiality, integrity, and reliability of their respective alerting systems within 12 months of the publication in the Federal Register of notice that the Office of Management and Budget has completed its review of the modified information collection. A 12-month timeframe would be intended to provide time for EAS Participants that do not already have a risk management plan in place to create one, including by preparing the organization to manage security and privacy risks, categorizing the systems and the information that it processes, stores, and transmits, and selecting controls to protect the system. 
A 12-month timeframe could also provide time to implement the security controls that the plan describes, assess whether the controls are in place, operating as intended, and producing the desired results, appoint a senior official to authorize the system, and develop mechanisms to continuously monitor control implementation and risks to the system. We seek comment on these proposals. Should we offer EAS Participants and Participating CMS Providers who are small businesses an additional 12 months to comply with this requirement, with compliance required within 24 months of publication in the Federal Register of notice that the Office of Management and Budget has completed its review of the modified information collection? Is there any reason why EAS and Participating CMS Providers should have different implementation timeframes? 47. Displaying Only Valid WEA Messages on Mobile Devices. We propose that CMS Providers transmit sufficient authentication information to allow mobile devices to present WEA alerts only if they come from valid base stations 30 months from the publication of these rules in the Federal Register. The record in our WEA proceedings supports the premise that Participating CMS Providers require 12 months to work through appropriate industry bodies to publish relevant standards, another 12 months for Participating CMS Providers and mobile device manufacturers to develop, test, and integrate software upgrades consistent with those standards, and then 6 more months to deploy this new technology to the field during normal technology refresh cycles. See WEA R&O and NPRM, 31 FCC Rcd at 11161-62, para. 79. We seek comment on the applicability of this approach and timeframe, with which Participating CMS Providers have experience, to this proposal. 
We seek comment, in the alternative, on whether the urgent public safety need to protect the public from false alerts necessitates an expedited compliance timeframe and, if so, what that compliance timeframe should be. 48. WEA Infrastructure Functionality. We propose to remove language from our WEA infrastructure and mobile device rules effective 30 days after the rules’ publication in the Federal Register. We do not believe that Participating CMS Providers will need to make any changes to comply with these rules as revised because they offer a WEA service that is consistent with the rules as otherwise written. We seek comment on this compliance timeframe and on this view. IV. PROCEDURAL MATTERS 49. Paperwork Reduction Act. This document contains proposed new and modified information collection requirements. The Commission, as part of its continuing effort to reduce paperwork burdens, invites the general public and the Office of Management and Budget (OMB) to comment on the information collection requirements contained in this document, as required by the Paperwork Reduction Act of 1995, Public Law 104-13. In addition, pursuant to the Small Business Paperwork Relief Act of 2002, Public Law 107-198, see 44 U.S.C. § 3506(c)(4), we seek specific comment on how we might further reduce the information collection burden for small business concerns with fewer than 25 employees. 50. Ex Parte Rules - Permit-But-Disclose. The proceeding this Notice initiates shall be treated as a “permit-but-disclose” proceeding in accordance with the Commission’s ex parte rules. 47 CFR §§ 1.1200 et seq. Persons making ex parte presentations must file a copy of any written presentation or a memorandum summarizing any oral presentation within two business days after the presentation (unless a different deadline applicable to the Sunshine period applies).
Persons making oral ex parte presentations are reminded that memoranda summarizing the presentation must (1) list all persons attending or otherwise participating in the meeting at which the ex parte presentation was made, and (2) summarize all data presented and arguments made during the presentation. If the presentation consisted in whole or in part of the presentation of data or arguments already reflected in the presenter’s written comments, memoranda or other filings in the proceeding, the presenter may provide citations to such data or arguments in his or her prior comments, memoranda, or other filings (specifying the relevant page and/or paragraph numbers where such data or arguments can be found) in lieu of summarizing them in the memorandum. Documents shown or given to Commission staff during ex parte meetings are deemed to be written ex parte presentations and must be filed consistent with Rule 1.1206(b). In proceedings governed by Rule 1.49(f) or for which the Commission has made available a method of electronic filing, written ex parte presentations and memoranda summarizing oral ex parte presentations, and all attachments thereto, must be filed through the electronic comment filing system available for that proceeding, and must be filed in their native format (e.g., .doc, .xml, .ppt, searchable .pdf). Participants in this proceeding should familiarize themselves with the Commission’s ex parte rules. 51. Regulatory Flexibility Act. The Regulatory Flexibility Act of 1980, as amended (RFA), See 5 U.S.C. § 603. The RFA, 5 U.S.C. §§ 601–612, was amended by the Small Business Regulatory Enforcement Fairness Act of 1996 (SBREFA), Pub. L. No. 104-121, Title II, 110 Stat. 857 (1996). requires that an agency prepare a regulatory flexibility analysis for notice and comment rulemakings, unless the agency certifies that “the rule will not, if promulgated, have a significant economic impact on a substantial number of small entities.” Id. 
Accordingly, the Commission has prepared an Initial Regulatory Flexibility Analysis (IRFA) concerning the possible impact of the rule and policy changes contained in this Notice of Proposed Rulemaking. The IRFA is set forth in Appendix B. 52. Filing Requirements—Comments and Replies. Pursuant to sections 1.415 and 1.419 of the Commission’s rules, 47 CFR §§ 1.415, 1.419, interested parties may file comments and reply comments on or before the dates indicated on the first page of this document. Comments may be filed using the Commission’s Electronic Comment Filing System (ECFS). See Electronic Filing of Documents in Rulemaking Proceedings, 63 FR 24121 (1998). · Electronic Filers: Comments may be filed electronically using the Internet by accessing the ECFS: https://www.fcc.gov/ecfs/. · Paper Filers: Parties who choose to file by paper must file an original and one copy of each filing. · Filings can be sent by commercial overnight courier, or by first-class or overnight U.S. Postal Service mail. All filings must be addressed to the Commission’s Secretary, Office of the Secretary, Federal Communications Commission. o Commercial overnight mail (other than U.S. Postal Service Express Mail and Priority Mail) must be sent to 9050 Junction Drive, Annapolis Junction, MD 20701. o Postal Service first-class, Express, and Priority mail must be addressed to 45 L Street, NE, Washington, DC 20554. · Effective March 19, 2020, and until further notice, the Commission no longer accepts any hand or messenger delivered filings. This is a temporary measure taken to help protect the health and safety of individuals, and to mitigate the transmission of COVID-19. See FCC Announces Closure of FCC Headquarters Open Window and Change in Hand-Delivery Policy, Public Notice, 35 FCC Rcd 2788 (2020). 
· During the time the Commission’s building is closed to the general public and until further notice, if more than one docket or rulemaking number appears in the caption of a proceeding, paper filers need not submit two additional copies for each additional docket or rulemaking number; an original and one copy are sufficient.

53. People with Disabilities. To request materials in accessible formats for people with disabilities (braille, large print, electronic files, audio format), send an e-mail to fcc504@fcc.gov or call the Consumer & Governmental Affairs Bureau at 202-418-0530 (voice), 202-418-0432 (tty).

54. Additional Information. For further information regarding this Notice, please contact James Wiley, Cybersecurity and Communications Reliability Division, Public Safety and Homeland Security Bureau, (202) 418-1678, or by email to james.wiley@fcc.gov, or Steven Carpenter, Cybersecurity and Communications Reliability Division, Public Safety and Homeland Security Bureau, (202) 418-2313, or by email to steven.carpenter@fcc.gov.

V. ORDERING CLAUSES

55. Accordingly, IT IS ORDERED that pursuant to Sections 1, 2, 4(i), 4(n), 301, 303(b), 303(g), 303(r), 303(v), 307, 309, 335, 403, 624(g), and 706 of the Communications Act of 1934, as amended, 47 U.S.C. §§ 151, 152, 154(i), 154(n), 301, 303(b), 303(g), 303(r), 303(v), 307, 309, 335, 403, 544(g), and 606; The Warning, Alert and Response Network (WARN) Act, WARN Act §§ 602(a), (b), (c), (f), 603, 604, and 606, 47 U.S.C. §§ 1202(a), (b), (c), (f), 1203, 1204 and 1206; the Wireless Communications and Public Safety Act of 1999, Pub. L. No. 106-81, 47 U.S.C. §§ 615, 615a, 615b; Section 202 of the Twenty-First Century Communications and Video Accessibility Act of 2010, as amended, 47 U.S.C. § 613, this Notice of Proposed Rulemaking IS hereby ADOPTED.

56.
IT IS FURTHER ORDERED that the Commission’s Consumer and Governmental Affairs Bureau, Reference Information Center, SHALL SEND a copy of this Notice, including the Initial Regulatory Flexibility Analysis, to the Chief Counsel for Advocacy of the Small Business Administration.

APPENDIX A: Proposed Rules

For the reasons set forth above, Parts 10 and 11 of Title 47 of the Code of Federal Regulations are amended as follows:

PART 10 – WIRELESS EMERGENCY ALERTS

1. The authority citation for part 10 continues to read as follows:

Authority: [To be inserted prior to Federal Register publication.]

2. Revise § 10.330 to read as follows:

§ 10.330 Provider infrastructure requirements.

This section specifies the general functions that a Participating CMS Provider is required to perform within its infrastructure.

(a) Distribution of Alert Messages to mobile devices.
(b) Authentication of interactions with mobile devices, including the transmission of sufficient authentication information to allow mobile devices to only present WEA alerts from valid base stations.
(c) Reference Points D & E. Reference Point D is the interface between a CMS Provider gateway and its infrastructure. Reference Point E is the interface between a provider’s infrastructure and mobile devices including air interfaces.

3. Add § 10.360 to subpart C to read as follows:

§ 10.360 Cybersecurity Risk Management Plan Certification.

(a) Each participating CMS Provider shall submit a certification to the Commission that it has created, annually updated, and implemented a cybersecurity risk management plan. The cybersecurity risk management plan shall describe how the Participating CMS Provider employs its organizational resources and processes to ensure the confidentiality, integrity, and availability of WEA.
The plan shall discuss how the Participating CMS Provider identifies the cyber risks that it faces, the controls it uses to mitigate those risks, and how it ensures that these controls are applied effectively to its operations. The plan shall address the security of all aspects of the Participating CMS Provider’s communications systems and services that potentially could affect its provision of WEA messages. The plan shall be made available to the Commission upon request.

(b) Participating CMS Providers shall employ sufficient security controls to ensure the confidentiality, integrity, and availability of the EAS. In furtherance of this requirement, the cybersecurity risk management plan shall address, but not be limited to, the following security controls:
(1) Changing default passwords prior to operation;
(2) Installing security updates in a timely manner;
(3) Securing equipment behind properly configured firewalls or using other segmentation practices;
(4) Requiring multifactor authentication where applicable;
(5) Addressing the replacement of end-of-life equipment; and
(6) Wiping, clearing, or encrypting user information before disposing of old devices.

(c) Participating CMS Providers shall take reasonable measures to protect the confidentiality, integrity, and availability of EAS to avoid the transmission of false alerts or non-transmission of valid Alert Messages; failure to do so shall be, in addition to a violation of any specific provisions of this section, § 11.45(a) of this chapter, or § 10.520(d), an independent breach of this duty.

4. Revise § 10.500 introductory text as follows:

§ 10.500 General requirements.

Mobile devices are required to perform the following functions:

* * * * *

PART 11 – EMERGENCY ALERT SYSTEM (EAS)

5. The authority citation for part 11 continues to read as follows:

Authority: [To be inserted prior to Federal Register publication.]

6. In § 11.35, add paragraph (d) to read as follows:

§ 11.35 Equipment operational readiness.
* * * * *

(d) Annual EAS Security Certification.

(1) The identifying information required by the ETRS as specified in § 11.61(a)(3)(iv) shall include a Certification to the Commission that the EAS Participant has created, annually updated, and implemented a cybersecurity risk management plan. The cybersecurity risk management plan shall describe how the EAS Participant employs its organizational resources and processes to ensure the confidentiality, integrity, and availability of the EAS. The plan shall discuss how the EAS Participant identifies the cyber risks that it faces, the controls it uses to mitigate those risks, and how it ensures that these controls are applied effectively to their operations. The plan shall address the security of all aspects of an EAS Participant’s communications systems and services that potentially could affect its provision of EAS messages. The plan shall be made available to the Commission upon request.

(2) EAS Participants shall employ sufficient security controls to ensure the confidentiality, integrity, and availability of the EAS. In furtherance of this requirement, the cybersecurity risk management plan shall address, but not be limited to, the following security controls:
(i) Changing default passwords prior to operation;
(ii) Installing security updates in a timely manner;
(iii) Securing equipment behind properly configured firewalls or using other segmentation practices;
(iv) Requiring multifactor authentication where applicable;
(v) Addressing the replacement of end-of-life equipment; and
(vi) Wiping, clearing, or encrypting user information before disposing of old devices.
(3) EAS Participants shall take reasonable measures to protect the confidentiality, integrity, and availability of EAS to avoid the transmission of false alerts or non-transmission of valid EAS messages; failure to do so shall be, in addition to a violation of any specific provisions of this section, § 11.45(a), or § 10.520(d) of this chapter, an independent breach of this duty.

7. Revise § 11.45 by redesignating paragraph (c) as paragraph (d) and adding a new paragraph (c) to read as follows:

§ 11.45 Prohibition of false or deceptive EAS transmissions.

* * * * *

(c) No later than seventy-two (72) hours after an EAS Participant knows or should have known that its EAS equipment, or communications systems, or services that potentially could affect their provision of EAS, have been accessed in an unauthorized manner, the EAS Participant shall provide notification to the Commission identifying, if applicable, the date range of the incident, a description of the unauthorized access, the impact to the EAS Participant’s EAS operational readiness, a description of the vulnerabilities exploited and the techniques used to access the device, identifying information for each actor responsible for the incident, and contact information for the EAS Participant. When one event or set of events gives rise to obligations under both paragraphs (b) and (c) of this section, an EAS Participant remains subject to each requirement individually. The Participant may elect to send a single notification to the Commission within 24 hours providing all the information described in both paragraphs or separate notification to the Commission within 24 hours and 72 hours.

(d) * * *

APPENDIX B: Initial Regulatory Flexibility Analysis

1. As required by the Regulatory Flexibility Act of 1980, as amended (RFA), [See 5 U.S.C. § 603. The RFA, 5 U.S.C. §§ 601-612, has been amended by the Small Business Regulatory Enforcement Fairness Act of 1996 (SBREFA), Pub. L. No. 104-121, Title II, 110 Stat. 857 (1996).]
the Commission has prepared this Initial Regulatory Flexibility Analysis (IRFA) of the possible significant economic impact on a substantial number of small entities by the policies and rules proposed in the Notice of Proposed Rulemaking (Notice). Written public comments are requested on this IRFA. Comments must be identified as responses to the IRFA and must be filed by the deadlines for comments on the Notice. The Commission will send a copy of the Notice, including this IRFA, to the Chief Counsel for Advocacy of the Small Business Administration (SBA). See 5 U.S.C. § 603(a). In addition, the Notice and IRFA (or summaries thereof) will be published in the Federal Register. See id. A. Need for, and Objectives of, the Proposed Rules 2. The security of the nation’s alert and warning systems is essential to helping safeguard the lives and property of all Americans. To ensure that the EAS and WEA remain strong, the Commission must act proactively in its oversight of stakeholders associated with these systems. The Commission has previously encouraged stakeholders to ensure that their systems are secure and provided guidance on specific steps that communications providers could take to secure their equipment. According to data collected by the Public Safety and Homeland Security Bureau (Bureau) during the nationwide EAS test in August 2021 however, more than 5,000 EAS Participants were using outdated software or using equipment that no longer supported regular software updates. Moreover, in the area of equipment operational readiness, the test also revealed that an appreciable number of EAS Participants were unable to participate in testing due to equipment failure. This was despite receiving advanced notice that the test was going to be conducted. The Commission therefore believes the information revealed in the nationwide EAS test signals that we should take action to ensure and enhance the security of the EAS and WEA. 
In the Notice, the Commission acts to improve the security and reliability of the EAS and WEA by proposing and seeking comment on rules promoting the operational readiness of EAS equipment, improving awareness of unauthorized access to EAS equipment, communications systems, or services, protecting the nation’s alerting systems through the development, implementation, and certification of a cybersecurity risk management plan and displaying only valid WEA messages on mobile devices.

3. Specific proposals upon which the Commission seeks comment include: requiring EAS Participants and Participating CMS Providers to annually certify to having a cybersecurity risk management plan in place and employing sufficient security controls to ensure the confidentiality, integrity, and availability of their respective alerting systems (including certain baseline security controls); requiring EAS Participants to report any incident of unauthorized access of their EAS equipment, communications systems, or services (i.e., regardless of whether that compromise has resulted in the transmission of a false alert) to the Commission via NORS within 72 hours of when it knew or should have known that an incident has occurred, and provide details concerning the incident and requiring that mobile devices only present WEA alerts from valid base stations. In addition, the Commission seeks comment on whether and how to promote the operational readiness of EAS. The Commission also seeks comment to refresh the record on previously proposed changes to the WEA infrastructure functionality rules, [See Wireless Emergency Alerts; Amendments to Part 11 of the Commission’s Rules Regarding the Emergency Alert System, PS Docket Nos. 15-91, 15-94, Report and Order and Further Notice of Proposed Rulemaking, 31 FCC Rcd 11112, 11185, para. 113 (2016) (WEA R&O and FNPRM).]
and on how our proposals in the Notice may promote or inhibit advances in diversity, equity, inclusion, and accessibility, as well as on the scope of the Commission’s relevant legal authority.

B. Legal Basis

4. The proposed action is authorized pursuant to Sections 1, 2, 4(i), 4(n), 301, 303(b), 303(g), 303(r), 303(v), 307, 309, 335, 403, 624(g), and 706 of the Communications Act of 1934, as amended, 47 U.S.C. §§ 151, 152, 154(i), 154(n), 301, 303(b), 303(g), 303(r), 303(v), 307, 309, 335, 403, 544(g), and 606; The Warning, Alert and Response Network (WARN) Act, WARN Act §§ 602(a), (b), (c), (f), 603, 604, and 606, 47 U.S.C. §§ 1202(a), (b), (c), (f), 1203, 1204 and 1206; the Wireless Communications and Public Safety Act of 1999, Pub. L. No. 106-81, 47 U.S.C. §§ 615, 615a, 615b; Section 202 of the Twenty-First Century Communications and Video Accessibility Act of 2010, as amended, 47 U.S.C. § 613.

C. Description and Estimate of the Number of Small Entities to Which the Proposed Rules Will Apply

5. The RFA directs agencies to provide a description of and, where feasible, an estimate of, the number of small entities that may be affected by the proposed rules, if adopted. See id. § 603(b)(3). The RFA generally defines the term “small entity” as having the same meaning as the terms “small business,” “small organization,” and “small governmental jurisdiction.” See id. § 601(6). In addition, the term “small business” has the same meaning as the term “small business concern” under the Small Business Act. See id. § 601(3) (incorporating by reference the definition of “small-business concern” in the Small Business Act, 15 U.S.C. § 632). Pursuant to 5 U.S.C.
§ 601(3), the statutory definition of a small business applies “unless an agency, after consultation with the Office of Advocacy of the Small Business Administration and after opportunity for public comment, establishes one or more definitions of such term which are appropriate to the activities of the agency and publishes such definition(s) in the Federal Register.” A “small business concern” is one which: (1) is independently owned and operated; (2) is not dominant in its field of operation; and (3) satisfies any additional criteria established by the Small Business Administration (SBA). 15 U.S.C. § 632. 6. Small Businesses, Small Organizations, Small Governmental Jurisdictions. Our actions, over time, may affect small entities that are not easily categorized at present. We therefore describe here, at the outset, three broad groups of small entities that could be directly affected herein. See 5 U.S.C. § 601(3)-(6). First, while there are industry specific size standards for small businesses that are used in the regulatory flexibility analysis, according to data from the SBA’s Office of Advocacy, in general a small business is an independent business having fewer than 500 employees. See SBA, Office of Advocacy, Frequently Asked Questions, “What is a small business?,” https://cdn.advocacy.sba.gov/wp-content/uploads/2021/11/03093005/Small-Business-FAQ-2021.pdf. (Nov 2021). These types of small businesses represent 99.9% of all businesses in the United States, which translates to 32.5 million businesses. Id. 7. Next, the type of small entity described as a “small organization” is generally “any not-for-profit enterprise which is independently owned and operated and is not dominant in its field.” See 5 U.S.C. § 601(4). The Internal Revenue Service (IRS) uses a revenue benchmark of $50,000 or less to delineate its annual electronic filing requirements for small exempt organizations. 
The IRS benchmark is similar to the population of less than 50,000 benchmark in 5 U.S.C. § 601(5) that is used to define a small governmental jurisdiction. Therefore, the IRS benchmark has been used to estimate the number of small organizations in this small entity description. See Annual Electronic Filing Requirement for Small Exempt Organizations — Form 990-N (e-Postcard), https://www.irs.gov/charities-non-profits/annual-electronic-filing-requirement-for-small-exempt-organizations-form-990-n-e-postcard. We note that the IRS data does not provide information on whether a small exempt organization is independently owned and operated or dominant in its field. Nationwide, for tax year 2020, there were approximately 447,689 small exempt organizations in the U.S. reporting revenues of $50,000 or less according to the registration and tax data for exempt organizations available from the IRS. See Exempt Organizations Business Master File Extract (EO BMF), "CSV Files by Region," https://www.irs.gov/charities-non-profits/exempt-organizations-business-master-file-extract-eo-bmf. The IRS Exempt Organization Business Master File (EO BMF) Extract provides information on all registered tax-exempt/non-profit organizations. The data utilized for purposes of this description was extracted from the IRS EO BMF data for businesses for the tax year 2020 with revenue less than or equal to $50,000, for Region 1-Northeast Area (58,577), Region 2-Mid-Atlantic and Great Lakes Areas (175,272), and Region 3-Gulf Coast and Pacific Coast Areas (213,840) which includes the continental U.S., Alaska, and Hawaii. This data does not include information for Puerto Rico.

8. Finally, the small entity described as a “small governmental jurisdiction” is defined generally as “governments of cities, counties, towns, townships, villages, school districts, or special districts, with a population of less than fifty thousand.” See 5 U.S.C. § 601(5). U.S.
Census Bureau data from the 2017 Census of Governments [See 13 U.S.C. § 161. The Census of Governments survey is conducted every five (5) years compiling data for years ending with “2” and “7”. See also Census of Governments, https://www.census.gov/programs-surveys/cog/about.html.] indicate that there were 90,075 local governmental jurisdictions consisting of general purpose governments and special purpose governments in the United States. See U.S. Census Bureau, 2017 Census of Governments – Organization Table 2. Local Governments by Type and State: 2017 [CG1700ORG02], https://www.census.gov/data/tables/2017/econ/gus/2017-governments.html. Local governmental jurisdictions are made up of general purpose governments (county, municipal and town or township) and special purpose governments (special districts and independent school districts). See also tbl.2. CG1700ORG02 Table Notes_Local Governments by Type and State_2017. Of this number there were 36,931 general purpose governments (county, [See id. at tbl.5. County Governments by Population-Size Group and State: 2017 [CG1700ORG05], https://www.census.gov/data/tables/2017/econ/gus/2017-governments.html. There were 2,105 county governments with populations less than 50,000. This category does not include subcounty (municipal and township) governments.] municipal and town or township [See id. at tbl.6. Subcounty General-Purpose Governments by Population-Size Group and State: 2017 [CG1700ORG06], https://www.census.gov/data/tables/2017/econ/gus/2017-governments.html. There were 18,729 municipal and 16,097 town and township governments with populations less than 50,000.]) with populations of less than 50,000 and 12,040 special purpose governments - independent school districts [See id. at tbl.10. Elementary and Secondary School Systems by Enrollment-Size Group and State: 2017 [CG1700ORG10], https://www.census.gov/data/tables/2017/econ/gus/2017-governments.html. There were 12,040 independent school districts with enrollment populations less than 50,000. See also tbl.4. Special-Purpose Local Governments by State Census Years 1942 to 2017 [CG1700ORG04], CG1700ORG04 Table Notes_Special Purpose Local Governments by State_Census Years 1942 to 2017.] with enrollment populations of less than 50,000. While the special purpose governments category also includes local special district governments, the 2017 Census of Governments data does not provide data aggregated based on population size for the special purpose governments category. Therefore, only data from independent school districts is included in the special purpose governments category. Accordingly, based on the 2017 U.S. Census of Governments data, we estimate that at least 48,971 entities fall into the category of “small governmental jurisdictions.” This total is derived from the sum of the number of general purpose governments (county, municipal and town or township) with populations of less than 50,000 (36,931) and the number of special purpose governments - independent school districts with enrollment populations of less than 50,000 (12,040), from the 2017 Census of Governments - Organizations tbls.5, 6 & 10.

9. Wireless Telecommunications Carriers (except Satellite). This industry comprises establishments engaged in operating and maintaining switching and transmission facilities to provide communications via the airwaves. See U.S. Census Bureau, 2017 NAICS Definition, “517312 Wireless Telecommunications Carriers (except Satellite),” https://www.census.gov/naics/?input=517312&year=2017&details=517312. Establishments in this industry have spectrum licenses and provide services using that spectrum, such as cellular services, paging services, wireless internet access, and wireless video services. Id. The SBA size standard for this industry classifies a business as small if it has 1,500 or fewer employees. See 13 CFR § 121.201, NAICS Code 517312. U.S.
Census Bureau data for 2017 show that there were 2,893 firms in this industry that operated for the entire year. See U.S. Census Bureau, 2017 Economic Census of the United States, Employment Size of Firms for the U.S.: 2017, Table ID: EC1700SIZEEMPFIRM, NAICS Code 517312, https://data.census.gov/cedsci/table?y=2017&n=517312&tid=ECNSIZE2017.EC1700SIZEEMPFIRM&hidePreview=false. Of that number, 2,837 firms employed fewer than 250 employees. Id. The available U.S. Census Bureau data does not provide a more precise estimate of the number of firms that meet the SBA size standard. Additionally, based on Commission data in the 2021 Universal Service Monitoring Report, as of December 31, 2020, there were 797 providers that reported they were engaged in the provision of wireless services. Federal-State Joint Board on Universal Service, Universal Service Monitoring Report at 26, Table 1.12 (2021), https://docs.fcc.gov/public/attachments/DOC-379181A1.pdf. Of these providers, the Commission estimates that 715 providers have 1,500 or fewer employees. Id. Consequently, using the SBA’s small business size standard, most of these providers can be considered small entities.

10. Broadband Personal Communications Service. The broadband personal communications services (PCS) spectrum encompasses services in the 1850-1910 and 1930-1990 MHz bands. See 47 CFR § 24.200. The closest industry with a SBA small business size standard applicable to these services is Wireless Telecommunications Carriers (except Satellite). See U.S. Census Bureau, 2017 NAICS Definition, “517312 Wireless Telecommunications Carriers (except Satellite),” https://www.census.gov/naics/?input=517312&year=2017&details=517312. The SBA small business size standard for this industry classifies a business as small if it has 1,500 or fewer employees. See 13 CFR § 121.201, NAICS Code 517312. U.S. Census Bureau data for 2017 show that there were 2,893 firms that operated in this industry for the entire year. See U.S.
Census Bureau, 2017 Economic Census of the United States, Employment Size of Firms for the U.S.: 2017, Table ID: EC1700SIZEEMPFIRM, NAICS Code 517312, https://data.census.gov/cedsci/table?y=2017&n=517312&tid=ECNSIZE2017.EC1700SIZEEMPFIRM&hidePreview=false. Of this number, 2,837 firms employed fewer than 250 employees. Id. The available U.S. Census Bureau data does not provide a more precise estimate of the number of firms that meet the SBA size standard. Thus under the SBA size standard, the Commission estimates that a majority of licensees in this industry can be considered small. 11. Based on Commission data as of November 2021, there were approximately 5,060 active licenses in the Broadband PCS service. Based on a FCC Universal Licensing System search on November 16, 2021, https://wireless2.fcc.gov/UlsApp/UlsSearch/searchAdvanced.jsp. Search parameters: Service Group = All, “Match only the following radio service(s)”, Radio Service = CW; Authorization Type = All; Status = Active. We note that the number of active licenses does not equate to the number of licensees. A licensee can have one or more licenses. The Commission’s small business size standards with respect to Broadband PCS involve eligibility for bidding credits and installment payments in the auction of licenses for these services. In auctions for these licenses, the Commission defined “small business” as an entity that, together with its affiliates and controlling interests, has average gross revenues not exceeding $40 million for the preceding three years, and a “very small business” as an entity that, together with its affiliates and controlling interests, has had average annual gross revenues not exceeding $15 million for the preceding three years. See 47 CFR § 24.720(b). Winning bidders claiming small business credits won Broadband PCS licenses in C, D, E, and F Blocks. 
See Federal Communications Commission, Office of Economics and Analytics, Auctions, Auctions 4, 5, 10, 11, 22, 35, 58, 71 and 78, https://www.fcc.gov/auctions.

12. In frequency bands where licenses were subject to auction, the Commission notes that as a general matter, the number of winning bidders that qualify as small businesses at the close of an auction does not necessarily represent the number of small businesses currently in service. Further, the Commission does not generally track subsequent business size unless, in the context of assignments or transfers, unjust enrichment issues are implicated. Additionally, since the Commission does not collect data on the number of employees for licensees providing these services, at this time we are not able to estimate the number of licensees with active licenses that would qualify as small under the SBA’s small business size standard.

13. Narrowband Personal Communications Services. Narrowband Personal Communications Services (Narrowband PCS) are PCS services operating in the 901-902 MHz, 930-931 MHz, and 940-941 MHz bands. See 47 CFR § 24.5. PCS services are radio communications that encompass mobile and ancillary fixed communication that provide services to individuals and businesses and can be integrated with a variety of competing networks. Id. Wireless Telecommunications Carriers (except Satellite) [See U.S. Census Bureau, 2017 NAICS Definition, “517312 Wireless Telecommunications Carriers (except Satellite),” https://www.census.gov/naics/?input=517312&year=2017&details=517312.] is the closest industry with a SBA small business size standard applicable to these services. The SBA small business size standard for this industry classifies a business as small if it has 1,500 or fewer employees. See 13 CFR § 121.201, NAICS Code 517312. U.S. Census Bureau data for 2017 show that there were 2,893 firms that operated in this industry for the entire year. See U.S.
Census Bureau, 2017 Economic Census of the United States, Employment Size of Firms for the U.S.: 2017, Table ID: EC1700SIZEEMPFIRM, NAICS Code 517312, https://data.census.gov/cedsci/table?y=2017&n=517312&tid=ECNSIZE2017.EC1700SIZEEMPFIRM&hidePreview=false. Of this number, 2,837 firms employed fewer than 250 employees. Id. The available U.S. Census Bureau data does not provide a more precise estimate of the number of firms that meet the SBA size standard. Thus under the SBA size standard, the Commission estimates that a majority of licensees in this industry can be considered small. 14. According to Commission data as of December 2021, there were approximately 4,211 active Narrowband PCS licenses. Based on a FCC Universal Licensing System search on December 10, 2021, https://wireless2.fcc.gov/UlsApp/UlsSearch/searchAdvanced.jsp. Search parameters: Service Group = All, “Match only the following radio service(s)”, Radio Service = CN; Authorization Type = All; Status = Active. We note that the number of active licenses does not equate to the number of licensees. A licensee can have one or more licenses. The Commission’s small business size standards with respect to Narrowband PCS involve eligibility for bidding credits and installment payments in the auction of licenses for these services. For the auction of these licenses, the Commission defined a “small business” as an entity that, together with affiliates and controlling interests, has average gross revenues for the three preceding years of not more than $40 million. See 47 CFR § 24.321(a)(1)-(2). A “very small business” is defined as an entity that, together with affiliates and controlling interests, has average gross revenues for the three preceding years of not more than $15 million. Id. Pursuant to these definitions, 7 winning bidders claiming small and very small bidding credits won approximately 359 licenses. 
See Federal Communications Commission, Economics and Analytics, Auctions, Auction 41: Narrowband PCS, Summary, Closing Charts, License By Bidder, https://www.fcc.gov/sites/default/files/wireless/auctions/41/charts/41cls2.pdf; Auction 50: Narrowband PCS, Summary, Closing Charts, License By Bidder, https://www.fcc.gov/sites/default/files/wireless/auctions/50/charts/50cls2.pdf. One of the winning bidders claiming a small business status classification in these Narrowband PCS license auctions had an active license as of December 2021. Based on a FCC Universal Licensing System search on December 10, 2021, https://wireless2.fcc.gov/UlsApp/UlsSearch/searchAdvanced.jsp. Search parameters: Service Group = All, “Match only the following radio service(s)”, Radio Service = CN; Authorization Type = All; Status = Active. We note that the number of active licenses does not equate to the number of licensees. A licensee can have one or more licenses. 15. In frequency bands where licenses were subject to auction, the Commission notes that as a general matter, the number of winning bidders that qualify as small businesses at the close of an auction does not necessarily represent the number of small businesses currently in service. Further, the Commission does not generally track subsequent business size unless, in the context of assignments or transfers, unjust enrichment issues are implicated. Additionally, since the Commission does not collect data on the number of employees for licensees providing these services, at this time we are not able to estimate the number of licensees with active licenses that would qualify as small under the SBA’s small business size standard. 16. Wireless Communications Services. Wireless Communications Services (WCS) can be used for a variety of fixed, mobile, radiolocation, and digital audio broadcasting satellite services. 
Wireless spectrum is made available and licensed for the provision of wireless communications services in several frequency bands subject to Part 27 of the Commission’s rules. See 47 CFR §§ 27.1 – 27.1607. Wireless Telecommunications Carriers (except Satellite) See U.S. Census Bureau, 2017 NAICS Definition, “517312 Wireless Telecommunications Carriers (except Satellite),” https://www.census.gov/naics/?input=517312&year=2017&details=517312. is the closest industry with a SBA small business size standard applicable to these services. The SBA small business size standard for this industry classifies a business as small if it has 1,500 or fewer employees. See 13 CFR § 121.201, NAICS Code 517312. U.S. Census Bureau data for 2017 show that there were 2,893 firms that operated in this industry for the entire year. See U.S. Census Bureau, 2017 Economic Census of the United States, Employment Size of Firms for the U.S.: 2017, Table ID: EC1700SIZEEMPFIRM, NAICS Code 517312, https://data.census.gov/cedsci/table?y=2017&n=517312&tid=ECNSIZE2017.EC1700SIZEEMPFIRM&hidePreview=false. Of this number, 2,837 firms employed fewer than 250 employees. Id. The available U.S. Census Bureau data does not provide a more precise estimate of the number of firms that meet the SBA size standard. Thus under the SBA size standard, the Commission estimates that a majority of licensees in this industry can be considered small. 17. The Commission’s small business size standards with respect to WCS involve eligibility for bidding credits and installment payments in the auction of licenses for the various frequency bands included in WCS. 
When bidding credits are adopted for the auction of licenses in WCS frequency bands, such credits may be available to several types of small businesses based on average gross revenues (small, very small and entrepreneur) pursuant to the competitive bidding rules adopted in conjunction with the requirements for the auction and/or as identified in the designated entities section in Part 27 of the Commission’s rules for the specific WCS frequency bands. See 47 CFR §§ 27.201 – 27.1601. The Designated entities sections in Subparts D – Q each contain the small business size standards adopted for the auction of the frequency band covered by that subpart. 18. In frequency bands where licenses were subject to auction, the Commission notes that as a general matter, the number of winning bidders that qualify as small businesses at the close of an auction does not necessarily represent the number of small businesses currently in service. Further, the Commission does not generally track subsequent business size unless, in the context of assignments or transfers, unjust enrichment issues are implicated. Additionally, since the Commission does not collect data on the number of employees for licensees providing these services, at this time we are not able to estimate the number of licensees with active licenses that would qualify as small under the SBA’s small business size standard. 19. 700 MHz Guard Band Licensees. The 700 MHz Guard Band encompasses spectrum in 746-747/776-777 MHz and 762-764/792-794 MHz frequency bands. Wireless Telecommunications Carriers (except Satellite) See U.S. Census Bureau, 2017 NAICS Definition, “517312 Wireless Telecommunications Carriers (except Satellite),” https://www.census.gov/naics/?input=517312&year=2017&details=517312. is the closest industry with a SBA small business size standard applicable to licenses providing services in these bands. 
The SBA small business size standard for this industry classifies a business as small if it has 1,500 or fewer employees. See 13 CFR § 121.201, NAICS Code 517312. U.S. Census Bureau data for 2017 show that there were 2,893 firms that operated in this industry for the entire year. See U.S. Census Bureau, 2017 Economic Census of the United States, Employment Size of Firms for the U.S.: 2017, Table ID: EC1700SIZEEMPFIRM, NAICS Code 517312, https://data.census.gov/cedsci/table?y=2017&n=517312&tid=ECNSIZE2017.EC1700SIZEEMPFIRM&hidePreview=false. Of this number, 2,837 firms employed fewer than 250 employees. Id. The available U.S. Census Bureau data does not provide a more precise estimate of the number of firms that meet the SBA size standard. Thus under the SBA size standard, the Commission estimates that a majority of licensees in this industry can be considered small. 20. According to Commission data as of December 2021, there were approximately 224 active 700 MHz Guard Band licenses. Based on a FCC Universal Licensing System search on December 14, 2021, https://wireless2.fcc.gov/UlsApp/UlsSearch/searchAdvanced.jsp. Search parameters: Service Group = All, “Match only the following radio service(s)”, Radio Service = WX; Authorization Type = All; Status = Active. We note that the number of active licenses does not equate to the number of licensees. A licensee can have one or more licenses. The Commission’s small business size standards with respect to 700 MHz Guard Band licensees involve eligibility for bidding credits and installment payments in the auction of licenses. 
For the auction of these licenses, the Commission defined a “small business” as an entity that, together with its affiliates and controlling principals, has average gross revenues not exceeding $40 million for the preceding three years, and a “very small business” an entity that, together with its affiliates and controlling principals, has average gross revenues that are not more than $15 million for the preceding three years. See 47 CFR § 27.502(a). Pursuant to these definitions, five winning bidders claiming one of the small business status classifications won 26 licenses, and one winning bidder claiming small business won two licenses. See Federal Communications Commission, Economics and Analytics, Auctions, Auction 33: Upper 700 MHz Guard Bands, Summary, Closing Charts, Licenses by Bidder, https://www.fcc.gov/sites/default/files/wireless/auctions/33/charts/33cls2.pdf, Auction 38: Upper 700 MHz Guard Bands, Summary, Closing Charts, Licenses by Bidder, https://www.fcc.gov/sites/default/files/wireless/auctions/38/charts/38cls2.pdf. None of the winning bidders claiming a small business status classification in these 700 MHz Guard Band license auctions had an active license as of December 2021. Based on a FCC Universal Licensing System search on December 14, 2021, https://wireless2.fcc.gov/UlsApp/UlsSearch/searchAdvanced.jsp. Search parameters: Service Group = All, “Match only the following radio service(s)”, Radio Service = WX; Authorization Type = All; Status = Active. We note that the number of active licenses does not equate to the number of licensees. A licensee can have one or more licenses. 21. In frequency bands where licenses were subject to auction, the Commission notes that as a general matter, the number of winning bidders that qualify as small businesses at the close of an auction does not necessarily represent the number of small businesses currently in service. 
Further, the Commission does not generally track subsequent business size unless, in the context of assignments or transfers, unjust enrichment issues are implicated. Additionally, since the Commission does not collect data on the number of employees for licensees providing these services, at this time we are not able to estimate the number of licensees with active licenses that would qualify as small under the SBA’s small business size standard. 22. Lower 700 MHz Band Licenses. The lower 700 MHz band encompasses spectrum in the 698-746 MHz frequency bands. Permissible operations in these bands include flexible fixed, mobile, and broadcast uses, including mobile and other digital new broadcast operation; fixed and mobile wireless commercial services (including FDD- and TDD-based services); as well as fixed and mobile wireless uses for private, internal radio needs, two-way interactive, cellular, and mobile television broadcasting services. See Federal Communications Commission, Economics and Analytics, Auctions, Auctions 44, 49, 60: Lower 700 MHz Band, Fact Sheet, Permissible Operations, https://www.fcc.gov/auction/44/factsheet, https://www.fcc.gov/auction/49/factsheet, https://www.fcc.gov/auction/60/factsheet. Wireless Telecommunications Carriers (except Satellite) See U.S. Census Bureau, 2017 NAICS Definition, “517312 Wireless Telecommunications Carriers (except Satellite),” https://www.census.gov/naics/?input=517312&year=2017&details=517312. is the closest industry with a SBA small business size standard applicable to licenses providing services in these bands. The SBA small business size standard for this industry classifies a business as small if it has 1,500 or fewer employees. See 13 CFR § 121.201, NAICS Code 517312. U.S. Census Bureau data for 2017 show that there were 2,893 firms that operated in this industry for the entire year. See U.S. 
Census Bureau, 2017 Economic Census of the United States, Employment Size of Firms for the U.S.: 2017, Table ID: EC1700SIZEEMPFIRM, NAICS Code 517312, https://data.census.gov/cedsci/table?y=2017&n=517312&tid=ECNSIZE2017.EC1700SIZEEMPFIRM&hidePreview=false. Of this number, 2,837 firms employed fewer than 250 employees. Id. The available U.S. Census Bureau data does not provide a more precise estimate of the number of firms that meet the SBA size standard. Thus under the SBA size standard, the Commission estimates that a majority of licensees in this industry can be considered small. 23. According to Commission data as of December 2021, there were approximately 2,824 active Lower 700 MHz Band licenses. Based on a FCC Universal Licensing System search on December 14, 2021, https://wireless2.fcc.gov/UlsApp/UlsSearch/searchAdvanced.jsp. Search parameters: Service Group = All, “Match only the following radio service(s)”, Radio Service = WY, WZ; Authorization Type = All; Status = Active. We note that the number of active licenses does not equate to the number of licensees. A licensee can have one or more licenses. The Commission’s small business size standards with respect to Lower 700 MHz Band licensees involve eligibility for bidding credits and installment payments in the auction of licenses. For auctions of Lower 700 MHz Band licenses the Commission adopted criteria for three groups of small businesses. 
A very small business was defined as an entity that, together with its affiliates and controlling interests, has average annual gross revenues not exceeding $15 million for the preceding three years, a small business was defined as an entity that, together with its affiliates and controlling interests, has average gross revenues not exceeding $40 million for the preceding three years, and an entrepreneur was defined as an entity that, together with its affiliates and controlling interests, has average gross revenues not exceeding $3 million for the preceding three years. See 47 CFR § 27.702(a)(1)-(3). In auctions for Lower 700 MHz Band licenses seventy-two winning bidders claiming a small business classification won 329 licenses, See Federal Communications Commission, Economics and Analytics, Auctions, Auction 44: Lower 700 MHz Guard Bands, Summary, Closing Charts, Licenses by Bidder, https://www.fcc.gov/sites/default/files/wireless/auctions/44/charts/44cls2.pdf. twenty-six winning bidders claiming a small business classification won 214 licenses, See Federal Communications Commission, Economics and Analytics, Auctions, Auction 49: Lower 700 MHz Guard Bands, Summary, Closing Charts, Licenses by Bidder, https://www.fcc.gov/sites/default/files/wireless/auctions/49/charts/49cls2.pdf. and three winning bidders claiming a small business classification won all five auctioned licenses. See Federal Communications Commission, Economics and Analytics, Auctions, Auction 60: Lower 700 MHz Guard Bands, Summary, Closing Charts, Licenses by Bidder, https://www.fcc.gov/sites/default/files/wireless/auctions/60/charts/60cls2.pdf. 24. In frequency bands where licenses were subject to auction, the Commission notes that as a general matter, the number of winning bidders that qualify as small businesses at the close of an auction does not necessarily represent the number of small businesses currently in service. 
Further, the Commission does not generally track subsequent business size unless, in the context of assignments or transfers, unjust enrichment issues are implicated. Additionally, since the Commission does not collect data on the number of employees for licensees providing these services, at this time we are not able to estimate the number of licensees with active licenses that would qualify as small under the SBA’s small business size standard. 25. Upper 700 MHz Band Licenses. The upper 700 MHz band encompasses spectrum in the 746-806 MHz bands. Upper 700 MHz D Block licenses are nationwide licenses associated with the 758-763 MHz and 788-793 MHz bands. See 47 CFR § 27.4. Permissible operations in these bands include flexible fixed, mobile, and broadcast uses, including mobile and other digital new broadcast operation; fixed and mobile wireless commercial services (including FDD- and TDD-based services); as well as fixed and mobile wireless uses for private, internal radio needs, two-way interactive, cellular, and mobile television broadcasting services. See Federal Communications Commission, Economics and Analytics, Auctions, Auction 73: 700 MHz Band, Fact Sheet, Permissible Operations, https://www.fcc.gov/auction/73/factsheet. We note that in Auction 73, Upper 700 MHz Band C and D Blocks as well as Lower 700 MHz Band A, B, and E Blocks were auctioned. Wireless Telecommunications Carriers (except Satellite) See U.S. Census Bureau, 2017 NAICS Definition, “517312 Wireless Telecommunications Carriers (except Satellite),” https://www.census.gov/naics/?input=517312&year=2017&details=517312. is the closest industry with a SBA small business size standard applicable to licenses providing services in these bands. The SBA small business size standard for this industry classifies a business as small if it has 1,500 or fewer employees. See 13 CFR § 121.201, NAICS Code 517312. U.S. 
Census Bureau data for 2017 show that there were 2,893 firms that operated in this industry for the entire year. See U.S. Census Bureau, 2017 Economic Census of the United States, Employment Size of Firms for the U.S.: 2017, Table ID: EC1700SIZEEMPFIRM, NAICS Code 517312, https://data.census.gov/cedsci/table?y=2017&n=517312&tid=ECNSIZE2017.EC1700SIZEEMPFIRM&hidePreview=false. Of that number, 2,837 firms employed fewer than 250 employees. Id. The available U.S. Census Bureau data does not provide a more precise estimate of the number of firms that meet the SBA size standard. Thus, under the SBA size standard, the Commission estimates that a majority of licensees in this industry can be considered small. 26. According to Commission data as of December 2021, there were approximately 152 active Upper 700 MHz Band licenses. Based on a FCC Universal Licensing System search on December 14, 2021, https://wireless2.fcc.gov/UlsApp/UlsSearch/searchAdvanced.jsp. Search parameters: Service Group = All, “Match only the following radio service(s)”, Radio Service = WP, WU; Authorization Type = All; Status = Active. We note that the number of active licenses does not equate to the number of licensees. A licensee can have one or more licenses. The Commission’s small business size standards with respect to Upper 700 MHz Band licensees involve eligibility for bidding credits and installment payments in the auction of licenses. For the auction of these licenses, the Commission defined a “small business” as an entity that, together with its affiliates and controlling principals, has average gross revenues not exceeding $40 million for the preceding three years, and a “very small business” an entity that, together with its affiliates and controlling principals, has average gross revenues that are not more than $15 million for the preceding three years. See 47 CFR § 27.502(a). 
Pursuant to these definitions, three winning bidders claiming very small business status won five of the twelve available licenses. See Auction of 700 MHz Band Licenses Closes; Winning Bidders Announced for Auction 73, Public Notice, DA-08-595, Attachment A, Report No. AUC-08-73-I (Auction 73) (March 20, 2008). The results for Upper 700 MHz Band C Block can be found on pp. 62-63. 27. In frequency bands where licenses were subject to auction, the Commission notes that as a general matter, the number of winning bidders that qualify as small businesses at the close of an auction does not necessarily represent the number of small businesses currently in service. Further, the Commission does not generally track subsequent business size unless, in the context of assignments or transfers, unjust enrichment issues are implicated. Additionally, since the Commission does not collect data on the number of employees for licensees providing these services, at this time we are not able to estimate the number of licensees with active licenses that would qualify as small under the SBA’s small business size standard. 28. Advanced Wireless Services (AWS) - (1710–1755 MHz and 2110–2155 MHz bands (AWS-1); 1915–1920 MHz, 1995–2000 MHz, 2020–2025 MHz and 2175–2180 MHz bands (AWS-2); 2155–2175 MHz band (AWS-3); 2000-2020 MHz and 2180-2200 MHz (AWS-4)). Spectrum is made available and licensed in these bands for the provision of various wireless communications services. See 47 CFR § 27.1(b). Wireless Telecommunications Carriers (except Satellite) See U.S. Census Bureau, 2017 NAICS Definition, “517312 Wireless Telecommunications Carriers (except Satellite),” https://www.census.gov/naics/?input=517312&year=2017&details=517312. is the closest industry with a SBA small business size standard applicable to these services. The SBA small business size standard for this industry classifies a business as small if it has 1,500 or fewer employees. See 13 CFR § 121.201, NAICS Code 517312. U.S. 
Census Bureau data for 2017 show that there were 2,893 firms that operated in this industry for the entire year. See U.S. Census Bureau, 2017 Economic Census of the United States, Employment Size of Firms for the U.S.: 2017, Table ID: EC1700SIZEEMPFIRM, NAICS Code 517312, https://data.census.gov/cedsci/table?y=2017&n=517312&tid=ECNSIZE2017.EC1700SIZEEMPFIRM&hidePreview=false. Of this number, 2,837 firms employed fewer than 250 employees. Id. The available U.S. Census Bureau data does not provide a more precise estimate of the number of firms that meet the SBA size standard. Thus, under the SBA size standard, the Commission estimates that a majority of licensees in this industry can be considered small. 29. According to Commission data as of December 2021, there were approximately 4,472 active AWS licenses. Based on a FCC Universal Licensing System search on December 10, 2021, https://wireless2.fcc.gov/UlsApp/UlsSearch/searchAdvanced.jsp. Search parameters: Service Group = All, “Match only the following radio service(s)”, Radio Service = AD, AH, AT, AW; Authorization Type = All; Status = Active. We note that the number of active licenses does not equate to the number of licensees. A licensee can have one or more licenses. The Commission’s small business size standards with respect to AWS involve eligibility for bidding credits and installment payments in the auction of licenses for these services. For the auction of AWS licenses, the Commission defined a “small business” as an entity with average annual gross revenues for the preceding three years not exceeding $40 million, and a “very small business” as an entity with average annual gross revenues for the preceding three years not exceeding $15 million. See 47 CFR §§ 27.1002, 27.1102, 27.1104, 27.1106. Pursuant to these definitions, 57 winning bidders claiming status as small or very small businesses won 215 of 1,087 licenses. 
See Federal Communications Commission, Economics and Analytics, Auctions, Auction 66: Advanced Wireless Services (AWS-1), Summary, Spreadsheets, https://www.fcc.gov/sites/default/files/wireless/auctions/66/charts/66cls2.pdf. In the most recent auction of AWS licenses 15 of 37 bidders qualifying for status as small or very small businesses won licenses. See Auction of Advanced Wireless Services (AWS-3) Licenses Closes; Winning Bidders Announced for Auction 97, Public Notice, DA-15-131, Attachments A-B, (Auction No. 97) (January 30, 2015). 30. In frequency bands where licenses were subject to auction, the Commission notes that as a general matter, the number of winning bidders that qualify as small businesses at the close of an auction does not necessarily represent the number of small businesses currently in service. Further, the Commission does not generally track subsequent business size unless, in the context of assignments or transfers, unjust enrichment issues are implicated. Additionally, since the Commission does not collect data on the number of employees for licensees providing these services, at this time we are not able to estimate the number of licensees with active licenses that would qualify as small under the SBA’s small business size standard. 31. Broadband Radio Service and Educational Broadband Service. Broadband Radio Service systems, previously referred to as Multipoint Distribution Service (MDS) and Multichannel Multipoint Distribution Service (MMDS) systems, and “wireless cable,” The use of the term "wireless cable" does not imply that it constitutes cable television for statutory or regulatory purposes. transmit video programming to subscribers and provide two-way high speed data operations using the microwave frequencies of the Broadband Radio Service (BRS) and Educational Broadband Service (EBS) (previously referred to as the Instructional Television Fixed Service (ITFS)). 
See 47 CFR § 27.4; see also Amendment of Parts 21 and 74 of the Commission’s Rules with Regard to Filing Procedures in the Multipoint Distribution Service and in the Instructional Television Fixed Service and Implementation of Section 309(j) of the Communications Act—Competitive Bidding, Report and Order, 10 FCC Rcd 9589, 9593, para. 7 (1995). Wireless cable operators that use spectrum in the BRS often supplemented with leased channels from the EBS, provide a competitive alternative to wired cable and other multichannel video programming distributors. Wireless cable programming to subscribers resembles cable television, but instead of coaxial cable, wireless cable uses microwave channels. Generally, a wireless cable system may be described as a microwave station transmitting on a combination of BRS and EBS channels to numerous receivers with antennas, such as single-family residences, apartment complexes, hotels, educational institutions, business entities and governmental offices. The range of the transmission depends upon the transmitter power, the type of receiving antenna and the existence of a line-of-sight path between the transmitter or signal booster and the receiving antenna. 32. In light of the use of wireless frequencies by BRS and EBS services, the closest industry with a SBA small business size standard applicable to these services is Wireless Telecommunications Carriers (except Satellite). See U.S. Census Bureau, 2017 NAICS Definition, “517312 Wireless Telecommunications Carriers (except Satellite),” https://www.census.gov/naics/?input=517312&year=2017&details=517312. The SBA small business size standard for this industry classifies a business as small if it has 1,500 or fewer employees. See 13 CFR § 121.201, NAICS Code 517312. U.S. Census Bureau data for 2017 show that there were 2,893 firms that operated in this industry for the entire year. See U.S. 
Census Bureau, 2017 Economic Census of the United States, Employment Size of Firms for the U.S.: 2017, Table ID: EC1700SIZEEMPFIRM, NAICS Code 517312, https://data.census.gov/cedsci/table?y=2017&n=517312&tid=ECNSIZE2017.EC1700SIZEEMPFIRM&hidePreview=false. Of this number, 2,837 firms employed fewer than 250 employees. Id. The available U.S. Census Bureau data does not provide a more precise estimate of the number of firms that meet the SBA size standard. Thus under the SBA size standard, the Commission estimates that a majority of licensees in this industry can be considered small. 33. According to Commission data as of December 2021, there were approximately 5,869 active BRS and EBS licenses. Based on a FCC Universal Licensing System search on December 10, 2021, https://wireless2.fcc.gov/UlsApp/UlsSearch/searchAdvanced.jsp. Search parameters: Service Group = All, “Match only the following radio service(s)”, Radio Service = BR, ED; Authorization Type = All; Status = Active. We note that the number of active licenses does not equate to the number of licensees. A licensee can have one or more licenses. The Commission’s small business size standards with respect to BRS involve eligibility for bidding credits and installment payments in the auction of licenses for these services. For the auction of BRS licenses, the Commission adopted criteria for three groups of small businesses. A very small business is an entity that, together with its affiliates and controlling interests, has average annual gross revenues that exceed $3 million and did not exceed $15 million for the preceding three years, a small business is an entity that, together with its affiliates and controlling interests, has average gross revenues that exceed $15 million and did not exceed $40 million for the preceding three years, and an entrepreneur is an entity that, together with its affiliates and controlling interests, has average gross revenues not exceeding $3 million for the preceding three years. 
See 47 CFR § 27.1218(a). Of the ten winning bidders for BRS licenses, two bidders claiming the small business status won 4 licenses, one bidder claiming the very small business status won three licenses and two bidders claiming entrepreneur status won six licenses. See Federal Communications Commission, Economics and Analytics, Auctions, Auction 86: Broadband Radio Service, Summary, Reports, All Bidders, https://www.fcc.gov/sites/default/files/wireless/auctions/86/charts/86bidder.xls. One of the winning bidders claiming a small business status classification in the BRS license auction has an active licenses as of December 2021. Based on a FCC Universal Licensing System search on December 10, 2021, https://wireless2.fcc.gov/UlsApp/UlsSearch/searchAdvanced.jsp. Search parameters: Service Group = All, “Match only the following radio service(s)”, Radio Service =BR; Authorization Type = All; Status = Active. We note that the number of active licenses does not equate to the number of licensees. A licensee can have one or more licenses. 34. The Commission’s small business size standards for EBS define a small business as an entity that, together with its affiliates, its controlling interests and the affiliates of its controlling interests, has average gross revenues that are not more than $55 million for the preceding five (5) years, and a very small business is an entity that, together with its affiliates, its controlling interests and the affiliates of its controlling interests, has average gross revenues that are not more than $20 million for the preceding five (5) years. See 47 CFR § 27.1219(a). In frequency bands where licenses were subject to auction, the Commission notes that as a general matter, the number of winning bidders that qualify as small businesses at the close of an auction does not necessarily represent the number of small businesses currently in service. 
Further, the Commission does not generally track subsequent business size unless, in the context of assignments or transfers, unjust enrichment issues are implicated. Additionally, since the Commission does not collect data on the number of employees for licensees providing these services, at this time we are not able to estimate the number of licensees with active licenses that would qualify as small under the SBA’s small business size standard. 35. The Educational Broadcasting Services. Cable-based educational broadcasting services fall under the broad category of the Wired Telecommunications Carriers industry. See U.S. Census Bureau, 2017 NAICS Definition, “517311 Wired Telecommunications Carriers,” https://www.census.gov/naics/?input=517311&year=2017&details=517311. Examples of this category are: broadband Internet service providers (e.g., cable, DSL); local telephone carriers (wired); cable television distribution services; long-distance telephone carriers (wired); closed circuit television (CCTV) services; VoIP service providers, using owner operated wired telecommunications infrastructure; direct-to-home satellite system (DTH) services; telecommunications carriers (wired); satellite television distribution systems; and multichannel multipoint distribution services (MMDS). The Wired Telecommunications Carriers industry comprises establishments primarily engaged in operating and/or providing access to transmission facilities and infrastructure that they own and/or lease for the transmission of voice, data, text, sound, and video using wired telecommunications networks. Id. Transmission facilities may be based on a single technology or a combination of technologies. Id. Establishments in this industry use the wired telecommunications network facilities that they operate to provide a variety of services, such as wired telephony services, including VoIP services; wired (cable) audio and video programming distribution; and wired broadband Internet services. Id. 
36. The SBA small business size standard for this industry classifies businesses having 1,500 or fewer employees as small. See 13 CFR § 121.201, NAICS Code 517311. U.S. Census Bureau data for 2017 show that there were 3,054 firms in this industry that operated for the entire year. See U.S. Census Bureau, 2017 Economic Census of the United States, Selected Sectors: Employment Size of Firms for the U.S.: 2017, Table ID: EC1700SIZEEMPFIRM, NAICS Code 517311, https://data.census.gov/cedsci/table?y=2017&n=517311&tid=ECNSIZE2017.EC1700SIZEEMPFIRM&hidePreview=false. Of this total, 2,964 firms operated with fewer than 250 employees. Id. The available U.S. Census Bureau data does not provide a more precise estimate of the number of firms that meet the SBA size standard. Thus, under this size standard, the majority of firms in this industry can be considered small. Additionally, according to Commission data as of December 2021, there were 4,477 active EBS licenses. Based on a FCC Universal Licensing System search on December 17, 2021. https://wireless2.fcc.gov/UlsApp/UlsSearch/searchAdvanced.jsp. Search parameters: Service Group = All, “Match only the following radio service(s)”, Radio Service =ED; Authorization Type = All; Status = Active. We note that the number of active licenses does not equate to the number of licensees. A licensee can have one or more licenses. The Commission estimates that the majority of these licenses are held by non-profit educational institutions and school districts and are likely small entities. 37. Radio and Television Broadcasting and Wireless Communications Equipment Manufacturing. This industry comprises establishments primarily engaged in manufacturing radio and television broadcast and wireless communications equipment. See U.S. Census Bureau, 2017 NAICS Definition, “334220 Radio and Television Broadcasting and Wireless Communications Equipment Manufacturing,” https://www.census.gov/naics/?input=334220&year=2017&details=334220. 
Examples of products made by these establishments are: transmitting and receiving antennas, cable television equipment, GPS equipment, pagers, cellular phones, mobile communications equipment, and radio and television studio and broadcasting equipment. Id. The SBA small business size standard for this industry classifies businesses having 1,250 employees or less as small. See 13 CFR § 121.201, NAICS Code 334220. U.S. Census Bureau data for 2017 show that there were 656 firms in this industry that operated for the entire year. See U.S. Census Bureau, 2017 Economic Census of the United States, Employment Size of Firms for the U.S.: 2017, Table ID: EC1700SIZEEMPFIRM, NAICS Code 334220, https://data.census.gov/cedsci/table?y=2017&n=334220&tid=ECNSIZE2017.EC1700SIZEEMPFIRM&hidePreview=false. Of this number, 624 firms had fewer than 250 employees. Id. The available U.S. Census Bureau data does not provide a more precise estimate of the number of firms that meet the SBA size standard. Thus, under the SBA size standard, the majority of firms in this industry can be considered small. 38. Software Publishers. This industry comprises establishments primarily engaged in computer software publishing or publishing and reproduction. See U.S. Census Bureau, 2017 NAICS Definition, “511210 Software Publishers,” https://www.census.gov/naics/?input=511210&year=2017&details=511210. Establishments in this industry carry out operations necessary for producing and distributing computer software, such as designing, providing documentation, assisting in installation, and providing support services to software purchasers. Id. These establishments may design, develop, and publish, or publish only. Id. The SBA small business size standard for this industry classifies businesses having annual receipts of $41.5 million or less as small. See 13 CFR § 121.201, NAICS Code 511210. U.S. Census Bureau data for 2017 indicate that 7,842 firms in this industry operated for the entire year. See U.S. 
Census Bureau, 2017 Economic Census of the United States, Selected Sectors: Sales, Value of Shipments, or Revenue Size of Firms for the U.S.: 2017, Table ID: EC1700SIZEREVFIRM, NAICS Code 511210, https://data.census.gov/cedsci/table?y=2017&n=511210&tid=ECNSIZE2017.EC1700SIZEREVFIRM&hidePreview=false. Of this number, 7,226 firms had revenue of less than $25 million. Id. The available U.S. Census Bureau data does not provide a more precise estimate of the number of firms that meet the SBA size standard. We also note that according to the U.S. Census Bureau glossary, the terms receipts and revenues are used interchangeably, see https://www.census.gov/glossary/#term_ReceiptsRevenueServices. Based on this data, we conclude that a majority of firms in this industry are small. 39. Noncommercial Educational (NCE) and Public Broadcast Stations. Noncommercial educational broadcast stations and public broadcast stations are television or radio broadcast stations which under the Commission's rules are eligible to be licensed by the Commission as a noncommercial educational radio or television broadcast station and are owned and operated by a public agency or nonprofit private foundation, corporation, or association; or are owned and operated by a municipality which transmits only noncommercial programs for education purposes. 40. The SBA small business size standards and U.S. Census Bureau data classify radio stations and television broadcasting separately, and both categories may include both noncommercial and commercial stations. See U.S. Census Bureau, 2017 NAICS Definition, “515112 Radio Stations,” https://www.census.gov/naics/?input=515112&year=2017&details=515112; U.S. Census Bureau, 2017 NAICS Definition, “515120 Television Broadcasting,” https://www.census.gov/naics/?input=515120&year=2017&details=515120. The SBA small business size standard for both radio stations and television broadcasting classifies firms having $41.5 million or less in annual receipts as small.
See 13 CFR § 121.201, NAICS Code 515112 (Radio Stations); NAICS Code 515120 (Television Broadcasting). For Radio Stations, U.S. Census Bureau data for 2017 show that 1,879 of the 2,963 firms that operated during that year had revenue of less than $25 million per year. See U.S. Census Bureau, 2017 Economic Census of the United States, Selected Sectors: Sales, Value of Shipments, or Revenue Size of Firms for the U.S.: 2017, Table ID: EC1700SIZEREVFIRM, NAICS Code 515112, https://data.census.gov/cedsci/table?y=2017&n=515112&tid=ECNSIZE2017.EC1700SIZEREVFIRM&hidePreview=false. The available U.S. Census Bureau data does not provide a more precise estimate of the number of firms that meet the SBA size standard. We note that the U.S. Census Bureau withheld publication of the number of firms that operated for the entire year. We also note that the U.S. Census Bureau withheld publication of the number of firms that operated with sales/value of shipments/revenue in the individual categories for less than $100,000, and $100,000 to $249,999 to avoid disclosing data for individual companies (see Cell Notes for the sales/value of shipments/revenue in these categories). Therefore, the number of firms with revenue that meet the SBA size standard would be higher than noted herein. We further note that according to the U.S. Census Bureau glossary, the terms receipts and revenues are used interchangeably, see https://www.census.gov/glossary/#term_ReceiptsRevenueServices. For Television Broadcasting, U.S. Census Bureau data for 2017 show that 657 of the 744 firms that operated for the entire year had revenue of less than $25,000,000. See U.S. Census Bureau, 2017 Economic Census of the United States, Selected Sectors: Sales, Value of Shipments, or Revenue Size of Firms for the U.S.: 2017, Table ID: EC1700SIZEREVFIRM, NAICS Code 515120, https://data.census.gov/cedsci/table?y=2017&n=515120&tid=ECNSIZE2017.EC1700SIZEREVFIRM&hidePreview=false. The available U.S.
Census Bureau data does not provide a more precise estimate of the number of firms that meet the SBA size standard. We also note that according to the U.S. Census Bureau glossary, the terms receipts and revenues are used interchangeably, see https://www.census.gov/glossary/#term_ReceiptsRevenueServices. While the U.S. Census Bureau data does not indicate the number of non-commercial stations, we estimate that under the applicable SBA size standard the majority of noncommercial educational broadcast stations and public broadcast stations are small entities. 41. According to Commission data as of March 31, 2022, there were 4,503 licensed noncommercial educational radio and television stations. Broadcast Station Totals as of March 31, 2022, Public Notice, DA 22-365 (rel. April 5, 2022) (March 2022 Broadcast Station Totals PN), https://www.fcc.gov/document/broadcast-station-totals-march-31-2022. In addition, the Commission estimates as of March 31, 2022, there were 384 licensed noncommercial educational (NCE) television stations, 383 Class A TV stations, 1,840 LPTV stations and 3,231 TV translator stations. Id. The Commission does not compile and otherwise does not have access to financial information for these stations that permit it to determine how many stations qualify as small entities under the SBA small business size standards. However, given the nature of these services, we will presume that all noncommercial educational and public broadcast stations qualify as small entities under the above SBA small business size standards. 42. Radio Stations. This industry is comprised of “establishments primarily engaged in broadcasting aural programs by radio to the public.” See U.S. Census Bureau, 2017 NAICS Definition, “515112 Radio Stations,” https://www.census.gov/naics/?input=515112&year=2017&details=515112. Programming may originate in their own studio, from an affiliated network, or from external sources. Id.
The SBA small business size standard for this industry classifies firms having $41.5 million or less in annual receipts as small. See 13 CFR § 121.201, NAICS Code 515112. U.S. Census Bureau data for 2017 show that 2,963 firms operated in this industry during that year. See U.S. Census Bureau, 2017 Economic Census of the United States, Selected Sectors: Sales, Value of Shipments, or Revenue Size of Firms for the U.S.: 2017, Table ID: EC1700SIZEREVFIRM, NAICS Code 515112, https://data.census.gov/cedsci/table?y=2017&n=515112&tid=ECNSIZE2017.EC1700SIZEREVFIRM&hidePreview=false. We note that the U.S. Census Bureau withheld publication of the number of firms that operated for the entire year. Of this number, 1,879 firms operated with revenue of less than $25 million per year. Id. The available U.S. Census Bureau data does not provide a more precise estimate of the number of firms that meet the SBA size standard. We note that the U.S. Census Bureau withheld publication of the number of firms that operated with sales/value of shipments/revenue in the individual categories for less than $100,000, and $100,000 to $249,999 to avoid disclosing data for individual companies (see Cell Notes for the sales/value of shipments/revenue in these categories). Therefore, the number of firms with revenue that meet the SBA size standard would be higher than noted herein. We also note that according to the U.S. Census Bureau glossary, the terms receipts and revenues are used interchangeably, see https://www.census.gov/glossary/#term_ReceiptsRevenueServices. Based on this data and the SBA’s small business size standard, we estimate a majority of such entities are small entities. 43. The Commission estimates that as of March 31, 2022, there were 4,508 licensed commercial AM radio stations and 6,763 licensed commercial FM radio stations, for a combined total of 11,271 commercial radio stations. Broadcast Station Totals as of March 31, 2022, Public Notice, DA 22-365 (rel.
April 5, 2022) (March 2022 Broadcast Station Totals PN), https://www.fcc.gov/document/broadcast-station-totals-march-31-2022. Of this total, 11,269 stations (or 99.98%) had revenues of $41.5 million or less in 2021, according to Commission staff review of the BIA Kelsey Inc. Media Access Pro Database (BIA) on June 1, 2022, and therefore these licensees qualify as small entities under the SBA definition. In addition, the Commission estimates that as of March 31, 2022, there were 4,119 licensed noncommercial (NCE) FM radio stations, 2,049 low power FM (LPFM) stations, and 8,919 FM translators and boosters. Id. The Commission, however, does not compile, and otherwise does not have access to, financial information for these radio stations that would permit it to determine how many of these stations qualify as small entities under the SBA small business size standard. Nevertheless, given the SBA’s large annual receipts threshold for this industry and the nature of these radio station licensees, we presume that all of these entities qualify as small entities under the above SBA small business size standard. 44. We note, however, that in assessing whether a business concern qualifies as “small” under the above definition, business (control) affiliations must be included. “[Business concerns] are affiliates of each other when one concern controls or has the power to control the other or a third party or parties controls or has the power to control both.” 13 CFR § 21.103(a)(1). Our estimate, therefore, likely overstates the number of small entities that might be affected by our action, because the revenue figure on which it is based does not include or aggregate revenues from affiliated companies. In addition, another element of the definition of “small business” requires that an entity not be dominant in its field of operation.
We are unable at this time to define or quantify the criteria that would establish whether a specific radio or television broadcast station is dominant in its field of operation. Accordingly, the estimate of small businesses to which the rules may apply does not exclude any radio or television station from the definition of a small business on this basis and is therefore possibly over-inclusive. An additional element of the definition of “small business” is that the entity must be independently owned and operated. Because it is difficult to assess these criteria in the context of media entities, the estimate of small businesses to which the rules may apply does not exclude any radio or television station from the definition of a small business on this basis and similarly may be over-inclusive. 45. FM Translator Stations and Low-Power FM Stations. FM translators and Low Power FM Stations are classified in the industry for Radio Stations. See U.S. Census Bureau, 2017 NAICS Definition, “515112 Radio Stations,” https://www.census.gov/naics/?input=515112&year=2017&details=515112. The Radio Stations industry comprises establishments primarily engaged in broadcasting aural programs by radio to the public. Id. Programming may originate in their own studio, from an affiliated network, or from external sources. Id. The SBA small business size standard for this industry classifies firms having $41.5 million or less in annual receipts as small. See 13 CFR § 121.201, NAICS Code 515112. U.S. Census Bureau data for 2017 show that 2,963 firms operated during that year. See U.S. Census Bureau, 2017 Economic Census of the United States, Selected Sectors: Sales, Value of Shipments, or Revenue Size of Firms for the U.S.: 2017, Table ID: EC1700SIZEREVFIRM, NAICS Code 515112, https://data.census.gov/cedsci/table?y=2017&n=515112&tid=ECNSIZE2017.EC1700SIZEREVFIRM&hidePreview=false. 
We note that the U.S. Census Bureau withheld publication of the number of firms that operated for the entire year. Of that number, 1,879 firms operated with revenue of less than $25 million per year. Id. The available U.S. Census Bureau data does not provide a more precise estimate of the number of firms that meet the SBA size standard. We note that the U.S. Census Bureau withheld publication of the number of firms that operated with sales/value of shipments/revenue in the individual categories for less than $100,000, and $100,000 to $249,999 to avoid disclosing data for individual companies (see Cell Notes for the sales/value of shipments/revenue in these categories). Therefore, the number of firms with annual receipts that meet the SBA size standard would be higher than noted herein. We also note that according to the U.S. Census Bureau glossary, the terms receipts and revenues are used interchangeably, see https://www.census.gov/glossary/#term_ReceiptsRevenueServices. Therefore, based on the SBA’s size standard we conclude that the majority of FM Translator stations and Low Power FM Stations are small. Additionally, according to Commission data, as of March 31, 2022, there were 8,919 FM Translator Stations and 2,049 Low Power FM licensed broadcast stations. Broadcast Station Totals as of March 31, 2022, Public Notice, DA 22-365 (rel. April 5, 2022) (March 2022 Broadcast Station Totals PN), https://www.fcc.gov/document/broadcast-station-totals-march-31-2022. The Commission, however, does not compile and otherwise does not have access to information on the revenue of these stations that would permit it to determine how many of the stations would qualify as small entities. For purposes of this regulatory flexibility analysis, we presume the majority of these stations are small entities. 46. Television Broadcasting. This industry is comprised of “establishments primarily engaged in broadcasting images together with sound.” See U.S.
Census Bureau, 2017 NAICS Definition, “515120 Television Broadcasting,” https://www.census.gov/naics/?input=515120&year=2017&details=515120. These establishments operate television broadcast studios and facilities for the programming and transmission of programs to the public. Id. These establishments also produce or transmit visual programming to affiliated broadcast television stations, which in turn broadcast the programs to the public on a predetermined schedule. Programming may originate in their own studio, from an affiliated network, or from external sources. The SBA small business size standard for this industry classifies businesses having $41.5 million or less in annual receipts as small. See 13 CFR § 121.201, NAICS Code 515120. 2017 U.S. Census Bureau data indicate that 744 firms in this industry operated for the entire year. See U.S. Census Bureau, 2017 Economic Census of the United States, Selected Sectors: Sales, Value of Shipments, or Revenue Size of Firms for the U.S.: 2017, Table ID: EC1700SIZEREVFIRM, NAICS Code 515120, https://data.census.gov/cedsci/table?y=2017&n=515120&tid=ECNSIZE2017.EC1700SIZEREVFIRM&hidePreview=false. Of that number, 657 firms had revenue of less than $25,000,000. Id. The available U.S. Census Bureau data does not provide a more precise estimate of the number of firms that meet the SBA size standard. We also note that according to the U.S. Census Bureau glossary, the terms receipts and revenues are used interchangeably, see https://www.census.gov/glossary/#term_ReceiptsRevenueServices. Based on this data we estimate that the majority of television broadcasters are small entities under the SBA small business size standard. 47. The Commission estimates that as of March 31, 2022, there were 1,373 licensed commercial television stations. Broadcast Station Totals as of March 31, 2022, Public Notice, DA 22-365 (rel. 
April 5, 2022) (March 2022 Broadcast Station Totals PN), https://www.fcc.gov/document/broadcast-station-totals-march-31-2022. Of this total, 1,280 stations (or 93.2%) had revenues of $41.5 million or less in 2021, according to Commission staff review of the BIA Kelsey Inc. Media Access Pro Television Database (BIA) on June 1, 2022, and therefore these licensees qualify as small entities under the SBA definition. In addition, the Commission estimates as of March 31, 2022, there were 384 licensed noncommercial educational (NCE) television stations, 383 Class A TV stations, 1,840 LPTV stations and 3,231 TV translator stations. Id. The Commission however does not compile, and otherwise does not have access to financial information for these television broadcast stations that would permit it to determine how many of these stations qualify as small entities under the SBA small business size standard. Nevertheless, given the SBA’s large annual receipts threshold for this industry and the nature of these television station licensees, we presume that all of these entities qualify as small entities under the above SBA small business size standard. 48. Cable and Other Subscription Programming. The U.S. Census Bureau defines this industry as establishments primarily engaged in operating studios and facilities for the broadcasting of programs on a subscription or fee basis. See U.S. Census Bureau, 2017 NAICS Definition, “515210 Cable and Other Subscription Programming,” https://www.census.gov/naics/?input=515210&year=2017&details=515210. The broadcast programming is typically narrowcast in nature (e.g., limited format, such as news, sports, education, or youth-oriented). These establishments produce programming in their own facilities or acquire programming from external sources. Id. The programming material is usually delivered to a third party, such as cable systems or direct-to-home satellite systems, for transmission to viewers. Id. 
The SBA small business size standard for this industry classifies firms with annual receipts less than $41.5 million as small. See 13 CFR § 121.201, NAICS Code 515210. Based on U.S. Census Bureau data for 2017, 378 firms operated in this industry during that year. See U.S. Census Bureau, 2017 Economic Census of the United States, Selected Sectors: Sales, Value of Shipments, or Revenue Size of Firms for the U.S.: 2017, Table ID: EC1700SIZEREVFIRM, NAICS Code 515210, https://data.census.gov/cedsci/table?y=2017&n=515210&tid=ECNSIZE2017.EC1700SIZEREVFIRM&hidePreview=false. The US Census Bureau withheld publication of the number of firms that operated for the entire year to avoid disclosing data for individual companies (see Cell Notes for this category). Of that number, 149 firms operated with revenue of less than $25 million a year and 44 firms operated with revenue of $25 million or more. Id. The available U.S. Census Bureau data does not provide a more precise estimate of the number of firms that meet the SBA size standard. We note that the U.S. Census Bureau withheld publication of the number of firms that operated with sales/value of shipments/revenue in all categories of revenue less than $500,000 to avoid disclosing data for individual companies (see Cell Notes for the sales/value of shipments/revenue in these categories). Therefore, the number of firms with revenue that meet the SBA size standard would be higher than noted herein. We also note that according to the U.S. Census Bureau glossary, the terms receipts and revenues are used interchangeably, see https://www.census.gov/glossary/#term_ReceiptsRevenueServices. Based on this data, the Commission estimates that the majority of firms operating in this industry are small. 49. Cable System Operators (Rate Regulation Standard). The Commission has developed its own small business size standard for the purpose of cable rate regulation. 
Under the Commission’s rules, a “small cable company” is one serving 400,000 or fewer subscribers nationwide. 47 CFR § 76.901(d). Based on industry data, there are about 420 cable companies in the U.S. S&P Global Market Intelligence, S&P Capital IQ Pro, U.S. MediaCensus, Operator Subscribers by Geography (last visited May 26, 2022). Of these, only seven have more than 400,000 subscribers. S&P Global Market Intelligence, S&P Capital IQ Pro, Top Cable MSOs 12/21Q (last visited May 26, 2022); S&P Global Market Intelligence, Multichannel Video Subscriptions, Top 10 (April 2022). In addition, under the Commission’s rules, a “small system” is a cable system serving 15,000 or fewer subscribers. 47 CFR § 76.901(c). Based on industry data, there are about 4,139 cable systems (headends) in the U.S. S&P Global Market Intelligence, S&P Capital IQ Pro, U.S. MediaCensus, Operator Subscribers by Geography (last visited May 26, 2022). Of these, about 639 have more than 15,000 subscribers. S&P Global Market Intelligence, S&P Capital IQ Pro, Top Cable MSOs 12/21Q (last visited May 26, 2022). Accordingly, the Commission estimates that the majority of cable companies and cable systems are small. 50. Cable System Operators (Telecom Act Standard). The Communications Act of 1934, as amended, contains a size standard for a “small cable operator,” which is “a cable operator that, directly or through an affiliate, serves in the aggregate fewer than one percent of all subscribers in the United States and is not affiliated with any entity or entities whose gross annual revenues in the aggregate exceed $250,000,000.” 47 U.S.C. § 543(m)(2). For purposes of the Telecom Act Standard, the Commission determined that a cable system operator that serves fewer than 677,000 subscribers, either directly or through affiliates, will meet the definition of a small cable operator based on the cable subscriber count established in a 2001 Public Notice. 
FCC Announces New Subscriber Count for the Definition of Small Cable Operator, Public Notice, 16 FCC Rcd 2225 (CSB 2001) (2001 Subscriber Count PN). In this Public Notice, the Commission determined that there were approximately 67.7 million cable subscribers in the United States at that time using the most reliable source publicly available. Id. We recognize that the number of cable subscribers changed since then and that the Commission has recently estimated the number of cable subscribers to be approximately 58.1 million. See Communications Marketplace Report, GN Docket No. 20-60, 2020 Communications Marketplace Report, 36 FCC Rcd 2945, 3049, para. 156 (2020) (2020 Communications Marketplace Report). However, because the Commission has not issued a public notice subsequent to the 2001 Subscriber Count PN, the Commission still relies on the subscriber count threshold established by the 2001 Subscriber Count PN for purposes of this rule. See 47 CFR § 76.901(e)(1). Based on industry data, only six cable system operators have more than 677,000 subscribers. S&P Global Market Intelligence, S&P Capital IQ Pro, Top Cable MSOs 12/21Q (last visited May 26, 2022); S&P Global Market Intelligence, Multichannel Video Subscriptions, Top 10 (April 2022). Accordingly, the Commission estimates that the majority of cable system operators are small under this size standard. We note however, that the Commission neither requests nor collects information on whether cable system operators are affiliated with entities whose gross annual revenues exceed $250 million. The Commission does receive such information on a case-by-case basis if a cable operator appeals a local franchise authority’s finding that the operator does not qualify as a small cable operator pursuant to § 76.901(e) of the Commission’s rules. See 47 CFR § 76.910(b). 
Therefore, we are unable at this time to estimate with greater precision the number of cable system operators that would qualify as small cable operators under the definition in the Communications Act. 51. Satellite Telecommunications. This industry comprises firms “primarily engaged in providing telecommunications services to other establishments in the telecommunications and broadcasting industries by forwarding and receiving communications signals via a system of satellites or reselling satellite telecommunications.” See U.S. Census Bureau, 2017 NAICS Definition, “517410 Satellite Telecommunications,” https://www.census.gov/naics/?input=517410&year=2017&details=517410. Satellite telecommunications service providers include satellite and earth station operators. The SBA small business size standard for this industry classifies a business with $35 million or less in annual receipts as small. See 13 CFR § 121.201, NAICS Code 517410. U.S. Census Bureau data for 2017 show that 275 firms in this industry operated for the entire year. See U.S. Census Bureau, 2017 Economic Census of the United States, Selected Sectors: Sales, Value of Shipments, or Revenue Size of Firms for the U.S.: 2017, Table ID: EC1700SIZEREVFIRM, NAICS Code 517410, https://data.census.gov/cedsci/table?y=2017&n=517410&tid=ECNSIZE2017.EC1700SIZEREVFIRM&hidePreview=false. Of this number, 242 firms had revenue of less than $25 million. Id. The available U.S. Census Bureau data does not provide a more precise estimate of the number of firms that meet the SBA size standard. We also note that according to the U.S. Census Bureau glossary, the terms receipts and revenues are used interchangeably, see https://www.census.gov/glossary/#term_ReceiptsRevenueServices. Additionally, based on Commission data in the 2021 Universal Service Monitoring Report, as of December 31, 2020, there were 71 providers that reported they were engaged in the provision of satellite telecommunications services. 
Federal-State Joint Board on Universal Service, Universal Service Monitoring Report at 26, Table 1.12 (2021), https://docs.fcc.gov/public/attachments/DOC-379181A1.pdf. Of these providers, the Commission estimates that approximately 48 providers have 1,500 or fewer employees. Id. Consequently using the SBA’s small business size standard, a little more than of these providers can be considered small entities. 52. All Other Telecommunications. This industry is comprised of establishments primarily engaged in providing specialized telecommunications services, such as satellite tracking, communications telemetry, and radar station operation. See U.S. Census Bureau, 2017 NAICS Definition, “517919 All Other Telecommunications,” https://www.census.gov/naics/?input=517919&year=2017&details=517919. This industry also includes establishments primarily engaged in providing satellite terminal stations and associated facilities connected with one or more terrestrial systems and capable of transmitting telecommunications to, and receiving telecommunications from, satellite systems. Id. Providers of Internet services (e.g., dial-up ISPs) or voice over Internet protocol (VoIP) services, via client-supplied telecommunications connections are also included in this industry. Id. The SBA small business size standard for this industry classifies firms with annual receipts of $35 million or less as small. See 13 CFR § 121.201, NAICS Code 517919. U.S. Census Bureau data for 2017 show that there were 1,079 firms in this industry that operated for the entire year. See U.S. Census Bureau, 2017 Economic Census of the United States, Selected Sectors: Sales, Value of Shipments, or Revenue Size of Firms for the U.S.: 2017, Table ID: EC1700SIZEREVFIRM, NAICS Code 517919, https://data.census.gov/cedsci/table?y=2017&n=517919&tid=ECNSIZE2017.EC1700SIZEREVFIRM&hidePreview=false. Of those firms, 1,039 had revenue of less than $25 million. Id. The available U.S.
Census Bureau data does not provide a more precise estimate of the number of firms that meet the SBA size standard. We also note that according to the U.S. Census Bureau glossary, the terms receipts and revenues are used interchangeably, see https://www.census.gov/glossary/#term_ReceiptsRevenueServices. Based on this data, the Commission estimates that the majority of “All Other Telecommunications” firms can be considered small. 53. Direct Broadcast Satellite (“DBS”) Service. DBS service is a nationally distributed subscription service that delivers video and audio programming via satellite to a small parabolic “dish” antenna at the subscriber’s location. DBS is included in the Wired Telecommunications Carriers industry which comprises establishments primarily engaged in operating and/or providing access to transmission facilities and infrastructure that they own and/or lease for the transmission of voice, data, text, sound, and video using wired telecommunications networks. See U.S. Census Bureau, 2017 NAICS Definition, “517311 Wired Telecommunications Carriers,” https://www.census.gov/naics/?input=517311&year=2017&details=517311. Transmission facilities may be based on a single technology or combination of technologies. Id. Establishments in this industry use the wired telecommunications network facilities that they operate to provide a variety of services, such as wired telephony services, including VoIP services, wired (cable) audio and video programming distribution; and wired broadband internet services. See id. 
Included in this industry are: broadband Internet service providers (e.g., cable, DSL); local telephone carriers (wired); cable television distribution services; long-distance telephone carriers (wired); closed-circuit television (CCTV) services; VoIP service providers, using own operated wired telecommunications infrastructure; direct-to-home satellite system (DTH) services; telecommunications carriers (wired); satellite television distribution systems; and multichannel multipoint distribution services (MMDS). By exception, establishments providing satellite television distribution services using facilities and infrastructure that they operate are included in this industry. Id. 54. The SBA small business size standard for Wired Telecommunications Carriers classifies firms having 1,500 or fewer employees as small. See 13 CFR § 121.201, NAICS Code 517311. U.S. Census Bureau data for 2017 show that 3,054 firms operated in this industry for the entire year. See U.S. Census Bureau, 2017 Economic Census of the United States, Selected Sectors: Employment Size of Firms for the U.S.: 2017, Table ID: EC1700SIZEEMPFIRM, NAICS Code 517311, https://data.census.gov/cedsci/table?y=2017&n=517311&tid=ECNSIZE2017.EC1700SIZEEMPFIRM&hidePreview=false. Of this number, 2,964 firms operated with fewer than 250 employees. Id. The available U.S. Census Bureau data does not provide a more precise estimate of the number of firms that meet the SBA size standard. Based on this data, the majority of firms in this industry can be considered small under the SBA small business size standard. According to Commission data however, only two entities provide DBS service - DIRECTV (owned by AT&T) and DISH Network, which require a great deal of capital for operation. See Annual Assessment of the Status of Competition in the Market for the Delivery of Video Programming, Eighteenth Report, Table III.A.5, 32 FCC Rcd 568, 595 (Jan. 17, 2017). 
DIRECTV and DISH Network both exceed the SBA size standard for classification as a small business. Therefore, we must conclude based on internally developed Commission data, in general DBS service is provided only by large firms. D. Description of Projected Reporting, Recordkeeping, and Other Compliance Requirements for Small Entities 55. We expect the actions proposed in the Notice, if adopted, will impose additional reporting, recordkeeping and/or other compliance obligations on small as well as other entities who are EAS Participants and Participating CMS Providers. More specifically, if adopted, EAS Participants and Participating CMS Providers would be required to annually certify to creating, updating, and implementing a cybersecurity risk management plan to ensure the confidentiality, integrity, and availability of their respective alerting systems. The cybersecurity risk management plan must contain among other things, a description of how organizational resources are employed to ensure the confidentiality, integrity, and availability of the alerting system. Further, any incident involving the unauthorized access to EAS equipment, communications systems, or services, regardless of whether the event resulted in the transmission of a false alert would require EAS Participants to report the unauthorized access to the Commission within 72 hours of when the EAS Participant knew or should have known that an incident has occurred. The Commission also seeks comment on whether and how to strengthen the operational readiness of the EAS. 56. In assessing the cost of compliance with our proposed rule to create a cybersecurity risk management plan, we estimate the cost for each small EAS Participant We believe that the overall cost for all 25,644 EAS Participants, not just small participants, to comply with the proposed certification requirement entails 10 hours of labor that is compensated at $90 per hour will be $21,028,080. 
and each Participating CMS Provider [Footnote: We believe that the overall cost for all 76 Participating CMS Providers, not just small providers, to comply with the proposed certification requirement, which entails 10 hours of labor that is compensated at $82 per hour, will be $62,320.] to be approximately $820. These costs are based on 10 hours of labor at $82 an hour and apply to all EAS Participants and Participating CMS Providers, not just small entities. We anticipate, however, that many small EAS Participants and Participating CMS Providers will not require 10 hours to develop or update a cybersecurity risk management plan tailored to the size of their organization. We believe the cost for reporting an unauthorized access incident would be similar to the cost of reporting a false alert, which the Commission has estimated to have a total cost of $11,600 per year across 290 EAS Participants. [Footnote: Amendment of Part 11 of the Commission’s Rules Regarding the Emergency Alert System, Wireless Emergency Alerts, PS Docket Nos. 15-94 and 15-91, Report and Order and Further Notice of Proposed Rulemaking, 33 FCC Rcd 7086, 7102, para. 38 (2018). This estimates the cost of reporting false alerts to be $11,600 per year based on an average of 290 EAS participants filing two false alerts per year.] This total cost when apportioned to each EAS Participant comes out to approximately $40 per EAS Participant. [Footnote: Id. The total cost of $11,600 divided by 290 EAS Participants equals $40 per participant.] 57. We estimate a $9.2 million one-time cost for all Participating CMS Providers, not just small providers, to update the WEA standards and software necessary to comply with our proposed rule that Participating CMS Providers transmit sufficient authentication information to allow mobile devices to present WEA alerts only if they come from valid base stations.
This figure consists of approximately a $500,000 cost to update applicable WEA standards and approximately an $8.7 million cost to update applicable software. We quantify the cost of modifying standards as the annual compensation for 30 network engineers compensated at the national average for their field ($85,816/year; $41.26/hour), plus annual benefits ($26,775/year; $12.87/hour) working for the amount of time that it takes to develop a standard (one hour every other week for one year, 26 hours) for 12 distinct standards. We quantify the cost of modifying software as the annual compensation for a software engineer compensated at the national average for their field ($86,998/year), plus annual benefits ($27,143/year) working for the amount of time that it takes to develop software (one year) at each of the 76 CMS Providers that participate in WEA. 58. At this time the Commission cannot quantify the cost of compliance for small entities to comply with the other proposals or approaches on which it seeks comment in the Notice. We believe that the modifications to improve and enhance the security of the EAS that we discuss in the Notice are the most efficient and least burdensome approach and do not believe small entities will have to hire professionals to meet the requirements discussed in the Notice, if adopted. To help the Commission more fully evaluate the cost of compliance for small entities should our proposals be adopted, in the Notice, we request comments on the cost implications of our proposals and ask whether there are more efficient and less burdensome alternatives (including cost estimates) for the Commission to consider. We expect the information we receive in comments, including cost and benefit analyses, will help the Commission identify and evaluate relevant matters for small entities, including compliance costs and other burdens that may result from the proposals and inquiries we make in the Notice. E.
Steps Taken to Minimize the Significant Economic Impact on Small Entities, and Significant Alternatives Considered 59. The RFA requires an agency to describe any significant, specifically small business, alternatives that it has considered in reaching its proposed approach, which may include the following four alternatives (among others): “(1) the establishment of differing compliance or reporting requirements or timetables that take into account the resources available to small entities; (2) the clarification, consolidation, or simplification of compliance or reporting requirements under the rule for such small entities; (3) the use of performance, rather than design, standards; and (4) an exemption from coverage of the rule, or any part thereof, for such small entities.” 5 U.S.C. § 603(c)(1)-(4). 60. The Commission has taken steps to minimize the impact of the proposals in the Notice as a general matter, and specifically targeting small entities, has sought comment on the extent to which we can limit the overall economic impact of these proposed requirements if we provide increased flexibility for businesses classified as small under the SBA small business size standard. Below we discuss actions taken and alternatives considered by the Commission for the rules proposed promoting the operational readiness of EAS equipment, improving awareness of unauthorized access to EAS equipment, communications systems, and services, and requiring the development, implementation, and certification of a cybersecurity risk management plan. 61. To further the Commission’s objectives to promote EAS equipment operational readiness, in the Notice we seek comment on whether to require EAS Participants to repair EAS equipment with prompt and reasonable diligence, on whether the EAS Participants should notify the Commission of the status of their repairs, and, if so, on the timing, content, and means of that notification. 62.
We seek comment on whether a compliance timeframe of 30 days from publication in the Federal Register of notice that the Office of Management and Budget (OMB) has completed its review of the modified information collection to improve the Commission’s visibility into the repair or replacement of non-operational EAS equipment would not impose a burden on small entities. Small and other EAS Participants currently make entries in their broadcast station logs and cable system records showing the date and time equipment was removed and restored to service, and therefore already have processes and procedures in place to record information about the operational status of their EAS equipment in station logs that could be utilized for the proposed notification requirement. In the event that the Commission were to alternatively require this notification to be provided through NORS, the requirement would become effective within 30 days from publication in the Federal Register of notice that the OMB has approved the modified information collection or upon publication in the Federal Register of a Public Notice announcing that NORS is technically capable of receiving such notifications, whichever is later. Similarly, this requirement should not impose a burden on small entities for the reason stated above and since EAS Participants are already likely to be using NORS. 63. Our approach to improving awareness of unauthorized access to EAS equipment, communications systems, and services relies on our belief that significant public safety benefits will accrue if EAS Participants were required to provide the Commission with notification that their EAS equipment, communications systems, and services have been accessed without authorization, even in the absence of a subsequent transmission of a false alert. 
The reporting requirement we proposed in the Notice requiring EAS Participants to provide notification to the Commission via NORS within 72 hours of when an EAS Participant knew or should have known that an incident has occurred should result in low marginal costs for small and other EAS participants since our requirement parallels the reporting obligations EAS Participants may have to other government agencies that require critical infrastructure sector entities to report cyber incidents. [Footnote: See 6 U.S.C. § 681b(c). CISA is required by the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) to adopt rules requiring critical infrastructure sector entities to report cyber incidents.] This would allow the requirement to be satisfied by reporting substantially similar information to another federal agency in a similar timeframe. See id. § 681b(a)(5)(B). We believe the cost to report unauthorized access is comparable to the cost of reporting false alerts, which further supports our belief that these costs will be relatively low for small and other EAS Participants. The total estimated cost of reporting false alerts is $11,600 per year based on an average of 290 EAS participants filing two false alerts per year. The total cost of $11,600 divided by 290 EAS Participants equals $40 per participant. In the Notice we have requested comments and cost and benefit analyses on our proposal and beliefs. In addition, we have requested alternative proposals (accompanied by cost analyses) for unauthorized access reporting requirements that would be less costly for small and other EAS Participants while producing similar or greater benefits. 64. The requirement for EAS Participants to report any incident of unauthorized access of its EAS equipment, communications systems, or services would be effective 60 days from publication in the Federal Register of notice that the OMB has approved the modified information collection.
Since we consider the requirement to report unauthorized access similar to the Commission’s false alert reporting requirement, there are likely to be compliance synergies for small and other EAS Participants, and less of a burden than there would be in the absence of the similarity. We therefore seek comment in the Notice on whether an EAS Participant’s process for ascertaining whether an incident of unauthorized access of its EAS equipment, communications systems, or services has occurred and reporting it to the Commission entails a level of effort comparable to compliance with the Commission’s false alert reporting requirement. 65. To further explore the impact of the cybersecurity risk management plan requirement proposed in the Notice, which requires small and other EAS Participants and Participating CMS Providers to create, implement, and annually update a cybersecurity risk management plan and submit an annual certification attesting to compliance with the requirement, the Commission seeks comment on steps that it could take to limit various burdens. In particular, the Commission requests comment on whether the steps that it describes for EAS Participants and Participating CMS Providers to submit their risk management plans are the most efficient way to implement a certification requirement. In the Notice, we propose to afford each EAS Participant and Participating CMS Provider the flexibility to include content in its plan that is tailored to its organization, provided that the plan demonstrates how the EAS Participant or Participating CMS Provider identifies the cyber risks that they face, the controls they use to mitigate those risks, and how they ensure that these controls are applied effectively to their operations. 66. The Commission also proposes to require that each plan include security controls sufficient to ensure the confidentiality, integrity, and availability (CIA) of the EAS.
While we believe there are numerous methods to satisfy this aspect of the requirement, we have proposed to allow the requirement to be satisfied by providing evidence of the successful implementation of an established set of cybersecurity best practices, such as applicable Center for Internet Security (CIS) Critical Security Controls [Footnote: See Center for Internet Security, Critical Security Controls version 8, https://www.cisecurity.org/controls (last visited Aug. 9, 2022) (CIS Critical Security Controls) (providing security controls grouped by priority and feasibility for different sizes and resources of businesses in Implementation Groups).] or the Cybersecurity & Infrastructure Security Agency (CISA) Cybersecurity Baseline. [Footnote: Cybersecurity & Infrastructure Security Agency, Cross-Sector Cybersecurity Performance Goals and Objectives, https://www.cisa.gov/cpgs (last visited Aug. 5, 2020); Cybersecurity & Infrastructure Security Agency, Cross-Sector Cybersecurity Performance Goals (CPGs) Common Baseline: Controls List (Draft), https://www.cisa.gov/sites/default/files/publications/Common_Baseline_v2_Controls_List_508c.pdf (last visited Aug. 5, 2020).] We believe adopting this flexible approach will allow EAS Participants and Participating CMS Providers to develop a plan that is appropriate for their organization’s size and available resources, while still ensuring that the plan results in ongoing and material improvements in EAS and WEA security. The Commission anticipates that this flexibility will reduce the costs imposed on small business EAS Participants and Participating CMS Providers, which will have different cybersecurity needs than larger EAS Participants and Participating CMS Providers, respectively.
We do note, however, that to ensure that every EAS Participant implements a baseline of security controls, the Commission proposes to require that each plan include certain security measures: changing default passwords prior to operation, installing security updates in a timely manner, securing equipment behind properly configured firewalls or using other segmentation practices, requiring multifactor authentication where applicable, addressing the replacement of end-of-life equipment, and wiping, clearing, or encrypting user information before disposing of old devices. 67. The Commission proposes to require compliance with the requirement to implement a cybersecurity risk management plan and certification within twelve months of the publication in the Federal Register of notice that the OMB has approved the modified information collection. We recognize that larger EAS Participants are likely to already have cybersecurity risk management plans in place. We ask whether we should allow small entities a two-year timeframe to implement this requirement. The two-year timeframe should provide sufficient time for small EAS Participants and small Participating CMS Providers that do not already have a risk management plan in place to create one. The timeframe would also be sufficient to prepare their organizations to manage security and privacy risks, categorize their systems and the information being processed, stored, and transmitted, and select controls to protect their systems. Further, a two-year timeframe would provide time for these entities to implement the security controls that the plan describes, assess whether the controls are in place, operating as intended, and producing the desired results, appoint a senior official to authorize the system, and develop mechanisms to continuously monitor control implementation and risks to the system. 68. 
In the Notice, the Commission identifies alternative approaches on several matters that might minimize the economic impact for small entities. For example, the Commission requests alternatives to providing a second notification to the Commission once repairs of EAS equipment have been completed, and the EAS Participant’s EAS systems have been tested and determined to once again be fully functional. The Commission seeks comment on potential alternatives to, and additional aspects of, the discussed approach, as well as their accompanying costs and benefits. The Commission recommends that EAS Participants file the required notifications regarding EAS equipment failures and repairs in the NORS database, but requests comment on other means EAS Participants could use to submit the notifications such as via email to a designated e-mail address. 69. The Commission expects to more fully consider the economic impact and alternatives for small entities following the review of comments filed in response to the Notice, including costs and benefits analyses. Having data on the costs and economic impacts of proposals and approaches will allow the Commission to better evaluate options and alternatives for minimization of any significant economic impact on small entities as a result of the proposals and approaches raised in the Notice. The Commission’s evaluation of this information will shape the final alternatives it considers to minimize any significant economic impact that may occur on small entities, the final conclusions it reaches, and any final rules it promulgates in this proceeding. F. Federal Rules that May Duplicate, Overlap, or Conflict with the Proposed Rules 70. None. STATEMENT OF CHAIRWOMAN JESSICA ROSENWORCEL Re: Amendment of Part 11 of the Commission’s Rules Regarding the Emergency Alert System, PS Docket No. 15-94; Wireless Emergency Alerts, PS Docket No. 15-91; Protecting the Nation’s Communications Systems from Cybersecurity Threats, PS Docket No. 
22-329; Notice of Proposed Rulemaking (October 27, 2022) October is Cybersecurity Awareness Month. It’s an opportunity to recognize the importance of cybersecurity, take action to protect ourselves, and raise awareness about the steps we can take to stay safe online. This year’s theme, “See Yourself in Cyber,” emphasizes that cybersecurity is an issue for everyone, everywhere. That includes the Federal Communications Commission—where the work we are doing puts network security front and center. We demonstrate that today with a rulemaking that would require Emergency Alert System and Wireless Emergency Alert participants to have a cybersecurity risk management plan in place and to ensure they have installed the most recent security patches. We then seek comment on other ways to improve the operational readiness of these systems, including reporting breaches to the agency. This effort will help ensure the function of these essential systems in emergencies and that the public can trust the warnings they receive. This is important because the Department of Homeland Security recently determined that some of this alerting infrastructure is susceptible to serious security vulnerabilities. While some patches have been released to fix these flaws, not everyone has installed them. We are committed to fixing that here and now. This month—again, Cybersecurity Awareness Month—I also shared with my colleagues a proposal that would update our equipment authorization procedures to prohibit the sale of telecommunications and video surveillance equipment from five Chinese vendors that could pose a national security risk. Last week, I joined Deputy National Security Advisor Anne Neuberger at a White House workshop to advance cybersecurity for the Internet of Things. 
Last week I also announced a first-of-its-kind settlement against Truphone that will require the company to divest its unvetted Russian ownership, pay a civil penalty, and put in place new security procedures to vet any new ownership through the Office of Foreign Asset Control at the Treasury Department. These efforts follow a series of other initiatives to keep our networks secure. We started by making our supply chains more transparent, by publishing the first-ever list of communications equipment and services that pose an unacceptable risk to national security. Since then, we’ve updated that list to add equipment and services from five additional entities. We are removing insecure equipment from our universal service programs and from our networks through the Secure and Trusted Communications Networks Act Reimbursement Program. Working with our national security colleagues, we have revoked the Section 214 operating authorities of four Chinese state-owned carriers. We also have worked with the Department of State to update the 20-year-old process used for approving submarine cable licenses and with the Department of Justice to address related national security concerns. In addition, I have proposed stricter data breach reporting rules and launched inquiries on the security of internet routing and the security of the Internet of Things in order to reduce cyber risk. I also rechartered the Communications, Security, Reliability, and Interoperability Council and, for the first time, designated the Cybersecurity and Infrastructure Security Agency as a co-chair. And as today’s rulemaking demonstrates, there’s more to come. Thank you to the Commission staff responsible for making all of this happen—and for ensuring that network security is now a priority for the agency. That is true during Cybersecurity Awareness Month and every month. 
A special thank you for today’s rulemaking goes to Debra Jordan, Nicole McGinnis, David Furth, Austin Randazzo, Rochelle Cohen, Ken Carlberg, James Wiley, Steven Carpenter, Minsoo Kim, Tara Shostek, Saswat Misra, Justin Cain, Shawn Cochran, John Evanoff, and David Sieradzki from the Public Safety and Homeland Security Bureau; Deborah Broderson and Douglas Klein from the Office of General Counsel; Aleks Yankelevich, Emily Talaga, Chuck Needy, and Cher Li from the Office of Economics and Analytics; Jeremy Marcus, Ashley Tyson, Janet Moran, Chris Sova, and Raphael Sznajder from the Enforcement Bureau; Charles Mathias and Ethan Jeans from the Wireless Telecommunications Bureau; Chana Wilkerson and Joy Ragsdale from the Office of Communications Business Opportunities; Zachary Ross from the Wireless Competition Bureau; and Sima Nilsson from the Media Bureau. STATEMENT OF COMMISSIONER GEOFFREY STARKS Re: Amendment of Part 11 of the Commission’s Rules Regarding the Emergency Alert System, PS Docket No. 15-94; Wireless Emergency Alerts, PS Docket No. 15-91; Protecting the Nation’s Communications Systems from Cybersecurity Threats, PS Docket No. 22-329, Notice of Proposed Rulemaking (October 27, 2022) As technology becomes more sophisticated and integral to public life, the risk and occurrence of cyber-attacks have also increased at an alarming rate. The threat of cyber-attacks has permeated through every industry with digital capabilities, including the domestic public warning system we use in the United States. Specifically, the Emergency Alert System (EAS) and the Wireless Emergency Alert (WEA) system are two significant components of the national public warning system. Both services exist to deliver urgent national public warnings from state, local, and federal authorities when there is emergency information necessary to protect people and property from danger, such as inclement weather, and AMBER alerts.
Given the significance of these services, it is especially important for the Commission to emphasize the security of EAS and WEA. Unfortunately, in the last decade, the Commission has been made aware of several incidents that raise concerns about the security of the EAS and WEA systems. EAS and WEA systems have become increasingly susceptible to malicious intrusions and cyber threats without sufficient security measures in place to protect them. According to data collected by the Public Safety and Homeland Security Bureau during the nationwide EAS test in August 2021, more than 5,000 EAS Participants were using outdated software or using equipment that no longer supported regular software updates. In the area of equipment operational readiness, the test also revealed that an appreciable number of EAS Participants were unable to participate in testing due to equipment failure. Most recently, on August 1, 2022, the Federal Emergency Management Agency (FEMA) issued an advisory on a potential vulnerability in certain EAS encoder/decoder devices that have not been updated to the most recent software versions. FEMA observed that if EAS devices are not up to date, an unauthorized actor could issue false EAS alerts over the EAS Participant’s infrastructure. The same week, the Commission released another Public Notice highlighting the need for EAS participants to secure their EAS equipment. We simply cannot leave our alerting systems unprotected. The proposals in the NPRM would require EAS Participants and Commercial Mobile Service (CMS) providers that participate in WEA to take several steps to increase the operational readiness of these systems and improve the Nation’s cybersecurity posture, including by addressing cybersecurity vulnerabilities that could be exploited by malicious cyber actors.
First, the item proposes that EAS participants report unauthorized access of their EAS equipment, communications systems, and services within 72 hours of when it knew or should have known that the incident occurred, with details of the incident. Second, it seeks comment on whether we should require the same for unauthorized access to WEA systems and equipment. This is an important step. Without notice, unauthorized access could continue unabated and spread to other EAS and WEA systems. I’m glad to see that the item has proposed to have the reporting period match the amount of time identified in the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA). I’ve consistently said that the Commission’s actions must be within the larger whole-of-government approach to protect our nation’s networks and infrastructure. I’m confident that this proposal will complement other efforts at the Cybersecurity and Infrastructure Security Agency as it implements the broader CIRCIA reporting requirements, and as we work together to secure our networks. The item also proposes to require EAS Participants and Participating CMS Providers to annually certify to creating, updating, and implementing a reasonably sufficient cybersecurity risk management plan to ensure the confidentiality, integrity, and availability of their respective alerting systems. I strongly support this proposal. Consistent with my recent efforts to push for providers receiving Universal Service Fund support to have cybersecurity risk management plans, it is integral that our networks are protected and that providers take affirmative steps to do so as part of their normal operations. To the extent that the Commission asks to see a copy of a provider’s cybersecurity risk management plan, I appreciate my colleagues agreeing to my edit to propose that these plans be presumptively confidential. It is important that providers view us as a partner on national security.
To be so, we need to ensure that we are doing our part to protect their networks when they share information with us. I also want to thank my colleagues for agreeing to another edit. As part of our proposal to require EAS Participants to adopt cybersecurity risk management plans, we will now seek comment on whether we should require the plans to be structured to follow the NIST Risk Management Framework or the NIST Cybersecurity Framework. The importance to the safety of life and property regarding EAS alerts cautions that allowing a cybersecurity risk management plan that doesn’t meet the structure of the NIST gold standards is likely to be ineffective. If, as Shakespeare once said, “what’s past is prologue,” we need to be vigilant to avoid a situation where so many EAS participants did not update their system. Our recent experience with those in the path of Hurricanes Fiona and Ian reiterated the importance of EAS and WEA alerts. We must ensure and safeguard EAS’s operational readiness. We must increase the Commission’s situational awareness of disruptions to EAS. And, we must further prevent instances of cyber-attacks on EAS and WEA. It is fitting that we are adopting this item now, as October is Cybersecurity Awareness Month. I thank the Public Safety and Homeland Security Bureau, and all the Commission staff that worked diligently on this item. It has my support.