Cyber Security Certification Program, 26171-26180 [2010-11162]

Agencies

• FEDERAL COMMUNICATIONS COMMISSION

[Federal Register Volume 75, Number 90 (Tuesday, May 11, 2010)]
[Proposed Rules]
[Pages 26171-26180]
From the Federal Register Online via the Government Printing Office [www.gpo.gov]
[FR Doc No: 2010-11162]


=======================================================================
-----------------------------------------------------------------------

FEDERAL COMMUNICATIONS COMMISSION

47 CFR Chapter I

[PS Docket No. 10-93; FCC 10-63]


Cyber Security Certification Program

AGENCY: Federal Communications Commission.

ACTION: Proposed rule.

-----------------------------------------------------------------------

SUMMARY: This document seeks comment on whether the Commission should 
establish a voluntary program under which participating communications 
service providers would be certified by the FCC or a yet to be 
determined third party entity for their adherence to a set of cyber 
security objectives and/or practices. The Commission also seeks comment 
on other actions it should take, if any, to improve cyber security and 
to improve education on cyber security issues. The Commission's goals 
in this proceeding are to increase the security of the nation's 
broadband infrastructure, promote a culture of more vigilant cyber 
security among participants in the market for communications services, 
and offer end users more complete information about their communication 
service providers' cyber security practices.

DATES: Comments are due on or before July 12, 2010 and reply comments 
are due on or before September 8, 2010.

ADDRESSES: You many submit comments, identified by PS Docket No. 10-93 
and/or rulemaking FCC 10-63, by any of the following methods:
     Federal eRulemaking Portal: https://www.regulations.gov. 
Follow the instructions for submitting comments.
     Federal Communications Commission's Web Site: https://fjallfoss.fcc.gov/ecfs2/. Follow the instructions for submitting 
comments.

[[Page 26172]]

     Mail: Parties who choose to file by paper can submit 
filings by hand or messenger delivery, by commercial overnight courier, 
or by first-class or overnight U.S. Postal Service mail. All filings 
must be addressed to the Commission's Secretary, Office of the 
Secretary, Federal Communications Commission. All hand-delivered or 
messenger-delivered paper filings for the Commission's Secretary must 
be delivered to FCC Headquarters at 445 12th St., SW., Room TW-A325, 
Washington, DC 20554. All hand deliveries must be held together with 
rubber bands or fasteners. Any envelopes must be disposed of before 
entering the building.
    Commercial overnight mail (other than U.S. Postal Service Express 
Mail and Priority Mail) must be sent to 9300 East Hampton Drive, 
Capitol Heights, MD 20743. U.S. Postal Service first-class, Express, 
and Priority mail must be addressed to 445 12th Street, SW., 
Washington, DC 20554. Parties who choose to file by paper must file an 
original and four copies of each filing. Include docket number PS 
Docket No. 10-93 and/or rulemaking FCC 10-63 in the subject line of the 
message.
     People with disabilities: Contact the FCC to request 
reasonable accommodations (accessible format documents, sign language 
interpreters, CART, etc.) by e-mail: FCC504@fcc.gov or phone: 202-418-
0530 or TTY: 202-418-0432.
    For detailed instructions for submitting comments and additional 
information on the rulemaking process, see the SUPPLEMENTARY 
INFORMATION section of this document.

FOR FURTHER INFORMATION CONTACT: Jeffery Goldthorp, Chief, 
Communications Systems Analysis Division, Public Safety and Homeland 
Security Bureau, at 202-418-1096.

SUPPLEMENTARY INFORMATION: This is a summary of the Commission's Notice 
of Inquiry (NOI) in PS Docket No. 10-93, FCC 10-63, adopted and 
released on April 21, 2010. The complete text of this document is 
available for inspection and copying during normal business hours in 
the FCC Reference Information Center, Portals II, 445 12th Street, SW., 
Room CY-A257, Washington, DC 20554. It is also available on the 
Commission's Web site at https://www.fcc.gov/headlines.html. This 
document may also be purchased from the Commission's duplicating 
contractor Best Copy and Printing, Inc., Portals II, 445 12th Street, 
SW., Room CY-B402, Washington, DC 20554, telephone (800) 378-3160 or 
(202) 488-5300, facsimile (202) 488-5563, or via e-mail at 
fcc@bcpiweb.com. To request materials in accessible formats for people 
with disabilities (braille, large print, electronic files, audio 
format), send an e-mail to fcc504@fcc.gov or call the Consumer & 
Governmental Affairs Bureau at 202-418-0530 (voice), 202-418-0432 
(tty).

Summary of the Notice of Inquiry

Background

    This NOI seeks comment on whether the Commission should establish a 
voluntary program under which participating communications service 
providers would be certified by the FCC or a yet to be determined third 
party entity for their adherence to a set of cyber security objectives 
and/or practices. The Commission seeks comment on the components of 
such a program, if any, and whether such a program would create 
business incentives for providers of communications services to sustain 
a high level of cyber security culture and practice. The Commission's 
goals in this proceeding are to: (1) Increase the security of the 
nation's broadband infrastructure; (2) promote a culture of more 
vigilant cyber security among participants in the market for 
communications services; and (3) offer end users more complete 
information about their communication service providers' cyber security 
practices. The Commission seeks comment on whether the program 
described herein would meet these goals. The Commission also seeks 
comment on other actions it should take, if any, to improve cyber 
security and to improve education on cyber security issues.
    In today's interconnected world, an increasingly greater amount of 
the nation's daily business depends on our rapidly growing broadband 
communications infrastructure. Banking, investment and commercial 
interests routinely rely on the durability and security of IP-based 
networks to move capital and to track goods and services around the 
globe. To put this development in perspective, while our nation's total 
GDP was just over $14T last year, two banks in New York move over $7T 
per day in transactions. Moreover, our medical and educational 
establishments increasingly rely on robust broadband communications 
networks to reach distant patients and students in real time. Further, 
all levels of government, from the national to the local level, 
similarly depend on our communications networks to provide services, 
serve the public, collect information and maintain security. Such 
services require the instantaneous, secure movement of vast amounts of 
data.
    The security of the core communications infrastructure--the 
plumbing of cyberspace--is believed to be robust. Yet recent trends 
suggest that the networks and the platforms on which Internet users 
rely are becoming increasingly susceptible to operator error and 
malicious cyber attack. For example, the Conficker botnet could be used 
to exploit vulnerabilities in underlying Internet routing technologies 
or other Internet mechanisms, thereby undermining the integrity of the 
Internet. There are also documented instances of distributed denial of 
service attacks on the Domain Name System infrastructure, a core 
Internet mechanism. Further, there recently has been an exponential 
growth in malware being reported. PandaLabs reports that in 2009 it 
detected more new malware than in any of the previous twenty years. It 
also reports that in 2009, the total number of individual malware 
samples in its database reached 40 million, and that it received 55,000 
daily samples in its laboratory, with this figure rise in the most 
recent months. Unfortunately this growth also happens at a time when 
enterprises are spending less on security. Nearly half (47%) of all 
enterprises studied in the 2009 Global State of Information Security 
Study reported that they are actually reducing their budgets for 
information security initiatives. In addition, a 2008 Data Breach 
Investigation Report concluded that 87% of cyber breaches could have 
been avoided if reasonable security controls had been in place.
    Given society's increasing dependence on broadband communications 
services and given trends suggesting our nation's increased 
susceptibility to operator error and malicious cyber attack, Federal 
entities, frequently in cooperation with the private sector, have been 
actively engaged in efforts to secure cyberspace. For example, the 
National Institute of Standards and Technology (NIST) has reached out 
to, and is using, private sector expertise to identify where barriers 
exist to information security standards development. The Federal Bureau 
of Investigation (FBI) has taken on a cyber mission that includes 
stopping those behind the most serious computer intrusions and the 
spread of malicious code, and the FBI together with Department of 
Justice lead the national effort to investigate and prosecute 
cybercrime. Moreover, the Department of Homeland Security's (DHS's) 
National Cyber Security Division has taken on the responsibility of 
seeking to protect the cyber security

[[Page 26173]]

of various critical sectors of the economy and government.
    The Commission also has been part of Federal efforts to secure 
cyberspace, and already has taken a series of steps given its statutory 
duty to make available ``a rapid, efficient, Nation-wide and world-wide 
wire and radio communication service with adequate facilities * * * for 
the purpose of the national defense [and] for the purpose of promoting 
safety of life and property through the use of wire and radio 
communication.'' 47 U.S.C. 151. First, the Commission was among the 
Federal agencies that contributed to the White House 60-Day Cyberspace 
Policy Review. This 60-day interagency document traced out a strategic 
framework to ensure that U.S. Government cyber security initiatives are 
appropriately integrated, resourced and coordinated with Congress and 
the private sector. Further, as his first act following confirmation, 
Chairman Julius Genachowski asked the Commission's Public Safety and 
Homeland Security Bureau (PSHSB or the Bureau) for an analysis and 
briefing within thirty days of his appointment on the FCC's 
preparedness for a major public emergency, including its preparation 
for, and response to, cyber emergencies.
    In its report, PSHSB noted that while the Commission had taken some 
actions to address cyber security, it recommended that the Commission 
take steps to expand its role in this important area. The Bureau 
observed that one means by which the Commission has sought to motivate 
industry to adopt effective cyber security measures has been through 
the former Network Reliability and Interoperability Council (NRIC). In 
December 2004, NRIC began issuing an extensive set of best practices 
for securing computers and other software-controlled network equipment, 
which are referred to as cyber security best practices.
    The Commission does not know whether there is wide-spread adherence 
to NRIC's cyber security best practices in the industry, or whether, if 
adopted, these best practices would be equally effective under all 
circumstances or for all broadband providers. The Commission believes 
that large organizations and commercial entities in particular are 
interested in the cyber security practices of their communications 
service providers, but notes that these customers of communications 
services have no effective way of knowing what the cyber security 
practices of competing providers may be. The lack of such information 
likely removes at least one significant incentive for providers fully 
to implement the NRIC best practices, in that they do not risk losing 
customers to networks with better security practices. The reduced 
incentive for heightened cyber security likely is compounded because a 
particular provider may not be motivated to exceed the security level 
of other interconnected network operators. Additionally, it appears 
that the sheer number of NRIC best practices may make it difficult for 
providers to prioritize them when determining how to invest their 
resources to improve network security. Moreover, the Commission's 
review of the best practices indicates that, in certain cases, they may 
provide too little specific guidance for network operators seeking to 
ensure that their operations meet objectively measurable cyber security 
criteria.
    In its comprehensive Broadband Notice of Inquiry (NOI), 24 FCC Rcd 
4342, the Commission posited a particular method of motivating 
broadband providers to adopt a cyber security culture. In the Broadband 
NOI, the Commission sought comment on the extent to which the Broadband 
Plan should address the cyber security issue, and if so, what steps the 
plan should take to secure the nation's most vulnerable broadband 
facilities and data transfers from cyber threats, such as espionage, 
disruption, and denial of service attacks. Specifically, the Broadband 
NOI asked whether the Commission should adopt a process whereby 
communications providers can certify their compliance with specific 
standards and best practices.
    To ensure that end users are fully protected from attacks that 
affect or occur over communications infrastructure, the recently 
released National Broadband Plan (NBP) recommended that the Commission 
initiate a proceeding to establish a voluntary cyber security 
certification regime that creates market incentives for communications 
service providers to upgrade the cyber security measures they apply to 
their networks. In making this recommendation, the NBP stated that a 
voluntary cyber security certification program could promote a culture 
of more vigilant network security among market participants, increase 
the security of the nation's communications infrastructure and offer 
end users more complete information about their providers' cyber 
security practices. The NBP further recommended that the Commission 
examine additional voluntary incentives that could improve cyber 
security and improve education about cyber security issues, as well as 
inquire about the international aspects of a certification program. 
This NOI represents an initial and necessary step to implementing these 
recommendations and enhancing the cyber security of our Nation's 
communications systems.

Discussion

Legal Authority
    The proposed certification program would further the Commission's 
core purposes as set forth in section 1 of the Communications Act: (1) 
The establishment of ``a rapid, efficient, Nation-wide and world-wide 
wire and radio communication service with adequate facilities,'' (2) 
``the national defense,'' and (3) ``promoting safety of life and 
property through the use of wire and radio communication.'' 47 U.S.C. 
151. The Commission seeks comment on the strongest sources of authority 
to create the proposed certification program, if any, and asks 
commenters to address whether different sources of authority would be 
required with regard to program participation by different types of 
communications providers.
    For example, the Commission seeks comment on whether the proposed 
certification program would fall within specific grants of authority in 
Title II and Title III. In addition, the Commission seeks comment on 
whether it could, if necessary, exercise ancillary authority to create 
a voluntary certification program. In particular, the Commission seeks 
comment on the scope of the Commission's ancillary authority, if any, 
to implement the proposed program in light of the recent decision of 
the United States Court of Appeals for the District of Columbia Circuit 
in Comcast Corporation v. FCC.
A Market-Based Incentives Program To Encourage Industry Cyber Security 
Practices
    As noted above, the Commission seeks comment on whether the FCC 
should establish a voluntary incentives-based certification program in 
which participating communications service providers will receive 
network security assessments by approved, private-sector auditors who 
will examine those provider's adherence to stringent cyber security 
practices that have been developed, through consensus, by a broad-based 
public-private sector partnership. Those providers whose networks 
successfully complete the assessment may then market their networks as 
complying with stringent FCC network security requirements.
    The Commission seeks comment on the benefits, advantages, 
disadvantages and costs of this program. For example, in proposing this 
program, the Commission hopes to create a

[[Page 26174]]

significant incentive for all providers to increase the security of 
their systems and improve their cyber security practices. Would the 
program envisioned meet this goal? Would such a program create an 
economic incentive that will lead service providers to implement best 
practices? Would it create incentives for small communications service 
providers? Would it create disadvantages for smaller communications 
service providers or present barriers to new entrants? If it does 
create such disadvantages and/or barriers, what can be done to mitigate 
such effects, if anything? What about those serving rural areas and/or 
tribal lands? The Commission also seeks comment on whether the public 
awareness of cyber security practices that could result from a cyber 
security certification program would contribute to broader 
implementation by industry.
    Would an FCC cyber security certification be an important factor in 
service provider selection by major customers, including consumers, 
businesses and all levels of government? From an end user perspective, 
would the program the Commission envisions, with its focus on market-
based incentives and consensus-based criteria, raise any concerns 
regarding the value of the program? If so, what actions could the 
Commission take, if any, to address those concerns, should it decide to 
move forward with establishing this program?
    The Commission anticipates that a communications provider's 
participation in the certification program discussed herein would be 
voluntary, but that by agreeing to participate, such communications 
providers would be bound by the program's rules. The Commission seeks 
comment on this approach. Would the advantages of a voluntary cyber 
security certification program outweigh any disadvantages of a 
voluntary program, i.e., that by its nature, it is not mandatory. Would 
a mandatory cyber security certification program better achieve the 
Commission's overall goals?
    To offset the administrative costs associated with the voluntary 
certification program, should the Commission collect fees from those 
communications service providers that decide to participate? If so, how 
should such fees be determined and collected? Would the resultant costs 
outweigh the program's value to participants?
Scope of Participation
    The Commission seeks comment on the scope of the certification 
program. Should the program, if implemented, be open to all 
communications service providers or should it be limited to certain 
types of providers? If the latter, which ones? Should it be focused on 
Internet Service Providers? The Commission observes that a program open 
to a more diverse set of entities may require the use of certification 
criteria that are so broad as to reduce the value of the certification 
program in the eyes of end-users and communications providers alike. Is 
there merit to this observation? Why or why not? Would restricting the 
applicants to Internet Service Providers permit a more focused, 
meaningful set of certification criteria? Should the Commission develop 
multiple sets of sector-specific certification criteria? The Commission 
anticipates that participation in this program, if established, would 
be limited to entities providing communications services within the 
United States and/or companies that own or operate communications 
assets in the United States, including non-U.S. entities that are 
authorized to do so. The Commission seeks comment on this approach.
General Network Cyber Security Objectives
    Under the program envisioned, the Commission would establish 
general cyber security objectives that would serve as the starting 
point for the program. These objectives would serve as the overarching 
policy goals that would then form the basis for the criteria on which 
participating communications service providers would be assessed. The 
Commission seeks comment on whether general security objectives could 
serve as a sufficient basis for the cyber security certification 
program on which it seeks comment today. Can a set of general security 
objectives, by highlighting significant cyber security threat areas, 
serve as a guide by which communications providers can develop and 
implement specific, assessable cyber security policies and practices? 
The Commission seeks comment on the following four possible security 
objectives that it proposes as the starting point of the security 
regime: (1) Secure equipment management; (2) updating software; (3) 
intrusion prevention and detection; and (4) intrusion analysis and 
response. Are these sufficient as the initial set? Should there be 
more? Fewer? Commenters are encouraged to be specific on this issue.
    Secure equipment management. The Commission recognizes that 
communications networks often rely on the ability to manage network 
equipment remotely and automatically; these capabilities can provide 
significant operational benefits. However, this remote management 
capability can also expose networks to significant risks of 
unauthorized access and systemic destruction. The Commission believes 
that good security practice directs network operators to install and 
maintain security management practices that cover all remotely managed 
equipment and to ensure, as fully as possible given current 
technologies, against damage or unauthorized access to network 
equipment.
    Updating software. Keeping system software up to date is essential 
to continued security of the network, as new vulnerabilities regularly 
come to light after network operators have placed software in operation 
in their networks. Accordingly, proper network-security practices 
require comprehensive version management and the prompt installation of 
software updates that effectively address level and severity of the 
threat that a particular vulnerability poses.
    Intrusion prevention and detection. Despite the best equipment 
management and patching practices, communications networks, by their 
very nature, will remain susceptible to intrusion and/or attack. 
Therefore, a necessary component of any security regime will be 
procedures to ensure timely and appropriate intrusion prevention, 
detection, and response. The Commission expects that these procedures 
will be calibrated to most quickly detect and respond to those network 
intrusions that, by virtue of their location, pose the greatest threat 
to the continued reliable and secure operation of the affected network.
    Intrusion analysis and response. Physical damage or disruption of 
network components, whether the product is of natural or man-made 
events, poses another significant threat to our communications 
networks. Accordingly, proper network-security practices dictate that 
network operators be prepared to quickly recognize and respond in the 
event that network components sustain physical damage or experience 
degraded operating efficiency. This would include having appropriate 
redundancies built into the network and having adequate repair and 
replacement plans, as well as spare equipment and software, for network 
components likely to sustain physical damage.
Role for the Private Sector
    Additionally, the Commission seeks comment on the role for the 
private sector that the Commission envisions in

[[Page 26175]]

this network-security regime. Should the private-sector bodies involved 
in this certification program have extensive responsibilities in this 
program, or should the Commission retain primary responsibility for the 
maintenance and administration of the proposed program? Given that the 
vast majority of U.S. communications infrastructure is privately 
controlled, once general cyber security objectives have been 
established could a certification authority--a private-sector body 
composed of major industry stake holders--responsibly take over the 
task of developing and maintaining the applicable security criteria? In 
particular, the Commission seeks comment on whether various private-
sector entities (or the Commission) should: (1) Be responsible for 
developing, maintaining and improving the list of network cyber 
security criteria; (2) have responsibility for accrediting the auditors 
who will conduct security assessments of communications service 
providers; (3) establish the assessment procedures and practices to 
guide those assessments; and (4) maintain a database of the 
communications services providers that have passed the assessments and 
are therefore entitled to market their services as meeting the FCC's 
cyber security certification requirements. Which entity should actually 
grant certifications for the cyber security program? Should it be the 
Commission, and if not, what should be the characteristics of the 
entity that would best perform this function? Additionally, the 
Commission seeks comment on whether the auditors should also be 
private-sector entities. If so, in order to prevent conflicts of 
interest, should the Commission prohibit the program's auditors from 
being affiliated, or having other relationships, with any of the 
entities with responsibility for the various other aspects of the 
certification program or entities that are participating in the 
program?
    The Commission seeks comment on whether significant private-sector 
involvement of this sort would serve the security goals of this program 
and thereby serve the public interest. While the Commission suggests 
that it may have the responsibility to establish or review the general 
security objectives and to serve as a final route of appeal when 
necessary, the Commission does not believe that it has the substantial 
resources needed to participate in the daily operation of the proposed 
cyber security certification program. On the other hand, the Commission 
believes that the private sector does have the resources necessary to 
keep such a program functioning quickly and efficiently. The Commission 
seeks comment on this issue. Furthermore, the Commission believes that 
manufacturers, users and communications providers have the most current 
knowledge of virtually every aspect of network technology. Accordingly, 
the Commission seeks comment on whether such private sector 
representatives would be able to contribute their up-to-date knowledge 
to the program in a way that would allow the program to be most 
effective in keeping pace with technological developments and in 
responding effectively to developing threats to the communications 
infrastructure. Would industry participants be concerned about their 
ability to share proprietary information in this way? How could the 
Commission alleviate these concerns, if at all, including through any 
structural safeguards? The Commission believes that this approach 
builds on its traditional approach to network reliability and security: 
the Commission has recognized industry's operational experience and 
personnel resources, and has applied them through mechanisms like the 
NRIC, MSRC, and most recently CSRIC. The Commission notes that it has 
previously charged the private sector with similar broad authority in 
the Part 68 mandatory certification regime governing the attachment of 
network terminal equipment. The Commission seeks comment on the 
feasibility and benefits of, and other relevant issues arising from, 
having the cyber security regime rely in this manner on the private 
sector, rather than primarily on Commission resources. The Commission 
also seeks comment on whether there exist any private entities that 
could perform the functions enumerated above. If so, who are they? If 
not, how could the Commission facilitate creation of such bodies, if at 
all?
    A certification program along the lines contemplated could very 
well require a significant level of administrative activity. Keeping 
this in mind, should the Commission establish a certification 
administrative entity? If so, should the entity acting as the 
``administrator'' be required, as part of its role, to establish and 
maintain a database of certificated networks/providers? More generally, 
what are the types of activities that should be performed by the 
program administrator?
    Although the Commission anticipates that the certification regime 
it envisions would be primarily administered by the private sector, the 
Commission seeks comment on whether it should retain the ability to 
guide the development of the program through its continued review of 
the general security objectives. Additionally, the Commission seeks 
comment on whether as part of its oversight authority, it should be 
available as a final avenue of appeal for certain decisions by the 
certification authority, the auditors and the other entities involved 
in the program. Does the public interest require that the Commission 
maintain a greater level of scrutiny or control with respect to the 
activities of particular entities? If so, the Commission seeks comment 
on what particular scrutiny or control, if any, would best protect the 
public interest. For example, would it unnecessarily delay the 
functioning of the certification authority--and its ability to respond 
to new network security threats--for the Commission to formally seek 
public comment on certification criteria that the authority may develop 
in the future? Alternatively, would the Commission's ability to set the 
general network security objectives and adjudicate appeals from action 
of the certification authority, if such ability exists, permit the 
Commission adequately to protect the public interest by influencing the 
operation and direction of the cyber security regime?
    Finally, it is possible that similar certification-related programs 
have already been implemented in the private sector. Are there existing 
industry-sponsored initiatives which seek to improve security and 
reliability of networks by certification, applying industry-established 
standards? If so, please comment on each initiative's scope, 
organization and participation. Comments are also requested on whether 
it would be beneficial and appropriate to utilize any relevant 
standards established by such groups in the Commission's cyber security 
certification program. Should the efforts of the Commission in the area 
of cyber security, if any, to establish a certification process for 
services providers be aligned with existing cyber security efforts 
either commercial or government, domestic or international? If so, 
which organizations should be considered and which specific points of 
alignment are relevant?
Security Criteria
    As noted above, the Commission envisions that participating 
communications service providers would be assessed based on a stringent 
set of criteria. The Commission seeks comment on the overall framework 
for the certification criteria. What role, if

[[Page 26176]]

any, should a standards development body play in establishing the 
criteria to determine if an applicant to the certification program is 
``certification worthy,'' and if such a role is appropriate, which 
entity should be responsible for such development? Is it possible to 
assess different management and operational models with a single set of 
generic criteria that measure an organization's commitment to providing 
cyber security? Why or why not? Alternatively, should the set of 
criteria vary based on the specific nature of the applicant's business? 
The Commission observes that this latter method might better measure 
the extent to which relevant cyber security measures are applied at a 
particular entity, how could assessments based on different sets of 
criteria be compared?
    The Commission seeks comment on possible criteria by which 
participating network operators would be assessed. The Commission 
believes that the assessment of any level of security must be based on 
objectively verifiable criteria. This assumes some kind of objectively 
accepted method of observing the network, for example, through direct 
examination by the Commission, reports by network providers and/or 
examination of the network by third parties. The Commission seeks 
comment on this view.
    The Commission also seeks comment on how to ensure that any 
criteria adopted keeps up with not only current but also evolving 
threats and technology. To obtain certification, should the Commission 
require a showing that certain defense-in-depth steps or measures have 
been taken, ones that are reasonably available and can deter/prevent 
certain types of hacking and other security breaches of broadband 
Internet services? For example, one existing cyber threat, ``MAC 
spoofing,'' is a technique whereby cyber hackers can remotely change an 
assigned Media Access Control address of a network device to a 
different one, allowing the cyber intruder to bypass access control 
lists on servers or routers, either ``hiding'' a computer on a network 
or allowing it to impersonate another computer. This technique can be 
not only harmful to the end user, but it can threaten the ability of 
the service provider's network to function as designed and to be 
available when required. Before a service provider applicant is granted 
a certificate, should the applicant be required to demonstrate 
particular best practices or other steps that have been taken to avert 
MAC spoofing, enhance detection of it, and take effective corrective 
action once detected?
    As Americans increasingly rely on broadband technology and IP-
enabled services in their everyday lives, they will want greater 
transparency from service providers. More specifically, consumers will 
want to be able to compare and judge the quality and robustness not 
only of the IP-enabled services provided by various providers, but also 
of the providers' cyber security programs, and related data (e.g. 
number of outages, number of security breaches, etc.) that may affect 
them. If greater transparency is expected from service providers, the 
providers would have incentive to improve their performance, and 
consumers would have access to important information unrelated to 
price, which to date has been difficult for them to obtain. Comments 
are requested on how the criteria could be structured to reward greater 
transparency among service providers so that consumers are able to 
obtain important types of data needed to guide their decisions on 
provider selection and on the extent to which they can reasonably rely 
on the security of their IP-enabled services.
    Alternatively, would a program based on the sorts of general cyber 
security objectives described above be effective? Could these general 
cyber security objectives serve as the basis of a case by case inquiry 
to measure the specific cyber security practices of individual 
communications providers? Assuming that it would be possible to arrive 
at cyber security criteria based on a mutually agreed upon set of 
general objectives, the Commission seeks comment on whether such 
security objectives could serve as the basis for a set of specific 
network cyber security criteria against which it would be possible to 
objectively measure the network-security practices of communications 
service providers. If so, could NRIC or CSRIC best practices serve as 
the criteria for a cyber security certification program? If not could 
the Commission establish a set of cyber security criteria?
    The Commission seeks comment on the procedure for updating the 
certification criteria or objectives. Should a single certification 
authority have ongoing responsibility for keeping the certification 
criteria in step with new developments in technology? Could it 
constantly apply the industry's evolving knowledge of how best to 
combat the most recent security threats? Whether such authority resides 
in an independent entity or the Commission, it will therefore be 
necessary to update the certification criteria on a regular basis. The 
Commission seeks comment on how this should occur.
Structure of Security Regime
    Membership. Given the central importance of the criteria to the 
continuing success of a cyber security certification program, it is 
important for the entity developing them to have access to as broad of 
a range of knowledge and experience in the relevant fields as possible. 
If a certification authority is established, the Commission believes 
that it should be fairly balanced in terms of the points of view and 
industry segments that sit on it. Accordingly, the Commission seeks 
comment on whether a certification authority should be open to all 
segments of the potentially affected industries, including incumbent 
and competitive wireline carriers; wireless and satellite providers; 
cable service providers; undersea cable operators, internet service 
providers (both facility and non-facility based); and providers of VOIP 
services. The Commission seeks comment on whether any other potentially 
interested groups or entities should also be involved.
    The Commission recognizes that a body representing so many diverse 
interests runs the risk of growing too large to be able to function 
effectively. Accordingly, the Commission seeks comment on how to ensure 
that a certification authority can be limited to a workable size 
without having the unintended result of arbitrarily restricting the 
participation of interests that should be involved in the authority's 
activities. The Commission also seeks comment on the applicability to 
the certification authority of the membership criteria set out in 
International Standard ISO/IEC 17011(E), particularly sections 4.2 
(Structure) and 4.3 (Impartiality).
    Assuming a certification authority possessed the significant degree 
of autonomy on which the Commission seeks comment, would it be 
necessary for the Commission to prescribe other rules regarding 
membership, such as procedures for admitting new members or time limits 
on the service of particular entities and individuals?
    Operating Procedures. Having charge, as it would, of the 
centerpiece of the cyber security regime, a certification authority 
would have the potential for significant impact--both positive and 
negative--on numerous entities in the communications industry. 
Accordingly, the Commission seeks comment on whether it would be 
necessary for the authority to reach its decisions through a process 
that appropriately preserves the rights of all affected parties. For

[[Page 26177]]

example, the American National Standards Institute (ANSI) has developed 
procedures to assist decision-making by consensus. In particular in the 
Part 68 Order, the Commission discussed the benefits of the 
Organization Method and the Standards Committee Method, both of which 
provide procedures to help ensure equal participation by entities 
participating in decision-making in large, diverse bodies. These ANSI 
procedures offer an array of due process protections. The Commission 
seeks comment on whether these decision-making requirements and/or any 
others should apply to the operations of the certification authority:
    a. The right of any person (organization, company, government 
agency, individual, etc.) with a direct and material interest to 
participate by expressing an opinion and its basis, having that 
position considered, and appealing if adversely affected.
    b. No undue financial barriers to participation, no conditions upon 
participation based on organization membership, and no unreasonable 
requirements for technical qualifications, etc.
    c. A requirement that the standards development process include a 
balance of interests and that it not be dominated by any single 
interest category.
    d. A requirement to actively seek and fully consider relevant, 
representative user views including individuals and organizations.
    e. A requirement that written procedures govern the methods used 
for standards development and will be available to any interested 
person.
    f. A requirement that the written procedures contain an 
identifiable, realistic, and readily available appeals mechanism for 
the impartial adjudication of substantive and procedural complaints 
regarding any action or inaction.
    g. Notification of standards activity shall be announced in 
suitable media; comment periods are specified.
    h. A requirement that prompt consideration be given to the written 
views and objections of all participants; a prompt effort shall be made 
to resolve all objections; each objector shall be informed in detail of 
the appeals process and how to proceed if the objector so desires.
    i. International standards shall be taken into consideration.
    j. The principle that it is generally not acceptable to include 
proper names or trademarks of specific companies in a standard, but a 
patented item may be used in a term if technical reasons justify this 
approach.
    The Commission also seeks comment on whether ANSI accreditation 
procedures should formally apply to the certification authority. If so, 
should it be the Organization Method or the Standards Committee Method 
that applies?
    As noted above, the Commission seeks comment on whether a cyber 
security certification authority and the entities serving on it be 
prohibited from serving as auditors under the program. Would such a 
restriction help reduce the potential for conflicts of interest or 
claims of undue influence in the process? The Commission seeks comment 
on this aspect of the proposal.
    Auditor Accreditation. As set out above, stringent, objective 
assessments of individual providers would compose an important part of 
the cyber security certification program on which the Commission seeks 
comment herein. Accordingly, should an independent auditor 
accreditation body, composed of private-sector entities with relevant 
expertise, be responsible for establishing the requirements that 
auditors must meet to be accredited to conduct cyber security 
assessments under the regime proposed today? Should the Commission 
delegate the precise details about the structure of the accreditation 
process to an accreditation body? The Commission anticipates, however, 
that the accreditation process will involve the advance publication of 
specific standards for the auditors involved in the program and an 
application and approval process through which auditors may seek 
inclusion on the list of those entities that have received official 
approval to conduct network security assessments. The Commission seeks 
comment on the foregoing aspects of the program. Should the Commission 
impose requirements on the auditor accreditation process to ensure 
competence, integrity and objectivity in the accreditation of auditors? 
If not, why should the Commission choose not to impose such 
requirements? In addition, should the Commission impose these 
requirements for auditor qualification in the application or approval 
process? Should it require that a certain number of auditors be 
accredited before the assessment or accreditation process may begin? 
Additionally, the Commission seeks comment on whether the auditor 
accreditation body should be required to meet the requirements and 
conditions of International Standard ISO/IEC 17011:2004(E) to the 
extent that it serves as an accreditation body for compliance auditors 
in this program.
    Given the narrow, specialized focus of the auditor accreditation 
body, the Commission expects that it will be appropriate for membership 
to differ substantially from that of the certification authority 
discussed above (both in the entities that are represented in each, as 
well as the individuals who would be involved in each activity). More 
generally, the Commission seeks comment on the appropriate composition 
of this body. What entities or industry segments should be represented 
on it? Should the Commission limit the body's size, given the 
relatively narrow focus of its work? As with the certification 
authority, the Commission proposes that members of the accreditation 
body and their affiliates be prohibited from serving as auditors in the 
cyber security program. Should the Commission place any other 
limitations on the membership of the accreditation body?
    The Commission seeks comment on whether the accreditation body 
should follow the consensus decision-making model discussed above in 
connection with the certification authority. The Commission seeks 
comment on whether it is necessary for it to provide any additional 
guidance on the operating procedures for the auditor accreditation 
body.
    Development of Assessment Standards. It would, of course, be 
necessary to develop assessment standards to guide the auditors' review 
of the cyber security measures of participating providers. As indicated 
above, the Commission seeks comment about whether the network-security 
criteria will be definitive and objectively measurable. The Commission 
has sought comment on whether it is feasible to establish such 
criteria, either on an objective, generally applicable basis, or on a 
case by case basis by using general cyber security objectives. Either 
way, the auditors likely will need additional guidance about how to 
apply the security criteria to particular providers. What role, if any, 
should a standards body play in this process? Should certain criteria 
only be applicable to specific types of providers? Should assessment 
standards set out which criteria apply to which types of providers? 
Additionally, the Commission seeks comment on whether it would be 
necessary to establish: (1) What portion of the applicable assessment 
criteria a provider must pass in order to successfully complete the 
assessment; (2) what percentage of a provider's operations the auditors 
must examine for compliance with applicable security criteria; (3) 
whether any level of self-certification by providers will be permitted 
on any of the assessment criteria; and (4) whether a particular 
assessment will be an ``examination

[[Page 26178]]

engagement'' or an ``agreed upon procedures audit.''
    If the certification program specifies only general security 
criteria, it may be necessary for the applicant to define in greater 
detail the specific security measures that would satisfy those general 
criteria. In such circumstances, a two-step process may be necessary: 
First, the certification authority would review and approve the 
applicant's proposed specific criteria, to ensure that they truly 
satisfy the general security criteria; and second, it would review and 
approve the applicant's satisfaction of those criteria. The Commission 
seeks comment on such an approach. Are there ways to minimize the need 
for applicants to self-define specific security criteria? Could the 
examination function of the certification entity consist mainly of 
approving the applicant's internal audit? Would this be a more 
efficient, less burdensome approach? The Commission believes that an 
objectives-based certification would give the certifying entity 
significant discretion to determine whether an applicant had satisfied 
a particular objective. Should there be some level of oversight to this 
discretion, either by an applicant appeal or by Commission review? The 
Commission seeks comment on these questions.
    Should the auditor accreditation body also develop these assessment 
standards, or should they be developed by a separate entity? If it is 
appropriate to constitute a separate entity for this task, the 
Commission seeks comment on the appropriate composition of such a body. 
Again, in light of the narrow focus of such a body, the Commission 
expects that this body likely would have a more limited membership than 
the proposed certification authority. Should the group developing 
assessment standards be required to involve members of the professional 
auditing community in some of these decisions, and, if so, how?
    Should the Commission prohibit the members of the assessment 
standards body and their affiliates from serving as auditors in the 
network security program? Should the Commission set additional 
limitations on the membership or operations of such a group? Should it 
direct the group to operate according to the consensus model discussed 
above in connection with the certification authority?
    Should the Commission seek public comment on proposed assessment 
criteria before they go into effect? Should the Commission exercise 
some other form of control or guidance over the development of the 
assessment criteria? As with the security criteria, the Commission also 
seeks comment on how frequently and through what mechanism the 
assessment procedures should be updated.
    Maintaining Assessment Results; Conferring Security Certificate. 
The final aspect of the network security program that the Commission 
proposes involves keeping records of successful assessment results. It 
appears that a database administrative entity may not need to possess 
the detailed results of the security assessment in order to perform its 
job of maintaining a publicly available database, but it also appears 
that both the audit plan for a particular communications service 
provider and the detailed results of an audit might well need to be 
preserved and made available to the Commission upon request. To that 
end, who should be responsible for keeping the detailed records? Who 
besides the Commission should be allowed access to such records? Upon 
the successful completion of a security assessment, should the auditor 
and the network operator jointly communicate the assessment results to 
an appropriate entity? Would the appropriate authority's receipt of 
this NOI be the event that entitled the communications service provider 
to begin marketing its services as having received the FCC's network-
security certification? Under this approach, would it be necessary for 
the Commission to receive notification of, or to confirm, the 
assessment results? Rather, should some private entity be responsible 
for creating and maintaining a publicly available database of the 
communications service providers that have met the applicable network 
security criteria by virtue of a successful assessment? The Commission 
seeks comment on this structure of the network security program, the 
retention of assessment results, the frequency with which entities must 
be recertified that have successfully completed the assessment 
certification process, and any requirements for upgrading security. For 
example, should recertification require upgrading of security based on 
products that are used in the market place? Should the certification 
process require that updates be applied before the onset of the next 
certification cycle? The Commission seeks comment on whether it should 
designate some entity, such as a standards development body, to perform 
this function or whether it should be done by the certification 
authority or some member thereof, if anything.
    Should the Commission seek to develop a process to track the 
effectiveness of the certification process with regard to improvements 
in cyber security realized, the cost to implement, and other factors 
that would seek to quantify the overall effectiveness of the program? 
If so, what factors should be considered, if any?
Appeals to the Commission
    Although the Commission has sought comment on a cyber security 
certification program as being largely a private sector process, it 
also seeks comment on whether public interest considerations would 
support giving participating parties the right to appeal adverse 
decisions to the Commission. For example, should parties be able to 
bring to the attention of the Commission instances in which they feel 
the certification authority has been either too strict or too lax in 
defining the security criteria? Should they be permitted to challenge 
assessment procedures; the accreditation of auditors; and the final 
result of an assessment? Should an aggrieved party be required 
initially to present its appeal to, and obtain a decision from, the 
certification authority, or other relevant program entity, before 
applying to the Commission for review? Should appeals to program 
authorities be subject to some relatively short deadline? Similarly, 
should appeals to the Commission be permitted only if filed within a 
limited period of time after the appeal decision of the relevant 
security program authority? The Commission seeks comment on this aspect 
of the proposed program and the time periods that would be appropriate.
Security Certificate
    Several additional questions arise in connection with the security 
certificate that would be conferred on providers that have successfully 
completed an assessment under the cyber security certification program. 
First, what should be the duration of the certificate? The Commission 
recognizes that communications technology and threats to cyber security 
are constantly evolving. Accordingly, it is reluctant to adopt a regime 
in which the certificate lasts for too long. Such an arrangement might 
reduce a provider's incentive to stay abreast of the latest industry 
developments. On the other hand, the Commission acknowledges that too 
short of a certification period (and the attendant repeat assessment 
obligation) might depress participation in this voluntary program. In 
attempting to balance these competing considerations, how long should 
the security certification last, after which a communications service 
provider would be required to pass another assessment?

[[Page 26179]]

The Commission seeks comment on this issue.
    A related issue on which the Commission seeks comment is the 
appropriate renewal process for the security certification. The 
Commission seeks comment on whether the initial assessment of a 
provider's network security practices will be relatively extensive. The 
Commission seeks further comment on whether the assessment preceding 
renewal of a security certification should be more truncated. 
Alternatively, should a provider be permitted a greater level of self-
certification in connection with a certificate renewal? Is the question 
of certificate renewal procedures one that the Commission should leave 
to the certification authority or the assessment standards body, or 
should the Commission, if anything, set certain threshold requirements 
on which the appropriate program authority can build later?
    The Commission also seeks comment on the permissible uses by 
providers of the security certification. As discussed above, the 
Commission envisions that the program, if implemented, would permit 
communications service providers to distinguish their services in the 
marketplace by advertising them as compliant with FCC-sanctioned 
security requirements. Is it necessary or appropriate to place limits 
on the manner in which providers that have received a certificate may 
use it? Is doing so consistent with applicable legal, including 
Constitutional, constraints on the Commission's action?
    The Commission seeks comment on what form the evidence of the 
security certificate should take. The Commission presently expects that 
it will develop an appropriate logo or emblem, analogous to that used 
for Part 15 devices, which a provider would display to indicate that it 
had received the security certification. Should an emblem of this sort 
be accompanied by short, stock text describing the security 
certification? If so, the Commission seeks comment on the appropriate 
phrasing.
Enforcement Matters
    The Commission seeks comment on whether any Commission enforcement 
process should accompany the cyber security certification process. For 
example, would it be necessary for the Commission, if anything, to have 
in place special procedures to address the situation if a provider 
incorrectly claims to have received the security certificate? Or, would 
it be sufficient for the certification authority and/or the Commission, 
if anything, to publish a statement correcting the provider's incorrect 
statement? In addition, the Commission seeks comment as to what 
enforcement process should be followed, if any, and what action, if 
any, should be taken for attempted misuse or actual misuse of the 
security certification or seal. How should applicants be treated who 
apply for certifications under false pretenses? What action, if any, 
should be taken if a communications service provider were to hold 
itself out to the public as having such a certification without being 
properly certified?
    The Commission expects that it would be unnecessary for it to have 
a separate enforcement process for the auditors in a cyber security 
certification program. Rather, the Commission expects that an auditor 
dissatisfied with a decision of the certification authority--presumably 
a decision to exclude the auditor from participation in the security 
certification program--would simply petition the Commission like any 
other dissatisfied party. The Commission seeks comment on this 
question. Is it necessary for the Commission to create any other 
mechanisms relating to dispute resolution specific to this program?
    Should the Commission, or a private sector entity, be responsible 
for deciding to revoke, suspend, or reinstate a revoked security 
certificate? If a certificate is suspended, how long should suspension 
last? If a certificate is revoked, how long should the service provider 
be required to wait before the Commission allows that provider to re-
apply for certification? Given that certifications may last for a 
particular duration and may possibly be renewed, several questions 
arise. Should a procedure be established to revoke or suspend a 
security certificate before its expiration date and, if so, what should 
the process entail? Should the Commission consider, if anything, 
revoking or suspending a security certificate for repeated network 
outages for violation(s) of the program's best practices/standards? 
What kinds of record-keeping or other requirements, if any, should be 
imposed on certificate holders in order to make the determination that 
a certificate should be revoked or suspended? The Commission seeks 
comment on these questions and on other actions it can take in this 
area.
Domestic and International Coordination
    The Commission recognizes that increasingly, broadband networks 
used by U.S. ISPs are connected to many other networks, including the 
electric grid and the financial sector. These connections exist within 
the United States as well as between the United States and other 
countries. The Commission seeks comment on cyber security efforts 
underway for these interconnected networks that could inform the 
certification program, as well as ways the Commission might wish to 
coordinate, if at all, the development of its certification program, if 
any, with firms and agencies related to these networks. The Commission 
also recognizes that work on the subject of cyber security is currently 
underway in various countries and in international organizations such 
as the International Telecommunications Union (ITU) and Organisation of 
Economic Cooperation and Development (OECD). The Commission invites 
comment on how those work efforts could inform the FCC's certification 
program, if at all, and how the Commission could share the expertise 
gained from this program with other countries and international 
organizations, if at all.
Other Cyber Security Incentives
    Apart from the issue of a certification program, the Commission 
seeks comment on other actions, including voluntary incentives the 
Commission can take to improve cyber security, if any. Are there 
effective and efficient methods that the Commission should consider, if 
any, that could ensure the cyber security of commercial broadband 
networks as they relate to national purposes such as public safety, 
consumers, healthcare, education, energy, government and security? 
Commenters suggesting ideas should provide details of their 
suggestions, including the benefits, advantages, disadvantages and 
costs. The Commission is interested not only in actions it can take on 
its own, but also ideas that the Commission might recommend to its 
Federal partners or to Congress, if any. The Commission also seeks 
comment on how to improve education on cyber security issues. What 
actions, if any, can the Commission take to better educate end users, 
including consumers, businesses and government agencies about cyber 
security? Are there, for example, educational and/or outreach 
activities in which the Commission, either alone or with other 
stakeholders (e.g., Federal agencies, state and local governments, 
private industry) should engage to assist individuals in protecting 
their personal computers and other devices? How can the Commission 
better educate the industry about best practices and other methods to 
enhance cyber security in their communications networks and systems, if 
at all?

[[Page 26180]]

    The Commission further notes that cyber threats to network end 
users also threaten the abilities of the service provider's network to 
function as designed and to be available when required. Such threats 
include, for example, the proliferation of botnets and from ``MAC 
spoofing,'' a technique whereby cyber hackers remotely change an 
assigned Media Access Control address of a network device to a 
different one, allowing the bypassing of access control lists on 
servers or routers, either ``hiding'' a computer on a network or 
allowing it to impersonate another computer. Therefore, the Commission 
seeks comment on steps that service providers should take, if any, to 
help detect and respond to threats to end users that take place on or 
through the service provider's network, and the extent to which best 
practices in this area would enhance detection and maximize 
effectiveness of response.

Procedural Matters

    Ex Parte Presentations. This matter will be treated as a ``permit-
but-disclose'' proceeding in accordance with the Commission's ex parte 
rules. See 47 CFR 1.1200 & 1.1206. Although a Notice of Inquiry 
proceeding is generally exempt from the ex parte rules, the Commission 
finds that the public interest is best served by treating this critical 
cyber security matter as a ``permit-but-disclose'' proceeding. See 47 
CFR 1.1200(a), 1.1204(b)(1). Persons making oral ex parte presentations 
are reminded that memoranda summarizing the presentations must contain 
summaries of the substance of the presentations and not merely a 
listing of the subjects discussed. More than a one-or two-sentence 
description of the views and arguments presented is generally required. 
Other rules pertaining to oral and written ex parte presentations in 
permit-but-disclose proceedings are set forth in Sec.  1.1206(b) of the 
Commission's rules, 47 CFR 1.1206(b).
    Comment Filing Procedures. Comments may be filed using: (1) The 
Commission's Electronic Comment Filing System (ECFS), (2) the Federal 
Government's eRulemaking Portal, or (3) by filing paper copies. See 
Electronic Filing of Documents in Rulemaking Proceedings, 63 FR 24121 
(1998). Comments may be filed electronically using the Internet by 
accessing the ECFS: https://fjallfoss.fcc.gov/ecfs2/ or the Federal 
eRulemaking Portal: https://www.regulations.gov. Parties who choose to 
file by paper must file an original and four copies of each filing.
    Filings can be sent by hand or messenger delivery, by commercial 
overnight courier, or by first-class or overnight U.S. Postal Service 
mail. All filings must be addressed to the Commission's Secretary, 
Office of the Secretary, Federal Communications Commission. Effective 
December 28, 2009, all hand-delivered or messenger-delivered paper 
filings for the Commission's Secretary must be delivered to FCC 
Headquarters at 445 12th St., SW., Room TW-A325, Washington, DC 20554. 
All hand deliveries must be held together with rubber bands or 
fasteners. Any envelopes must be d