To accompany its recently adopted modifications to the requirements for the Emergency Alert System (“EAS”), the Federal Communications Commission (“FCC”) has issued a Notice of Proposed Rulemaking (“NPRM”) to address the FCC’s ongoing concerns about operational readiness and the security of the EAS system from being acted or otherwise misused by bad actors.
Comments on these proposals are due on December 23, 2022, and reply comments are due by January 23, 2023.
In particular, the FCC is concerned that many stations are operating EAS equipment that does not have the latest software installed and is also troubled by the number of stations that do not have operational EAS equipment on any given day. In its latest NPRM, the Commission has questioned whether the current requirement that EAS equipment be repaired within 60 days is sufficient, and whether it should require notifications of malfunctioning equipment.
Aside from its worries about operational readiness of the EAS system, the FCC is also seriously concerned about the potential for bad actors to gain access to an EAS participant’s EAS equipment or associated infrastructure either to transmit a false alert or to interfere with transmission or reception of a legitimate alert. FCC rules currently require that EAS participants notify the FCC by e-mail within 24 hours of any discovery that a false alert has been transmitted to the public. It is now proposing to require that EAS participants also notify the FCC of any unauthorized access to either a participant’s EAS equipment or any part of the communications infrastructure, such as a firewall or Virtual Private Network. The proposal is that such notification would be made through the Network Outage Reporting System (“NORS”) within 72 hours.
In order to further address the issue of tampering with the EAS system, the FCC has further proposed to require EAS participants to certify annually that they have created, updated, and implemented a cybersecurity risk management plan. The NPRM is seeking input as to the specifics of such a requirement and how it should ensure that annual certifications reflect actual plans to address cybersecurity risks. As a part of that, the NPRM has proposed that any negligence in security practices that results in a false alert would itself be a violation of the FCC’s rules.
Should you have any questions concerning this matter, or if you would like assistance in filing comments, please do not hesitate to contact us.