Disruptions to Communications, 22796-22825 [2021-07457]
Download as PDF
22796
Federal Register / Vol. 86, No. 81 / Thursday, April 29, 2021 / Rules and Regulations
FEDERAL COMMUNICATIONS
COMMISSION
47 CFR Part 4
[PS Docket No. 15–80; FCC 21–34; FRS
20221]
Disruptions to Communications
Federal Communications
Commission.
ACTION: Final rule.
AGENCY:
In this document, the Federal
Communications Commission
(Commission) adopts final rules to
provide direct, read-only access to
Network Outage Reporting System
(NORS) and Disaster Outage Reporting
System (DIRS) filings to agencies of the
50 states, the District of Columbia, tribal
nations, territories, and Federal
Government that have official duties
that make them directly responsible for
emergency management and first
responder support functions, including
by: Allowing these agencies to share
NORS and DIRS information with
agency officials, first responders, and
other individuals with a ‘‘need to
know’’ who cannot directly access
NORS and DIRS and yet play a vital role
in preparing for, or responding to,
events that threaten public safety;
allowing participating agencies to
publicly disclose aggregated and
anonymized information derived from
NORS or DIRS filings; conditioning a
participating agency’s direct access to
NORS and DIRS filings on their
agreement and ability to preserve the
confidentiality of the filings and not
disclose them absent a finding by the
Commission allowing the disclosure;
and establishing an application process
that would grant eligible agencies access
to NORS and DIRS after those agencies
certify to certain requirements related to
maintaining the confidentiality of the
data and the security of the databases.
DATES: This rule is effective September
30, 2022.
FOR FURTHER INFORMATION CONTACT: For
further information, contact Saswat
Misra, Attorney-Advisor, Cybersecurity
and Communications Reliability
Division, Public Safety and Homeland
Security Bureau, (202) 418–0944 or via
email at Saswat.Misra@fcc.gov.
SUPPLEMENTARY INFORMATION: This is a
summary of the Commission’s Second
Report and Order, FCC 21–34, adopted
on March 17, 2021 and released on
March 18, 2021. The document is
available for download at https://
docs.fcc.gov/public/attachments/FCC21-34A1.pdf. To request this document
in accessible formats for people with
jbell on DSKJLSW7X2PROD with RULES2
SUMMARY:
VerDate Sep<11>2014
19:24 Apr 28, 2021
Jkt 253001
disabilities (e.g., Braille, large print,
electronic files, audio format, etc.) or to
request reasonable accommodations
(e.g., accessible format documents, sign
language interpreters, CART, etc.), send
an email to fcc504@fcc.gov or call the
FCC’s Consumer and Governmental
Affairs Bureau at (202) 418–0530
(voice), (202) 418–0432 (TTY).
The Federal Communications
Commission may delay this effective
date by publishing a document in the
Federal Register.
Paperwork Reduction Act:
The Second Report and Order
requires service providers to make
adjustments to their NORS reporting
processes to accommodate the
Commission’s adjustments to its NORS
web-based form pursuant to section 47
CFR 4.11. These adjustments and the
new requirement that agencies file
certification forms, pursuant to 47 CFR
4.2, to request access to NORS and DIRS
reports, constitute a modified
information collection. The information
collection requirements contained in the
rules that require OMB approval are
subject to the Paperwork Reduction Act
of 1995 (PRA), Public Law 104–13. The
information collection will be submitted
to OMB for review under 47 U.S.C.
3507(d), and will not take effect until it
is approved by OMB.
Congressional Review Act:
The Commission has determined, and
the Administrator of the Office of
Information and Regulatory Affairs,
Office of Management and Budget,
concurs, that this rule is non-major
under the Congressional Review Act, 5
U.S.C. 804(2). The Commission will
send a copy of this Order to Congress
and the Government Accountability
Office, pursuant to 5 U.S.C. 801(a)(1)(A).
Synopsis:
I. Introduction
1. Section 1 of the Communications
Act of 1934, as amended (the Act),
charges the Commission with
‘‘promoting safety of life and property
through the use of wire and radio
communications.’’ 47 U.S.C. 151. This
statutory objective and statutory
authorities cited below have supported
the Commission’s institution of outage
reporting requirements, codified in part
4 of our rules, that require providers to
report network outages that exceed
specified magnitude and duration
thresholds. The outage data that the
Commission collects pursuant to part 4
provide critical situational awareness
that enables the Commission to be an
effective participant in emergency
response and service restoration efforts,
particularly in the early stages of
communications disruption.
PO 00000
Frm 00002
Fmt 4701
Sfmt 4700
2. Currently, the Commission collects
network outage information in the
NORS and infrastructure status
information in the DIRS. This
information is sensitive for reasons
concerning national security and
commercial competitiveness, and the
Commission thus treats it as
presumptively confidential. The
Commission makes this information
available to the Department of
Homeland Security’s (DHS) National
Cybersecurity and Communications
Integration Center but does not share the
information more broadly with other
Federal, state, or local partners.
However, in a 2016 Report and Order
and Further Notice, the Commission
found that state and Federal agencies
would benefit from direct access to
NORS data and that ‘‘such a process
would serve the public interest if
implemented with appropriate and
sufficient safeguards.’’ 81 FR 45055,
45064 (July 12, 2016) (2016 Report and
Order and Further Notice).
3. Today’s Order bridges this gap and
promotes better information sharing and
awareness during times of emergency. It
creates a framework to provide state,
Federal, local, and Tribal partners with
access to the critical NORS and DIRS
information they need to ensure the
public’s safety while preserving the
presumptive confidentiality of the
information. Today’s actions will ensure
that these public safety officials can
appropriately and effectively leverage
the same reliable and timely network
outage and infrastructure status
information as the Commission when
responding to emergencies.
II. Background
4. Network Outage Reporting System
or NORS. In 2004, the Commission
adopted rules that require outage
reporting for communications providers,
including wireline, wireless, paging,
cable, satellite, VoIP, and Signaling
System 7 service providers, to address
‘‘the critical need for rapid, complete,
and accurate information on service
disruptions that could affect homeland
security, public health or safety, and the
economic well-being of our Nation,
especially in view of the increasing
importance of non-wireline
communications in the Nation’s
communications networks and critical
infrastructure.’’ These rules currently do
not extend to broadband networks. In
2016, the Commission sought comment
on whether its part 4 rules should be
updated to implement a proposed
system for the mandatory reporting of
broadband network outages and other
disruptions, including those based on
performance degradation. The proposals
E:\FR\FM\29APR2.SGM
29APR2
jbell on DSKJLSW7X2PROD with RULES2
Federal Register / Vol. 86, No. 81 / Thursday, April 29, 2021 / Rules and Regulations
in the 2016 Report and Order and
Further Notice remain pending.
5. Under these rules, certain service
providers must submit outage reports to
NORS for outages that exceed specified
duration and magnitude thresholds.
Service providers are required to submit
a notification to NORS generally within
two hours of determining that an outage
is reportable to provide the Commission
with timely preliminary information.
The service provider must then either (i)
provide an initial report within three
calendar days, followed by a final report
with complete information on the
outage within 30 calendar days of the
notification; or (ii) withdraw the
notification and initial reports if further
investigation indicates that the outage
did not in fact meet the applicable
reporting thresholds.
6. All three types of NORS filings—
notifications, initial reports, and final
reports—contain service disruption or
outage information that, among other
things, include: The reason the event is
reportable, incident date/time and
location details, state affected, number
of potentially affected customers, and
whether enhanced 911 (E911) was
affected. The Commission analyzes
NORS outage reports, in the short-term,
to assess the magnitude of major outages
and, in the long-term, to identify
network reliability trends and determine
whether the outages likely could have
been prevented or mitigated had the
service providers followed certain
network reliability best practices.
Information collected in NORS has
contributed to several of the
Commission’s outage investigations and
recommendations for improving
network reliability.
7. NORS filings are presumed
confidential and thus are withheld from
routine public inspection. 47 CFR
0.457(d)(vi), 4.2; 80 FR 34321 (June 16,
2015) (2015 Notice). The Commission
grants read-only access to outage report
filings in NORS to the National
Cybersecurity and Communications
Integration Center at DHS, but does not
directly grant access to other Federal
agencies, state governments, or other
entities. DHS, however, may share
relevant information with other Federal
agencies at its discretion. The
Commission also publicly shares
limited analyses of aggregated and
anonymized data to address
collaboratively industry-wide network
reliability issues and improvements.
8. Disaster Information Reporting
System or DIRS. In the wake of
Hurricane Katrina, the Commission
established DIRS as a means for service
providers, including wireless, wireline
cable service providers, and
VerDate Sep<11>2014
19:24 Apr 28, 2021
Jkt 253001
broadcasters, to voluntarily report to the
Commission their communications
infrastructure status and situational
awareness information during times of
crises. The Commission recently
required a subset of service providers
that receive Stage 2 funding from the
Uniendo a Puerto Rico Fund or the
Connect USVI Fund to report in DIRS
when it is activated in the respective
territories. DIRS, like NORS, is a webbased filing system. The Commission
analyzes infrastructure status
information submitted in DIRS to
provide public reports on
communications status during DIRS
activation periods, as well as to help
inform investigations about the
reliability of post-disaster
communications.
9. DIRS filings are also presumed
confidential and disclosure of
information derived from those filings is
limited. The Commission grants direct
access to the DIRS database to the
National Cybersecurity and
Communications Integration Center at
DHS. The Commission also prepares
and provides aggregated DIRS
information, without company
identifying information, to the National
Cybersecurity and Communications
Integration Center, which then
distributes the information to a DHS-led
group of Federal agencies tasked with
coordinating disaster response efforts,
including other units in DHS, during
incidents. Agencies use the analyses for
their situational awareness and for
determining restoration priorities for
communications infrastructure in
affected areas. The Commission also
provides aggregated data, without
company-identifying information, to the
public during disasters.
10. Expanding Access to NORS and
DIRS. In a 2015 Notice, the Commission
proposed to grant state governments
‘‘read-only access to those portions of
the NORS database that pertain to
communications outages in their
respective states.’’ The Commission also
asked if this access should extend
beyond states and include ‘‘the District
of Columbia, U.S. territories and
possessions, and Tribal nations.’’ The
Commission proposed to condition
access on a state or other agency’s
certification that it ‘‘will keep the data
confidential and that it has in place
confidentiality protections at least
equivalent to those set forth in the
Federal Freedom of Information Act
(FOIA).’’ The Commission sought
comment on other key implementation
details, including how to ‘‘ensure that
the data is shared with officials most in
need of the information while
maintaining confidentiality and
PO 00000
Frm 00003
Fmt 4701
Sfmt 4700
22797
assurances that the information will be
properly safeguarded.’’ Similarly, the
Commission sought comment on
sharing NORS filings with Federal
agencies besides the Department of
Homeland Security pursuant to certain
safeguards to protect presumptively
confidential information.
11. In a 2016 Report and Order and
Further Notice, the Commission found
that the record reflected broad
agreement that these agencies would
benefit from direct access to NORS data
and that ‘‘such a process would serve
the public interest if implemented with
appropriate and sufficient safeguards.’’
The Commission determined that
providing agencies with direct access to
NORS filings would have public
benefits but concluded that the process
required more development for ‘‘a
careful consideration of the details that
may determine the long-term success
and effectiveness of the NORS
program.’’
12. Finding that the record was not
fully developed and that the
‘‘information sharing proposals raise[d]
a number of complex issues that
warrant[ed] further consideration,’’ the
Commission directed the Public Safety
and Homeland Security Bureau (PSHSB)
to further study and develop proposals
regarding how NORS filings could be
shared with agencies in real time,
keeping in mind the information sharing
privileges already granted to DHS. The
Bureau subsequently conducted ex
parte meetings to solicit additional
viewpoints from industry, state public
service commissions, trade associations,
and other public safety stakeholders on
the issue of granting state and Federal
Government agencies direct access to
NORS and DIRS filings.
13. In a February 2020 Second Further
Notice, the Commission proposed to: (i)
Grant direct, read-only access to the
Commission’s NORS and DIRS filings to
agencies acting on behalf of the Federal
Government, the 50 states, the District
of Columbia, Tribal Nations, and the
U.S. territories that demonstrate that
they reasonably require access to
prepare for, or respond to, an event that
threatens public safety pursuant to their
official duties (i.e., that have a ‘‘need to
know’’); (ii) authorize participating
agencies to share copies of these filings,
and any other confidential information
derived from the filings, within or
outside their agencies when a recipient
also has a ‘‘need to know,’’ subject to
certain safeguards, (iii) allow the
recipient to further share the
confidential NORS and DIRS
information, directly or in summarized
form, with additional recipients; and
(iv) authorize any recipient to freely
E:\FR\FM\29APR2.SGM
29APR2
22798
Federal Register / Vol. 86, No. 81 / Thursday, April 29, 2021 / Rules and Regulations
jbell on DSKJLSW7X2PROD with RULES2
share aggregated and anonymized
information derived from the NORS and
DIRS filings of at least four service
providers. 85 FR 17818 (Mar. 31, 2020)
(Second Further Notice).
14. The Commission proposed to
safeguard the confidentiality of NORS
and DIRS information by conditioning
an agency’s direct access on agreements
to: (i) Treat NORS and DIRS filings as
confidential and not disclose them,
absent a finding by the Commission
allowing the disclosure; and (ii) provide
timely notification to the Commission
when the agency receives a request from
a third party to release NORS or DIRS
filings or related records and when
changes to statutes or rules would affect
the agency’s ability to adhere to the
Commission’s required confidentiality
protections.
III. Second Report and Order
15. With this Order, we conclude that
directly sharing NORS data with state
and Federal agencies, subject to
appropriate and sufficient safeguards, is
in the public interest, and we extend
this finding to include the sharing of
DIRS data. We limit eligibility for direct
access to our NORS and DIRS databases
to ‘‘need to know’’ agencies acting on
behalf of the Federal Government, the
50 states, the District of Columbia,
Tribal Nations, and the U.S. territories.
We also decide which agency
responsibilities constitute a ‘‘need to
know’’ and limit a participating
agency’s use of this information to those
purposes. We allow these agencies to
share confidential information derived
from NORS and DIRS filings with noncredentialed individuals at the
participating agency and at nonparticipating agencies on a strict ‘‘need
to know’’ basis. We also allow recipients
to release aggregated and anonymized
NORS and DIRS information to the
public and offer guidance on how that
aggregation and anonymization should
be performed.
16. To preserve the sensitive nature of
NORS and DIRS filings, we adopt
various safeguards, including limiting
agency access to events occurring
within an agency’s jurisdiction; limiting
access to five user accounts; requiring
initial and annual security training; and
requiring agencies to certify that they
will take appropriate steps to safeguard
the information contained in the filings,
including notifying the Commission of
unauthorized or improper disclosure.
We require that participating agencies
certify they will treat the information as
confidential and not disclose the
information absent a finding by the
Commission that allows them to do so.
We decline to allow non-participating
VerDate Sep<11>2014
19:24 Apr 28, 2021
Jkt 253001
agencies to further share the information
with others. Under today’s Order, we
hold participating agencies responsible
for any inappropriate disclosures of
information by the non-participating
agencies with which they share
information, including by retaining the
ability to terminate participating
agencies’ direct access to NORS and
DIRS.
A. Sharing NORS Filings With State,
Federal and Other Agencies
17. In the Second Further Notice, the
Commission tentatively concluded ‘‘that
sharing NORS data with state and
Federal agencies would serve the public
interest—provided that appropriate and
sufficient safeguards were
implemented’’ and sought to refresh the
record to inform next steps. We now
observe that industry, public safety
organizations, and government agency
commenters overwhelmingly support
the Commission’s proposal. We agree
with commenters concluding that
sharing NORS filings with other
agencies will improve situational
awareness during and after disasters,
enable agencies to better assess the
public’s ability to access emergency
communications, and assist with the
coordination of emergency response
efforts.
18. The Alliance for
Telecommunications Industry Solutions
(ATIS), however, maintains that while it
‘‘supports efforts that aid in restoral of
communications services and that help
save lives,’’ the sharing of NORS reports
will ‘‘generally not serve such
purposes’’ and NORS reports contain
information that is not relevant to
public safety. ATIS also argues that
specific NORS fields should not be
shared with agencies.
19. We reject ATIS’s view as it is
controverted by a number of
commenters explaining, with detailed
examples and based on knowledge of
their own day to day responsibilities
and operations, why the information
contained in NORS filings is relevant to
public safety by assisting in rapid
communications service restoration and
enhancing situational awareness. For
example, the Montrose Emergency
Telephone Service Authority (METSA)
believes that if the Colorado Public
Utilities Commission (COPUC) had been
granted NORS access following a July
2019 fiber cut, ‘‘the COPUC could have
assisted with generalized information
regarding areas which were truly
impacted by the outage.’’ In another
example, Massachusetts Department of
Telecommunications and Cable (MDTC)
believes that direct access to NORS data
would have provided it, local official
PO 00000
Frm 00004
Fmt 4701
Sfmt 4700
and town residents, businesses, and
government offices with ‘‘timely, and
therefore, actionable’’ information about
a recent wireline telephone service
outage. MDTC also believes that access
would have helped providers avoid the
burden of being contacted multiple
times by multiple parties.
B. Sharing DIRS Filings With State,
Federal and Other Agencies
20. In the Second Further Notice, the
Commission also proposed sharing DIRS
filings with eligible state and Federal
agencies and sought comment on the
anticipated benefits of sharing DIRS
filings. We adopt this proposal, finding
that sharing DIRS filings will enhance
public safety by improving participating
agencies’ situational awareness
regarding infrastructure status and
helping to inform their decisions on
how to allocate resources. No
commenters oppose the Commission’s
DIRS proposal. Rather, many agree that
sharing DIRS filings will provide the
benefits cited by the Commission in the
Second Further Notice, including
improving the effectiveness of response
and recovery efforts during and after
disasters and providing stakeholders
with actionable status of
communications outages.
Communications Workers of America
(CWA) states that ‘‘information
contained in the DIRS will be very
helpful to understand the status of
communications infrastructure in the
impacted area and to set restoration
priorities’’ following major events such
as wildfires and flooding. Other
commenters underscore that access to
both DIRS and NORS are vital to aid in
situational awareness and emergency
response initiatives because in the
counties where DIRS has been activated,
NORS reporting obligations are typically
suspended for the duration of the DIRS
activation.
21. Some commenters urge the
Commission to make DIRS reporting
mandatory. We decline to do so, as this
issue is outside of the scope of this
rulemaking. We agree with T-Mobile
that such action would go ‘‘beyond the
question of sharing NORS and DIRS
data and the manner in which the
information should be shared.’’ We also
note that as our priority with this
proceeding is ensuring that agencies
begin to receive critical information
about service outages to assist them in
their service restoration initiatives,
technical changes that may be
necessitated by making DIRS reporting
mandatory could delay such access.
E:\FR\FM\29APR2.SGM
29APR2
jbell on DSKJLSW7X2PROD with RULES2
Federal Register / Vol. 86, No. 81 / Thursday, April 29, 2021 / Rules and Regulations
C. Scope of Direct Access
22. Eligibility for direct access. In the
Second Further Notice, the Commission
proposed that direct access to NORS
and DIRS be limited to agencies acting
on behalf of the Federal Government,
the 50 states, the District of Columbia,
Tribal Nations, and the U.S. territories
(including Puerto Rico and the U.S.
Virgin Islands). We adopt this proposal.
23. The majority of commenters agree
with this proposal, typically without
significant comment. For example, TMobile remarks that limiting direct
access in this way strikes an appropriate
balance between disseminating NORS
and DIRS information to those who
most need it (i.e., to save lives and
property) and safeguarding the
information’s confidential nature. The
California Public Utilities Commission
believes that Tribal Nation eligibility is
appropriate since Tribal Nation
governments have oversight
responsibility for public safety matters
in their lands in the same manner as the
other entities that the Commission has
identified for direct access. We find that
limiting direct access to NORS and DIRS
filings is necessary to limit the risk for
the over disclosure of sensitive and
confidential information and to ensure
administrative efficiency. While the
Commission proposed to disallow direct
access by local agencies, it proposed
mechanisms to ensure that local
agencies and related entities and
individuals could indirectly access
NORS and DIRS information on a caseby-case basis. We adopt some of these
mechanisms today.
24. We reject Colorado Public Utilities
Commission’s view that Tribal Nation
entities should be eligible for direct
access only if they do not participate
directly in a state 911 program or have
their own 911 program. We find no
reason to treat Tribal Nations differently
than state agencies with respect to
NORS or DIRS information sharing, and
commenters have offered no new
evidence to warrant such a departure.
The Colorado Public Utilities
Commission’s approach appears to
assume that NORS and DIRS
information is only beneficial as it
relates to improving 911 service. In
contrast, we find that jurisdictions,
including Tribal lands, can benefit from
NORS and DIRS information for uses
beyond improved 911 performance.
This is corroborated, for example, by
The Utility Reform Network’s comments
evidencing that agencies serving Tribal
lands would have been better able to
transmit emergency evacuation alerts
during the 2019 California wildfire
event had they had access to outage
VerDate Sep<11>2014
19:24 Apr 28, 2021
Jkt 253001
information. We find that Tribal Nations
have a need for NORS and DIRS
information regardless of their
participation in a state’s 911 program.
25. We reject the position of some
commenters that at the state or local
level, only state-based fusion centers
(i.e., state-owned and operated centers
that serve as focal points in states and
major urban areas for the receipt,
analysis, gathering and sharing of threatrelated information among state, local,
Tribal, territorial, Federal and private
sector partners) should be eligible to
directly access NORS and DIRS data.
These commenters argue that fusion
centers are uniquely qualified for direct
access because they work closely with
state public safety agencies, are familiar
with handling, analyzing, and
summarizing sensitive information, and
typically operate around the clock or
because of their ‘‘connection to the
Federal Government.’’ We are not
persuaded.
26. Our experience over many years
indicates that many other types of
agencies have experience in
coordinating with public safety
agencies, handling sensitive
information, and working tirelessly
when disasters strike. No commenter
has argued or provided evidence that
fusion centers have specific expertise in
interpreting NORS and DIRS outage
information such that they alone should
disseminate it. Fusion centers are not
uniquely or solely qualified in this
regard. We therefore find no reason to
preclude otherwise eligible state
agencies from accessing NORS and DIRS
information, especially if such access
would enhance public safety response
and situation awareness. Contrary to
views posited by the IACP, we find no
administrative benefit in limiting
accessibility to NORS and DIRS
information to fusion centers. Instead,
by exercising our administrative
oversight for reviewing each application
for access to NORS and DIRS, as
detailed in today’s Order, the
Commission will be better able to
ensure that NORS and DIRS information
is used appropriately.
27. Local Agencies. We are not
persuaded by commenters who argue
that local agencies should be eligible for
direct access to NORS and DIRS because
they have the primary responsibility for
responding to emergencies. We find the
potential benefits of doing so are
outweighed by the substantial risks and
burdens of providing local agencies
with direct access.
28. As noted by some commenters,
local entity governments typically do
not have the level of experience
navigating the kinds of outage and
PO 00000
Frm 00005
Fmt 4701
Sfmt 4700
22799
infrastructure status information
contained in NORS and DIRS filings
that state agencies do. We agree with
USTelecom that providing direct access
to local entities would likely
exponentially increase the number of
participating entities, thus complicating
administration and increasing
opportunities for erroneous disclosure
of confidential information. We believe
such a large increase would render it
difficult or impossible for the
Commission to effectively administer
the sharing framework. Instead, we
believe that providing local entities
indirect access, through participating
agencies with direct access, will
sufficiently support the public safety
needs of localities while striking a fair
balance between sharing NORS and
DIRS information and minimizing the
potential for unauthorized disclosure.
29. We similarly reject the views of
some commenters that request that the
Commission provide local entities with
direct access purportedly so that state
agencies are not burdened by, and
delays are not created in, requiring them
to provide this information to local
entities themselves. Today’s framework
does not require, but only allows, these
agencies to share NORS and DIRS
information with local entities. As the
National Association of Regulatory
Utility Commissioners (NARUC) points
out, agencies collectively have more
resources dispersed across the country
than the Commission. We find that the
responsibility of disseminating
information to local entities is most
efficiently placed on this range of state
and other agencies, each with specific
knowledge and incentives to further
public safety in its own jurisdiction.
30. We also are not convinced that
allowing an agency with direct access to
share its credentials with an associated
local entity would alleviate our
administrative burdens and disclosure
risk concerns, as opined by the Texas 9–
1–1 Entities. We reject this approach
because it would allow direct access to
NORS and DIRS by local agencies
whose certifications have not been
reviewed and approved by the
Commission and are not directly
accountable to the Commission. We find
that a credential sharing scheme would
unacceptably increase the risk that our
training and other procedural safeguards
would not be implemented, which
would make it more likely that NORS
and DIRS filings could be improperly
used or disclosed.
31. We also find unconvincing, the
view of one commenter that ‘‘advocates,
researchers and the public,’’ among
others, should be eligible for direct
access purportedly ‘‘to hold
E:\FR\FM\29APR2.SGM
29APR2
jbell on DSKJLSW7X2PROD with RULES2
22800
Federal Register / Vol. 86, No. 81 / Thursday, April 29, 2021 / Rules and Regulations
telecommunications providers
accountable and monitor the
communications rights of impacted
communities.’’ This approach fails to
address the Commission’s findings that
have long treated NORS and DIRS
filings as presumptively confidential to
further national security and protect
commercially sensitive information. We
find that granting such broad access to
NORS and DIRS information would
effectively render that treatment moot
and thereby detract from these
objectives.
32. Eligible agencies must have a
‘‘need to know.’’ In the Second Further
Notice, the Commission proposed that
direct access to NORS and DIRS be
limited to eligible agencies that have a
‘‘need to know,’’ which was defined as
‘‘reasonably requir[ing] access to the
information in order to prepare for, or
respond to, an event that threatens
public safety, pursuant to its official
duties.’’ We today adopt a modified
definition of ‘‘need to know’’ that
includes only agencies that have official
duties that make them directly
responsible for emergency management
and first responder support functions.
33. Most commenters agree that direct
access should be limited to agencies
with a ‘‘need to know’’ to prevent the
over-disclosure of sensitive NORS and
DIRS information, though commenters
differ in their views on the appropriate
definition of the term. We are persuaded
by Verizon that a ‘‘need to know’’
should be defined to refer to an agency
‘‘having official duties making it
directly responsible for emergency
management and first responder support
functions.’’ We find that this definition
best achieves the goal of ensuring that
only agencies with the greatest and most
relevant public safety needs have access
to the sensitive information contained
in our NORS and DIRS databases. We
note that this definition for ‘‘need to
know’’ is more specific and narrow than
what the Commission proposed in the
Second Further Notice and will
minimize the number of disputes over
which agencies qualify for access, thus
preserving public safety resources. We
confirm NCTA’s view that an ‘‘event’’
giving rise to a ‘‘need to know’’ may be
either natural or ‘‘manmade.’’ While we
do not exhaustively enumerate here
every type of agency that may qualify
for access under our adopted ‘‘need to
know’’ standard, we expect that
qualifying agencies will include state
homeland security and emergency
management departments, state first
responder departments (including fire
and law enforcement departments), and
state public utility (or public service)
commissions. We agree with New York
VerDate Sep<11>2014
19:24 Apr 28, 2021
Jkt 253001
State Public Service Commission and
the Public Service Commission of the
District of Columbia that state public
utility and service commissions
typically support public safety and
emergency response efforts, including
by coordinating the restoration of
telecommunications in their
jurisdictions.
34. In view of the record, we disagree
with the views of the Competitive
Carriers Association and T-Mobile who
argued that the Commission’s earlier
proposed definition of ‘‘need to know’’
struck an appropriate balance between
ensuring that an appropriate set of
agencies will have access to NORS and
DIRS data for their public safety efforts
and reducing the likelihood of improper
disclosure. For the reasons noted above,
we find that a more objective and
narrower standard is necessary for
today’s program to be administrable and
to ensure that the sensitive information
in NORS and DIRS filings is not
disseminated broadly beyond a small set
of core agencies in each state or other
jurisdiction.
35. Demonstrating a ‘‘need to know.’’
An agency applying for direct access to
NORS and DIRS must demonstrate its
‘‘need to know’’ by citing to statutes or
other regulatory authority that
establishes it has official duties making
it directly responsible for emergency
management and first responder support
functions.
36. We agree with Verizon and NCTA
that an objective showing of legal
authority, in the form of statues or other
regulatory bases, is necessary as part of
the application process to ensure that
only qualified agencies have direct
access to NORS and DIRS filings. We
find that the approach we adopt today
will avoid protracted disputes and
subjective interpretations about what
roles and responsibilities an agency may
have during an emergency and will
guard against the over-disclosure of
sensitive NORS and DIRS information.
37. Scope of Use. In the Second
Further Notice, the Commission
proposed that NORS and DIRS
information accessed by participating
agencies be used only for public safety
purposes. We adopt this proposal and
clarify that the only valid public safety
purposes are the same purposes that
would give rise to a ‘‘need to know,’’
i.e., carrying out emergency
management and first responder support
functions that an agency is directly
responsible for pursuant to its official
duties.
38. Several commenters seek
confirmation that certain use cases are
permitted. We confirm commenters’
views that a participating agency’s
PO 00000
Frm 00006
Fmt 4701
Sfmt 4700
dissemination of information to other
individuals responsible for preparing
and responding to disasters is an
acceptable use. We also confirm
commenters’ views that the assessment
of emergency notification options
available in areas impacted by an outage
or disaster, including determining
whether Wireless Emergency Alert
messages can be delivered and, if not,
coordinating alternate methods of
notification, is an acceptable use. We
further confirm the views of the
Telecommunications Regulatory Bureau
of Puerto Rico and other commenters
that identifying trends and performing
analyses designed to make long-term
improvements in public safety outcomes
are acceptable uses. We agree that these
long-term efforts are critical for
preparing for events that threaten public
safety in ways that will reduce the loss
of life and property in future outage and
disaster scenarios. We are similarly
persuaded by the Massachusetts
Department of Telecommunications and
Cable, which explains the potential
value of NORS and DIRS information in
its analyses used to improve service and
avoid future outages, and the Michigan
Public Service Commission, which
explains that the information would
assist in understanding the nature of
outages, ultimately resulting in more
resilient networks. We find that these
uses reflect carrying out emergency
management and first responder support
functions by informing the public of
danger, or preparing in advance for such
danger, to avoid the loss of life and
property.
39. We expressly forbid the use of
NORS and DIRS information obtained
through the procedures we adopt today
for non-emergency-related regulatory
purposes, including merger review,
consumer protection activities, contract
disputes with a state, or the release of
competitive information to the public.
We agree with commenters that such
uses of NORS and DIRS data would be
inconsistent with the public safety
purposes for which the sharing
framework was created. Moreover, such
uses could create counter-productive
incentives for providers to supply
superfluous information in their NORS
and DIRS disclosures thereby
diminishing the public safety value of
these filings.
40. 911 fee diversion. In the Second
Further Notice, the Commission sought
comment on whether it should exclude
from eligibility agencies located in
states that have diverted or transferred
911 fees for purposes other than 911 and
how it should address agency access in
states that have inadequately responded
to Commission inquiries about their
E:\FR\FM\29APR2.SGM
29APR2
Federal Register / Vol. 86, No. 81 / Thursday, April 29, 2021 / Rules and Regulations
practices for using 911 fees. We decline
to exclude agencies located in fee
diverting states from eligibility in
today’s information sharing framework.
41. Nearly all commenters reject the
exclusion of agencies on grounds that
they are located in states that have
engaged in fee diversion or provided an
inadequate disclosure of their fee
practices to the Commission. We agree
with those commenters who remark that
access to NORS and DIRS information,
and the important public safety benefits
associated therewith, should not be
conditioned on whether a state engages
in 911 fee diversion. We find this point
particularly compelling since, as noted
by Colorado Public Utilities
Commission and NASNA, diversion
may be an act of the state legislature
rather than the agency seeking access to
NORS and DIRS information.
42. We find that the benefits of
providing NORS and DIRS information
to entities in these states outweigh the
possibility that withholding this
information may incentivize legislatures
to reconsider fee diversion decisions,
particularly as no commenters offered
evidence supporting this view. On
September 30, 2020, the Commission
adopted a Notice of Inquiry seeking
comment on ways to dissuade states and
territories from diverting fees collected
for 911 to other purposes, and on the
effects of 911 fee diversion. We are not
persuaded otherwise by T-Mobile’s
conclusory statement supporting the
exclusion of agencies, which in relying
on comments filed in an unrelated
proceeding, fails to address the potential
negative impacts of withholding NORS
and DIRS information from agencies or
the extent to which doing so would
motivate legislatures to reconsider their
fee diversion decisions.
jbell on DSKJLSW7X2PROD with RULES2
D. Confidentiality Protections
43. Direct access conditioned on
confidential treatment by agencies. In
the Second Further Notice, the
Commission proposed that the
Commission make all confidentiality
determinations implicating the release
of confidential NORS and DIRS
information pursuant to today’s
program. The Commission proposed
that a participating agency only receive
direct access to NORS and DIRS filings
if it could agree, under its governing
laws, that when it received a request to
release NORS or DIRS information
under open record laws in its
jurisdiction, it would defer to and
comply with a Commission
determination and not disclose the
filings other than as expressly allowed
in today’s Order or any subsequent
VerDate Sep<11>2014
19:24 Apr 28, 2021
Jkt 253001
Commission determinations. We adopt
this proposal.
44. The majority of commenters,
including state and local entities, and
industry advocacy organizations,
support this approach. We agree with
Verizon that this approach is ‘‘essential’’
to protecting NORS and DIRS
information, because requests for
disclosure of confidential information
would be determined uniformly rather
than being left to a patchwork of varying
open records law standards among
jurisdictions. We also agree with the
IACP, which stresses that without the
Commission’s role in reviewing
requests, public safety entities could
face ‘‘nuisance lawsuits’’ and have their
scarce public safety resources diverted
as they become ‘‘embroiled in legal
challenges or extended discussions
regarding the confidentiality of NORS
and DIRS information.’’ We find that
our approach would create a necessary,
simple mechanism to control the flow of
confidential NORS and DIRS
information, even when state and other
open records laws vary.
45. Commenters confirm that this
proposal is workable in practice. A
number of state public utility
commissions identify exemptions in
their open records laws that allow them
to defer to the Commission’s FOIA
determination in place of making their
own. Moreover, no commenter contends
that there is a jurisdiction that would
not be able to defer to the Commission
pursuant to the jurisdiction’s open
records and other relevant laws. We
agree with The Utility Reform Network
that state, Federal and Tribal Nation
entities are well versed in handling
confidential material based on their
other programs and that they would
therefore be able to adhere to today’s
confidentiality requirements. We
similarly agree with the California
Public Utilities Commission and
Massachusetts Department of
Telecommunications and Cable, which
bolster this point by noting that today’s
confidentiality requirements are familiar
to many participating agencies because
they resemble ones the Commission
separately established for the sharing of
presumptively confidential data with
states in separate programs involving
the Form 477 database and the North
American Numbering Plan
Administrator database.
46. We are unpersuaded on the
current record that the presumption of
confidentiality for all NORS and DIRS
information is not fully warranted, as
some commenters argue. While these
commenters contend that NORS and
DIRS information often does not contain
information that is sensitive for national
PO 00000
Frm 00007
Fmt 4701
Sfmt 4700
22801
security reasons, no commenter
provides practical guidance on how to
distinguish at an operational level those
reports that contain such sensitive
national security information (or
sensitive business information) from
those that do not. Because we did not
seek comment on this question, and
because the record is incomplete as to
the types of information, or the specific
fields in NORS and DIRS, that these
commenters believe should not receive
confidential treatment, we are not in a
position today to decide upon the merits
of these views. We also find that these
commenters fail to address the
possibility that a collection of NORS
and DIRS filings could reflect patterns
that implicate national security, even
when filings taken individually may
not. Moreover, given that we maintain
the presumption of confidentiality as to
our own use of NORS and DIRS data, we
find it logical to require that
participating agencies, and those who
receive information from them, be held
to the same type of confidentiality
standards. To do otherwise would allow
these entities to disclose the data in
ways that would contradict and render
meaningless the Commission’s own
presumptively confidential treatment.
Based on the lack of new information
provided by commenters on the current
record, we decline to reverse at this time
the Commission’s long-held view that
NORS and DIRS information warrants
confidential treatment. The Commission
acknowledges that some commenters
assert that public access to some outage
information would benefit the public,
and nothing we do today permanently
forecloses us from examining this issue
further in the future.
47. We also find unpersuasive the
view of the California Public Utilities
Commission that ‘‘industry’s
perception’’ of the confidentiality of
NORS and DIRS data is changing,
merely because Verizon and other
service providers have decided to
increase their public disclosure of
outage information around major
communications outage events. On the
contrary, we believe that a rollback of
the Commission’s presumption of
confidentiality of NORS and DIRS data
would actually have the opposite effect
of discouraging companies from
voluntarily taking meaningful
incremental steps to make more
information available.
48. We also reject NTCA’s position
that today’s framework should go
further and shield NORS and DIRS
filings from any disclosure in response
to a request filed under state-level
FOIA-type laws. The approach we adopt
today permits disclosure only when the
E:\FR\FM\29APR2.SGM
29APR2
jbell on DSKJLSW7X2PROD with RULES2
22802
Federal Register / Vol. 86, No. 81 / Thursday, April 29, 2021 / Rules and Regulations
state defers to the Commission and the
Commission makes a determination,
based on the Federal FOIA standard,
permitting the disclosure. Because the
Commission will consider requests
made under state-level open records
laws identically to requests made under
FOIA, NORS and DIRS information
would not be better protected from
inappropriate disclosure by specifically
blocking from consideration any
requests received by participating
agencies under their open records laws.
We also reject NARUC’s view that the
Commission’s proposal is unnecessary
since ‘‘to avoid concerns [in] the tiny
minority of States that have arguably
deficient FOIA-type protections inplace,’’ the Commission need only
condition access to the data on states
providing some level of confidential
treatment. We have not found any
practical way to identify the purported
‘‘tiny minority’’ of states that have
deficient open records laws. Even
among states that have ‘‘non-deficient
laws,’’ we expect that the substance of
those laws is likely to vary in ways that
would result in the different treatment
of certain NORS and DIRS data fields
from jurisdiction to jurisdiction. In
contrast, the Commission’s proposal
would advantageously provide a
uniform confidentiality standard and
thus better protect confidential NORS
and DIRS information from
unauthorized disclosure.
49. Agency notifications to the
Commission proposed in the Second
Further Notice. In the Second Further
Notice, the Commission proposed to
require that a participating agency
notify the Commission: (i) Within 14
calendar days from the date the agency
receives a request from third parties to
disclose NORS filings and DIRS filings,
or related records, pursuant to its
jurisdiction’s open record laws or other
legal authority that could compel it to
do so, and (ii) at least 30 calendar days
prior to the effective date of any change
in relevant statutes or rules (e.g., its
open records laws) that would affect the
agency’s ability to adhere to the
confidentiality protections in this
information sharing framework. We
adopt these proposals.
50. Commenters generally support
these proposals and no commenter
expressly opposes them. We find that
the 14-day notification we adopt today
will allow the Commission take
appropriate action, including (at the
Commission’s option) notifying an
affected service provider so that the
provider can supply its comments on
the matter if permitted under the
jurisdiction’s open records law. We find
that the 30-day notification we adopt
VerDate Sep<11>2014
19:24 Apr 28, 2021
Jkt 253001
today will provide the Commission with
an opportunity to determine whether to
terminate an agency’s access to NORS or
DIRS filings or take other appropriate
steps as necessary to protect this
information. As noted in the Second
Further Notice, we find that these
proposals will help ensure consistency
in disclosure by many disparate
agencies that will receive this
information under the terms of today’s
Order and will instill confidence that
submitted information will continue to
be protected as it is today.
51. Additional notifications proposed
by commenters. We reject the views of
commenters that additional
notifications from the Commission or
participating agencies are necessary to
ensure that service providers can
dispute various types of requests for
NORS and DIRS information and thus
protect the confidentiality of their
shared information. ATIS argues that we
should require a notification from a
participating agency within 14 days of
when it receives a request to share
NORS and DIRS data with a local
agency. ATIS also argues that for both
this notification and the 14-day
disclosure request notification the
Commission proposed in the Second
Further Notice, the Commission should
be required (as opposed to have the
option) to notify service providers to
allow them sufficient opportunity to
provide any input. ATIS further argues
that we should also require participating
agencies to notify service providers at
least 30 calendar days prior to the
effective date of any change in relevant
statutes or rules that could implicate the
providers’ filings. CenturyLink similarly
argues that service providers should be
made aware when a local agency
receives access to NORS and DIRS data.
ACA Connect contends that an agency
should be required to submit,
apparently to the Commission, the name
of all recipients that it shares
information with.
52. We reject these views, including
to the extent they would require that
participating agencies provide
notification directly to service
providers. Our rules require that the
Commission provide notice to service
providers, and allow them an
opportunity for comment, when it
receives FOIA requests for their NORS
and DIRS filings. 47 CFR 0.461(d)(3).
Today’s rules require that a
participating agency provide the
Commission, not service providers, with
notice when it receives a request for the
NORS and DIRS filings under its state
or other open-records laws. We find that
the burden of requiring participating
agencies to provide a voluminous
PO 00000
Frm 00008
Fmt 4701
Sfmt 4700
number of new notifications to service
providers on receipt of sharing requests
(which are likely to be received when
major outages or other public safety
events are on-going) to be an
unwarranted diversion of scarce public
safety resources from state, Tribal
Nation, and local agencies when they
may be needed most. We further note
that providers have the ability and
incentive to monitor potential changes
in confidentiality laws (where the
providers operate) as a matter of general
business practice, and we find it
redundant and inefficient to ask
participating agencies to commit their
limited resources to this task. To
address the concerns of record that
providers would not receive notice
when the Commission is notified of a
request under state-level open records
laws, Commission Staff will post a
notification to the Commission’s
Electronic Filing Comment System
(EFCS) in the present docket, on receipt
of such notification from a participating
agency, identifying the existence of the
open records request, the jurisdiction
under which the request was received
and the service provider(s) whose filings
are implicated by the request. Interested
parties, including service providers,
may use the push notification feature in
ECFS to receive an alert when filings
have been posted in the present docket,
further facilitating prompt notification.
We find that this approach
appropriately balances providing
notification to service providers of the
existence of such requests with our
concerns that requiring participating
agencies to provide direct notifications
to providers could be overly
burdensome of scarce public safety
resources.
53. We recognize, however, based on
these comments, a need for increased
accountability in how participating and
non-participating agencies use NORS
and DIRS information. We therefore
adopt the requirement that each
participating agency make available for
Commission inspection, upon
Commission request, a list of all
localities for which the agency has
disclosed NORS and DIRS data. The
Commission may, at its discretion, share
such lists with the implicated providers.
While this requirement falls short of
some commenters’ requests for
additional notifications, we find that it
appropriately balances maintaining
accountability on the part of
participating agencies with minimizing
the day-to-day burden on agencies for
participating in the sharing program.
54. The Commission is aware that
agencies that voluntarily elect to
participate in this information sharing
E:\FR\FM\29APR2.SGM
29APR2
jbell on DSKJLSW7X2PROD with RULES2
Federal Register / Vol. 86, No. 81 / Thursday, April 29, 2021 / Rules and Regulations
framework may incur some costs due to
the obligation to notify the Commission
when they receive requests for NORS
filings, DIRS filings, or related records
and when there is a change in relevant
statutes or laws that would affect the
agency’s ability to adhere to
confidentiality protections. These costs
include modest initial costs to review
and revise their confidentiality
protections in accordance with the
framework we adopt in today’s Order,
and minimal reoccurring costs to notify
the Commission as described above. We
cannot quantify agency costs for these
activities, which would vary based on
each participating agency’s particular
circumstances, including the number of
requests or changes in law that would
necessitate notifications, as we lack the
record evidence to quantify such
benefits. This lack of quantification,
however, does not diminish in any way
the advantages of providing access to
NORS and DIRS information to improve
the safety of residents during times of
telecommunications outage
infrastructure distress. We conclude that
the benefits of participation would
likely exceed the costs for any agency
electing to participate in today’s
framework; otherwise, such an agency
could avoid such costs altogether by
deciding not to participate in this
information sharing. We find that the
benefits attributable to providing NORS
and DIRS access to these agencies and
other parties are substantial and may
have significant positive effects on the
abilities of these entities to safeguard
the health and safety of residents during
times of natural disaster or other
unanticipated events that impair
telecommunications infrastructure.
55. Moreover, we are unaware of any
alternative approaches with lower costs,
nor have any been identified by
commenters, that would still ensure that
the Commission promptly and reliably
learns of the actions described above
that may lead to the disclosure of NORS
or DIRS-related information. Lessening
the promptness or reliability of
notifications to the Commission would
disincentivize providers from supplying
robust and fulsome NORS and DIRS
reports and therefore reduce the benefits
that those filings would provide to the
Commission and participating agencies
alike. We find that this reduction in
benefits would outweigh the expected
modest cost savings to those
participating agencies that would be
required to provide notifications under
the framework we adopt today.
VerDate Sep<11>2014
19:24 Apr 28, 2021
Jkt 253001
E. Preemption and its Relation to State,
Federal and Other Reporting
Requirements
56. We reject requests from
commenters that urge the Commission
to preempt state outage reporting
requirements. Some industry
commenters, including T-Mobile and
CenturyLink, generally favor
preemption as they believe it will,
among other considerations, promote
uniformity in the outage reporting
requirements they must observe. For
example, T-Mobile states that
‘‘[c]onsistent with its recognition that
there should be consistency with regard
to outage information available to the
public, the Commission should preempt
state laws requiring the submission of
outage data by wireless carriers. These
laws often establish different thresholds
for trigging outage reporting and could
cause public confusion.’’ CenturyLink
also comments that ‘‘[a]pproximately 34
states have outage reporting
requirements that, in most cases, do not
align with the FCC’s reporting criteria.
Complying with these various state
rules poses both a resource burden and
a systems burden that would lack a
corresponding benefit if states obtain
outage information by accessing NORS/
DIRS.’’
57. We note that the actions we take
today would not place any new NORS,
DIRS or state-level filing requirements
on service providers and we find no
compelling reasons to upset our
information sharing framework by
implementing any additional
requirements for service providers at
this time. We further agree with the
California Public Utilities Commission
that ‘‘preemption is not an issue in the
FNPRM,’’ and acknowledge that because
the Commission did not seek comment
on this issue, the record on this
significant Federalism question is not
fully developed. Nothing in this
paragraph is intended to narrow limit,
or broaden a party’s opportunity to seek
redress under all applicable existing
laws, including through declaratory
judgement in accordance with 47 CFR
1.2 of or rules, on grounds that a state
rule or law is allegedly preempted by
Federal law or rule, including our part
4 outage reporting rules. Such rights
remain undisturbed by today’s Order.
As we have indicated above, we did not
seek comment on the issue of
preemption in this proceeding, and the
record here is insufficient to make any
determinations on a need to launch
further proceedings on this issue. For
this reason, we also agree with the
California Governor’s Office of
Emergency Services that ‘‘the FCC
PO 00000
Frm 00009
Fmt 4701
Sfmt 4700
22803
should decline any invitation to broadly
preempt state law because the question
is outside the scope of the present
proceeding.’’ Moreover, the Commission
is persuaded by commenters, including
NASUCA, NARUC and California
Governor’s Office of Emergency
Services, underscoring that, currently,
states can determine what outage
reporting requirements are most
appropriate for their jurisdictions.
F. Safeguards for Direct Access to NORS
and DIRS Filings
58. We adopt specific safeguards to
ensure the continued confidentiality,
appropriate sharing, and limited
disclosure of NORS and DIRS
information. These safeguards include
providing read-only access to NORS and
DIRS filings, limiting the number of
users with access to NORS and DIRS
filings at participating agencies,
requiring participating agencies to
receive training on their privileges and
obligations under the framework (such
as reporting any known or reasonably
suspected breach of protocol to the
Commission and service providers), and
potentially terminating access to
agencies that misuse or improperly
disclose NORS and DIRS data.
59. As several record commenters
express overall concerns about
adequately securing NORS and DIRS
information, our safeguards strategically
respond to potential NORS and DIRS
data security threats. For example, our
training requirements are intended to
set clear parameters for how agencies
use NORS and DIRS filings, our limits
on agency user accounts will help us
control account access, and our
measures to audit account access will
enable us to detect and quickly
investigate potential misuse. We expect
that, collectively, these safeguards will
protect the NORS and DIRS data we will
share under our framework from
inappropriate use and minimize the
potential harm from data breaches as
noted by certain record commenters.
Based on our review of the record, we
find that the safeguards we adopt today
appropriately balance the need to
preserve the confidentiality of NORS
and DIRS information against the need
to provide agencies with critical
information to assist them with
protecting public safety.
1. Read-Only Direct Access to NORS
and DIRS and Limits on Access to
Historical Filings
60. In the Second Further Notice, the
Commission renewed the Commission’s
proposal, first made in the 2016 Report
and Order and Further Notice, that
participating state and Federal agencies
E:\FR\FM\29APR2.SGM
29APR2
jbell on DSKJLSW7X2PROD with RULES2
22804
Federal Register / Vol. 86, No. 81 / Thursday, April 29, 2021 / Rules and Regulations
be granted direct access to NORS and
DIRS filings in a read-only manner to
help prevent the improper manipulation
of NORS and DIRS data. We now adopt
this proposal, finding that this approach
is vital to protecting NORS and DIRS
filings from improper use. We observe
that all industry, public safety
organizations, and state and local
government parties commenting on the
Commission’s read-only proposal agree
with it, with some specifically noting
that they believe it will be an effective
safeguard against the improper
manipulation of NORS and DIRS data.
Further, ATIS states that it strongly
supports read-only access as a means
‘‘to further enhance confidentiality.’’ We
agree with commenters that granting
read-only access will help reduce the
risk that participating agencies’
employees or others could make
unauthorized modifications to the
filings, whether unintentional or
malicious, and ensure the accuracy of
information shared via the information
sharing framework.
61. Some commenters encourage the
Commission to implement additional
technological measures to prevent the
improper use of information, including
mechanisms to limit the manipulation
and improper access of printouts and
downloadable NORS and DIRS data,
such as placing confidentiality
notifications or headers and watermarks
on viewable and printable documents.
We acknowledge that these
recommendations would serve as useful
safeguards against the improper use of
outage data and find it would be in the
public interest to further develop the
record on the suitability of these
measures and safeguards. We thus direct
PSHSB to seek, via Public Notice,
further information on the cost, manner
and technical feasibility of
implementing these technological
measures and safeguards in NORS and
DIRS and to make determinations on
which of these measures and safeguards,
if any, would be suitable for
implementation in NORS and DIRS. We
further delegate authority to PSHSB to
implement in NORS and DIRS any
measures and safeguards that it
determines suitable and in the public
interest based on the record developed
in response to the Public Notice.
Cognizant of the effective date of today’s
rules, we instruct the Bureau to work
expeditiously to make its
determinations and, if applicable, the
associated revised implementations to
NORS and DIRS. These
implementations should not impose
new regulatory requirements on service
providers or additional conditions on
VerDate Sep<11>2014
19:24 Apr 28, 2021
Jkt 253001
agencies seeking access to the outage
data. Nothing in this paragraph will
serve as basis for delaying the effective
date of the rules we adopt today.
62. The Commission also
acknowledges the proposal from the
Massachusetts Department of
Telecommunications and Cable that the
Commission ‘‘establish a mechanism for
Authorized State Agencies to comment
on and give feedback to the FCC on the
shared data,’’ as the Massachusetts
Department of Telecommunications and
Cable believes that ‘‘states may have
information that does not appear in or
that contradicts NORS or DIRS data,
information which could allow the FCC
to improve its data collection.’’ We find
that it is premature to determine
whether this would be a useful feature
for participating agencies, and we
believe it is appropriate to wait until
these agencies have had experience with
NORS and DIRS before building this
functionality into those systems. We
suggest that participating agencies that
wish to share information related to
contents of NORS and DIRS filings
instead informally contact Commission
staff with their concerns.
63. Access to Historical Filings. The
Commission proposed in the Second
Further Notice to grant participating
agencies access only to those NORS and
DIRS filings made after the effective
date of this proposed information
sharing framework, even if the agency
begins its participation at a later date.
We adopt this approach today.
64. We are persuaded by industry
commenters who argue that the
Commission should not make available
NORS and DIRS filings submitted before
the effective date of the framework
because the Commission should honor
the expectation of confidentiality that
providers had at the time they
submitted them. For example, NTCA
asserts that ‘‘providers submitted their
NORS and DIRS filings with the
expectation that only the Commission
would have access to those filings.’’ We
agree, and believe it would be
inappropriate in this context to adopt
rules to allow retroactive carte blanche
access to these filings by agencies
joining the framework as providers had
no notice that we would share such
confidential information with
participating agencies and maintained
an expectation that we would withhold
them from disclosure. We also find that
providing access to filings submitted
before the effective date of the proposal
would be technically difficult to
implement, as it would require the
modification of tens of thousands of
previously filed outage reports to ensure
that access can be limited by
PO 00000
Frm 00010
Fmt 4701
Sfmt 4700
jurisdiction. Nonetheless, while we
decline to adopt proposals to share
filings submitted before the effective
date of the framework, we also agree
with public safety and state government
commenters that having access to past
filings could help identify trends in
outages and be useful to agencies in
planning and responding to outages to
improve network reliability, and we
reject industry commenters like
CenturyLink, that argue to the contrary.
On balance, however, we find that the
need to preserve the confidentiality of
filings submitted before the effective
date of the framework is stronger than
any rationale posited to support access
to these filings. We believe that
providing participating agencies with
direct access to filings submitted after
the effective date of the framework, even
if their participation begins at a later
date, is the optimal approach as it
provides fair notice to service providers
while also providing agencies with
information to assist them with
identifying outage trends over time and
enhance their preparedness and
recovery efforts as noted above and in
the Second Further Notice.
65. We further note that ATIS argues
that it ‘‘does not believe that it is
necessary to provide access to filings
made before a state has been granted
access,’’ but ‘‘should access to prior
reports be made available,’’ access to
past reports should be limited to ‘‘no
earlier than 90 days,’’ and ATIS
proposes that should additional NORS
and DIRS data be needed by
participating agencies, the Commission
could grant it ‘‘upon a showing of
reasonable necessity. We reject ATIS’s
argument as we do not find that ATIS
provides a compelling explanation
regarding why limiting access to reports
to no earlier than 90 days is an
appropriate window (as opposed to
another window of time). Moreover, the
Commission does not find any harm in
sharing filings older than 90 days so
long as they were made after the
effective date of the framework,
consistent with our decision today, as
filers would be on notice of the prospect
that their filings could become available
to states that subsequently demonstrate
their eligibility for access. The
Commission also finds that requiring
participating agencies to demonstrate a
reasonable necessity for additional
NORS and DIRS reports, as ATIS
suggests, could impede efficient access
to available NORS and DIRS filings.
2. Disclosing Aggregated NORS and
DIRS Information
66. In the Second Further Notice, the
Commission proposed to allow
E:\FR\FM\29APR2.SGM
29APR2
jbell on DSKJLSW7X2PROD with RULES2
Federal Register / Vol. 86, No. 81 / Thursday, April 29, 2021 / Rules and Regulations
participating agencies to provide
aggregated NORS and DIRS information
to any entity including the broader
public. In doing so, ‘‘aggregated NORS
and DIRS information’’ was defined to
refer to information from the NORS and
DIRS filings of at least four service
providers that has been aggregated and
anonymized to avoid identifying any
service providers by name or in
substance.’’ The Second Further Notice
articulated several potential public
safety benefits stemming from the
public disclosure of aggregated NORS
and DIRS information, including its use
in keeping the ‘‘public informed of ongoing emergency and network outage
situations, timelines for recovery, and
geographic areas to avoid while disaster
and emergency events are ongoing.’’
67. Based on our review of the record,
we continue to expect that the
Commission’s proposal will yield these
benefits and adopt it today. We agree
with commenters that assert that
appropriate use of aggregation can
provide useful information to public
safety entities and the public while still
maintaining the confidentiality of data
submitted by providers.’’ We disagree
that agencies should be permitted to
publicly disclose NORS and DIRS data
that are not aggregated and anonymized
as proposed, and accordingly, the rules
we adopt today do not permit data to be
treated as disclosable under the
definition of ‘‘aggregated NORS and
DIRS information’’ unless the data has
been drawn from at least four service
providers. Based on our experience in
determining whether aggregated
disclosure is appropriate in other
contexts, we believe that where there
are fewer than four service providers,
the disclosure of aggregated outage
information, particularly in combination
with providers’ specific knowledge of
competitors in the region, could
inadvertently reveal one service
provider’s commercially sensitive
information to another. Even where the
data is aggregated from four service
providers, however, under the approach
to disclosure we adopt today, agencies
are prohibited from publicly disclosing
such data if they cannot ensure that no
one can derive the information of any
individual company from the
aggregation. For example, aggregating
the data from four service providers may
not sufficiently anonymize the data if
one provider’s data constitutes an
overwhelming share of the total.
68. To help mitigate concerns
regarding improper aggregation due to
lack of expertise, we include exemplar
aggregated and anonymized reports
based on hypothetical data in Appendix
D. This Appendix also contains non-
VerDate Sep<11>2014
19:24 Apr 28, 2021
Jkt 253001
binding guidelines for aggregating
NORS and DIRS data. We expect this
Appendix will show participating
agencies how to aggregate users and cell
sites affected by outages from NORS and
DIRS reports in a manner that ensures
anonymization to prevent misuse and
address any potential confusion
participating agencies have about
aggregating NORS and DIRS data. As
stated in this Appendix, we note that
aggregated data may not reflect the exact
number of users affected by a service
provider’s outage and is only used for
situational awareness, and agencies’
failure to properly aggregate data could
lead to the improper disclosure of
service providers’ confidential
information and may result in
termination of their access to NORS and
DIRS filings by the Commission. We
believe that with the guidance we
provide agencies today, they will be
able to aggregate and anonymize NORS
and DIRS data in accordance with our
rules.
69. Several commenters have urged
the Commission to adopt a broader
definition of aggregation to enable
aggregation in what they have described
as the numerous areas that have fewer
than four providers. For example, the
California Public Utilities Commission
comments that the ‘‘proposal fails to
consider aggregation in the many
instances where an area is only served
by two major wireline service
providers.’’ Allowing the public
dissemination of NORS and DIRS
information where there are only two
providers, for example, however, would
unnecessarily reveal confidential
information about each of those
providers to the other. We believe that
the dangers posed by such disclosure
substantially outweigh the benefits of
disclosure to the public, given the
availability of the data to participating
agencies. We recognize that an agency’s
ability to provide aggregated
information may depend on the types
(e.g., wireless or wireline) and numbers
of providers serving a region and the
unique circumstances of an outage;
there, however, aggregated disclosure
may be possible without an
unauthorized disclosure of confidential
information given the multiple
providers of each type and at least four
providers overall. Even so, there may be
situations where, for an example, an
outage affects only the two wireline
providers in an area, and not the two
wireless providers. In that case, only the
two wireline providers would be filing
reports, and any aggregation of their
data would fall short of the four-or-more
provider requirement for public
PO 00000
Frm 00011
Fmt 4701
Sfmt 4700
22805
disclosure. We find that this approach is
necessary to ensure the confidentiality
of NORS and DIRS information and
strikes a reasonable balance between the
relevant policy considerations. This
policy does not override agreements
certain wireless providers have made
with the Commission regarding the use
of aggregated DIRS data consistent with
the Wireless Network Resiliency
Cooperative Framework.
70. We reject one commenter’s
proposal that, if aggregated data may not
be disclosed because of an insufficient
number of providers, then the
Commission should first conduct a ‘‘risk
assessment’’ to determine how
adversely affected the public would be
by not receiving such data, and second,
if the risk assessment shows harm, then
the Commission should modify its
‘‘need to know’’ approach by disclosing
information under a protective order to
‘‘public safety officials, researchers, and
public interest representatives.’’ As a
threshold matter, it is unclear what this
commenter means by ‘‘risk assessment,’’
what specific metrics this commenter
believes the ‘‘risk assessment’’ would
use to measure what it refers to as ‘‘the
impact of disparate access,’’ and what
costs are associated with such an
assessment to the Commission. To the
extent this commenter is suggesting that
such a risk assessment be used to
identify parties that would qualify
under the ‘‘need-to-know’’ standard as
recipients of confidential information,
we believe it is more appropriate to rely
on state agencies to employ our new
rules to share outage information
downstream to the extent necessary to
address an emergency situation for all
affected within the community. We
anticipate that, in the appropriate
circumstances, public safety officials
downstream from a participating state
agency might have a ‘‘need to know’’
and may thus obtain confidential outage
information from such an agency that
has determined it permissible under our
rules to share such information in this
manner. It is perhaps less likely,
however, that public interest
organizations or researchers would
qualify for such sharing under our rules.
Insofar as this commenter would have
us relax the ‘‘need-to know’’
requirements to allow such expanded
sharing, we reject that proposal, as we
believe that the balance we have struck
between disclosure of some information
to facilitate localized responses to
emergencies and service outages caused
by them, on the one hand, and the
protection of sensitive data from
unnecessary disclosure, on the other,
will best serve the overall public
E:\FR\FM\29APR2.SGM
29APR2
jbell on DSKJLSW7X2PROD with RULES2
22806
Federal Register / Vol. 86, No. 81 / Thursday, April 29, 2021 / Rules and Regulations
interest. We also note that no
commenter has recommended a
practical alternative to the
Commission’s proposal that would
enable aggregation at a lower threshold
while ensuring that national security
and competitive concerns are addressed.
Additionally, we note that under the
Commission’s proposal, participating
agencies in areas with fewer than four
communications providers have access
to this data for public safety purposes
consistent with the rules we adopt
today; they simply may not disclose the
data publicly.
71. ATIS and SIA argue that the
Commission, instead of participating
agencies, should produce or approve
aggregated reports for public
dissemination consistent with its
existing practices and because of the
Commission’s expertise with issuing
these reports. We reject these proposals.
As dozens—or hundreds—of agencies
might participate in the information
sharing framework, and there could be
several potential emergencies, and the
need for prompt resolution of those
emergencies and related outages, we
find that it would be impractical and
administratively burdensome for the
Commission to produce aggregated and
anonymized reports on behalf of all
participating agencies seeking to
publicly disseminate aggregated reports
under the Commission’s proposal.
72. We note that T-Mobile also
contends that aggregated data should be
disclosed only by the Commission
because, among other considerations,
‘‘public disclosure by agencies other
than the FCC could ultimately mislead
or confuse the public’’ during times of
crises. T-Mobile asserts that agencies’
unfamiliarity with the data can lead to
agencies either misinterpreting the data
or producing aggregated data reports
that differ from each other, and that
‘‘these disparate reports would most
likely cause confusion and potentially
hinder, rather than help, situational
awareness.’’ T-Mobile further argues
that as an alternative, the Commission
should share data it already aggregates,
such as the aggregated DIRS reports it
publishes on its website. We reject TMobile’s arguments. We find that, like
the Commission, participating agencies
with a ‘‘need to know’’ have or will
quickly develop the necessary expertise
to be able to understand NORS and
DIRS information, coordinate with the
Commission and regional partners
where necessary, and release
information to the public in a
responsible way. For example, while
NORS and DIRS filings often estimate
the potential impact of service
disruptions rather than reflect the exact
VerDate Sep<11>2014
19:24 Apr 28, 2021
Jkt 253001
number of users affected by an outage,
those estimates can still effectively
inform the public’s understanding about
the effect outages across several
providers following a disaster and we
expect that participating agencies will
be able to communicate that information
to the public in a productive way.
73. We do not agree that existing
Commission data aggregations can
replace state and local agencies’ needs
to inform the public about outages and
infrastructure status. For example, we
anticipate that some agencies will
determine it is appropriate to release
information to the public more
frequently than once a day or in specific
regions not covered by the
Commission’s public DIRS reports or
any aggregations of outage data that it
might prepare. Also, as we stated above,
we believe that it would be impractical
and administratively burdensome for
the Commission itself to fulfill requests
to aggregate NORS and DIRS data from
potentially numerous participating
agencies, and such an approach could
delay the Commission’s assistance with
resolution of the underlying
emergencies prompting the need to
share the reports. To the extent that the
Commission identifies any instances of
an agency using NORS or DIRS
information in an improper way, it will
take steps to ensure that improper
disclosure does not occur in the future.
3. Direct Access to NORS and DIRS
Filings Based on Jurisdiction
74. In the Second Further Notice, the
Commission acknowledged that outages
and disasters can cross multiple
jurisdictional boundaries and therefore
proposed enabling a participating
agency to receive direct access to all
NORS notifications, initial reports, and
final reports and all DIRS filings for
events reported to occur at least
partially in their jurisdiction including
multistate outages. We also proposed
enabling participating agencies to
receive access to NORS and DIRS filings
for outage events and disasters that
occur in portions of their jurisdictions
but also span across additional states.
We sought comment on, inter alia,
whether participating agencies would
make use of NORS and DIRS filings that
affect states beyond their own, whether
participating agencies have a ‘‘need to
know’’ about the effects of multistate
outages and infrastructure status outside
their jurisdiction, and whether any
harms could potentially arise from
granting a participating agency access to
multistate outage and infrastructure
information.
75. We adopt these proposals today as
we expect they will enhance public
PO 00000
Frm 00012
Fmt 4701
Sfmt 4700
safety by providing agencies with
thorough information regarding outages
to aid in their response and recovery
coordination efforts. Several public
safety and state government commenters
support granting participating agencies
multistate outage information about
outages occurring at least partially in
their jurisdictions. We agree with these
commenters that access to this
information would ensure that
participating agencies have a complete
picture of outages and their causes and
would improve coordination between
jurisdictions in response to disasters.
We also agree with the Pennsylvania
Public Utility Commission that
participating agencies are ultimately in
the best position to determine what
effects of multistate outages and
infrastructure status outside their
jurisdiction are relevant to informing
their responses to the event.
76. We disagree with commenters that
argue that state access should be
restricted to outage reports for those
portions of events occurring in that
state. For example, the Competitive
Carriers Association contends that ‘‘any
decision to allow access to information
about adjacent states should be made on
a case-by-case basis only upon a
showing of need,’’ as it believes ‘‘such
geographic limitation is an important
mechanism for the Commission to
ensure that data is used only for
intended purposes.’’ We find that
participating agencies would be better
able to address public safety matters,
including by improving their outreach
and coordination with other
jurisdictions in response to disasters, if
they have a more complete picture of
outages and their causes. ATIS further
urges the Commission to prohibit the
sharing of data from multistate events
with agencies until it addresses how to
effectuate this change in NORS. We also
find that modifying NORS forms to
allow users to select more than one state
when submitting a NORS filing, as
discussed further below, will be
adequate to allow the Commission to
ensure that participating agencies can
only access filings for outages that at
occur least partially in their jurisdiction.
77. Sharing of Complete NORS and
DIRS Reports and Filings. In their
comments concerning the scope and
type of confidential information that
should be shared with participating
agencies, some industry commenters
opine that some reports and fields in
NORS and DIRS, such as root cause
analyses, sympathy reports, reports on
simplex events, contact information,
and equipment types, are irrelevant and
likely to cause confusion and contain
confidential information. ATIS also
E:\FR\FM\29APR2.SGM
29APR2
jbell on DSKJLSW7X2PROD with RULES2
Federal Register / Vol. 86, No. 81 / Thursday, April 29, 2021 / Rules and Regulations
states information regarding ‘‘special
offices and facilities in
Telecommunications Service Priorities
(TSP) 1 and 2’’ in NORS filings ‘‘provide
no relevant public safety information
and should therefore not be shared with
state agencies.’’ A sympathy report
contains information regarding a service
outage that was caused by a failure in
the network of another company. A
simplex report contains information
about which diversity of resources
prevented a failure in a network from
causing a loss of service. TSP is an FCC
program that directs
telecommunications service providers to
give preferential treatment to users
enrolled in the program when they need
to add new lines or have their lines
restored following a disruption of
service, regardless of the cause. In
NORS, providers can indicate if TSP
was involved during service restoration.
A root cause analysis indicates the
underlying reason why the outage
occurred or why the outage was
reportable. CTIA and Verizon
recommend the Commission convene a
workshop to discuss practices for interjurisdictional sharing of information,
which USTelecom supports as a way to
determine what information is
necessary to share.
78. On review, we reject most
commenters’ proposals to share only
certain types of outage filings made in
NORS and DIRS and reject proposals to
convene workshops to identify the
appropriate types of NORS and DIRS
data to share. We agree with ATIS that
reports related to simplex events as
contained in NORS filings should not be
shared with participating agencies.
These reports contain information that
helps identify which diversity of
resources prevented a failure in a
network from causing a loss of service,
which could be helpful for analyzing
trends in outages, but we find that this
information is not immediately relevant
to emergency response. However, we
note that sympathy reports and reports
containing information about TSPs
contain actionable information on
outages that could be of use to public
safety officials for emergency response
or service restoration and we decline to
exclude these reports from NORS
filings. For example, sympathy reports
contain information regarding service
outages that, while caused by a failure
in the network of another provider,
nonetheless have an effect on the
reporting service provider that may have
public safety implications. Moreover,
information about TSPs may be helpful
to emergency response officials to
VerDate Sep<11>2014
19:24 Apr 28, 2021
Jkt 253001
indicate which repairs are being
prioritized by service providers.
79. For the NORS filings that are
shared with participating agencies,
including notifications, initial and final
reports, we find that their contents
about service outages, such as dates and
times of incidents, geographic areas
affected, effects of outages on 911
service, the numbers of potentially
affected users, and causes (including
information about any affected
equipment) are highly relevant to
agencies that seek to increase their
situational awareness of emergency
events and coordinate disaster response
and recovery efforts. Furthermore, in
response to several commenters’
position that some fields in NORS
reports are too sensitive or confusing to
share and should be excluded, we
expect participating agencies will be
able to discern which information from
various types of NORS and DIRS filings
is relevant to their own circumstances
during various stages of public safety
events, particularly as we expect that
participating agencies will possess
sufficient technical and operational
expertise to understand the information
that some commenters maintain could
be confusing. We also find that the
confidentiality requirements and
safeguards we adopt today will protect
sensitive NORS information from
improper use and disclosure. We
recognize that, once the information
sharing framework becomes effective,
participating agencies may initially
engage the Commission (and potentially
service providers, through their existing
relationships) with questions about
NORS and DIRS data, which will lead
to more effective use of all types NORS
and DIRS filings over time.
80. We specifically reject the view
that all of a service providers’ contact
information should be excluded in the
NORS and DIRS filings and information
we share with participating agencies. As
noted by the Michigan Public Service
Commission, we expect that agencies’
technical staff will review NORS and
DIRS filings and that the staff will
occasionally require contact with
providers experiencing outages in their
jurisdiction to better understand and
resolve substantive issues. Because we
expect that agencies will analyze NORS
and DIRS information in similar ways to
the Commission, we disagree with
ATIS’s view that all contact information
supplied to the Commission with a
filing should be excluded from sharing.
However, we agree with commenters
that it is unnecessary to share with
participating agencies the contact
information of those individuals that
solely file NORS or DIRS information
PO 00000
Frm 00013
Fmt 4701
Sfmt 4700
22807
and do not have substantive details to
share about an outage or infrastructure
status. We find that this approach
strikes an appropriate balance between
ensuring participating agencies have
access to the substantive information
they need and avoiding unproductive
contact that can potentially distract
from the making of timely filings. We
note that, currently, NORS and DIRS
give providers the option to list primary
(or first) and secondary contacts, either
for an outage (NORS) or generally for
the provider (DIRS). We clarify that the
providers should enter as their primary
contact an individual that they
specifically designate for substantive
follow-up discussion about an outage or
about infrastructure status. For the
secondary contact, providers should
identify the individual who undertakes
the administrative task of preparing and
filing applicable reports in NORS and
DIRS. By following this guidance,
providers can help ensure consistency
in the communications between
themselves and participating agencies.
81. Tribal Nation Government
Agency/State Agency Access to
Multistate Event Data. In the Second
Further Notice, the Commission asked
whether a participating Federally
recognized Tribal Nation agency that
receives direct access to NORS and
DIRS filings has a ‘‘need to know’’ about
events that occur entirely outside of its
borders but within the border of the
state where the Tribal land is located, or
if a state agency should ‘‘receive direct
access to NORS and DIRS filings
reflecting events occurring entirely
within Tribal land located in the state’s
boundaries. The Commission further
asked whether any harms could ‘‘arise
from granting Tribal Nation authorities
access to outage and infrastructure
information outside of their territories,’’
and sought comment on whether
‘‘Tribal Nation authorities’ access to
NORS and DIRS filings should be
limited only to those aspects of
multistate outages that occur solely in
their territories.’’
82. NASNA and the Colorado Public
Utilities Commission, the only two
commenters opining specifically on this
issue, both agree that a Federally
recognized Tribal Nation agency that
receives direct access to NORS and
DIRS filings can have a ‘need to know’
about events that occur entirely outside
of its borders but within the border of
the state where the Tribal land is
located. We are persuaded by NASNA
and the Colorado Public Utilities
Commission’s comments and note that
no commenter opposes this approach.
We adopt the proposal that a Federally
recognized Tribal Nation agency may
E:\FR\FM\29APR2.SGM
29APR2
jbell on DSKJLSW7X2PROD with RULES2
22808
Federal Register / Vol. 86, No. 81 / Thursday, April 29, 2021 / Rules and Regulations
receive direct access to NORS and DIRS
filings for events that occur entirely
outside of its borders but within the
borders of the state where the Tribal
land is located and, conversely, that a
state agency receive direct access to
these filings reflecting events occurring
entirely within Tribal land located in
the state’s boundaries to the extent these
filings are available, and access would
not impinge upon Tribal sovereignty.
We also grant Tribal Nation agencies
direct access to NORS and DIRS filings
for outage events and disasters that
occur in portions of their jurisdictions
but also span across additional states.
As the Commission stated in the Second
Further Notice, because of the technical
nature of many outages, equipment
located in a Tribal land could impact
service in the states in which Tribal
lands are located, and we expect this
action to enhance the situational
awareness of Tribal Nations, and the
states in which they are located,
regarding service outages and thereby
improve public safety. We note that
NASNA supports the Commission’s
proposal to give state agencies direct
access to NORS and DIRS filings for
events occurring entirely within Tribal
land located in a state’s boundaries to
improve information sharing between
states and Tribal nations. NASNA states
that ‘‘it would be most efficient to allow
direct access to data that relates to
incidents within a state agency’s state
boundaries, and to a tribal entity’s tribal
jurisdiction,’’ and comments that this
approach ‘‘gives the states and tribal
entities the ability to share data when it
is appropriate.’’ We note that this
approach does not impact Tribal
sovereignty as under our framework,
outage data will be provided in the first
instance by the provider to the FCC, and
only thereafter shared with a Tribal
entity.
83. Technical Implementation. In the
Second Further Notice, the Commission
sought comment on aspects of the
technical implementation of its
proposals regarding direct access to
NORS and DIRS filings based on
jurisdiction, including its assertion that
service providers would incur minimal,
if any, burdens related to DIRS because
they would not need to modify their
DIRS reporting processes to
accommodate multistate reporting. The
Commission also proposed changing the
Commission’s NORS form to allow users
to select more than one state when
submitting a NORS filing, consistent
with the proposal to allow access to
outages that span multiple states. The
Commission estimated the cost of such
a change for the nation’s service
VerDate Sep<11>2014
19:24 Apr 28, 2021
Jkt 253001
providers to be $3.2 million and sought
comment on this proposal and any
potential alternatives, including any
necessary adjustments to account for
Tribal land borders. While a few
commenters expressed concerns about
the accuracy of estimated costs to
service providers, no commenters
provided cost data or analysis to
support their concerns or rebut the
Commission’s cost estimates. Similarly,
while some state agency and advocacy
organizations expressed concerns that it
will be burdensome for voluntarily
participating agencies to relay
information they retrieve from the
NORS and DIRS databases to
‘‘downstream’’ entities, none of these
entities attempt to quantify the costs
associated with these activities. In the
absence of any cost analyses or other
cost data quantifying alternative cost
estimates, the Commission continues to
rely upon the estimates discussed in the
Second Further Notice indicating that
the nation’s service providers will incur
total initial set up costs of $3.2 million
based on the Commission’s estimate of
1,000 service provider incurring costs of
$80 per hour and spending 40 hours to
implement update or revise their
software used to report outages to the
Commission in NORS and DIRS.
84. We thus adopt this proposal
consistent with our view that it will
allow the Commission to effectuate our
provision of access to filings for outages
that span more than one state, and we
conclude that the benefits of today’s
program far exceed the costs. We note
that commenters did not address the
Commission’s assessment that service
providers would likely incur minimal to
no costs to accommodate DIRS reporting
as DIRS form already requests filers to
include data at the county level.
However, most parties commenting on
the Commission’s proposed NORS
modification support the NORS
modification. For example, NCTA
supports this approach because it allows
the Commission to limit participating
agencies’ access to information about
those outages that occur within their
jurisdiction. Furthermore, CenturyLink
states that also it prefers this approach,
provided that the Commission does not
require state-specific impacts to be
broken out for each reported outage.
This change in NORS reporting can be
accomplished without revising section
4.2 of our rules as section 4.11 of our
rules already requires that, inter alia,
communications providers supply, in
their NORS filings to the Commission,
information on the geographic area
affected by an outage using the
Commission’s approved Web-based
PO 00000
Frm 00014
Fmt 4701
Sfmt 4700
outage reporting templates. Here, the
Commission is merely updating the
form of its templates to further facilitate
jurisdiction-specific access.’’
85. We note that NTCA ‘‘recommends
the Commission undertake a cost benefit
analysis of any proposed changes to the
method in which providers submit
information into the NORS and DIRS
systems to ensure any burdens imposed
on providers caused by having to
modify the way they report outages and
any additional time needed to report
outages to meet any new requirements
are outweighed by the benefit to public
safety.’’ As we note above, we have
performed this analysis and find that
the changes we adopt today ensure that
the burdens imposed on providers are
outweighed by the public safety benefits
of our information sharing framework.
We further acknowledge commenters’
proposals to include Tribal Nation
agencies in the list of jurisdictions for
providers to choose from in NORS.
However, we decline to adopt these
proposals because we find that it would
be administratively burdensome and
difficult to continuously track the full
extent of existing Tribal Nation agencies
to include and update in NORS.
However, we note that the approach we
adopt above, to give Tribal Nation
agencies access to outage reports within
the border of the state where the Tribal
land is located, would achieve the same
goals in a less burdensome manner.
86. Additionally, in the Second
Further Notice, the Commission asked,
as an alternative, whether it should
require service providers to submit
several state-specific filings instead of
submitting single aggregated filings for
each outage that list all affected states.
All parties commenting on this issue
disagree with this approach and assert
that it would increase reporting burdens
on service providers. NASNA notes that
this proposal ‘‘certainly seems less
efficient and more time consuming for
the providers than making the proposed
change to the Commission’s reporting
form, but since the end result to the
participating state agencies is the same,
NASNA leaves it to the providers to
express its preference on this matter.’’
CoPUC’s comments echo NASNA’s on
this issue. Based on our review of the
record, we are persuaded by comments
underscoring the burdens this approach
would impose on service providers and,
thus, we decline to adopt it.
4. Limiting the Number of User
Accounts per Participating Agency
87. Presumptive Limits on User
Accounts. In the Second Further Notice,
the Commission proposed to
presumptively limit the number of user
E:\FR\FM\29APR2.SGM
29APR2
jbell on DSKJLSW7X2PROD with RULES2
Federal Register / Vol. 86, No. 81 / Thursday, April 29, 2021 / Rules and Regulations
accounts granted to a participating
agency to five accounts for NORS and
DIRS access per state or Federal agency
with additional accounts permitted on
an agency’s reasonable showing of need.
Furthermore, to ‘‘reduce the reliance of
any one agency on another by allowing
each to apply for direct access to NORS
and DIRS filings,’’ the Commission also
proposed, in the Second Further Notice,
that the Commission review all
reasonable requests from state and
Federal agencies, rather than proposing
a presumptive limit on the number of
participating agencies eligible for direct
access to NORS and DIRS filings.
88. We adopt the Commission’s
proposals today as we find that that they
will limit access to NORS and DIRS
information to the employees that are
intended to receive it and allow
participating agencies to identify misuse
by specific employees. Colorado Public
Utilities Commission and NASNA
recommend that the language of the
Commission’s proposal be clarified to
read that ‘‘access should be up to five
employees per agency, not per state.’’
We adopt this clarification today for
precision. We note that the majority of
record commenters support the
Commission’s proposal to
presumptively limit the number of user
accounts, underscoring the Second
Further Notice’s assertion that it is an
important safeguard to minimize the
potential for over-disclosure of sensitive
information. For example, ACA
Connects notes that implementing this
measure will ‘‘limit the risk of improper
use or disclosure of the data.’’ However,
we disagree with ATIS that we should
‘‘better define what a ‘reasonable
showing of need’ would entail’’ for
granting additional accounts to
agencies. While some factors that we
expect could help demonstrate a
reasonable showing of need include the
jurisdictional area that an agency serves
or the number of public safety functions
for which it is responsible, we decline
to require or define specific factors and
will decide all requests on a case-bycase basis.
89. NASNA and the Colorado Public
Utilities Commission support the
Commission’s proposals to review all
requests for direct access from eligible
agencies and not to restrict the number
of potentially participating agencies.
Verizon argues that the ‘‘Commission
should adopt a presumption that two
agencies within a state may have access
to the reports,’’ as it asserts this action
‘‘would better reflect that most states
maintain both a single regulatory
commission with some public safetyrelated responsibilities and a statewide
executive branch emergency
VerDate Sep<11>2014
19:24 Apr 28, 2021
Jkt 253001
management agency.’’ Verizon further
argues that the ‘‘Commission would
have discretion to expand this number
upon a good faith showing as this
governance structure may vary among
states, but reducing the presumptive
number would help incent different
state agencies to coordinate their
information gathering efforts in advance
of major outage events.’’
90. We reject Verizon’s proposal that
the Commission adopt a presumption
that two agencies within a state may
have access to NORS and DIRS filings.
We expect that participating agencies
will indicate, in their application for
access, the legal authority that charges
them with promoting the protection of
life or property. This showing will allow
us to best assess whether specific state
agencies should have access to these
filings. We also find that allowing only
two entities to have access to NORS and
DIRS filings could necessitate a
competitive process to determine which
agency would get selected, which would
delay access, not have clear standards,
and may lead to disharmony among
agencies that need to coordinate and
cooperate. Additionally, we find that
granting access to all qualifying agencies
will make each of those entities more
accountable to the Commission as they
would have to bind themselves to the
program’s requirements when signing
the certification.
91. Agency Assignment and
Management of User Accounts. The
Second Further Notice proposed
requiring that ‘‘an agency assign each
user account to a unique employee and
manage the process of reassigning user
accounts as its roster of employees
changes.’’ As we continue to find that
these proposals will minimize the
improper use of NORS and DIRS
information and give participating
agencies flexibility for managing user
accounts, we adopt them with certain
modifications to further strengthen our
account management requirements. The
Commission will retain for its records
the unique account identifiers
associated with each agency. We note
that while ATIS specifically expresses
support for the Second Further Notice’s
proposal that agencies assign user
accounts to employees and manage the
reassignment process for these accounts,
most commenters do not rebut the
necessity of these proposals to protect
against improper disclosure. However,
some industry commenters propose
placing additional limitations on agency
access to prevent improper use, which
we adopt or reject infra.
92. AT&T recommends the
Commission designate a ‘‘coordinator’’
to be responsible for ‘‘an agency’s access
PO 00000
Frm 00015
Fmt 4701
Sfmt 4700
22809
to confidential NORS/DIRS
information,’’ as it believes this will
‘‘ensure that each potential recipient has
a ‘need to know’ basis for access to the
information, the recipient understands
the duty to maintain confidentiality,
and the information will be destroyed in
a secure manner when there is no longer
a need to know.’’ AT&T states that after
designation ‘‘the coordinator would
have the ability to approve additional
requests for access credentials for
personnel from that agency,’’ and that
this ‘‘approach would allow
downstream sharing of information by
the coordinator who would be best
positioned to ensure that recipients
have a ‘need to know.’ ’’ AT&T further
argues that a ‘‘similar procedure has
worked well in the context of the 911
Reliability Certification System,’’ and
states that for that procedure, ‘‘the
potential information recipient sends a
request to a designated FCC staff
member to receive coordinator status
and these requests are handled on caseby-case basis.’’ No commenters oppose
AT&T’s recommendation.
93. We adopt AT&T’s
recommendation as we find that it
would help facilitate the efficient
administration of our framework and
provide additional safeguards to protect
NORS and DIRS data for the reasons it
describes. Therefore, we will require
participating agencies, in the
Certification Form (Appendix C) we
adopt today, to indicate the name and
contact information of their agency
coordinator. We will require this agency
employee to serve as their agency’s
point of contact for all matters related to
their agency’s framework access,
including managing agency accounts,
submitting requests for additional user
accounts, coordinating downstream
sharing consistent with our rules,
coordinating with the Commission to
manage any unauthorized access
incidents, and taking reasonable efforts
to make available for Commission
inspection a list of all localities for
which the agency has disclosed NORS
and DIRS data.
94. Several commenters recommend
the implementation of auditing and
reporting measures to minimize
improper use. For example, ATIS
recommends that ‘‘the Commission
require states to conduct an internal
audit every six months . . . of
individuals with access to determine
whether these accounts are still
necessary and to require personnel to
regularly update passwords,’’ and that
‘‘the results of this audit should be
shared with the Commission.’’ CTIA
recommends that the Commission
‘‘develop a process for regularly
E:\FR\FM\29APR2.SGM
29APR2
jbell on DSKJLSW7X2PROD with RULES2
22810
Federal Register / Vol. 86, No. 81 / Thursday, April 29, 2021 / Rules and Regulations
auditing accounts it has granted to
public safety stakeholder agencies and
sharing the results of this process with
providers that file reports to NORS and
DIRS.’’ USTelecom proposes that the
framework ‘‘contain regular reports that
provide a record of how many active
accounts are maintained by each agency
and the number of reports accessed by
each,’’ and that ‘‘upon request, and in a
reasonable time frame,’’ the Commission
‘‘provide reports to carriers listing
which Federal or state government
agency accounts have accessed their
NORS or DIRS outage data.’’ Moreover,
NCTA recommends suspending
‘‘individual user access if an individual
has not accessed NORS or DIRS within
a 12-month period.’’ We reject all
commenters’ auditing and report
production proposals as they would
place undue obligations on the
Commission and participating agencies
and could be financially prohibitive. We
further find that requiring the
suspension of access to users that are
inactive over 12 months is too
prescriptive. For example, given the
sporadic nature of disasters and
emergency events, users at some
participating agencies might not access
NORS and DIRS filings for over a year.
95. Additionally, to increase account
security, several parties make proposals
that recommend the tracking of how
users access NORS and DIRS filings. For
instance, NTCA recommends requiring
‘‘agencies accessing the filings to track
the name of the authorized individual
within the agency that accessed
information and when.’’ CTIA states
that the ‘‘Commission should ensure
that adequate tools are available to aid
investigations after data breaches,’’ and
opines that ‘‘one such tool is an audit
log for the NORS and DIRS database,
recording which data was accessed,
when, and by whom.’’ NCTA
recommends that ‘‘reporting service
providers should be able through online
access to obtain information identifying
both the agencies and the user accounts
that accessed their information.’’ We
adopt CTIA’s approach and will develop
auditing capabilities into NORS and
DIRS that track which reports specific
users access and when they are
accessed. We note that no commenters
oppose this approach. We believe this
will allow the Commission to maintain
effective oversight as to how NORS and
DIRS are used, including following an
incident involving unauthorized access.
We believe that this approach will be
less burdensome on participating
agencies than the approaches
recommended by NTCA and NCTA,
respectively. We acknowledge however
VerDate Sep<11>2014
19:24 Apr 28, 2021
Jkt 253001
the contentions of commenters who
have argued that service providers
should have access to these logs so that
they can determine whether their data
has been mishandled. We find that
service providers have a legitimate
interest in ensuring that their
presumptively confidential data is
handled appropriately even as we
remain wary that service providers
could use such information to burden
participating agencies with queries
based on the logs, particularly during
times of exigency. Therefore, we
delegate authority to PSHSB to consider
written requests from service providers
for access to audit logs regarding their
own records on a case-by-case basis and
to release requested information to the
requesting service provider only if
PSHSB determines that doing so would
be in the public interest. A service
provider’s written request must explain
the specific circumstances that the
provider believes warrants its access to
audit logs and identify, with
particularity, the requested date ranges
and entities covered by in the request.
5. Training Requirements
96. In the Second Further Notice, the
Commission proposed that each
individual granted a user account for
direct access to NORS and DIRS filings
be required to complete security
training on the proper access, use of,
and compliance with safeguards to
protect these filings prior to being
granted initial access, and that this
training occur on an annual basis
thereafter to make the framework more
effective and reduce the risk of overdisclosure of NORS and DIRS
information. Furthermore, the
Commission sought comment on
whether anyone who receives
confidential NORS and DIRS
information, including downstream
recipients, be required to complete
formal training. We adopt a proposed
training requirement today, and note
that an overwhelming number of
commenters submit that some form of
training is necessary for participating
agencies to ensure the appropriate uses
of NORS and DIRS data and minimize
over-disclosure, and believe
participating agencies should certify
that they have undertaken security
training consistent with the
Commission’s requirements. For
example, the Public Service
Commission of the District of Columbia
opines that it ‘‘agrees with the FCC and
many commenters that training of
authorized state agency staff about
NORS and DIRS reporting is important
to ensure proper treatment of NORS and
DIRS information.’’ The Competitive
PO 00000
Frm 00016
Fmt 4701
Sfmt 4700
Carriers Association states that it
‘‘supports the Commission’s proposal to
mandate annual security trainings to
agency personnel accessing the data,’’
and that ‘‘considering the sensitive
nature of NORS and DIRS data, regular
security trainings will help ensure
safeguards are adhered to and that
information remains protected.’’
97. We acknowledge that the
Michigan Public Service Commission
states that it ‘‘does not support the
proposal for annual training
requirements as currently discussed in
the FNPRM,’’ as it contends that if
‘‘there are to be annual certifications to
access NORS and DIRS outage
information, the MPSC believes that any
required training should be free of
charge to applicants and centrally
located or made available online.’’ The
IACP also recommends that ‘‘any
required training be accessible on-line
and be time limited to that which is
necessary to cover the points required.’’
As we decline to prescribe specific
training or platforms that agencies must
use to facilitate training, we respond to
the Michigan Public Service
Commission’s concerns by noting that
we expect that the implementation of
our training requirements, as discussed
below, will give agencies the
opportunity to tailor training programs
to their unique needs, including
considerations of cost.
98. Furthermore, in the Second
Further Notice, the Commission sought
comment on whether anyone who
receives confidential NORS and DIRS
information, including downstream
recipients, should be required to
complete formal training. While we
decline to adopt a formal training
requirement for downstream recipients,
we will require participating agencies to
instruct downstream recipients to keep
NORS and DIRS information they
receive as confidential and obtain a
certification from downstream entities
that they will treat the information as
confidential.
99. We note that commenters are
divided on this issue. For example,
while the Pennsylvania Public Utilities
Commission and the Satellite Industry
Association maintain that downstream
training should be required to ensure
that downstream recipients understand
the consequences of downstream
sharing and to reduce the risk of the
mishandling of NORS and DIRS
information. NASNA and the Colorado
Public Utilities Commission disagree.
For example, the Colorado Public
Utilities Commission states that ‘‘there
are potentially hundreds of individual
agencies throughout the state that may
have a ‘‘need to know’’ during a disaster
E:\FR\FM\29APR2.SGM
29APR2
jbell on DSKJLSW7X2PROD with RULES2
Federal Register / Vol. 86, No. 81 / Thursday, April 29, 2021 / Rules and Regulations
or large-scale emergency, and requiring
each of those agencies to have
individuals undertake a multi-hour
training prior to receiving the
information is unreasonable,’’ and
further argues that it ‘‘would also be
unduly burdensome for the
participating state agency to keep track
of who has had training, who hasn’t,
and whether annual refresher training
has been maintained.’’ As an alternative
to downstream training, the Colorado
Public Utilities Commission and
NASNA suggest that a participating
agency ‘‘be allowed to develop an
affidavit to be signed by subrecipients
prior to the receipt of confidential
information, acknowledging that they
understand that un-anonymized data is
confidential and that it is not to be
shared.’’
100. We are persuaded by NASNA
and the Colorado Public Utilities
Commission’s assertion that a
downstream training requirement would
be unreasonable, given the potentially
hundreds of downstream entities that
might receive information through the
framework. However, we find that
providing downstream access with
insufficient safeguards could amplify
the possibility of unauthorized
disclosure, particularly because
downstream entities will have less
experience with protecting NORS and
DIRS data than participating agencies.
Therefore, we also agree with NASNA
and the Colorado Public Utilities
Commission’s alternative approach.
101. We will require participating
agencies sharing data with entities that
have a ‘‘need to know’’ to instruct these
entities that they must treat the
information as confidential, not disclose
it absent a finding by the Commission
that allows it to do so, report any
unauthorized access, and securely
destroy the information when the public
safety event that warrants its access to
the information has concluded. We
delegate authority to PSHSB to develop
a certification for use by participating
agencies. Furthermore, as we explain
infra, we will hold participating
agencies responsible for inappropriate
disclosures of NORS and DIRS
information by the non-participating
agencies with which they share it. We
will also require participating agencies
to obtain non-participating agencies’
certification, under the penalty of
perjury, that they will abide by these
restrictions.
102. We note that NTCA ‘‘encourages
the Commission to adopt rules requiring
any local, state or Federal personnel
with access to NORS and DIRS filings
sign a certification attesting they have
undertaken security training consistent
VerDate Sep<11>2014
19:24 Apr 28, 2021
Jkt 253001
with the Commission’s recommendation
. . . and will access and use the
information only for the public safety
purposes for which it is intended.’’ We
find that our downstream training
requirements that we adopt today, along
with the required Certification Form we
discuss infra, provides for adequate
training of personnel, enables us to
obtain appropriate acknowledgment
from agencies regarding their efforts to
train employees on the appropriate uses
of NORS and DIRS information.
Consistent with NCTA’s proposal, the
Certification Form as described infra
will require participating agencies
granted access to certify that they have
completed security training and will use
NORS and DIRS information for public
safety purposes only. However, we
decline to adopt this requirement for
local personnel through the Certification
Form as we are not requiring training for
downstream entities granted access to
NORS and DIRS information by
participating agencies, and we will
require participating agencies to obtain
a separate certification from these
entities regarding the appropriate use of
NORS and DIRS information as
described above.
103. Agency Compliance with
Training Requirements. In the Second
Further Notice, the Commission sought
comment on requiring third-party audits
to ‘‘ensure that state and Federal
agencies’ training programs comply
with the Commission’s proposed
required program elements’’ and asked
‘‘what specific steps should the
Commission take, if any, to ensure the
adequacy of such programs.’’ ATIS
‘‘urges the Commission to consider
reviewing and formally approving all
training programs to ensure that they are
effective and address all relevant
issues.’’ NASNA and the Colorado
Public Utilities Commission believe that
in lieu of requiring third-party audits of
partner training programs, participating
agencies should provide a copy of their
training curriculum to the FCC. For
example, NASNA states that if ‘‘the FCC
requires reassurance that participating
agencies are meeting training
requirements, those agencies could be
required to provide a copy of its training
curriculum to the FCC and attest that all
employees within the agency are
required to complete the training prior
to applying for an account,’’ and that the
‘‘same requirement could exist for the
annual refresher training requirement.’’
104. We adopt a requirement,
consistent with NASNA and the
Colorado Public Utilities Commission’s
proposal, to require participating
agencies to make copies of their training
curriculum available for the
PO 00000
Frm 00017
Fmt 4701
Sfmt 4700
22811
Commission’s review upon request. We
are persuaded that is approach will be
the most effective way for the
Commission to confirm the adequacy of
state and Federal training programs, and
mandate remediation as necessary,
without burdening participating
agencies with a requirement to procure
third-party audits. We will not require
advance review and approval of
agencies’ training materials by the
Commission, as we find that doing so
would be administratively burdensome
to the Commission and prevent efficient
access to NORS and DIRS information.
We also find that requiring advance
review is unnecessary, as we believe
that requiring agencies to certify to the
adequacy of their training programs, as
discussed infra, is sufficient to ensure
that the plans’ adequacy.
105. Training Program Required
Elements and Exemplars. In the Second
Further Notice, the Commission
proposed that rather than mandating an
agency’s use of a specific training
program, agencies ‘‘develop their own
training program or rely on an outside
training program that covers, at a
minimum, specific topics or ’’program
elements. These program elements are:
‘‘(i) Procedures and requirements for
accessing NORS and DIRS filings; (ii)
parameters by which agency employees
may share confidential and aggregated
NORS and DIRS information; (iii) initial
and continuing requirements to receive
trainings; (iv) notification that failure to
abide by the required program elements
will result in personal or agency
termination of access to NORS and DIRS
filings and liability to service providers
and third-parties under applicable state
and Federal law; and (v) notification to
the Commission, at its designated email
address, concerning any questions,
concerns, account management issues,
reporting any known or reasonably
suspected breach of protocol and, if
needed, requesting service providers’
contact information upon learning of a
known or reasonably suspected breach.’’
Additionally, the Commission proposed
‘‘that [it] direct PSHSB to identify one
or more exemplar training programs
which would satisfy the required
program elements.’’ We adopt these
proposals today with slight
modifications as we continue to find
that they are critical to ensuring
participating agencies’ comprehensive
understanding of our information
sharing framework. Specifically, we
adopt a requirement that participating
agencies’ training programs must cover
the five program elements that the
Commission identified in the Second
Further Notice; we enable agencies to
E:\FR\FM\29APR2.SGM
29APR2
jbell on DSKJLSW7X2PROD with RULES2
22812
Federal Register / Vol. 86, No. 81 / Thursday, April 29, 2021 / Rules and Regulations
develop their own training program or
rely on an outside training program that
includes these program elements; and
delegate authority to PSHSB the duty to
consult with diverse stakeholders to
identify an exemplar training program
or develop exemplar training materials
that include these program elements.
106. We observe that ATIS, the only
commenter specifically addressing the
proposed training program’s required
elements, supports those elements.
Moreover, some commenters underscore
their belief that to help facilitate
uniformity of training materials and
reduce burdens on participating
agencies, the Commission should
identify exemplar training programs that
participating agencies can use in their
efforts to train staff on the proper uses
of NORS and DIRS filings.
107. The Second Further Notice also
sought comment on ‘‘the benefits and
drawbacks to the Commission
potentially working with one or more
external partners, such as ATIS, to
develop exemplar training programs.’’
ATIS states that it would ‘‘be happy to
assist with development of a training
program,’’ and would ‘‘work
collaboratively with other associations
so that this training would be completed
within a reasonable time after the
release of the final rules.’’ The Boulder
Regional Emergency Telephone Service
Authority urges ‘‘the Commission to
decline the ATIS’s offer to develop
training which ATIS proposes to focus
solely on limitations on use of the
materials and penalties for misuse,’’
because it believes that ‘‘training
should’’ ‘‘focus on interpretation and
utility of data.’’ Verizon states that
training for the confidentiality
requirements it recommends ‘‘would be
appropriate, in coordination with
Commission staff, ATIS and public
safety stakeholders.’’ Verizon also states
that the framework safeguards it
supports in its comments ‘‘should be
another subject of the workshops it
recommends.’’
108. We find that many stakeholders,
including ATIS, possess significant
technical and operational expertise that
could benefit the Commission in the
development of exemplar training.
Thus, to identify an exemplar training
program or develop exemplar training
materials, the Commission delegates
authority to PSHSB to consult with
diverse stakeholders with a range of
perspectives, including state
governments, the public safety
community, service providers, and other
industry representatives. We find that
this approach will foster a collaborative
process to ensure training materials
reflect the needs of all information
VerDate Sep<11>2014
19:24 Apr 28, 2021
Jkt 253001
sharing framework participants. We
note that ATIS also recommends that
the training specifically provide
guidance on six specific guidance
topics. These topics are ‘‘(1) The
purpose of NORS and DIRS; (2)
Appropriate use of confidential and
aggregated data; (3) Who would be
deemed to have a ‘‘need to know;’’ (4)
What would qualify as a public safety
purpose; (5) Proper distribution and use
of printouts, including a requirement
that users not delete the notification
proposed by ATIS informing readers
that the information in the document
may be shared only with authorized
users with a ‘‘need to know,’’ only for
public safety purposes, etc.; and (6) The
requirement that, should there be a
known or suspect breach as noted
above, the party whose data was
breached must be immediately
notified.’’ We decline to adopt these
recommendations at this time but note
that ATIS has the opportunity to
recommend these specific guidance
topics if it works with the Commission
and other stakeholders to develop
exemplar training materials.
109. Some commenters also suggest
the Commission convene stakeholder
workshops, or facilitate other
collaborative measures, before initiating
the sharing framework to further
develop data sharing protocol and other
features of the framework as necessary.
For instance, Verizon contends that ‘‘to
ensure that any new rules are
implemented collaboratively among the
service providers and government
agencies involved, the Commission
should convene stakeholder workshops
in the months preceding adoption of
final rules.’’ Several other commenters
support workshops’ proposals.
According to Verizon, these workshops
could allow stakeholders to, in part,
‘‘work through IT implementation
challenges to ensure compatibility with
providers’ and state agencies systems,’’
‘‘establish practices and guidance for
permissible uses and sharing of
information with employees and local
government stakeholders,’’ and ‘‘help
educate state and local governments on
the information not included in NORS
and DIRS reports, and on how service
providers obtain information to include
in the reports.’’ Verizon further opines
that to establish practices for
downstream sharing and use of
information, the Commission could
initiate ‘‘workshops of its own’’ and
encourage ‘‘other collaborative
discussions involving industry and
public safety trade associations and
standards groups,’’ and incorporate
‘‘those practices into training.’’ CTIA
PO 00000
Frm 00018
Fmt 4701
Sfmt 4700
also argues that ‘‘the Commission
should convene a broad group of subject
matter experts to identify processes to
protect data confidentiality while
advancing outage information sharing
with public safety stakeholders.’’
Furthermore, AT&T recommends that
‘‘before initiating agency and public
disclosures, the Commission should
give providers and government agencies
the opportunity to review an example of
the information to be made available
through this process,’’ and states that
‘‘[i]t would be useful for the providers
that submit information to NORS/DIRS
to see a mock-up format, any template,
and online access tools to be used so
that they have an opportunity to raise
any concerns and recommend changes.’’
AT&T also states that ‘‘[s]imilarly,
feedback from government agencies
would ensure that the Commission’s
final framework provides the statespecific information sought by these
parties, while potentially minimizing
multiple operationally redundant
reporting regimes across providers’
service footprints,’’ and ‘‘[s]uch a
collaborative process is most likely to
achieve the Commission’s dual
purposes of giving government agencies
useful information while also preserving
confidentiality of sensitive data.
110. We find that workshops are not
an appropriate venue to develop
requirements for our framework as the
open record has provided all interested
parties with an opportunity to comment
on our, and other parties’, proposals in
this proceeding. Thus, we reject all
recommendations that workshops be
used, in any way, to develop our
framework rules, including rules
regarding downstream and interjurisdictional sharing. We further reject
AT&T’s proposal to enable providers
and participating agencies to review and
provide feedback on information to be
made available through the framework
before its initiation. We expect that the
exemplar training materials supplied to
agencies, which will be developed with
the input of diverse stakeholders, will
provide information to help guide
agencies on the proper ways to access
and use NORS and DIRS information,
which they can choose to integrate into
any training materials they develop.
However, we delegate authority to
PSHSB to host one or more workshops
before the effective date of the
framework to educate stakeholders
about NORS and DIRS filings generally
and the requirements we adopt today,
including our rules regarding the
appropriate uses of NORS and DIRS
data, training measures, and aspects of
IT implementation of the framework.
E:\FR\FM\29APR2.SGM
29APR2
jbell on DSKJLSW7X2PROD with RULES2
Federal Register / Vol. 86, No. 81 / Thursday, April 29, 2021 / Rules and Regulations
6. Sharing of Confidential NORS and
DIRS Information
111. Responsibilities of Participating
Agencies. In the Second Further Notice,
the Commission proposed to allow
individuals granted credentials for
direct access to NORS and DIRS filings
to share copies of the filings, in whole
or part, and any confidential
information derived from the filings
within their agency, on a strict ‘‘need to
know’’ basis. We adopt this proposal.
112. Commenters generally support
allowing individuals with direct access
credentials at a participating agency to
share confidential NORS and DIRS
information with individuals within
their agencies on a ‘‘need to know’’
basis. We agree with the Pennsylvania
Public Utility Commission that this
mechanism is especially important
given the many individuals involved in
coordinating emergency response, many
of whom will not be credentialed for
access, and we agree with T-Mobile that
it is prudent to ensure that nonparticipating agency officials are able to
receive NORS and DIRS information to
steer their agency in improving public
safety outcomes. Moreover, we find the
proposed approach to be a practical way
to enable the individuals who are
credentialed to login to our databases
and thereby access NORS and DIRS
filings to convey this filed information
to their agency’s decision makers. We
find significant public safety benefits in
ensuring that all ‘‘need to know’’
individuals at any agency, including key
executives, decision-makers and
potentially first responders, have access
to NORS and DIRS information and we
find this will allow an agency to make
collectively informed decisions on how
to use the information, ultimately
lowering rather than increasing the
chance of misuse of the information.
113. We reject CTIA’s contrasting
view that restricting access to
credentialed users at an agency is a
necessary safeguard for encouraging
service providers to provide robust
disclosures of relevant information in
their NORS and DIRS filings. To the
contrary, we find that if credentialed
users could not coordinate with noncredentialed decision-making officials
and other expert agency personnel on
the substance of NORS and DIRS
reports, this would likely lead to more
instances of impermissible use and
improper disclosure (and worse public
safety outcomes), rather than fewer
instances. For example, if a credentialed
user cannot share NORS and DIRS
information with specialized emergency
management experts within their own
agency, they would potentially use the
VerDate Sep<11>2014
19:24 Apr 28, 2021
Jkt 253001
information to make recommendations
on public safety matters that they are
not qualified to make. If a credentialed
user cannot share NORS and DIRS
information with agency decisionmakers, they would potentially make
decisions on allocating resources in
response to a public safety threat that
they would not have the authority to
make. We find that the risks of improper
disclosure would increase as
credentialed users would be forced to
work outside of their agency’s normal
chain of command in acting on
confidential NORS and DIRS
information. We believe that service
providers will recognize that this
observation, along the many safeguards
implemented today, provide assurances
the presumptively confidential NORS
and DIRS filings the supply to the
Commission will continue to be
protected, and we believe that service
providers will remain motivated in
supplying robust NORS and DIRS filings
to resolve network reliability and outage
issues, as they have historically done.
We note that service providers are
required to submit NORS reports that
meet all the requirements of our part 4
rules. While DIRS reporting is
voluntary, our experience with DIRS
activations provides us with the insight
that providers are likely to provide
complete DIRS reports in order to take
advantage of the Commission’s waiver
of the NORS reporting obligations in
those regions where DIRS has been
activated.
114. We are also unpersuaded by
NCTA’s concern that ‘‘increasing the
number of people who have access to
the data inherently increases the risk of
breach or accidental disclosure’’
because this conceptual possibility of an
increased risk is outweighed by the
harms that arise from disallowing intraagency sharing, which would make it
less likely that an agency’s staff and
leadership will use NORS and DIRS
information to take action, thereby
frustrating the purposes of the
information sharing framework we
adopt today.
115. Based on concerns of
commenters, we bar the sharing of
confidential NORS and DIRS
information with contractors. While we
recognize that an agency’s contractors
can engage in public safety functions in
times of crises, we find that sharing
with contractors should be barred given
the potential for conflicts of interest
among contractors, who may work on
behalf of service providers as well as
public safety agencies. As no
commenter has identified how NORS
and DIRS information can be shared in
ways that would appropriately address
PO 00000
Frm 00019
Fmt 4701
Sfmt 4700
22813
these potential conflicts of interest, we
decline to make this information
available to contractors.
116. With respect to a participating
agency’s sharing of reports with
downstream entities (described infra),
in the Second Further Notice, the
Commission proposed that the sharing
agency determine whether a ‘‘need to
know’’ exists on the part of the
recipient. We adopt this proposal,
which most commenters support
without significant comment. With
regard to potential costs burdens, we
reiterate that participating agencies are
not required to share NORS and DIRS
information but instead are permitting
to do so. As previously noted in the
Second Further Notice, we find that this
approach is appropriate because the
sharing agency is in a strong position,
particularly in comparison to the
Commission, to make this determination
based on its ‘‘on the ground’’ knowledge
of the public safety-related activities,
and trustworthiness, of the downstream
entities with which it elects to share,
e.g., based on its prior interactions with
such agencies.
117. We reject ATIS’s view that we
should ‘‘not leave it entirely in the
hands of state agencies to determine
whether a local agency has a ‘need to
know’ ’’ as ATIS believes this could
result in misuse or unauthorized access
to the information. ATIS suggests a
scheme where agencies with direct
access to NORS and DIRS would inform
the Commission of whom they may plan
to share information with in advance of
a public safety event and we would then
use this information to seek input from
filers, including objections, prior to any
information sharing. We find that the
public safety benefits of our adopted
approach outweigh ATIS’s concerns of
misuse or improper access to NORS and
DIRS information. Our adopted
approach ensures that decisions on how
to best resolve public safety problems
are in the hands of those closest to the
issues (i.e., participating agencies).
Requiring the Commission receive
notifications and solicit comments from
filers, as ATIS favors, creates delays in
decision making that would make NORS
and DIRS information significantly less
useful to participating agencies in the
context of exigencies. We instead agree
with Colorado Public Utilities
Commission that participating agencies
can make this decision more effectively
and quickly given their familiarity with
on the ground facts. Moreover, we find
that the many safeguards that we have
imposed on downstream sharing today
to be directly responsive to ATIS’s
concerns as we believe they are
sufficient to protect these sensitive
E:\FR\FM\29APR2.SGM
29APR2
jbell on DSKJLSW7X2PROD with RULES2
22814
Federal Register / Vol. 86, No. 81 / Thursday, April 29, 2021 / Rules and Regulations
filings from misuse and unauthorized
access.
118. We also reject ATIS’s view that
we should require that participating
agencies make advance arrangements
with agencies they choose to share
downstream with (and that the
Commission be notified of the existence
of these arrangements) prior to dealing
with an on-going public safety event.
We are instead persuaded by the
International Association of Chiefs of
Police’s remark that these requirements
would present a ‘‘barrier to access’’ as
they would consume additional
resources that agencies often do not
have. We decline to require that a
participating agency make advance
arrangements, or share at all, with other
entities in light of the burden concerns
expressed in the record. We find,
however, that advance arrangements
would likely reduce long term burdens
on all parties. We therefore encourage,
but do not require, participating
agencies to make advance arrangements
where they deem it practical and in the
interests of public safety to do so.
119. We reject the views of the
International Association of Chiefs of
Police that we go further and require
that participating agencies share
information with local police agencies
having a ‘‘need to know.’’ While we
share the view that police agencies play
a vital role in resolving many public
safety issues, we decline to require
participating agencies share confidential
NORS and DIRS information with police
agencies or any other local entity. We
find that requiring Federal, state,
territory, and Tribal Nation agencies to
share information with other entities is
incompatible with our decision today to
hold the participating agency
accountable for the way information is
used by those entities. To maintain the
reasonableness of this accountability
measure, we find it critical that
participating agencies be able to
evaluate and select the entities (if any)
with which they share information. As
a practical matter, however, we expect
that participating agencies will, in many
cases, voluntarily share information
with police agencies when a ‘‘need to
know’’ exists.
120. We also reject the views of NCTA
and other commenters that a
participating agency should not be
allowed to share directly with others
outside the agency on grounds that this
would risk over-disclosure. As noted
above, we place safeguards on such
direct sharing that will minimize the
risk of unauthorized disclosure, which
we find strikes an appropriate balance
between disseminating NORS and DIRS
information to those who can act on it,
VerDate Sep<11>2014
19:24 Apr 28, 2021
Jkt 253001
thereby savings lives and property, and
protecting the sensitive nature of these
filings. We also reject ACA Connects’
view that the ‘‘need to know’’ of a
recipient must be determined in
advance of any sharing event (as
opposed to in real-time during the
event). We find that this provision
would likely create significant and
impractical delays in the transfer of
critical information to non-participating
agencies, particularly during times of
severe exigency, and we find that the
many safeguards that we’ve introduced
on direct sharing today appropriately
balance disseminating NORS and DIRS
information with protecting the
sensitive nature of these filings.
121. In the Second Further Notice, the
Commission proposed to allow
individuals granted credentials for
direct access to NORS and DIRS filings
to share copies of particular filings, in
whole or part, and any confidential
information derived from the filings
outside their agency on a strict ‘‘need to
know’ ’’ basis. We adopt this proposal
and clarify that not only must there be
a ‘‘need to know’’ for downstream
sharing, but that need must pertain to a
specific imminent or on-going public
safety event.
122. Many state, local and industry
commenters support allowing
credentialed individuals at a
participating agency to directly share
confidential NORS and DIRS
information with others outside their
agency, including individuals working
for local entities, on a ‘‘need to know’’
basis. We agree with Verizon and the
City of New York that, while state
agencies are a good initial dissemination
point, effectively addressing public
safety requires collaboration between
state agencies and local entities (among
others). We also agree with the Public
Service Commission of the District of
Columbia that this proposal will ‘‘assist
in developing a coordinated response to
a disaster or other major outage,’’ and
with the Pennsylvania Public Utility
Commission, which supports this
proposal as necessary to ensure that
information can be disseminated from
participating agencies to county
emergency agencies, as they are often
‘‘the key decision-makers and first
responders’’ who need this information
given their ‘‘vital role . . . in ensuring
public safety during times of crisis.’’ We
find that the proposed approach would
provide a targeted and efficient way to
put relevant information in the hands of
local entities while minimizing the risk
of over disclosure of confidential NORS
and DIRS information. We also find that
the proposed approach would be an
effective way to ensure that PSAPs and
PO 00000
Frm 00020
Fmt 4701
Sfmt 4700
911 authorities that do not qualify as
participating agencies can obtain
relevant NORS and DIRS information.
123. We clarify, however, that not
only must there be a ‘‘need to know’’ for
downstream sharing, but that it must
pertain to a specific imminent or ongoing public safety event. Thus, in
contrast with today’s restrictions on
sharing within a participating agency,
we exclude a participating agency from
sharing confidential information
downstream when a potential recipient
is seeking to use the information to
identify trends and perform analyses
related to long-term improvements in
public safety outcomes. Many
commenters express concerns that
downstream sharing raises additional
risks and would thus appear to support
today’s decision to further restrict the
conditions on which it is permitted. We
agree with commenters there is
generally less accountability and an
increased risk of over-disclosure when
NORS and DIRS information is shared
outside of those participating agencies
that have been granted direct access. We
similarly agree with ATIS and T-Mobile
that the risks of improper use are
heightened since outside recipients are
not directly accountable to the
Commission through our Certification
Form (Appendix C). We find that these
observations justify our further
restriction on a ‘‘need to know’’ in the
context of downstream sharing.
Moreover, without this restriction in
place, a participating agency could
simply share all (or vast amounts) of
NORS and DIRS filings with a nonparticipating agency on grounds of a
general ‘‘need to know,’’ which would
frustrate our decision to limit direct
access to the many filings housed in our
NORS and DIRS databases to
participating agencies only.
124. Responsibilities of NonParticipating Agencies. The
Commission proposed in the Second
Further Notice to require that nonparticipating agencies that seek NORS
and DIRS information first provide
certification, to the supplying
participating agency, that they will treat
the information as confidential, not
publicly disclose it absent a finding by
the Commission that allows them to do
so, and securely destroy the information
when the public safety event that
warrants its access to the information
has concluded. We adopt this proposal
while also requiring that nonparticipating agencies certify that they
have completed security training using
participating agencies’ training
materials before being granted access to
NORS and DIRS filings and clarifying
the meaning of ‘‘secure’’ destruction.
E:\FR\FM\29APR2.SGM
29APR2
jbell on DSKJLSW7X2PROD with RULES2
Federal Register / Vol. 86, No. 81 / Thursday, April 29, 2021 / Rules and Regulations
125. Some commenters, including
state utility commissions that would
incur much of the burden associated
with these proposals, agree with the
Commission’s approach and find it
workable. We agree with the
Pennsylvania Public Utility Commission
that requiring a non-participating
agency’s agreement to treat filings as
confidential will help maintain NORS
and DIRS filers’ trust in the
confidentiality of submitted information
and ensure the continued success of our
NORS and especially voluntary DIRS
programs. We also agree with both the
Colorado Public Utilities Commission
and NASNA that each of these
requirements is workable and can be
implemented in practice even if they do
impose some burden.
126. Moreover, while no commenter
questioned what ‘‘secure’’ destruction
would entail, we find that clarifying this
term will simplify implementation of
this program for non-participating
agencies that are required to securely
destroy information according to its
terms. We clarify that the secure
destruction of confidential NORS and
DIRS information requires, at a
minimum, securely cross-cut shredding,
or machine-disintegrating, paper copies
of the information, and irrevocably
clearing and purging digital copies,
when the public safety event that
warrants access to the information has
concluded.
127. We reject the Colorado Public
Utilities Commission’s view that a nonparticipating agency has a need to keep
‘‘descriptions’’ related to NORS and
DIRS information in their possession to
the extent it would violate our
requirement for the secure destruction
of the confidential NORS and DIRS
information after the conclusion of a
public safety event. We agree with
Telecommunications Regulatory Bureau
of Puerto Rico’s representation from its
own practice, that such reports can (and
should) be ‘‘general in nature’’ and not
reflect confidential NORS and DIRS
information. We find that to allow a
non-participating agency to keep more
granular information on file is
outweighed by the need to restrict the
dissemination of sensitive NORS and
DIRS information.
128. As noted above, we will require
downstream agencies to certify that they
have completed security training using
participating agencies’ training
materials before being granted access to
NORS and DIRS filings. We find that
providing downstream access without
any safeguards could amplify the
possibility of unauthorized disclosure,
particularly because downstream
entities will have less experience with
VerDate Sep<11>2014
19:24 Apr 28, 2021
Jkt 253001
protecting NORS and DIRS data than
participating agencies.
129. Further downstream sharing. In
the Second Further Notice, the
Commission proposed that the sharing
of confidential NORS and DIRS
information be allowed further
downstream as well. According to this
proposal, once an agency with direct
NORS and DIRS access shared
confidential NORS and DIRS
information with a recipient, that
recipient could further summarize and/
or share the information with others that
also had a ‘‘need to know.’’ Based on the
record before us, we decline to adopt
this proposal.
130. We find that the further
downstream sharing proposal implicates
several legitimate concerns around the
ability to safeguard the confidentiality
of the information and foster
accountability among individuals and
entities that would receive information.
We agree with ACA Connects that the
proposed approach would have made it
hard to control the flow of information
and maintain accountability when
improper disclosure occurred. We agree
with ATIS and T-Mobile that the risks
of improper use would be heightened if
sharing were extended to those further
downstream, i.e., to those not closely
associated with agencies subject to our
accountability measures, including as
signatories to our Certification Form
(Appendix C). Moreover, while some
commenters suggest that these issues
could be addressed through the
imposition of additional safeguards,
such as instituting a Commission
‘‘coordinator’’ (who would be
responsible for releasing the information
that is to be shared downstream and
ensuring that recipients indeed have a
‘‘need to know’’) and allowing public
comment on a proposed disclosure-bydisclosure basis. We reject these views
as we find the proposed additional
safeguards to be highly burdensome
since, by adding delay to decision
making, they would significantly
diminish the value of the associated
NORS and DIRS information in the
context of exigencies.
131. We reject the views of some local
entities that believe that the further
downstream sharing proposal would be
workable as-is. We reject these views in
the context of further downstream
sharing. As noted by the industry
commenters, the Commission’s further
downstream sharing proposal would
require responsible practices not just by
participating agencies and those that are
one ‘‘hop’’ removed from these agencies,
but from a larger set of entities
potentially many hops removed from
the participating agency and generally
PO 00000
Frm 00021
Fmt 4701
Sfmt 4700
22815
not approved or cleared by the
participating agency (or the
Commission) in advance. We find that
these public safety risks heighten, as do
the difficulties of identifying the source
of impermissible disclosure as
information continues to be shared
downstream with additional parties.
Even if each individual entity taken
alone has strong incentives to protect
NORS and DIRS information, as Boulder
Regional Emergency Telephone Service
Authority contends, the risk of improper
disclosure increases as a larger number
of entities gains access to the
information. To minimize that risk at
the launch of today’s new information
sharing framework, we find that it is
prudent to allow participating agencies
to share NORS and DIRS confidential
information under the conditions
established in this order but not to allow
further downstream sharing.
132. Penalties and Remedies. The
Commission proposed in the Second
Further Notice to hold participating
agencies responsible for inappropriate
disclosures of NORS and DIRS
information by the non-participating
agencies with which they share it and
noted that consequences for improper
disclosures by a participating agency or
non-participating agency (with which
the participating agency shares
information) could result in termination
of access to NORS and DIRS data for the
participating agency. We adopt this
proposal. We find that the risk of losing
access is a necessary safeguard that will
incentivize participating agencies to
make judicious selections up-front on
with whom they share NORS and DIRS
information, if anyone.
133. In doing so, we reject the views
of some commenters that believe that it
would be unfair and a disservice to
terminate a participating agency’s access
to NORS and DIRS information because
of the potential bad actions of a nonparticipating entity which it cannot
directly control. To further address the
concerns in the record, however, we
confirm that in any decision to
terminate access, and set a length of
time that the termination is effective,
the Commission will consider the
totality of the circumstances, including
the reasonableness of the participating
entity’s decision to share information
with a non-participating agency, the
severity of the misuse of shared
information, and the implementation of
other appropriate safeguards by the
implicated participating agency.
134. To address concerns of record, to
the extent that a participating agency is
unclear on whether specific
downstream individuals or entities have
a ‘‘need to know,’’ despite the clarity we
E:\FR\FM\29APR2.SGM
29APR2
22816
Federal Register / Vol. 86, No. 81 / Thursday, April 29, 2021 / Rules and Regulations
jbell on DSKJLSW7X2PROD with RULES2
have provided on the scope of the term
in today’s Order, we encourage (but do
not require) the agency to contact the
Commission at NORS_DIRS_
information_sharing@fcc.gov to discuss
its potential sharing with the
individuals and entities well in advance
of a relevant public safety event.
135. We reject NASNA’s suggestion
that when a participating agency’s direct
access is terminated by the Commission,
it be terminated for exactly three years,
as we find this to be an unnecessarily
rigid approach. We agree with Colorado
Public Utilities Commission and
Montrose Emergency Telephone Service
Authority that a decision to terminate
access need not be permanent.
136. We encourage participating
agencies to proactively monitor and
terminate access to non-participating
agencies when they find such action
warranted, but we reject Colorado
Public Utilities Commission’s view that
the Commission should defer to
participating agencies on termination
decisions. The Commission has a strong
incentive to safeguard all NORS and
DIRS information that it receives to
ensure that providers provide detailed
reports on a nationwide basis.
137. The Commission will provide its
remediation decisions, including its
reasoning and actions to be taken to
hold the participating agency
accountable in a letter to the agency’s
coordinator, which may also be released
on the Commission’s website. If the
Commission terminates an agency’s
access, the Commission will specify in
the letter the time duration of this
penalty as well as any conditions that
must be met prior to reinstatement of
access.
G. Procedures for Requesting Direct
Access to NORS and DIRS
138. In the Second Further Notice, the
Commission proposed requiring eligible
state, Tribal Nation and Federal
agencies to apply for direct access to
NORS and DIRS filings by sending a
request to the Commission’s designated
email address and completing a
Certification Form. The request would
include: (i) A signed statement from an
agency official, on the agency’s official
letterhead, including the official’s full
contact information and formally
requesting access to NORS and DIRS
filings; (ii) a description of why the
agency has a need to access NORS and
DIRS filings and how it intends to use
the information in practice; (iii) if
applicable, a request to exceed the
proposed presumptive limits on the
number of individuals (i.e., user
accounts) permitted to access NORS and
DIRS filings with an explanation of why
VerDate Sep<11>2014
19:24 Apr 28, 2021
Jkt 253001
this is necessary and (iv) a completed
copy of a Certification Form, a template
of which is provided in this item as
Appendix C.’’ On receipt, the
Commission would review the request,
follow-up with the agency official with
any potential questions or issues. Once
the Commission has reviewed the
application and confirmed the
application requirements are satisfied,
the Commission would grant NORS and
DIRS access to the agency by issuing the
agency NORS and DIRS user accounts.
We adopt these application procedures
today, subject to the modification we
have discussed above to require
applying agencies to identify legal
authority that charges them with
promoting the protection of life or
property. We find that, generally,
commenters opining on the proposed
procedures for requesting NORS and
DIRS access raise no concerns with
them. For example, the Competitive
Carriers Association opines that the
‘‘FNPRM’s proposed procedures for
requesting data would help to ensure
data is accessed on a limited, as-needed
basis.’’ NASNA notes the Second
Further Notice’s proposed ‘‘procedure
for potential participating agencies to
apply for direct access to NORS and
DIRS data,’’ and states that it ‘‘has no
objections to the procedure outlined.’’
139. Other commenters urge
additional modifications to the
proposed procedures, which we reject.
For example, ACA Connects urges the
Commission ‘‘to require agencies as part
of their application to explain precisely
the public safety need that justifies
access to NORS or DIRS data, and to
grant such access only to that extent
necessary to meet that need,’’ and also
argues that ‘‘a participating agency
should be required to submit to the
Commission the names of all
individuals with whom it will share the
data, along with an explanation why
each individual ‘‘needs to know’’ the
information.’’ We decline to adopt this
proposal as we expect our application
requirement that legal authority be
identified and certified to by agencies
will address the issue of public safety
need and find that requiring agencies to
submit the names of all individuals with
whom it will share data is inflexible and
disregards that agencies might not know
the full extent of individuals it will
provide access to at the time of
application. Furthermore, we note that
Verizon suggests that applications
‘‘could include point of contact
information for localities seeking access
to information in the reports.’’ We also
reject this recommendation as our
application process is focused on
PO 00000
Frm 00022
Fmt 4701
Sfmt 4700
reviewing the eligibility of agencies
under the sharing framework and
ensuring that they will adhere to the
framework’s safeguards and we defer to
participating agencies to determine
whether and how they want to establish
a point of contact for requests by local
agencies.
140. Moreover, some commenters
propose that the Commission notify
service providers when a particular
agency applies for access to allow the
provider to raise any concerns. For
example, Verizon argues that ‘‘if service
providers have concern for the
confidentiality protections available in a
particular state or have other issues
appropriate for the Commission’s
consideration, such notification would
give the service provider an opportunity
to raise those concerns.’’ We find that,
if implemented, this approach could
lead to protracted disputes between
service providers and participating
agencies and impede efficient access to
NORS and DIRS information. While
Verizon does not indicate what ‘‘other
issues’’ could be raised for the
Commission’s consideration through a
notification process in its comments, the
Commission expects that its objective
application process and its safeguards
for protecting the confidentiality of
NORS and DIRS data will help prevent
improper use and disclosure.
141. Furthermore, we find that
eligible agencies, which have public
safety duties, are unlikely to release
sensitive information in ways that
undermine national security or other
public safety purposes. These agencies
are also not in competition with service
providers, and thus lack anticompetitive
motives to use the information
improperly. Moreover, we find that
potentially contesting an agency’s
eligibility under our framework could
detract from service provider and public
safety resources that should be more
immediately directed to using NORS
and DIRS information to improve public
safety. However, we encourage service
providers to inform the Commission
about any laws that would prevent any
eligible agencies in a jurisdiction from
maintaining the confidentiality of NORS
and DIRS information, as well as any
specific concerns regarding
participating agencies that may be
improperly accessing, using, or
disclosing NORS and DIRS information.
142. Although we will not notify
providers when an agency requests
access to NORS and DIRS information
for the aforementioned reasons, we find
that providers should be kept apprised
of the entities granted direct access to
NORS and DIRS filings to track the use
of network outage data. Therefore, we
E:\FR\FM\29APR2.SGM
29APR2
jbell on DSKJLSW7X2PROD with RULES2
Federal Register / Vol. 86, No. 81 / Thursday, April 29, 2021 / Rules and Regulations
will develop a general list of
participating agencies granted access to
filings under our information sharing
framework that will made available to
relevant service providers. This list will
be updated on a periodic basis. We
delegate authority to PSHSB to develop,
update, and make available this list.
143. Certification Form. In the Second
Further Notice, the Commission
proposed the adoption of a Certification
Form ‘‘to address the certifications and
acknowledgments required for direct
access to NORS and DIRS filings,’’ and
sought comment on the various
elements and requirements of the
Certification Form. Based on our review
of the record, we adopt the proposed
Certification Form today, with slight
modifications we discuss below, as we
expect that it will provide for adequate
acknowledgment of the confidential
nature of the NORS and DIRS filings
and help protect against the
unauthorized use of NORS and DIRS
information. We note that several
commenters support the proposed
Certification Form.
144. Many commenters offer various
proposals for modifications intended to
strengthen the safeguarding of NORS
and DIRS information by requiring
notice of data breaches to the
Commission and service providers. We
agree with commenters that it will
further public safety to require
participating agencies to certify that
they will immediately notify the
Commission and affected service
providers of data breaches or the
unauthorized or improper disclosure of
NORS/DIRS data. CenturyLink also
comments that ‘‘State and local agencies
should be required to immediately
report to the service provider and the
FCC any unauthorized or improper
disclosure of NORS/DIRS data.’’ ACA
Connects further states that ‘‘the
Commission should require
participating agencies to notify the
Commission and affected
communications providers in the event
of a data breach, and should set forth
appropriate penalties, including
revocation of the agreement, for an
agency that fails to protect or misuses
the data,’’ and that [a]t minimum, an
agency that demonstrates a pattern of
misuse or improper disclosure of NORS
or DIRS data should be cut off from any
further access.’’ We find that in addition
to enabling service providers to
minimize the negative effects of
improper disclosure, this modification
to the Certification Form would allow
the Commission to quickly identify
misuse of NORS and DIRS information,
further investigate violations of
information sharing rules, and, if
VerDate Sep<11>2014
19:24 Apr 28, 2021
Jkt 253001
necessary, restrict continued access by
offending participating agencies. NCTA
also argues that ‘‘as AT&T has
previously suggested, after any
improper access to or use of NORS or
DIRS data by an employee, the
Qualifying Governmental Agency
should agree ‘‘to perform an
investigation of that employee and
report the results of its investigation to
the Commission and, possibly, to law
enforcement.’’ As we expect that the
approach we adopt today will enable
the Commission to coordinate the swift
investigation of potentially improper
uses of NORS and DIRS data, which
could include investigation of personnel
at participating agencies, we decline to
adopt this proposal.
145. Other commenters make
additional Certification Form proposals
intended to ensure confidentiality and
the proper use of NORS and DIRS
filings, which we reject. We decline to
adopt NCTA’s recommendation that the
Commission require participating
agencies ‘‘to certify that NORS and DIRS
filings will not be accessed by
individuals who are not designated
employees,’’ or are no longer employed
by the agency. We note that nonparticipating agencies that receive
NORS and DIRS information from
participating agencies will be required
to complete a certification that they will
treat the information as confidential. We
also expect that the training and
safeguard requirements we adopt today
will be sufficient to prevent
unauthorized access to filings. We
further find that the addition of this
provision could be confusing as we note
that pursuant to the rules we adopt
today, participating agencies can share
copies of NORS and DIRS filings, within
or outside their participating agency.
NCTA also recommends that a
participating agency certify that, among
other things, it will only use NORS and
DIRS information for public safety
responsibilities. ATIS also urges that the
Certification Form be modified to
‘‘specifically require agencies to certify
that they have ‘‘need to know’’ this
information and that they agree to use
this information only for public safety
purposes.’’ CenturyLink also agrees with
NCTA that ‘‘a certifying agency should
also describe ‘‘how it intends to use the
information in practice.’’ We further
find that the limitations on NORS and
DIRS data described in the Certification
Form—which requires agencies to
certify that they will comply with the
restrictions we adopt today—and our
application procedures—including
procedures that require agencies to
identify the legal authority that charges
PO 00000
Frm 00023
Fmt 4701
Sfmt 4700
22817
them with public safety
responsibilities—as adopted adequately
address the remaining issues referenced
in NCTA and other commenter’s
proposals.
146. In addition to these arguments,
some commenters urge the Commission
to adopt a certification process similar
to the process the Commission has
implemented to grant state access to
North American Numbering Plan data,
require state agencies to certify that they
have adequate confidentiality
protections in place, or describe the
safeguards they have implemented to
protect NORS and DIRS data. We reject
all proposals regarding these issues to
the extent that they differ from the
provisions in the Certification Form we
adopt today. We note that the proposed
Certification Form was modeled after
the certification that we require for
access to North American Numbering
Plan data, but enhanced to protect
NORS and DIRS information, which if
mishandled, implicates national
security and competitive sensitivity
concerns. For example, the Certification
Form requires agencies to certify and
acknowledge that NORS and DIRS
filings are sensitive and presumed
confidential for national security and
commercial competitiveness reasons
and report any suspected breaches to
the Commission immediately.
147. In addition, we will require
agencies to certify that they have
implemented practical data protection
safeguards including assigning user
accounts to single employees, promptly
reassigning user accounts to reflect
changes as their rosters of designated
employees change, and periodically
changing user account passwords to
ensure that user account credentials are
not used by individuals who are not the
agency’s designated employees.
Furthermore, the requirements we adopt
today will obligate participating
agencies to implement effective
confidentiality safeguards regardless of
the level of safeguards that exist in their
states. For example, we require all
participating agencies to certify that
they will ‘‘treat NORS and DIRS filings
and information in accordance with
procedural and substantive protections
that are equivalent to or greater than
those afforded under Federal
confidentiality statutes and rules,
including but not limited to the Federal
Freedom of Information Act,’’ and to
‘‘the extent that Federal confidentiality
statutes and rules impose a higher
standard of confidentiality than
applicable state law or regulations
provide,’’ the agencies must certify that
they will ‘‘adhere to the higher Federal
standard.’’
E:\FR\FM\29APR2.SGM
29APR2
jbell on DSKJLSW7X2PROD with RULES2
22818
Federal Register / Vol. 86, No. 81 / Thursday, April 29, 2021 / Rules and Regulations
148. Commenters also make proposals
intended to ensure the Certification
Form clarifies the limitations of NORS
and DIRS filings and the scope of
entities eligible to receive them. For
example, Verizon proposes that the
Certification Form state that the
recipient of filings ‘‘further
acknowledges that information reported
in DIRS and NORS filings is subject to
revision and correction by the reporting
service provider.’’ However, we find
that the proposed Certification Form
accounts for potential errors and
inaccuracies in NORS and DIRS filings
by requiring participating agencies to
‘‘acknowledge that the Commission
does not guarantee the accuracy of
either the NORS or DIRS filings.’’ We
note that providers can share revised
and corrected filings with us, which we
will in turn make available to
participating agencies granted access to
the framework. Additionally, ATIS
proposes that the Certification Form be
modified to ‘‘avoid confusion by
clarifying in the opening paragraph that
state agencies may get access only to
reports for that state and cannot request
nationwide filings.’’ ATIS states that
‘‘one way to achieve this would be
replace the bracketed language with
‘‘[for state agencies, name of states; for
Federal agencies, name of states or
nationwide].’’ ’’ We agree with ATIS that
we should revise the Certification Form
to clarify the scope of entities that we
intend to provide with access to our
framework. Therefore, we add bracketed
language to the Certification Form to
indicate that states, the District of
Columbia, Tribal Nations, and U.S.
territories may be granted access only
for reports of outages connected to their
jurisdictions consistent with our rules.
149. We note that in addition to the
Certification Form revisions we describe
above, and consistent with the
requirements we adopt today, we add an
additional provision to the form to
require the designated agency contact
for each participating agency to serve as
the coordinating point of contact for the
agency consistent with the requirements
we have described.
150. Finally, in the Second Further
Notice, the Commission proposed to
‘‘direct PSHSB to promulgate any
additional procedural requirements that
may be necessary to implement the
Commission’s proposals for the sharing
of NORS and DIRS information,
consistent with the Administrative
Procedure Act.’’ The Commission also
stated that ‘‘we foresee that such
procedural requirements may include
implementation of agency application
processing procedures, necessary
technical modifications to the NORS
VerDate Sep<11>2014
19:24 Apr 28, 2021
Jkt 253001
and DIRS databases (including,
potentially, modifications designed to
improve data protection and guard
against unauthorized disclosure), and
reporting guidelines to ensure that the
Commission receives the notifications
identified in Appendix C.’’ The
Commission sought comment on these
proposals, and asked whether there
were additional safeguards it should
adopt for the application process or any
other procedural requirements that
would be necessary to implement the
Commission’s proposals. No
commenters addressed these proposals
or provided any evidence to rebut their
necessity. Thus, we adopt them and we
are confident that PSHSB’s technical
and administrative expertise will help
facilitate the efficient implementation of
the information sharing framework to
further enhance public safety as
contemplated by the rules we adopt
today.
H. Effective Dates
151. In the Second Further Notice, the
Commission proposed to have the
Public Safety and Homeland Security
Bureau issue a Public Notice that would
(a) announce OMB approval of any new
information collection requirements that
the Commission might adopt in
modifying the DIRS and NORS regime;
and (b) set a date on which (i) service
providers would be required to conform
any new filings in NORS and DIRS to
any newly adopted reporting protocols;
and (ii) agencies could file certification
forms requesting access to those reports.
Thus, direct NORS and DIRS access
would become available to eligible
agencies as of the specified date.
Moreover, the Commission proposed
that the date set by the Bureau would be
a date after the technical adjustments
necessary to facilitate sharing had been
made to the Commission’s NORS and
DIRS databases. The Commission
tentatively concluded in the Second
Further Notice that adoption of this
proposal would give interested agencies
ample time to prepare their
certifications and give service providers
sufficient time to adjust their NORS and
DIRS filing processes to conform with
technical changes required by today’s
final rule changes. While no commenter
opposed our proposals, we find it in the
public interest to adopt the proposals
with one modification, i.e., to specify an
effective date, subject to extension, as
part of today’s decision.
152. We find that this approach
provides the Commission adequate time
to implement the regime contemplated
by today’s rules and will permit the
Bureau time to account for
contingencies, i.e., the readiness of the
PO 00000
Frm 00024
Fmt 4701
Sfmt 4700
databases and the OMB approval that
facilitates the implementation of the
revised regime. Our experience in other
contexts informs our estimate that the
NORS and DIRS database adjustments
and related transition to implement the
new requirements will require
approximately 18 months. Accordingly,
we set an effective date below of
September 30, 2022 for the revisions to
section 4.2. We delegate authority to the
Public Safety and Homeland Security
Bureau, which will seek OMB review
and make adjustments to the databases,
to extend this effective date if necessary
by Public Notice published in the
Federal Register (e.g., if database
adjustments take longer than we
estimate here or if the required OMB
review of the modified information
collections under the new rule
provisions is delayed).
IV. Procedural Matters
153. Final Regulatory Flexibility
Analysis. The Regulatory Flexibility Act
of 1980, as amended (RFA), requires
that an agency prepare a regulatory
flexibility analysis for notice and
comment rulemakings, unless the
agency certifies that ‘‘the rule will not,
if promulgated, have a significant
economic impact on a substantial
number of small entities.’’ Accordingly,
the Commission has prepared a Final
Regulatory Flexibility Analysis (FRFA)
concerning the possible impact of the
rule changes contained in this Second
Report and Order on small entities. The
FRFA is set forth in Appendix B.
154. Paperwork Reduction Act
Analysis. As described at paras. 83 and
84, supra, service providers will be
required to make adjustments to their
NORS reporting processes, to
accommodate the Commission’s
adjustments to its NORS web-based
form, pursuant to section 47 CFR 4.11
of the Commission rules. These
adjustments and today’s new
requirement that agencies file
certification forms, pursuant to section
4.2, to request access to NORS and DIRS
reports, constitute a modified
information collection. They require
that service providers modify their
NORS reporting processes to provide
the Commission with jurisdictionspecific reports and that participating
agencies begin to provide the
Commission with certification forms
and reports and information related to
known or reasonably suspected
unauthorized use or improper
disclosure of confidential NORS and
DIRS information. These modified
information collections will be
submitted to the Office of Management
and Budget (OMB) for review under
E:\FR\FM\29APR2.SGM
29APR2
Federal Register / Vol. 86, No. 81 / Thursday, April 29, 2021 / Rules and Regulations
jbell on DSKJLSW7X2PROD with RULES2
section 3507(d) of the Paperwork
Reduction Act of 1995 (PRA). OMB, the
general public, and other Federal
agencies will be invited to comment on
the new or modified information
collection requirements contained in
this proceeding. This document will be
submitted to OMB for review under
section 3507(d) of the PRA. In addition,
we note that, pursuant to the Small
Business Paperwork Relief Act of 2002,
the Commission previously sought, but
did not receive, specific comment on
how the Commission might further
reduce the information collection
burden for small business concerns with
fewer than 25 employees. The
Commission does not believe that the
new or modified information collection
requirements will be unduly
burdensome on small businesses.
Applying these new or modified
information collections will promote
public safety response efforts, to the
benefit of all size governmental
jurisdictions, businesses, equipment
manufacturers, and business
associations by providing better
situational information related to the
nation’s network outages and
infrastructure status. We describe
impacts that might affect small
businesses, which includes most
businesses with fewer than 25
employees, in the FRFA in Appendix B.
155. Further Information. For further
information, contact Saswat Misra,
Attorney-Advisor, Cybersecurity &
Communications Reliability Division,
Public Safety and Homeland Security
Bureau, (202) 418–0944 or via email at
Saswat.Misra@fcc.gov.
V. Ordering Clauses
156. Accordingly it is ordered that,
pursuant to the authority contained in
sections 1, 4(i), 4(j), 4(o), 251(e)(3), 254,
301, 303(b), 303(g), 303(r), 307, 309(a),
309(j), 316, 332, and 403, of the
Communications Act of 1934, as
amended, and section 706 of the
Telecommunications Act of 1996, 47
U.S.C. 151, 154(i)–(j) & (o), 251(e)(3),
254, 301, 303(b), 303(g), 303(r), 332,
403, and 1302, this Second Report and
Order in PS Docket No. 15–80 is
adopted.
157. It is further ordered that the
amendments of the Commission’s rules
as set forth in Appendix A are adopted,
effective September 30, 2022, as
described at § III.H, above.
158. The Commission will submit this
Second Report and Order to the
Administrator of the Office of
Information and Regulatory Affairs,
Office of Management and Budget, for
concurrence as to whether these rules
are ‘‘major’’ or ‘‘non-major’’ under the
VerDate Sep<11>2014
19:24 Apr 28, 2021
Jkt 253001
Congressional Review Act, 5 U.S.C.
804(2). The Commission will send a
copy of this Second Report and Order
to Congress and the Government
Accountability Office pursuant to 5
U.S.C. 801(a)(1)(A).
Final Regulatory Flexibility Analysis
159. As required by the Regulatory
Flexibility Act of 1980, as amended
(RFA), an Initial Regulatory Flexibility
Analysis (IRFA) was incorporated in the
Amendments to Part 4 of the
Commission’s Rules Concerning
Disruptions to Communications, Second
Further Notice of Proposed Rulemaking
(Second Further Notice). The
Commission sought written public
comment on the proposals in the
Second Further Notice, including
comment on the IRFA. No comments
were received specifically addressing
the IRFA. This Final Regulatory
Flexibility Analysis (FRFA) conforms to
the RFA.
A. Need for, and Objectives of, the
Second Report and Order
160. In the Second Report and Order,
the Commission adopts various
proposals made in the Second Further
Notice adopted in February 2020. We
take specific steps to share the
Commission’s network outage and
infrastructure status information with
state and Federal Government agencies
and others whose official duties make
them directly responsible for emergency
management and first responder support
functions (i.e., have a ‘‘need to know’’).
B. Summary of Significant Issues Raised
by Public Comments in Response to the
IRFA
161. No comments were submitted
specifically in response to the IRFA,
however a few commenters expressed
concerns about the estimated costs to
service providers discussed by the
Commission in the Second Further
Notice. Despite these concerns however,
none of the commenters provided any
cost data or analysis to support their
concerns or rebut the Commission’s cost
estimates in accordance with the
Commission’s request for such data in
the Second Further Notice. Similarly,
while some state agency and advocacy
organizations expressed concerns that it
will be burdensome for voluntarily
participating agencies to relay
information they retrieve from the
NORS and DIRS databases to other
permissible ‘‘downstream’’ entities as
allowed by the adopted information
sharing framework, none of these
entities attempt to quantify the costs
associated with these activities.
PO 00000
Frm 00025
Fmt 4701
Sfmt 4700
22819
162. Moreover, the Commission is
unaware of any alternative approaches
with lower costs, nor have any been
identified by commenters, that would
still ensure that the Commission
promptly and reliably learns of the
actions described above that may lead to
the disclosure of NORS or DIRS-related
information. Lessening the promptness
or reliability of notifications to the
Commission would disincentivize
providers from supplying robust and
fulsome NORS and DIRS reports and
therefore reduce the benefits that those
filings would provide to the
Commission and participating agencies
alike. We find that this reduction in
benefits would outweigh the expected
modest cost savings to those
participating agencies that would be
required to provide notifications under
the framework we adopt today.
C. Response to Comments by Chief
Counsel for Advocacy of the Small
Business Administration
163. Pursuant to the Small Business
Jobs Act of 2010, which amended the
RFA, the Commission is required to
respond to any comments filed by the
Chief Counsel for Advocacy of the Small
Business Administration (SBA), and to
provide a detailed statement of any
change made to the proposed rules as a
result of those comments. No comments
were filed by the SBA.
D. Description and Estimate of the
Number of Small Entities to Which
Rules Will Apply
164. The RFA directs agencies to
provide a description of, and, where
feasible, an estimate of, the number of
small entities that may be affected by
the rules adopted herein. The RFA
generally defines the term ‘‘small
entity’’ the same as the terms ‘‘small
business,’’ ‘‘small organization,’’ and
‘‘small governmental jurisdiction.’’ In
addition, the term ‘‘small business’’ has
the same meaning as the term ‘‘small
business concern’’ under the Small
Business Act. A small business concern
is one which: (1) Is independently
owned and operated; (2) is not
dominant in its field of operation; and
(3) satisfies any additional criteria
established by the Small Business
Administration (SBA). Such entities
include Interconnected VoIP services,
Wireline Providers, Wireless
Providers—Fixed and Mobile, Satellite
Service Providers, and Cable Service
Providers.
E:\FR\FM\29APR2.SGM
29APR2
jbell on DSKJLSW7X2PROD with RULES2
22820
Federal Register / Vol. 86, No. 81 / Thursday, April 29, 2021 / Rules and Regulations
E. Description of Projected Reporting,
Recordkeeping, and Other Compliance
Requirements for Small Entities
165. Service Providers. The rules
adopted in the Second Report and Order
require service providers to make minor
adjustments to their existing reporting
process to account for new or refined
multistate reporting for the NORS
filings.
166. Voluntarily participating
agencies. Pursuant to the confidential
protections adopted in the Second
Report and Order, voluntarily
participating agencies, including those
that are small entities, will be required
to notify the Commission when they
receive requests for NORS filings, DIRS
filings, or related records, and prior to
the effective date of any change in
relevant statutes of laws that would
affect the agency’s ability to adhere to
the confidentiality protections that the
Commission requires. Under the
adopted information sharing framework,
voluntarily participating agencies will
also be required to submit to the
Commission requests for direct access to
NORS and DIRS filings which include a
description of why the agency has a
need to access NORS and DIRS filings
(‘‘need to know’’) and how it intends to
use the information in practice.
Agencies applying for direct access to
NORS and DIRS are required to
demonstrate their ‘‘need to know’’ by
citing to legal authority, in the form of
a statutes, rules, court decisions, or
other binding legal provisions,
establishing that it has official duties
involving preparing for, or responding
to, an event that threatens public safety.
167. Additionally, participating
agencies will be required to implement
initial and annual security training to
each person granted a user account for
NORS and DIRS filings, and certify that
they will take appropriate steps to
safeguard the information contained in
the filings, including notifying the
Commission of unauthorized or
improper disclosure. In the event of any
known or reasonably suspected breach
of protocol involving NORS and DIRS
filings participating agencies will be
required to report this information to
the Commission and all affected
providers immediately. Participating
agencies will also be required to
maintain and make available for
inspection, upon Commission request, a
list of all localities for which the agency
has disclosed NORS and DIRS data.
168. In the Second Report and Order,
the Commission allows participating
agencies to share confidential NORS
and DIRS information within an outside
the agency subject to certain limitations.
VerDate Sep<11>2014
19:24 Apr 28, 2021
Jkt 253001
Participating agencies will also be
required to execute an annual
attestation form certifying and
acknowledging compliance with
requirements of the information sharing
framework that the Commission adopts.
F. Steps Taken To Minimize the
Significant Economic Impact on Small
Entities, and Significant Alternatives
Considered
169. The Commission has taken
specific steps minimize costs for both
service providers and voluntarily
participating agencies in the NORS and
DIRS information sharing framework
adopted in the Second Report and
Order. The Commission did not make
DIRS reporting mandatory as urged by
some commenters in the proceeding.
Moreover, while the Commission
adopted changes to the NORS form
filing to allow users to select more than
one state when submitting a request for
NORS information that modified the
method in which service providers
report outage information in NORS, this
change did not impose additional levels
of reporting to require disaggregation to
provide a breakout of state-specific
impacts by submitting state specific
filings We note that service providers
will not need to modify their DIRS
reporting processing to accommodate
multistate reporting. To provide
participating agencies maximum
flexibility and reduce potential costs of
compliance with the training
requirements, rather than mandate an
agency’s use of a specific training
program, we adopted requirements that
allow agencies to develop their own
training program or rely on an outside
training program that covers, at a
minimum, a set of five ‘‘program
elements.’’
170. In addition, rather than requiring
third-party audits of training programs
to ensure that state and Federal
agencies’ training programs comply
with the Commission’s proposed
required program elements,
participating agencies are required to
make copies of their training curriculum
available for the Commission’s review
upon demand which will significantly
minimize costs associated with the
required training programs. The
Commission also declined to adopt a
‘‘downstream training’’ requirement
which would have required any entity
receiving NORS & DIRS information
from a participating agency to complete
formal training. Similarly, the
Commission declined to adopt a
requirement for participating agencies to
obtain an affidavit on confidentiality
from local entities prior to receipt NORS
and DIRS information. To further assist
PO 00000
Frm 00026
Fmt 4701
Sfmt 4700
and reduce the burden on small entities
and other participating agencies with
meeting the training requirements the
Commission adopted in the Second
Report and Order, the Commission will
consult with diverse stakeholders with
a range of perspectives, including state
governments, the public safety
community, service providers, and other
industry representatives to develop
exemplar training materials, that can be
used by participating agencies to
training their staffs on the proper uses
of NORS and DORS filings.
171. The Commission also declined to
grant local agencies direct access to
NORS and DIRS considering among
other things the burdens that would
result for local entities, many of which
may be small entities. Additionally, the
Commission has adopted a single form
to address the certifications and
acknowledgments required for direct
access to NORS and DIRS. The use of a
single form, coupled with the fact that
the proposed certification form is
similar to one that the Commission
currently requires for sharing sensitive
numbering data with states using FCC
Form 477 data, should help minimize
preparation time and costs, specifically
for those smaller agencies since these
agencies should be familiar with the
existing requirements and have
comparable operational processes and
procedures already in place.
Certification Form
Instructions: Please review and
complete the form below. Please send
your completed form to NORS_DIRS_
information_sharing@fcc.gov. On
review, the Commission will contact
you to resolve any questions with your
application papers or issue your agency
login credentials for accessing NORS
and DIRS.
[NAME OF AGENCY]
CERTIFICATION FORM FOR NORS AND
DIRS SHARING
[your title]
[name of agency]
[address]
[address]
Dear Commission:
[Agency name] requests access to Network
Outage Reporting System (NORS) and
Disaster Information Reporting System
(DIRS) filings involving [for states, the
District of Columbia, or U.S. Territories, the
name of state(s) or jurisdiction(s); for Federal
agencies, the name of state(s) or nationwide;
for Tribal nations, the name of the Tribal
Government or component thereof] (filings).
I hereby certify and acknowledge that I am
authorized to act on behalf of the [name of
agency] and that [name of agency] is willing
and able to be bound by the terms and
conditions provided in this document.
E:\FR\FM\29APR2.SGM
29APR2
jbell on DSKJLSW7X2PROD with RULES2
Federal Register / Vol. 86, No. 81 / Thursday, April 29, 2021 / Rules and Regulations
On behalf of [agency name], I acknowledge
and certify that [agency name] agrees to the
terms below.
I hereby certify and acknowledge that each
user account is to be assigned to a single
employee and that [agency name] will
promptly reassign user accounts to reflect
changes as its roster of designated employees
changes (e.g., due to employee departure and
arrival).
I hereby certify and acknowledge that
[agency name] will change user account
passwords and take other reasonable
measures to ensure that user account
credentials are not used by individuals who
are not [agency name]’s designated
employees.
I hereby certify and acknowledge that
NORS and DIRS filings, and the information
contained therein (collectively, NORS and
DIRS filings and information) are sensitive
and presumed confidential for national
security and commercial competitiveness
reasons.
I hereby certify that [agency name] will
treat NORS and DIRS filings and data as
confidential under Federal and state Freedom
of Information Act statutes and similar laws
and regulations and not disclose them absent
a finding by the Commission that allows
[agency name] to do so.
I hereby certify that [agency name] will
treat NORS and DIRS filings and information
in accordance with procedural and
substantive protections that are equivalent to
or greater than those afforded under Federal
confidentiality statutes and rules, including
but not limited to the Federal Freedom of
Information Act. 5 U.S.C. 552(b)(4). To the
extent that Federal confidentiality statutes
and rules impose a higher standard of
confidentiality than applicable state, U.S.
territory, or Tribal law or regulations provide,
I represent that the [name of agency] is
legally able to and will adhere to the higher
Federal standard. I agree that the [name of
agency] will notify the Commission, within
14 calendar days via the email, NORS_DIRS_
information_sharing@fcc.gov, when [name of
agency] receives a request from a third party
to disclose NORS filings and DIRS filings, or
related records, pursuant to a state’s open
record laws or other legal authority that
could compel [name of agency] to do so. I
agree to notify the Commission via the email,
NORS_DIRS_information_sharing@fcc.gov, at
least 30 calendar days prior to the effective
date of any change in relevant statutes of
laws that would affect [name of agency]’s
ability to adhere to at least the Federal
confidentiality rules and statutes standard.
I hereby certify and acknowledge that the
Commission’s rules place restrictions on the
access to and use of NORS and DIRS filings
and information. I certify that I have
reviewed and agree to comply with the
restrictions regarding information sharing as
described in part 4 of Title 47 of the Code
of Federal Regulations.
I hereby certify and acknowledge that the
[name of agency] will adopt or develop a
NORS and DIRS security training program, if
it has not already, that satisfies each of the
required training program elements
identified at [cite to forthcoming Order], that
the [name of agency] will administer this
VerDate Sep<11>2014
19:24 Apr 28, 2021
Jkt 253001
training to each of its designated employees
prior to their access to NORS and DIRS
filings and information and then at least
annually thereafter. The [name of agency]
will make copies of its training curriculum
available for the Commission’s review upon
demand.
I further acknowledge that [name of
agency] will report immediately to any
affected service providers and to the
Commission, via the email NORS_DIRS_
information_sharing@fcc.gov and NSOC@
fcc.gov, any known or reasonably suspected
breach of the protocol specified in the
training program or any other known or
reasonably suspected unauthorized use or
improper disclosure of NORS and DIRS
information.
I further acknowledge that if [name of
agency] needs contact information for a
provider, that [agency name] may request this
information from the Commission at NORS_
DIRS_information_sharing@fcc.gov, and that
this does not toll [agency name]’s obligation
to immediately notify any affected service
providers, using the best contact information
known to [agency name].
I acknowledge on behalf of [name of
agency] that the Commission does not
guarantee the accuracy of either the NORS or
DIRS filings as both sets of filings are
submitted to the respective web-based
databases by service providers pursuant to
mandatory reporting timeframes for NORS
filings and voluntary reporting timeframes
for DIRS filings. Further, I acknowledge that
there may be times access to the filings is
unavailable, e.g., due to planned or
unplanned service and maintenance.
I hereby certify and acknowledge that
[agency name’s] continued access to NORS
and DIRS filings and information is
conditioned on its annual recertification of a
current version of this form, available on the
Commission’s website. I acknowledge that
the Public Safety and Homeland Security
Bureau (Bureau) of the Commission may
terminate [agency name]’s access at any time,
and for any reason, by giving written notice
to [name of agency]. If access is terminated,
I agree that [name of agency] will, upon the
Commission’s termination notice, cause to be
securely destroyed any and all NORS and
DIRS filings and information or other data
received pursuant to this grant, whether
electronic or hardcopy form.
I hereby certify and acknowledge that all
the terms and conditions provided in this
document apply to past and future NORS and
DIRS filings and information.
I hereby certify that [employee name, title,
phone number and email address] will
manage my agency’s access to NORS and
DIRS filings by managing user accounts in
accordance with the Commission’s rules;
coordinating the downstream sharing of
NORS and DIRS filings; making available for
Commission inspection a list of all localities
for which the agency has disclosed NORS
and DIRS data; coordinating with the
Commission to manage an unauthorized
access incident; and answering any questions
from the Commission regarding my agency’s
access, use, or sharing of NORS and DIRS
filings.
I hereby certify and acknowledge my and
[agency name]’s obligation to inform the
PO 00000
Frm 00027
Fmt 4701
Sfmt 4700
22821
Commission if I cease to be the designated
representative of [agency name] with
authority to obligate and bind the agency to
the statements above or if the employee listed
above ceases to be the designated agency
contact.
I acknowledge that the Bureau makes no
determinations about any provisions of
[name of state] law or agency regulations or
your statements about such provisions.
Sincerely,
[name and title of official], on behalf of
[name of agency]
Affirmed:
Lisa M. Fowlkes
Chief
Public Safety and Homeland Security Bureau
Federal Communications Commission
Exemplar Aggregated Data
Overview
The following provides general nonbinding guidelines regarding how to
aggregate NORS and DIRS data,
followed by examples of aggregated
NORS and DIRS data based on
hypothetical information. The
aggregated data presented does not
reflect the exact number of users
affected by a service provider’s outage
and is only used for situational
awareness. We remind agencies
participating in our framework that
failure to properly aggregate data in
accordance with the rules adopted in
the Second Order could lead to the
improper disclosure of service
providers’ confidential information and
may result in termination of their access
to NORS and DIRS filings by the
Commission. Participating agencies
with additional questions are urged to
contact the Commission for guidance.
General Aggregation Guidelines
Aggregation ‘Dos’
• It is best to aggregate only NORS
and DIRS information of the same type
(e.g., aggregate wireless data and
wireline data separately). If information
is aggregated across different types, the
public release of this information
should state the types of NORS or DIRS
information aggregated (e.g. ‘‘This data
includes wireless and wireline data’’).
• It is best to aggregate 911 outages
according to their impact (e.g., 911 call
delivery affected, only 911-caller
location information affected). If
information is aggregated across
different types of 911 outages, the
public release of this information
should note the approximate proportion
of the effects (e.g., ‘‘in most cases only
location information is affected’’).
• If aggregating NORS information,
aggregate information related to longterm trends using final reports only.
E:\FR\FM\29APR2.SGM
29APR2
22822
Federal Register / Vol. 86, No. 81 / Thursday, April 29, 2021 / Rules and Regulations
jbell on DSKJLSW7X2PROD with RULES2
• If aggregating NORS information
from notifications or initial reports,
please be aware that this information
may change as service providers further
remediate or investigate the outage. It is
recommended that agencies make clear
that this information is only preliminary
and may change or be updated over
time.
• If several reported outages seem
very large, it is good practice to confirm
the magnitude of the outage with the
reporting service providers prior to
releasing any aggregated information
about them. In some instances, service
providers may intentionally
overestimate the effect of an outage out
of an abundance of caution. Agencies
should be aware of these circumstances
prior to determining what information
would be appropriate to release to the
public.
• If an agency intends to aggregate the
duration or the number of users affected
by multiple outages, reporting the
median is generally preferred over
reporting the mean (average) because
the mean may be skewed by
unrepresentatively high or low outliers.
• When aggregating data for incidents
occurring over a period of time, use the
incident date/time, not the creation date
or reportable date.
• The frequency of NORS outage
reports varies by season. If aggregating
VerDate Sep<11>2014
19:24 Apr 28, 2021
Jkt 253001
for the purpose of comparing two time
periods, it is advisable that the time
periods be of the same season of the
year (e.g., compare January to March
2020, to January to March 2019, but not
to July to August 2019.)
• Be careful when aggregating outages
with durations of all 9’s that are greater
than 99 (e.g., 999, 9999, 99999). These
values can be indicators that the outage
is ongoing even though the report is
final. If in doubt, it is best to contact the
reporting service provider and/or
exclude these outages from the
aggregation.
• Sudden increases or decreases in
NORS reports may be the result of
reporting rules changes or other effects.
If sudden changes are noticed, the FCC
should be consulted before data is made
public. As a corollary, personnel
responsible for data aggregation should
keep up with any NORS rule changes.
Aggregation ‘Don’ts’
• Do not release NORS data for a
single outage, even if the name of the
service provider is not mentioned in the
release. Aggregation should always
occur across at least four service
providers, meaning that in most
instances, agencies cannot release
aggregated information about an
ongoing outage.
• Do not aggregate data over a
geographic region which has fewer than
PO 00000
Frm 00028
Fmt 4701
Sfmt 4700
four service providers of that type in the
region. For example, if a county is
served by only three wireless service
providers, do not report an aggregation
of wireless outage data for that county.
• Do not aggregate NORS and DIRS
data together.
• Do not aggregate NORS data at a
scope smaller than a state, unless the
reports you are aggregating all specify a
smaller region (e.g., a specific county or
Tribal territory).
• In NORS, do not aggregate nonservice affecting outages (i.e., OC3
Simplex outages) with service affecting
outages.
• Do not identify names of service
providers as sources of outage data.
• Do not use the time zone data in
NORS to determine outage location.
This data is used only to identify the
time zone for the incident time.
• Do not include Special Facilities
outage reports in any aggregation.
Examples of Aggregated NORS and
DIRS Data
NORS Example
The following table shows the total
number of wireline users affected by
wireline outages in each state as
reported by 4 companies or more:
BILLING CODE 6712–01–P
E:\FR\FM\29APR2.SGM
29APR2
22823
Federal Register / Vol. 86, No. 81 / Thursday, April 29, 2021 / Rules and Regulations
ON-XXXX3471
Company1
V\/ireline- 900,000 user-minutes
OHIO
'1'4/2018 20:36
10
39
2,450
ON-XXXX3475
Company4
V\/ireline- 900,000 user-minutes
OHIO
'1'5/2018 20:36
4
35
43,540
ON-XXXX3477
Company3
V\/ireline- 900,000 user-minutes
OHIO
'1'6/2018 20:36
6
53
35,000
ON-XXXX3575
Company4
V\/ireline- 900,000 user-minutes
OHIO
'1'7/2018 20:36
0
30
40,313
ON-XXXX3580
Company3
V\/ireline- 900,000 user-minutes
OHIO
'1'8/2018 20:36
3
11
257,690
ON-XXXX3581
Company2
V\/ireline- 900,000 user-minutes
OHIO
'1'9/2018 20:36
5
28
23,434
ON-XXXX3582
Company3
V\/ireline- 900,000 user-minutes
OHIO
'1'10/2018 20:36
14
6
22,720
ON-XXXX3590
Company3
V\/ireline- 900,000 user-minutes
OHIO
'1'1'1'2018 20:36
10
7
10,897
ON-XXXX3591
Company5
V\/ireline- 900,000 user-minutes
OHIO
'1'12/2018 20:36
8
16
42,480
ON-XXXX3592
Company3
V\/ireline- 900,000 user-minutes
OHIO
'1'13/2018 20:36
3
11
257,690
ON-XXXX3593
Company2
V\/ireline- 900,000 user-minutes
OHIO
'1'14/2018 20:36
5
28
23434
ON-XXXX3598
Company2
V\/ireline- 900,000 user-minutes
OHIO
'1'15/2018 20:36
14
6
22,720
ON-XXXX3472
Company1
V\/ireline- 900,000 user-minutes
PENNSYLVANIA
'1'4/2018 20:36
10
7
10,897
ON-XXXX3474
Company2
V\/ireline- 900,000 user-minutes
PENNSYLVANIA
'1'5/2018 20:36
8
16
42480
ON-XXXX3479
Company4
V\/ireline- 900,000 user-minutes
PENNSYLVANIA
'1'6/2018 20:36
2
6
116000
ON-XXXX3481
Company3
V\/ireline- 900,000 user-minutes
PENNSYLVANIA
'1'7/2018 20:36
26
6
1,624
ON-XXXX3560
Company3
V\/ireline- 900,000 user-minutes
PENNSYLVANIA
'1'8/2018 20:36
21
35
234235
ON-XXXX3578
Company1
V\/ireline- 900,000 user-minutes
PENNSYLVANIA
'1'9/2018 20:36
6
21
59,647
ON-XXXX3579
Company2
V\/ireline- 900,000 user-minutes
PENNSYLVANIA
'1'10/2018 20:36
11
27
8,860
ON-XXXX3595
Company1
VVireline - 900,000 user-minutes
PENNSYLVANIA
'1'1'1'2018 20:36
10
39
2450
ON-XXXX3599
Company3
VVireline - 900,000 user-minutes
PENNSYLVANIA
'1'12/2018 20:36
4
35
43,540
ON-XXXX3600
Company1
VVireline - 900,000 user-minutes
PENNSYLVANIA
'1'13/2018 20:36
6
53
35,000
ON-XXXX3601
Company5
VVireline - 900,000 user-minutes
PENNSYLVANIA
'1'14/2018 20:36
0
30
40313
ON-XXXX3602
Company1
VVireline - 900,000 user-minutes
PENNSYLVANIA
'1'15/2018 20:36
3
11
257690
ON-XXXX3603
Company1
VVireline - 900,000 user-minutes
PENNSYLVANIA
'1'16/2018 20:36
5
28
23434
ON-XXXX3604
Company1
VVireline - 900,000 user-minutes
PENNSYLVANIA
'1'17/2018 20:36
14
6
22720
ON-XXXX3476
Company1
VVireline - 900,000 user-minutes
VIRGINIA
'1'5/2018 20:36
10
7
10,897
ON-XXXX3480
Company2
VVireline - 900,000 user-minutes
VIRGINIA
'1'6/2018 20:36
8
16
42480
ON-XXXX3482
Company3
VVireline - 900,000 user-minutes
VIRGINIA
'1'7/2018 20:36
2
6
116,000
ON-XXXX3485
Company1
VVireline - 900,000 user-minutes
VIRGINIA
'1'8/2018 20:36
26
6
1,624
ON-XXXX3487
Company1
VVireline - 900,000 user-minutes
VIRGINIA
'1'9/2018 20:36
3
11
257690
ON-XXXX3490
Company4
VVireline - 900,000 user-minutes
VIRGINIA
'1'10/2018 20:36
5
28
23434
ON-XXXX3502
Company1
VVireline - 900,000 user-minutes
VIRGINIA
'1'1'1'2018 20:36
14
6
22,720
ON-XXXX3507
Company3
VVireline - 900,000 user-minutes
VIRGINIA
'1'12/2018 20:36
10
7
10,897
ON-XXXX3517
Company2
VVireline - 900,000 user-minutes
VIRGINIA
'1'13/2018 20:36
8
16
42,480
ON-XXXX3530
Company1
VVireline - 900,000 user-minutes
VIRGINIA
'1'14/2018 20:36
2
6
116000
ON-XXXX3531
Company1
VVireline - 900,000 user-minutes
VIRGINIA
'1'15/2018 20:36
26
6
1624
For the NORS aggregation example
table below, the number of wireline
users affected from all reports above per
state were added and are presented in
Wireline Users Affected
782,368
PENNSYLVANIA
898,890
VIRGINIA
645,846
ER29AP21.006
OHIO
VerDate Sep<11>2014
19:24 Apr 28, 2021
Jkt 253001
PO 00000
Frm 00029
Fmt 4701
Sfmt 4725
E:\FR\FM\29APR2.SGM
29APR2
ER29AP21.005
jbell on DSKJLSW7X2PROD with RULES2
State Affected
the total number of wireline users
affected per state:
22824
Federal Register / Vol. 86, No. 81 / Thursday, April 29, 2021 / Rules and Regulations
DIRS Example
The following table shows the total
number of cell sites were affected by a
xxxxxxxx
disaster in each state as reported by 4
companies or more:
Company1
County
99
1'4
CALIFORNIA
19:19.0
Company2
County
no
26
CALIFORNIA
19:19.0
Company3
County
99.82
1623
CALIFORNIA
03:53.0
Company4
County
no
2238
CALIFORNIA
24:21.0
Company1
County
no
FLORIDA
19:19.0
Company2
County
no
23
FLORIDA
19:19.0
Company3
County
no
203
FLORIDA
19:19.0
Company4
County
FLORIDA
56:04.0
Company5
County
14
FLORIDA
56:04.0
Company1
County
148
FLORIDA
56:04.0
Company2
County
no
FLORIDA
02:42.0
Company3
County
no
GEORGIA
57:15.0
Company4
County
no
2
GEORGIA
58:09.0
Company5
County
no
24
GEORGIA
58:25.0
Company3
County
no
33
GEORGIA
58:42.0
Company4
County
95
GEORGIA
56:04.0
Company2
County
233
GEORGIA
56:04.0
Company1
County
285
GEORGIA
03:04.0
Company1
County
PENNSYLVAN
IA
56:04.0
126
PENNSYLVAN
IA
04:52.0
126
PENNSYLVAN
IA
05:36.0
X1681
oxxxxxxxxxx
X1662
oxxxxxxxxxx
X1663
OXX-
xxxxxxxx
4
X1664
oxxxxxxxxxx
X1666
OXX-
xxxxxxxx
X1666
OXX-
xxxxxxxx
X1667
oxxxxxxxxxx
2
X1666
OXX-
xxxxxxxx
X1669
oxxxxxxxxxx
n
26
.,
X1670
OXX-
xxxxxxxx
50
X1671
oxxxxxxxxxx
X1672
OXX-
xxxxxxxx
X1673
oxxxxxxxxxx
X1674
oxxxxxxxxxx
X1676
OXX-
xxxxxxxx
13
13
X1676
oxxxxxxxxxx
X1677
OXX-
xxxxxxxx
no
oxxxxxxxxxx
33
11
X1679
OXX-
xxxxxxxx
Company2
County
X1680
oxxxxxxxxxx
Company3
County
Company4
County
no
28
PENNSYLVAN
IA
24:28.0
Company5
County
no
13
PENNSYLVAN
IA
24:28.0
Company3
County
no
.,
PENNSYLVAN
IA
24:28.0
PENNSYLVAN
IA
24:28.0
PENNSYLVAN
IA
24:28.0
PENNSYLVAN
IA
58:32.0
X1681
OXX-
xxxxxxxx
X1682
oxxxxxxxxxx
X1683
OXX-
xxxxxxxx
X1684
oxxxxxxxxxx
Company1
County
no
46
X1686
oxxxxxxxxxx
Company2
County
no
Company3
County
no
X1686
OXX-
xxxxxxxx
37
jbell on DSKJLSW7X2PROD with RULES2
X1687
VerDate Sep<11>2014
19:24 Apr 28, 2021
Jkt 253001
PO 00000
Frm 00030
Fmt 4701
Sfmt 4725
E:\FR\FM\29APR2.SGM
29APR2
ER29AP21.007
X1678
Federal Register / Vol. 86, No. 81 / Thursday, April 29, 2021 / Rules and Regulations
in the total number of affected cell sites
per state in the table below. The
percentage of cell sites out of service
were calculated by dividing the number
Sum of
Sum of Cell
State Affected
Sites
Served
Sum of
Cell Sites
Cell Sites Out Due
Out of
to Cell
Service
Site
Damage
CALIFORNIA
4051
455
681
426
FLORIDA
GEORGIA
PENNSYLVANIA
List of Subjects in 47 CFR Part 4
Airports, Communications common
carriers, Communications equipment,
Reporting and recordkeeping
requirements, Telecommunications.
Federal Communications Commission.
Marlene Dortch,
Secretary.
Final Rule
For the reasons set forth above, part
4 of title 47 of the Code of Federal
Regulations is amended as follows:
PART 4—DISRUPTIONS TO
COMMUNICATIONS
1. The authority citation for part 4
continues to read as follows:
■
Authority: 47 U.S.C. 34–39, 151, 154, 155,
157, 201, 251, 307, 316, 615a–1, 1302(a), and
1302(b); 5 U.S.C. 301, and Executive Order
no. 10530.
2. Section 4.2 is revised to read as
follows:
■
jbell on DSKJLSW7X2PROD with RULES2
§ 4.2 Availability of reports filed under this
part.
Reports filed under this part will be
presumed to be confidential under
§ 0.457(d)(1) of this chapter. Notice of
any requests for inspection of outage
reports will be provided pursuant to
§ 0.461(d)(3) of this chapter except that
the Chief of the Public Safety and
Homeland Security Bureau may grant,
without providing such notice, an
agency of the states, the District of
Columbia, U.S. territories, Federal
Government, or Tribal Nations direct
VerDate Sep<11>2014
19:24 Apr 28, 2021
Jkt 253001
8
34
13
11
Sum of
Frm 00031
Fmt 4701
Out Due
Out Due
to
to No
Transport
Power
3
0
0
0
Sfmt 9990
Sum of
Cell Sites Cell Sites
access to portions of the information
collections affecting its respective
jurisdiction after the requesting agency
has certified to the Commission that it
has a need to know this information and
has protections in place to safeguard
and limit the disclosure of this
information as described in the
Commission’s Certification Form for
NORS and DIRS Sharing (Certification
Form). Sharing is restricted by the
following terms:
(a) Requesting Agencies granted direct
access to information collections must
report immediately to any affected
service providers and to the
Commission any known or reasonably
suspected unauthorized use or improper
disclosure, manage their agency’s access
to outage reports by managing user
accounts in accordance with the
Commission’s rules, coordinate with the
Commission to manage an unauthorized
access incident, and answer any
questions from the Commission
regarding their agency’s access, use, or
sharing of reports.
(b) Agencies granted direct access to
information collections may share
copies of the filings, and any
confidential information derived from
the filings, outside their agency on a
strict need-to-know basis when doing so
pertains to a specific imminent or ongoing public safety event. The agency
must condition the recipients’ receipt of
confidential NORS and DIRS
information on the recipients’
certification, on a form separate from
the Certification Form, that they will
treat the information as confidential, not
PO 00000
of cell sites served by the number of cell
sites out of service for each state:
2
13
0
4
0
21
13
7
Percent
Cell Sites
Out of
Service
0.20%
7.47%
1.91%
2.58%
publicly disclose it absent a finding by
the Commission that allows them to do
so, and securely destroy the information
by, at a minimum, securely cross-cut
shredding, or machine-disintegrating,
paper copies of the information, and
irrevocably clearing and purging digital
copies, when the public safety event
that warrants access to the information
has concluded.
(c) Except as permitted pursuant to
paragraph (b) of this section, agencies
granted direct access to information
collections may not share filings, or any
confidential information derived from
the filings, with non-employees of the
agency, including agency contractors,
unless such sharing is expressly
authorized in writing by the
Commission.
(d) Agencies granted direct access to
information collections may
disseminate aggregated and anonymized
information to the public. Such
information must be aggregated from at
least four service providers and must be
sufficiently anonymized so that it is not
possible to identify any service
providers by name or in substance.
(e) Consequences for an Agency’s
failure to comply with these terms may
result in, among other measures,
termination of direct access to reports
by the Commission for a time period to
be determined by the Commission based
on the totality of the circumstances
surrounding the failure.
[FR Doc. 2021–07457 Filed 4–28–21; 8:45 am]
BILLING CODE 6712–01–C
E:\FR\FM\29APR2.SGM
29APR2
ER29AP21.008
For the DIRS aggregation example
table below, the number of cell sites
affected from all wireless reports above
for each state were added and presented
22825
Agencies
[Federal Register Volume 86, Number 81 (Thursday, April 29, 2021)]
[Rules and Regulations]
[Pages 22796-22825]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2021-07457]
[[Page 22795]]
Vol. 86
Thursday,
No. 81
April 29, 2021
Part II
Federal Communications Commission
-----------------------------------------------------------------------
47 CFR Part 4
Disruptions to Communications; Final Rule
Federal Register / Vol. 86 , No. 81 / Thursday, April 29, 2021 /
Rules and Regulations
[[Page 22796]]
-----------------------------------------------------------------------
FEDERAL COMMUNICATIONS COMMISSION
47 CFR Part 4
[PS Docket No. 15-80; FCC 21-34; FRS 20221]
Disruptions to Communications
AGENCY: Federal Communications Commission.
ACTION: Final rule.
-----------------------------------------------------------------------
SUMMARY: In this document, the Federal Communications Commission
(Commission) adopts final rules to provide direct, read-only access to
Network Outage Reporting System (NORS) and Disaster Outage Reporting
System (DIRS) filings to agencies of the 50 states, the District of
Columbia, tribal nations, territories, and Federal Government that have
official duties that make them directly responsible for emergency
management and first responder support functions, including by:
Allowing these agencies to share NORS and DIRS information with agency
officials, first responders, and other individuals with a ``need to
know'' who cannot directly access NORS and DIRS and yet play a vital
role in preparing for, or responding to, events that threaten public
safety; allowing participating agencies to publicly disclose aggregated
and anonymized information derived from NORS or DIRS filings;
conditioning a participating agency's direct access to NORS and DIRS
filings on their agreement and ability to preserve the confidentiality
of the filings and not disclose them absent a finding by the Commission
allowing the disclosure; and establishing an application process that
would grant eligible agencies access to NORS and DIRS after those
agencies certify to certain requirements related to maintaining the
confidentiality of the data and the security of the databases.
DATES: This rule is effective September 30, 2022.
FOR FURTHER INFORMATION CONTACT: For further information, contact
Saswat Misra, Attorney-Advisor, Cybersecurity and Communications
Reliability Division, Public Safety and Homeland Security Bureau, (202)
418-0944 or via email at [email protected].
SUPPLEMENTARY INFORMATION: This is a summary of the Commission's Second
Report and Order, FCC 21-34, adopted on March 17, 2021 and released on
March 18, 2021. The document is available for download at https://docs.fcc.gov/public/attachments/FCC-21-34A1.pdf. To request this
document in accessible formats for people with disabilities (e.g.,
Braille, large print, electronic files, audio format, etc.) or to
request reasonable accommodations (e.g., accessible format documents,
sign language interpreters, CART, etc.), send an email to
[email protected] or call the FCC's Consumer and Governmental Affairs
Bureau at (202) 418-0530 (voice), (202) 418-0432 (TTY).
The Federal Communications Commission may delay this effective date
by publishing a document in the Federal Register.
Paperwork Reduction Act:
The Second Report and Order requires service providers to make
adjustments to their NORS reporting processes to accommodate the
Commission's adjustments to its NORS web-based form pursuant to section
47 CFR 4.11. These adjustments and the new requirement that agencies
file certification forms, pursuant to 47 CFR 4.2, to request access to
NORS and DIRS reports, constitute a modified information collection.
The information collection requirements contained in the rules that
require OMB approval are subject to the Paperwork Reduction Act of 1995
(PRA), Public Law 104-13. The information collection will be submitted
to OMB for review under 47 U.S.C. 3507(d), and will not take effect
until it is approved by OMB.
Congressional Review Act:
The Commission has determined, and the Administrator of the Office
of Information and Regulatory Affairs, Office of Management and Budget,
concurs, that this rule is non-major under the Congressional Review
Act, 5 U.S.C. 804(2). The Commission will send a copy of this Order to
Congress and the Government Accountability Office, pursuant to 5 U.S.C.
801(a)(1)(A).
Synopsis:
I. Introduction
1. Section 1 of the Communications Act of 1934, as amended (the
Act), charges the Commission with ``promoting safety of life and
property through the use of wire and radio communications.'' 47 U.S.C.
151. This statutory objective and statutory authorities cited below
have supported the Commission's institution of outage reporting
requirements, codified in part 4 of our rules, that require providers
to report network outages that exceed specified magnitude and duration
thresholds. The outage data that the Commission collects pursuant to
part 4 provide critical situational awareness that enables the
Commission to be an effective participant in emergency response and
service restoration efforts, particularly in the early stages of
communications disruption.
2. Currently, the Commission collects network outage information in
the NORS and infrastructure status information in the DIRS. This
information is sensitive for reasons concerning national security and
commercial competitiveness, and the Commission thus treats it as
presumptively confidential. The Commission makes this information
available to the Department of Homeland Security's (DHS) National
Cybersecurity and Communications Integration Center but does not share
the information more broadly with other Federal, state, or local
partners. However, in a 2016 Report and Order and Further Notice, the
Commission found that state and Federal agencies would benefit from
direct access to NORS data and that ``such a process would serve the
public interest if implemented with appropriate and sufficient
safeguards.'' 81 FR 45055, 45064 (July 12, 2016) (2016 Report and Order
and Further Notice).
3. Today's Order bridges this gap and promotes better information
sharing and awareness during times of emergency. It creates a framework
to provide state, Federal, local, and Tribal partners with access to
the critical NORS and DIRS information they need to ensure the public's
safety while preserving the presumptive confidentiality of the
information. Today's actions will ensure that these public safety
officials can appropriately and effectively leverage the same reliable
and timely network outage and infrastructure status information as the
Commission when responding to emergencies.
II. Background
4. Network Outage Reporting System or NORS. In 2004, the Commission
adopted rules that require outage reporting for communications
providers, including wireline, wireless, paging, cable, satellite,
VoIP, and Signaling System 7 service providers, to address ``the
critical need for rapid, complete, and accurate information on service
disruptions that could affect homeland security, public health or
safety, and the economic well-being of our Nation, especially in view
of the increasing importance of non-wireline communications in the
Nation's communications networks and critical infrastructure.'' These
rules currently do not extend to broadband networks. In 2016, the
Commission sought comment on whether its part 4 rules should be updated
to implement a proposed system for the mandatory reporting of broadband
network outages and other disruptions, including those based on
performance degradation. The proposals
[[Page 22797]]
in the 2016 Report and Order and Further Notice remain pending.
5. Under these rules, certain service providers must submit outage
reports to NORS for outages that exceed specified duration and
magnitude thresholds. Service providers are required to submit a
notification to NORS generally within two hours of determining that an
outage is reportable to provide the Commission with timely preliminary
information. The service provider must then either (i) provide an
initial report within three calendar days, followed by a final report
with complete information on the outage within 30 calendar days of the
notification; or (ii) withdraw the notification and initial reports if
further investigation indicates that the outage did not in fact meet
the applicable reporting thresholds.
6. All three types of NORS filings--notifications, initial reports,
and final reports--contain service disruption or outage information
that, among other things, include: The reason the event is reportable,
incident date/time and location details, state affected, number of
potentially affected customers, and whether enhanced 911 (E911) was
affected. The Commission analyzes NORS outage reports, in the short-
term, to assess the magnitude of major outages and, in the long-term,
to identify network reliability trends and determine whether the
outages likely could have been prevented or mitigated had the service
providers followed certain network reliability best practices.
Information collected in NORS has contributed to several of the
Commission's outage investigations and recommendations for improving
network reliability.
7. NORS filings are presumed confidential and thus are withheld
from routine public inspection. 47 CFR 0.457(d)(vi), 4.2; 80 FR 34321
(June 16, 2015) (2015 Notice). The Commission grants read-only access
to outage report filings in NORS to the National Cybersecurity and
Communications Integration Center at DHS, but does not directly grant
access to other Federal agencies, state governments, or other entities.
DHS, however, may share relevant information with other Federal
agencies at its discretion. The Commission also publicly shares limited
analyses of aggregated and anonymized data to address collaboratively
industry-wide network reliability issues and improvements.
8. Disaster Information Reporting System or DIRS. In the wake of
Hurricane Katrina, the Commission established DIRS as a means for
service providers, including wireless, wireline cable service
providers, and broadcasters, to voluntarily report to the Commission
their communications infrastructure status and situational awareness
information during times of crises. The Commission recently required a
subset of service providers that receive Stage 2 funding from the
Uniendo a Puerto Rico Fund or the Connect USVI Fund to report in DIRS
when it is activated in the respective territories. DIRS, like NORS, is
a web-based filing system. The Commission analyzes infrastructure
status information submitted in DIRS to provide public reports on
communications status during DIRS activation periods, as well as to
help inform investigations about the reliability of post-disaster
communications.
9. DIRS filings are also presumed confidential and disclosure of
information derived from those filings is limited. The Commission
grants direct access to the DIRS database to the National Cybersecurity
and Communications Integration Center at DHS. The Commission also
prepares and provides aggregated DIRS information, without company
identifying information, to the National Cybersecurity and
Communications Integration Center, which then distributes the
information to a DHS-led group of Federal agencies tasked with
coordinating disaster response efforts, including other units in DHS,
during incidents. Agencies use the analyses for their situational
awareness and for determining restoration priorities for communications
infrastructure in affected areas. The Commission also provides
aggregated data, without company-identifying information, to the public
during disasters.
10. Expanding Access to NORS and DIRS. In a 2015 Notice, the
Commission proposed to grant state governments ``read-only access to
those portions of the NORS database that pertain to communications
outages in their respective states.'' The Commission also asked if this
access should extend beyond states and include ``the District of
Columbia, U.S. territories and possessions, and Tribal nations.'' The
Commission proposed to condition access on a state or other agency's
certification that it ``will keep the data confidential and that it has
in place confidentiality protections at least equivalent to those set
forth in the Federal Freedom of Information Act (FOIA).'' The
Commission sought comment on other key implementation details,
including how to ``ensure that the data is shared with officials most
in need of the information while maintaining confidentiality and
assurances that the information will be properly safeguarded.''
Similarly, the Commission sought comment on sharing NORS filings with
Federal agencies besides the Department of Homeland Security pursuant
to certain safeguards to protect presumptively confidential
information.
11. In a 2016 Report and Order and Further Notice, the Commission
found that the record reflected broad agreement that these agencies
would benefit from direct access to NORS data and that ``such a process
would serve the public interest if implemented with appropriate and
sufficient safeguards.'' The Commission determined that providing
agencies with direct access to NORS filings would have public benefits
but concluded that the process required more development for ``a
careful consideration of the details that may determine the long-term
success and effectiveness of the NORS program.''
12. Finding that the record was not fully developed and that the
``information sharing proposals raise[d] a number of complex issues
that warrant[ed] further consideration,'' the Commission directed the
Public Safety and Homeland Security Bureau (PSHSB) to further study and
develop proposals regarding how NORS filings could be shared with
agencies in real time, keeping in mind the information sharing
privileges already granted to DHS. The Bureau subsequently conducted ex
parte meetings to solicit additional viewpoints from industry, state
public service commissions, trade associations, and other public safety
stakeholders on the issue of granting state and Federal Government
agencies direct access to NORS and DIRS filings.
13. In a February 2020 Second Further Notice, the Commission
proposed to: (i) Grant direct, read-only access to the Commission's
NORS and DIRS filings to agencies acting on behalf of the Federal
Government, the 50 states, the District of Columbia, Tribal Nations,
and the U.S. territories that demonstrate that they reasonably require
access to prepare for, or respond to, an event that threatens public
safety pursuant to their official duties (i.e., that have a ``need to
know''); (ii) authorize participating agencies to share copies of these
filings, and any other confidential information derived from the
filings, within or outside their agencies when a recipient also has a
``need to know,'' subject to certain safeguards, (iii) allow the
recipient to further share the confidential NORS and DIRS information,
directly or in summarized form, with additional recipients; and (iv)
authorize any recipient to freely
[[Page 22798]]
share aggregated and anonymized information derived from the NORS and
DIRS filings of at least four service providers. 85 FR 17818 (Mar. 31,
2020) (Second Further Notice).
14. The Commission proposed to safeguard the confidentiality of
NORS and DIRS information by conditioning an agency's direct access on
agreements to: (i) Treat NORS and DIRS filings as confidential and not
disclose them, absent a finding by the Commission allowing the
disclosure; and (ii) provide timely notification to the Commission when
the agency receives a request from a third party to release NORS or
DIRS filings or related records and when changes to statutes or rules
would affect the agency's ability to adhere to the Commission's
required confidentiality protections.
III. Second Report and Order
15. With this Order, we conclude that directly sharing NORS data
with state and Federal agencies, subject to appropriate and sufficient
safeguards, is in the public interest, and we extend this finding to
include the sharing of DIRS data. We limit eligibility for direct
access to our NORS and DIRS databases to ``need to know'' agencies
acting on behalf of the Federal Government, the 50 states, the District
of Columbia, Tribal Nations, and the U.S. territories. We also decide
which agency responsibilities constitute a ``need to know'' and limit a
participating agency's use of this information to those purposes. We
allow these agencies to share confidential information derived from
NORS and DIRS filings with non-credentialed individuals at the
participating agency and at non-participating agencies on a strict
``need to know'' basis. We also allow recipients to release aggregated
and anonymized NORS and DIRS information to the public and offer
guidance on how that aggregation and anonymization should be performed.
16. To preserve the sensitive nature of NORS and DIRS filings, we
adopt various safeguards, including limiting agency access to events
occurring within an agency's jurisdiction; limiting access to five user
accounts; requiring initial and annual security training; and requiring
agencies to certify that they will take appropriate steps to safeguard
the information contained in the filings, including notifying the
Commission of unauthorized or improper disclosure. We require that
participating agencies certify they will treat the information as
confidential and not disclose the information absent a finding by the
Commission that allows them to do so. We decline to allow non-
participating agencies to further share the information with others.
Under today's Order, we hold participating agencies responsible for any
inappropriate disclosures of information by the non-participating
agencies with which they share information, including by retaining the
ability to terminate participating agencies' direct access to NORS and
DIRS.
A. Sharing NORS Filings With State, Federal and Other Agencies
17. In the Second Further Notice, the Commission tentatively
concluded ``that sharing NORS data with state and Federal agencies
would serve the public interest--provided that appropriate and
sufficient safeguards were implemented'' and sought to refresh the
record to inform next steps. We now observe that industry, public
safety organizations, and government agency commenters overwhelmingly
support the Commission's proposal. We agree with commenters concluding
that sharing NORS filings with other agencies will improve situational
awareness during and after disasters, enable agencies to better assess
the public's ability to access emergency communications, and assist
with the coordination of emergency response efforts.
18. The Alliance for Telecommunications Industry Solutions (ATIS),
however, maintains that while it ``supports efforts that aid in
restoral of communications services and that help save lives,'' the
sharing of NORS reports will ``generally not serve such purposes'' and
NORS reports contain information that is not relevant to public safety.
ATIS also argues that specific NORS fields should not be shared with
agencies.
19. We reject ATIS's view as it is controverted by a number of
commenters explaining, with detailed examples and based on knowledge of
their own day to day responsibilities and operations, why the
information contained in NORS filings is relevant to public safety by
assisting in rapid communications service restoration and enhancing
situational awareness. For example, the Montrose Emergency Telephone
Service Authority (METSA) believes that if the Colorado Public
Utilities Commission (COPUC) had been granted NORS access following a
July 2019 fiber cut, ``the COPUC could have assisted with generalized
information regarding areas which were truly impacted by the outage.''
In another example, Massachusetts Department of Telecommunications and
Cable (MDTC) believes that direct access to NORS data would have
provided it, local official and town residents, businesses, and
government offices with ``timely, and therefore, actionable''
information about a recent wireline telephone service outage. MDTC also
believes that access would have helped providers avoid the burden of
being contacted multiple times by multiple parties.
B. Sharing DIRS Filings With State, Federal and Other Agencies
20. In the Second Further Notice, the Commission also proposed
sharing DIRS filings with eligible state and Federal agencies and
sought comment on the anticipated benefits of sharing DIRS filings. We
adopt this proposal, finding that sharing DIRS filings will enhance
public safety by improving participating agencies' situational
awareness regarding infrastructure status and helping to inform their
decisions on how to allocate resources. No commenters oppose the
Commission's DIRS proposal. Rather, many agree that sharing DIRS
filings will provide the benefits cited by the Commission in the Second
Further Notice, including improving the effectiveness of response and
recovery efforts during and after disasters and providing stakeholders
with actionable status of communications outages. Communications
Workers of America (CWA) states that ``information contained in the
DIRS will be very helpful to understand the status of communications
infrastructure in the impacted area and to set restoration priorities''
following major events such as wildfires and flooding. Other commenters
underscore that access to both DIRS and NORS are vital to aid in
situational awareness and emergency response initiatives because in the
counties where DIRS has been activated, NORS reporting obligations are
typically suspended for the duration of the DIRS activation.
21. Some commenters urge the Commission to make DIRS reporting
mandatory. We decline to do so, as this issue is outside of the scope
of this rulemaking. We agree with T-Mobile that such action would go
``beyond the question of sharing NORS and DIRS data and the manner in
which the information should be shared.'' We also note that as our
priority with this proceeding is ensuring that agencies begin to
receive critical information about service outages to assist them in
their service restoration initiatives, technical changes that may be
necessitated by making DIRS reporting mandatory could delay such
access.
[[Page 22799]]
C. Scope of Direct Access
22. Eligibility for direct access. In the Second Further Notice,
the Commission proposed that direct access to NORS and DIRS be limited
to agencies acting on behalf of the Federal Government, the 50 states,
the District of Columbia, Tribal Nations, and the U.S. territories
(including Puerto Rico and the U.S. Virgin Islands). We adopt this
proposal.
23. The majority of commenters agree with this proposal, typically
without significant comment. For example, T-Mobile remarks that
limiting direct access in this way strikes an appropriate balance
between disseminating NORS and DIRS information to those who most need
it (i.e., to save lives and property) and safeguarding the
information's confidential nature. The California Public Utilities
Commission believes that Tribal Nation eligibility is appropriate since
Tribal Nation governments have oversight responsibility for public
safety matters in their lands in the same manner as the other entities
that the Commission has identified for direct access. We find that
limiting direct access to NORS and DIRS filings is necessary to limit
the risk for the over disclosure of sensitive and confidential
information and to ensure administrative efficiency. While the
Commission proposed to disallow direct access by local agencies, it
proposed mechanisms to ensure that local agencies and related entities
and individuals could indirectly access NORS and DIRS information on a
case-by-case basis. We adopt some of these mechanisms today.
24. We reject Colorado Public Utilities Commission's view that
Tribal Nation entities should be eligible for direct access only if
they do not participate directly in a state 911 program or have their
own 911 program. We find no reason to treat Tribal Nations differently
than state agencies with respect to NORS or DIRS information sharing,
and commenters have offered no new evidence to warrant such a
departure. The Colorado Public Utilities Commission's approach appears
to assume that NORS and DIRS information is only beneficial as it
relates to improving 911 service. In contrast, we find that
jurisdictions, including Tribal lands, can benefit from NORS and DIRS
information for uses beyond improved 911 performance. This is
corroborated, for example, by The Utility Reform Network's comments
evidencing that agencies serving Tribal lands would have been better
able to transmit emergency evacuation alerts during the 2019 California
wildfire event had they had access to outage information. We find that
Tribal Nations have a need for NORS and DIRS information regardless of
their participation in a state's 911 program.
25. We reject the position of some commenters that at the state or
local level, only state-based fusion centers (i.e., state-owned and
operated centers that serve as focal points in states and major urban
areas for the receipt, analysis, gathering and sharing of threat-
related information among state, local, Tribal, territorial, Federal
and private sector partners) should be eligible to directly access NORS
and DIRS data. These commenters argue that fusion centers are uniquely
qualified for direct access because they work closely with state public
safety agencies, are familiar with handling, analyzing, and summarizing
sensitive information, and typically operate around the clock or
because of their ``connection to the Federal Government.'' We are not
persuaded.
26. Our experience over many years indicates that many other types
of agencies have experience in coordinating with public safety
agencies, handling sensitive information, and working tirelessly when
disasters strike. No commenter has argued or provided evidence that
fusion centers have specific expertise in interpreting NORS and DIRS
outage information such that they alone should disseminate it. Fusion
centers are not uniquely or solely qualified in this regard. We
therefore find no reason to preclude otherwise eligible state agencies
from accessing NORS and DIRS information, especially if such access
would enhance public safety response and situation awareness. Contrary
to views posited by the IACP, we find no administrative benefit in
limiting accessibility to NORS and DIRS information to fusion centers.
Instead, by exercising our administrative oversight for reviewing each
application for access to NORS and DIRS, as detailed in today's Order,
the Commission will be better able to ensure that NORS and DIRS
information is used appropriately.
27. Local Agencies. We are not persuaded by commenters who argue
that local agencies should be eligible for direct access to NORS and
DIRS because they have the primary responsibility for responding to
emergencies. We find the potential benefits of doing so are outweighed
by the substantial risks and burdens of providing local agencies with
direct access.
28. As noted by some commenters, local entity governments typically
do not have the level of experience navigating the kinds of outage and
infrastructure status information contained in NORS and DIRS filings
that state agencies do. We agree with USTelecom that providing direct
access to local entities would likely exponentially increase the number
of participating entities, thus complicating administration and
increasing opportunities for erroneous disclosure of confidential
information. We believe such a large increase would render it difficult
or impossible for the Commission to effectively administer the sharing
framework. Instead, we believe that providing local entities indirect
access, through participating agencies with direct access, will
sufficiently support the public safety needs of localities while
striking a fair balance between sharing NORS and DIRS information and
minimizing the potential for unauthorized disclosure.
29. We similarly reject the views of some commenters that request
that the Commission provide local entities with direct access
purportedly so that state agencies are not burdened by, and delays are
not created in, requiring them to provide this information to local
entities themselves. Today's framework does not require, but only
allows, these agencies to share NORS and DIRS information with local
entities. As the National Association of Regulatory Utility
Commissioners (NARUC) points out, agencies collectively have more
resources dispersed across the country than the Commission. We find
that the responsibility of disseminating information to local entities
is most efficiently placed on this range of state and other agencies,
each with specific knowledge and incentives to further public safety in
its own jurisdiction.
30. We also are not convinced that allowing an agency with direct
access to share its credentials with an associated local entity would
alleviate our administrative burdens and disclosure risk concerns, as
opined by the Texas 9-1-1 Entities. We reject this approach because it
would allow direct access to NORS and DIRS by local agencies whose
certifications have not been reviewed and approved by the Commission
and are not directly accountable to the Commission. We find that a
credential sharing scheme would unacceptably increase the risk that our
training and other procedural safeguards would not be implemented,
which would make it more likely that NORS and DIRS filings could be
improperly used or disclosed.
31. We also find unconvincing, the view of one commenter that
``advocates, researchers and the public,'' among others, should be
eligible for direct access purportedly ``to hold
[[Page 22800]]
telecommunications providers accountable and monitor the communications
rights of impacted communities.'' This approach fails to address the
Commission's findings that have long treated NORS and DIRS filings as
presumptively confidential to further national security and protect
commercially sensitive information. We find that granting such broad
access to NORS and DIRS information would effectively render that
treatment moot and thereby detract from these objectives.
32. Eligible agencies must have a ``need to know.'' In the Second
Further Notice, the Commission proposed that direct access to NORS and
DIRS be limited to eligible agencies that have a ``need to know,''
which was defined as ``reasonably requir[ing] access to the information
in order to prepare for, or respond to, an event that threatens public
safety, pursuant to its official duties.'' We today adopt a modified
definition of ``need to know'' that includes only agencies that have
official duties that make them directly responsible for emergency
management and first responder support functions.
33. Most commenters agree that direct access should be limited to
agencies with a ``need to know'' to prevent the over-disclosure of
sensitive NORS and DIRS information, though commenters differ in their
views on the appropriate definition of the term. We are persuaded by
Verizon that a ``need to know'' should be defined to refer to an agency
``having official duties making it directly responsible for emergency
management and first responder support functions.'' We find that this
definition best achieves the goal of ensuring that only agencies with
the greatest and most relevant public safety needs have access to the
sensitive information contained in our NORS and DIRS databases. We note
that this definition for ``need to know'' is more specific and narrow
than what the Commission proposed in the Second Further Notice and will
minimize the number of disputes over which agencies qualify for access,
thus preserving public safety resources. We confirm NCTA's view that an
``event'' giving rise to a ``need to know'' may be either natural or
``manmade.'' While we do not exhaustively enumerate here every type of
agency that may qualify for access under our adopted ``need to know''
standard, we expect that qualifying agencies will include state
homeland security and emergency management departments, state first
responder departments (including fire and law enforcement departments),
and state public utility (or public service) commissions. We agree with
New York State Public Service Commission and the Public Service
Commission of the District of Columbia that state public utility and
service commissions typically support public safety and emergency
response efforts, including by coordinating the restoration of
telecommunications in their jurisdictions.
34. In view of the record, we disagree with the views of the
Competitive Carriers Association and T-Mobile who argued that the
Commission's earlier proposed definition of ``need to know'' struck an
appropriate balance between ensuring that an appropriate set of
agencies will have access to NORS and DIRS data for their public safety
efforts and reducing the likelihood of improper disclosure. For the
reasons noted above, we find that a more objective and narrower
standard is necessary for today's program to be administrable and to
ensure that the sensitive information in NORS and DIRS filings is not
disseminated broadly beyond a small set of core agencies in each state
or other jurisdiction.
35. Demonstrating a ``need to know.'' An agency applying for direct
access to NORS and DIRS must demonstrate its ``need to know'' by citing
to statutes or other regulatory authority that establishes it has
official duties making it directly responsible for emergency management
and first responder support functions.
36. We agree with Verizon and NCTA that an objective showing of
legal authority, in the form of statues or other regulatory bases, is
necessary as part of the application process to ensure that only
qualified agencies have direct access to NORS and DIRS filings. We find
that the approach we adopt today will avoid protracted disputes and
subjective interpretations about what roles and responsibilities an
agency may have during an emergency and will guard against the over-
disclosure of sensitive NORS and DIRS information.
37. Scope of Use. In the Second Further Notice, the Commission
proposed that NORS and DIRS information accessed by participating
agencies be used only for public safety purposes. We adopt this
proposal and clarify that the only valid public safety purposes are the
same purposes that would give rise to a ``need to know,'' i.e.,
carrying out emergency management and first responder support functions
that an agency is directly responsible for pursuant to its official
duties.
38. Several commenters seek confirmation that certain use cases are
permitted. We confirm commenters' views that a participating agency's
dissemination of information to other individuals responsible for
preparing and responding to disasters is an acceptable use. We also
confirm commenters' views that the assessment of emergency notification
options available in areas impacted by an outage or disaster, including
determining whether Wireless Emergency Alert messages can be delivered
and, if not, coordinating alternate methods of notification, is an
acceptable use. We further confirm the views of the Telecommunications
Regulatory Bureau of Puerto Rico and other commenters that identifying
trends and performing analyses designed to make long-term improvements
in public safety outcomes are acceptable uses. We agree that these
long-term efforts are critical for preparing for events that threaten
public safety in ways that will reduce the loss of life and property in
future outage and disaster scenarios. We are similarly persuaded by the
Massachusetts Department of Telecommunications and Cable, which
explains the potential value of NORS and DIRS information in its
analyses used to improve service and avoid future outages, and the
Michigan Public Service Commission, which explains that the information
would assist in understanding the nature of outages, ultimately
resulting in more resilient networks. We find that these uses reflect
carrying out emergency management and first responder support functions
by informing the public of danger, or preparing in advance for such
danger, to avoid the loss of life and property.
39. We expressly forbid the use of NORS and DIRS information
obtained through the procedures we adopt today for non-emergency-
related regulatory purposes, including merger review, consumer
protection activities, contract disputes with a state, or the release
of competitive information to the public. We agree with commenters that
such uses of NORS and DIRS data would be inconsistent with the public
safety purposes for which the sharing framework was created. Moreover,
such uses could create counter-productive incentives for providers to
supply superfluous information in their NORS and DIRS disclosures
thereby diminishing the public safety value of these filings.
40. 911 fee diversion. In the Second Further Notice, the Commission
sought comment on whether it should exclude from eligibility agencies
located in states that have diverted or transferred 911 fees for
purposes other than 911 and how it should address agency access in
states that have inadequately responded to Commission inquiries about
their
[[Page 22801]]
practices for using 911 fees. We decline to exclude agencies located in
fee diverting states from eligibility in today's information sharing
framework.
41. Nearly all commenters reject the exclusion of agencies on
grounds that they are located in states that have engaged in fee
diversion or provided an inadequate disclosure of their fee practices
to the Commission. We agree with those commenters who remark that
access to NORS and DIRS information, and the important public safety
benefits associated therewith, should not be conditioned on whether a
state engages in 911 fee diversion. We find this point particularly
compelling since, as noted by Colorado Public Utilities Commission and
NASNA, diversion may be an act of the state legislature rather than the
agency seeking access to NORS and DIRS information.
42. We find that the benefits of providing NORS and DIRS
information to entities in these states outweigh the possibility that
withholding this information may incentivize legislatures to reconsider
fee diversion decisions, particularly as no commenters offered evidence
supporting this view. On September 30, 2020, the Commission adopted a
Notice of Inquiry seeking comment on ways to dissuade states and
territories from diverting fees collected for 911 to other purposes,
and on the effects of 911 fee diversion. We are not persuaded otherwise
by T-Mobile's conclusory statement supporting the exclusion of
agencies, which in relying on comments filed in an unrelated
proceeding, fails to address the potential negative impacts of
withholding NORS and DIRS information from agencies or the extent to
which doing so would motivate legislatures to reconsider their fee
diversion decisions.
D. Confidentiality Protections
43. Direct access conditioned on confidential treatment by
agencies. In the Second Further Notice, the Commission proposed that
the Commission make all confidentiality determinations implicating the
release of confidential NORS and DIRS information pursuant to today's
program. The Commission proposed that a participating agency only
receive direct access to NORS and DIRS filings if it could agree, under
its governing laws, that when it received a request to release NORS or
DIRS information under open record laws in its jurisdiction, it would
defer to and comply with a Commission determination and not disclose
the filings other than as expressly allowed in today's Order or any
subsequent Commission determinations. We adopt this proposal.
44. The majority of commenters, including state and local entities,
and industry advocacy organizations, support this approach. We agree
with Verizon that this approach is ``essential'' to protecting NORS and
DIRS information, because requests for disclosure of confidential
information would be determined uniformly rather than being left to a
patchwork of varying open records law standards among jurisdictions. We
also agree with the IACP, which stresses that without the Commission's
role in reviewing requests, public safety entities could face
``nuisance lawsuits'' and have their scarce public safety resources
diverted as they become ``embroiled in legal challenges or extended
discussions regarding the confidentiality of NORS and DIRS
information.'' We find that our approach would create a necessary,
simple mechanism to control the flow of confidential NORS and DIRS
information, even when state and other open records laws vary.
45. Commenters confirm that this proposal is workable in practice.
A number of state public utility commissions identify exemptions in
their open records laws that allow them to defer to the Commission's
FOIA determination in place of making their own. Moreover, no commenter
contends that there is a jurisdiction that would not be able to defer
to the Commission pursuant to the jurisdiction's open records and other
relevant laws. We agree with The Utility Reform Network that state,
Federal and Tribal Nation entities are well versed in handling
confidential material based on their other programs and that they would
therefore be able to adhere to today's confidentiality requirements. We
similarly agree with the California Public Utilities Commission and
Massachusetts Department of Telecommunications and Cable, which bolster
this point by noting that today's confidentiality requirements are
familiar to many participating agencies because they resemble ones the
Commission separately established for the sharing of presumptively
confidential data with states in separate programs involving the Form
477 database and the North American Numbering Plan Administrator
database.
46. We are unpersuaded on the current record that the presumption
of confidentiality for all NORS and DIRS information is not fully
warranted, as some commenters argue. While these commenters contend
that NORS and DIRS information often does not contain information that
is sensitive for national security reasons, no commenter provides
practical guidance on how to distinguish at an operational level those
reports that contain such sensitive national security information (or
sensitive business information) from those that do not. Because we did
not seek comment on this question, and because the record is incomplete
as to the types of information, or the specific fields in NORS and
DIRS, that these commenters believe should not receive confidential
treatment, we are not in a position today to decide upon the merits of
these views. We also find that these commenters fail to address the
possibility that a collection of NORS and DIRS filings could reflect
patterns that implicate national security, even when filings taken
individually may not. Moreover, given that we maintain the presumption
of confidentiality as to our own use of NORS and DIRS data, we find it
logical to require that participating agencies, and those who receive
information from them, be held to the same type of confidentiality
standards. To do otherwise would allow these entities to disclose the
data in ways that would contradict and render meaningless the
Commission's own presumptively confidential treatment. Based on the
lack of new information provided by commenters on the current record,
we decline to reverse at this time the Commission's long-held view that
NORS and DIRS information warrants confidential treatment. The
Commission acknowledges that some commenters assert that public access
to some outage information would benefit the public, and nothing we do
today permanently forecloses us from examining this issue further in
the future.
47. We also find unpersuasive the view of the California Public
Utilities Commission that ``industry's perception'' of the
confidentiality of NORS and DIRS data is changing, merely because
Verizon and other service providers have decided to increase their
public disclosure of outage information around major communications
outage events. On the contrary, we believe that a rollback of the
Commission's presumption of confidentiality of NORS and DIRS data would
actually have the opposite effect of discouraging companies from
voluntarily taking meaningful incremental steps to make more
information available.
48. We also reject NTCA's position that today's framework should go
further and shield NORS and DIRS filings from any disclosure in
response to a request filed under state-level FOIA-type laws. The
approach we adopt today permits disclosure only when the
[[Page 22802]]
state defers to the Commission and the Commission makes a
determination, based on the Federal FOIA standard, permitting the
disclosure. Because the Commission will consider requests made under
state-level open records laws identically to requests made under FOIA,
NORS and DIRS information would not be better protected from
inappropriate disclosure by specifically blocking from consideration
any requests received by participating agencies under their open
records laws. We also reject NARUC's view that the Commission's
proposal is unnecessary since ``to avoid concerns [in] the tiny
minority of States that have arguably deficient FOIA-type protections
in-place,'' the Commission need only condition access to the data on
states providing some level of confidential treatment. We have not
found any practical way to identify the purported ``tiny minority'' of
states that have deficient open records laws. Even among states that
have ``non-deficient laws,'' we expect that the substance of those laws
is likely to vary in ways that would result in the different treatment
of certain NORS and DIRS data fields from jurisdiction to jurisdiction.
In contrast, the Commission's proposal would advantageously provide a
uniform confidentiality standard and thus better protect confidential
NORS and DIRS information from unauthorized disclosure.
49. Agency notifications to the Commission proposed in the Second
Further Notice. In the Second Further Notice, the Commission proposed
to require that a participating agency notify the Commission: (i)
Within 14 calendar days from the date the agency receives a request
from third parties to disclose NORS filings and DIRS filings, or
related records, pursuant to its jurisdiction's open record laws or
other legal authority that could compel it to do so, and (ii) at least
30 calendar days prior to the effective date of any change in relevant
statutes or rules (e.g., its open records laws) that would affect the
agency's ability to adhere to the confidentiality protections in this
information sharing framework. We adopt these proposals.
50. Commenters generally support these proposals and no commenter
expressly opposes them. We find that the 14-day notification we adopt
today will allow the Commission take appropriate action, including (at
the Commission's option) notifying an affected service provider so that
the provider can supply its comments on the matter if permitted under
the jurisdiction's open records law. We find that the 30-day
notification we adopt today will provide the Commission with an
opportunity to determine whether to terminate an agency's access to
NORS or DIRS filings or take other appropriate steps as necessary to
protect this information. As noted in the Second Further Notice, we
find that these proposals will help ensure consistency in disclosure by
many disparate agencies that will receive this information under the
terms of today's Order and will instill confidence that submitted
information will continue to be protected as it is today.
51. Additional notifications proposed by commenters. We reject the
views of commenters that additional notifications from the Commission
or participating agencies are necessary to ensure that service
providers can dispute various types of requests for NORS and DIRS
information and thus protect the confidentiality of their shared
information. ATIS argues that we should require a notification from a
participating agency within 14 days of when it receives a request to
share NORS and DIRS data with a local agency. ATIS also argues that for
both this notification and the 14-day disclosure request notification
the Commission proposed in the Second Further Notice, the Commission
should be required (as opposed to have the option) to notify service
providers to allow them sufficient opportunity to provide any input.
ATIS further argues that we should also require participating agencies
to notify service providers at least 30 calendar days prior to the
effective date of any change in relevant statutes or rules that could
implicate the providers' filings. CenturyLink similarly argues that
service providers should be made aware when a local agency receives
access to NORS and DIRS data. ACA Connect contends that an agency
should be required to submit, apparently to the Commission, the name of
all recipients that it shares information with.
52. We reject these views, including to the extent they would
require that participating agencies provide notification directly to
service providers. Our rules require that the Commission provide notice
to service providers, and allow them an opportunity for comment, when
it receives FOIA requests for their NORS and DIRS filings. 47 CFR
0.461(d)(3). Today's rules require that a participating agency provide
the Commission, not service providers, with notice when it receives a
request for the NORS and DIRS filings under its state or other open-
records laws. We find that the burden of requiring participating
agencies to provide a voluminous number of new notifications to service
providers on receipt of sharing requests (which are likely to be
received when major outages or other public safety events are on-going)
to be an unwarranted diversion of scarce public safety resources from
state, Tribal Nation, and local agencies when they may be needed most.
We further note that providers have the ability and incentive to
monitor potential changes in confidentiality laws (where the providers
operate) as a matter of general business practice, and we find it
redundant and inefficient to ask participating agencies to commit their
limited resources to this task. To address the concerns of record that
providers would not receive notice when the Commission is notified of a
request under state-level open records laws, Commission Staff will post
a notification to the Commission's Electronic Filing Comment System
(EFCS) in the present docket, on receipt of such notification from a
participating agency, identifying the existence of the open records
request, the jurisdiction under which the request was received and the
service provider(s) whose filings are implicated by the request.
Interested parties, including service providers, may use the push
notification feature in ECFS to receive an alert when filings have been
posted in the present docket, further facilitating prompt notification.
We find that this approach appropriately balances providing
notification to service providers of the existence of such requests
with our concerns that requiring participating agencies to provide
direct notifications to providers could be overly burdensome of scarce
public safety resources.
53. We recognize, however, based on these comments, a need for
increased accountability in how participating and non-participating
agencies use NORS and DIRS information. We therefore adopt the
requirement that each participating agency make available for
Commission inspection, upon Commission request, a list of all
localities for which the agency has disclosed NORS and DIRS data. The
Commission may, at its discretion, share such lists with the implicated
providers. While this requirement falls short of some commenters'
requests for additional notifications, we find that it appropriately
balances maintaining accountability on the part of participating
agencies with minimizing the day-to-day burden on agencies for
participating in the sharing program.
54. The Commission is aware that agencies that voluntarily elect to
participate in this information sharing
[[Page 22803]]
framework may incur some costs due to the obligation to notify the
Commission when they receive requests for NORS filings, DIRS filings,
or related records and when there is a change in relevant statutes or
laws that would affect the agency's ability to adhere to
confidentiality protections. These costs include modest initial costs
to review and revise their confidentiality protections in accordance
with the framework we adopt in today's Order, and minimal reoccurring
costs to notify the Commission as described above. We cannot quantify
agency costs for these activities, which would vary based on each
participating agency's particular circumstances, including the number
of requests or changes in law that would necessitate notifications, as
we lack the record evidence to quantify such benefits. This lack of
quantification, however, does not diminish in any way the advantages of
providing access to NORS and DIRS information to improve the safety of
residents during times of telecommunications outage infrastructure
distress. We conclude that the benefits of participation would likely
exceed the costs for any agency electing to participate in today's
framework; otherwise, such an agency could avoid such costs altogether
by deciding not to participate in this information sharing. We find
that the benefits attributable to providing NORS and DIRS access to
these agencies and other parties are substantial and may have
significant positive effects on the abilities of these entities to
safeguard the health and safety of residents during times of natural
disaster or other unanticipated events that impair telecommunications
infrastructure.
55. Moreover, we are unaware of any alternative approaches with
lower costs, nor have any been identified by commenters, that would
still ensure that the Commission promptly and reliably learns of the
actions described above that may lead to the disclosure of NORS or
DIRS-related information. Lessening the promptness or reliability of
notifications to the Commission would disincentivize providers from
supplying robust and fulsome NORS and DIRS reports and therefore reduce
the benefits that those filings would provide to the Commission and
participating agencies alike. We find that this reduction in benefits
would outweigh the expected modest cost savings to those participating
agencies that would be required to provide notifications under the
framework we adopt today.
E. Preemption and its Relation to State, Federal and Other Reporting
Requirements
56. We reject requests from commenters that urge the Commission to
preempt state outage reporting requirements. Some industry commenters,
including T-Mobile and CenturyLink, generally favor preemption as they
believe it will, among other considerations, promote uniformity in the
outage reporting requirements they must observe. For example, T-Mobile
states that ``[c]onsistent with its recognition that there should be
consistency with regard to outage information available to the public,
the Commission should preempt state laws requiring the submission of
outage data by wireless carriers. These laws often establish different
thresholds for trigging outage reporting and could cause public
confusion.'' CenturyLink also comments that ``[a]pproximately 34 states
have outage reporting requirements that, in most cases, do not align
with the FCC's reporting criteria. Complying with these various state
rules poses both a resource burden and a systems burden that would lack
a corresponding benefit if states obtain outage information by
accessing NORS/DIRS.''
57. We note that the actions we take today would not place any new
NORS, DIRS or state-level filing requirements on service providers and
we find no compelling reasons to upset our information sharing
framework by implementing any additional requirements for service
providers at this time. We further agree with the California Public
Utilities Commission that ``preemption is not an issue in the FNPRM,''
and acknowledge that because the Commission did not seek comment on
this issue, the record on this significant Federalism question is not
fully developed. Nothing in this paragraph is intended to narrow limit,
or broaden a party's opportunity to seek redress under all applicable
existing laws, including through declaratory judgement in accordance
with 47 CFR 1.2 of or rules, on grounds that a state rule or law is
allegedly preempted by Federal law or rule, including our part 4 outage
reporting rules. Such rights remain undisturbed by today's Order. As we
have indicated above, we did not seek comment on the issue of
preemption in this proceeding, and the record here is insufficient to
make any determinations on a need to launch further proceedings on this
issue. For this reason, we also agree with the California Governor's
Office of Emergency Services that ``the FCC should decline any
invitation to broadly preempt state law because the question is outside
the scope of the present proceeding.'' Moreover, the Commission is
persuaded by commenters, including NASUCA, NARUC and California
Governor's Office of Emergency Services, underscoring that, currently,
states can determine what outage reporting requirements are most
appropriate for their jurisdictions.
F. Safeguards for Direct Access to NORS and DIRS Filings
58. We adopt specific safeguards to ensure the continued
confidentiality, appropriate sharing, and limited disclosure of NORS
and DIRS information. These safeguards include providing read-only
access to NORS and DIRS filings, limiting the number of users with
access to NORS and DIRS filings at participating agencies, requiring
participating agencies to receive training on their privileges and
obligations under the framework (such as reporting any known or
reasonably suspected breach of protocol to the Commission and service
providers), and potentially terminating access to agencies that misuse
or improperly disclose NORS and DIRS data.
59. As several record commenters express overall concerns about
adequately securing NORS and DIRS information, our safeguards
strategically respond to potential NORS and DIRS data security threats.
For example, our training requirements are intended to set clear
parameters for how agencies use NORS and DIRS filings, our limits on
agency user accounts will help us control account access, and our
measures to audit account access will enable us to detect and quickly
investigate potential misuse. We expect that, collectively, these
safeguards will protect the NORS and DIRS data we will share under our
framework from inappropriate use and minimize the potential harm from
data breaches as noted by certain record commenters. Based on our
review of the record, we find that the safeguards we adopt today
appropriately balance the need to preserve the confidentiality of NORS
and DIRS information against the need to provide agencies with critical
information to assist them with protecting public safety.
1. Read-Only Direct Access to NORS and DIRS and Limits on Access to
Historical Filings
60. In the Second Further Notice, the Commission renewed the
Commission's proposal, first made in the 2016 Report and Order and
Further Notice, that participating state and Federal agencies
[[Page 22804]]
be granted direct access to NORS and DIRS filings in a read-only manner
to help prevent the improper manipulation of NORS and DIRS data. We now
adopt this proposal, finding that this approach is vital to protecting
NORS and DIRS filings from improper use. We observe that all industry,
public safety organizations, and state and local government parties
commenting on the Commission's read-only proposal agree with it, with
some specifically noting that they believe it will be an effective
safeguard against the improper manipulation of NORS and DIRS data.
Further, ATIS states that it strongly supports read-only access as a
means ``to further enhance confidentiality.'' We agree with commenters
that granting read-only access will help reduce the risk that
participating agencies' employees or others could make unauthorized
modifications to the filings, whether unintentional or malicious, and
ensure the accuracy of information shared via the information sharing
framework.
61. Some commenters encourage the Commission to implement
additional technological measures to prevent the improper use of
information, including mechanisms to limit the manipulation and
improper access of printouts and downloadable NORS and DIRS data, such
as placing confidentiality notifications or headers and watermarks on
viewable and printable documents. We acknowledge that these
recommendations would serve as useful safeguards against the improper
use of outage data and find it would be in the public interest to
further develop the record on the suitability of these measures and
safeguards. We thus direct PSHSB to seek, via Public Notice, further
information on the cost, manner and technical feasibility of
implementing these technological measures and safeguards in NORS and
DIRS and to make determinations on which of these measures and
safeguards, if any, would be suitable for implementation in NORS and
DIRS. We further delegate authority to PSHSB to implement in NORS and
DIRS any measures and safeguards that it determines suitable and in the
public interest based on the record developed in response to the Public
Notice. Cognizant of the effective date of today's rules, we instruct
the Bureau to work expeditiously to make its determinations and, if
applicable, the associated revised implementations to NORS and DIRS.
These implementations should not impose new regulatory requirements on
service providers or additional conditions on agencies seeking access
to the outage data. Nothing in this paragraph will serve as basis for
delaying the effective date of the rules we adopt today.
62. The Commission also acknowledges the proposal from the
Massachusetts Department of Telecommunications and Cable that the
Commission ``establish a mechanism for Authorized State Agencies to
comment on and give feedback to the FCC on the shared data,'' as the
Massachusetts Department of Telecommunications and Cable believes that
``states may have information that does not appear in or that
contradicts NORS or DIRS data, information which could allow the FCC to
improve its data collection.'' We find that it is premature to
determine whether this would be a useful feature for participating
agencies, and we believe it is appropriate to wait until these agencies
have had experience with NORS and DIRS before building this
functionality into those systems. We suggest that participating
agencies that wish to share information related to contents of NORS and
DIRS filings instead informally contact Commission staff with their
concerns.
63. Access to Historical Filings. The Commission proposed in the
Second Further Notice to grant participating agencies access only to
those NORS and DIRS filings made after the effective date of this
proposed information sharing framework, even if the agency begins its
participation at a later date. We adopt this approach today.
64. We are persuaded by industry commenters who argue that the
Commission should not make available NORS and DIRS filings submitted
before the effective date of the framework because the Commission
should honor the expectation of confidentiality that providers had at
the time they submitted them. For example, NTCA asserts that
``providers submitted their NORS and DIRS filings with the expectation
that only the Commission would have access to those filings.'' We
agree, and believe it would be inappropriate in this context to adopt
rules to allow retroactive carte blanche access to these filings by
agencies joining the framework as providers had no notice that we would
share such confidential information with participating agencies and
maintained an expectation that we would withhold them from disclosure.
We also find that providing access to filings submitted before the
effective date of the proposal would be technically difficult to
implement, as it would require the modification of tens of thousands of
previously filed outage reports to ensure that access can be limited by
jurisdiction. Nonetheless, while we decline to adopt proposals to share
filings submitted before the effective date of the framework, we also
agree with public safety and state government commenters that having
access to past filings could help identify trends in outages and be
useful to agencies in planning and responding to outages to improve
network reliability, and we reject industry commenters like
CenturyLink, that argue to the contrary. On balance, however, we find
that the need to preserve the confidentiality of filings submitted
before the effective date of the framework is stronger than any
rationale posited to support access to these filings. We believe that
providing participating agencies with direct access to filings
submitted after the effective date of the framework, even if their
participation begins at a later date, is the optimal approach as it
provides fair notice to service providers while also providing agencies
with information to assist them with identifying outage trends over
time and enhance their preparedness and recovery efforts as noted above
and in the Second Further Notice.
65. We further note that ATIS argues that it ``does not believe
that it is necessary to provide access to filings made before a state
has been granted access,'' but ``should access to prior reports be made
available,'' access to past reports should be limited to ``no earlier
than 90 days,'' and ATIS proposes that should additional NORS and DIRS
data be needed by participating agencies, the Commission could grant it
``upon a showing of reasonable necessity. We reject ATIS's argument as
we do not find that ATIS provides a compelling explanation regarding
why limiting access to reports to no earlier than 90 days is an
appropriate window (as opposed to another window of time). Moreover,
the Commission does not find any harm in sharing filings older than 90
days so long as they were made after the effective date of the
framework, consistent with our decision today, as filers would be on
notice of the prospect that their filings could become available to
states that subsequently demonstrate their eligibility for access. The
Commission also finds that requiring participating agencies to
demonstrate a reasonable necessity for additional NORS and DIRS
reports, as ATIS suggests, could impede efficient access to available
NORS and DIRS filings.
2. Disclosing Aggregated NORS and DIRS Information
66. In the Second Further Notice, the Commission proposed to allow
[[Page 22805]]
participating agencies to provide aggregated NORS and DIRS information
to any entity including the broader public. In doing so, ``aggregated
NORS and DIRS information'' was defined to refer to information from
the NORS and DIRS filings of at least four service providers that has
been aggregated and anonymized to avoid identifying any service
providers by name or in substance.'' The Second Further Notice
articulated several potential public safety benefits stemming from the
public disclosure of aggregated NORS and DIRS information, including
its use in keeping the ``public informed of on-going emergency and
network outage situations, timelines for recovery, and geographic areas
to avoid while disaster and emergency events are ongoing.''
67. Based on our review of the record, we continue to expect that
the Commission's proposal will yield these benefits and adopt it today.
We agree with commenters that assert that appropriate use of
aggregation can provide useful information to public safety entities
and the public while still maintaining the confidentiality of data
submitted by providers.'' We disagree that agencies should be permitted
to publicly disclose NORS and DIRS data that are not aggregated and
anonymized as proposed, and accordingly, the rules we adopt today do
not permit data to be treated as disclosable under the definition of
``aggregated NORS and DIRS information'' unless the data has been drawn
from at least four service providers. Based on our experience in
determining whether aggregated disclosure is appropriate in other
contexts, we believe that where there are fewer than four service
providers, the disclosure of aggregated outage information,
particularly in combination with providers' specific knowledge of
competitors in the region, could inadvertently reveal one service
provider's commercially sensitive information to another. Even where
the data is aggregated from four service providers, however, under the
approach to disclosure we adopt today, agencies are prohibited from
publicly disclosing such data if they cannot ensure that no one can
derive the information of any individual company from the aggregation.
For example, aggregating the data from four service providers may not
sufficiently anonymize the data if one provider's data constitutes an
overwhelming share of the total.
68. To help mitigate concerns regarding improper aggregation due to
lack of expertise, we include exemplar aggregated and anonymized
reports based on hypothetical data in Appendix D. This Appendix also
contains non-binding guidelines for aggregating NORS and DIRS data. We
expect this Appendix will show participating agencies how to aggregate
users and cell sites affected by outages from NORS and DIRS reports in
a manner that ensures anonymization to prevent misuse and address any
potential confusion participating agencies have about aggregating NORS
and DIRS data. As stated in this Appendix, we note that aggregated data
may not reflect the exact number of users affected by a service
provider's outage and is only used for situational awareness, and
agencies' failure to properly aggregate data could lead to the improper
disclosure of service providers' confidential information and may
result in termination of their access to NORS and DIRS filings by the
Commission. We believe that with the guidance we provide agencies
today, they will be able to aggregate and anonymize NORS and DIRS data
in accordance with our rules.
69. Several commenters have urged the Commission to adopt a broader
definition of aggregation to enable aggregation in what they have
described as the numerous areas that have fewer than four providers.
For example, the California Public Utilities Commission comments that
the ``proposal fails to consider aggregation in the many instances
where an area is only served by two major wireline service providers.''
Allowing the public dissemination of NORS and DIRS information where
there are only two providers, for example, however, would unnecessarily
reveal confidential information about each of those providers to the
other. We believe that the dangers posed by such disclosure
substantially outweigh the benefits of disclosure to the public, given
the availability of the data to participating agencies. We recognize
that an agency's ability to provide aggregated information may depend
on the types (e.g., wireless or wireline) and numbers of providers
serving a region and the unique circumstances of an outage; there,
however, aggregated disclosure may be possible without an unauthorized
disclosure of confidential information given the multiple providers of
each type and at least four providers overall. Even so, there may be
situations where, for an example, an outage affects only the two
wireline providers in an area, and not the two wireless providers. In
that case, only the two wireline providers would be filing reports, and
any aggregation of their data would fall short of the four-or-more
provider requirement for public disclosure. We find that this approach
is necessary to ensure the confidentiality of NORS and DIRS information
and strikes a reasonable balance between the relevant policy
considerations. This policy does not override agreements certain
wireless providers have made with the Commission regarding the use of
aggregated DIRS data consistent with the Wireless Network Resiliency
Cooperative Framework.
70. We reject one commenter's proposal that, if aggregated data may
not be disclosed because of an insufficient number of providers, then
the Commission should first conduct a ``risk assessment'' to determine
how adversely affected the public would be by not receiving such data,
and second, if the risk assessment shows harm, then the Commission
should modify its ``need to know'' approach by disclosing information
under a protective order to ``public safety officials, researchers, and
public interest representatives.'' As a threshold matter, it is unclear
what this commenter means by ``risk assessment,'' what specific metrics
this commenter believes the ``risk assessment'' would use to measure
what it refers to as ``the impact of disparate access,'' and what costs
are associated with such an assessment to the Commission. To the extent
this commenter is suggesting that such a risk assessment be used to
identify parties that would qualify under the ``need-to-know'' standard
as recipients of confidential information, we believe it is more
appropriate to rely on state agencies to employ our new rules to share
outage information downstream to the extent necessary to address an
emergency situation for all affected within the community. We
anticipate that, in the appropriate circumstances, public safety
officials downstream from a participating state agency might have a
``need to know'' and may thus obtain confidential outage information
from such an agency that has determined it permissible under our rules
to share such information in this manner. It is perhaps less likely,
however, that public interest organizations or researchers would
qualify for such sharing under our rules. Insofar as this commenter
would have us relax the ``need-to know'' requirements to allow such
expanded sharing, we reject that proposal, as we believe that the
balance we have struck between disclosure of some information to
facilitate localized responses to emergencies and service outages
caused by them, on the one hand, and the protection of sensitive data
from unnecessary disclosure, on the other, will best serve the overall
public
[[Page 22806]]
interest. We also note that no commenter has recommended a practical
alternative to the Commission's proposal that would enable aggregation
at a lower threshold while ensuring that national security and
competitive concerns are addressed. Additionally, we note that under
the Commission's proposal, participating agencies in areas with fewer
than four communications providers have access to this data for public
safety purposes consistent with the rules we adopt today; they simply
may not disclose the data publicly.
71. ATIS and SIA argue that the Commission, instead of
participating agencies, should produce or approve aggregated reports
for public dissemination consistent with its existing practices and
because of the Commission's expertise with issuing these reports. We
reject these proposals. As dozens--or hundreds--of agencies might
participate in the information sharing framework, and there could be
several potential emergencies, and the need for prompt resolution of
those emergencies and related outages, we find that it would be
impractical and administratively burdensome for the Commission to
produce aggregated and anonymized reports on behalf of all
participating agencies seeking to publicly disseminate aggregated
reports under the Commission's proposal.
72. We note that T-Mobile also contends that aggregated data should
be disclosed only by the Commission because, among other
considerations, ``public disclosure by agencies other than the FCC
could ultimately mislead or confuse the public'' during times of
crises. T-Mobile asserts that agencies' unfamiliarity with the data can
lead to agencies either misinterpreting the data or producing
aggregated data reports that differ from each other, and that ``these
disparate reports would most likely cause confusion and potentially
hinder, rather than help, situational awareness.'' T-Mobile further
argues that as an alternative, the Commission should share data it
already aggregates, such as the aggregated DIRS reports it publishes on
its website. We reject T-Mobile's arguments. We find that, like the
Commission, participating agencies with a ``need to know'' have or will
quickly develop the necessary expertise to be able to understand NORS
and DIRS information, coordinate with the Commission and regional
partners where necessary, and release information to the public in a
responsible way. For example, while NORS and DIRS filings often
estimate the potential impact of service disruptions rather than
reflect the exact number of users affected by an outage, those
estimates can still effectively inform the public's understanding about
the effect outages across several providers following a disaster and we
expect that participating agencies will be able to communicate that
information to the public in a productive way.
73. We do not agree that existing Commission data aggregations can
replace state and local agencies' needs to inform the public about
outages and infrastructure status. For example, we anticipate that some
agencies will determine it is appropriate to release information to the
public more frequently than once a day or in specific regions not
covered by the Commission's public DIRS reports or any aggregations of
outage data that it might prepare. Also, as we stated above, we believe
that it would be impractical and administratively burdensome for the
Commission itself to fulfill requests to aggregate NORS and DIRS data
from potentially numerous participating agencies, and such an approach
could delay the Commission's assistance with resolution of the
underlying emergencies prompting the need to share the reports. To the
extent that the Commission identifies any instances of an agency using
NORS or DIRS information in an improper way, it will take steps to
ensure that improper disclosure does not occur in the future.
3. Direct Access to NORS and DIRS Filings Based on Jurisdiction
74. In the Second Further Notice, the Commission acknowledged that
outages and disasters can cross multiple jurisdictional boundaries and
therefore proposed enabling a participating agency to receive direct
access to all NORS notifications, initial reports, and final reports
and all DIRS filings for events reported to occur at least partially in
their jurisdiction including multistate outages. We also proposed
enabling participating agencies to receive access to NORS and DIRS
filings for outage events and disasters that occur in portions of their
jurisdictions but also span across additional states. We sought comment
on, inter alia, whether participating agencies would make use of NORS
and DIRS filings that affect states beyond their own, whether
participating agencies have a ``need to know'' about the effects of
multistate outages and infrastructure status outside their
jurisdiction, and whether any harms could potentially arise from
granting a participating agency access to multistate outage and
infrastructure information.
75. We adopt these proposals today as we expect they will enhance
public safety by providing agencies with thorough information regarding
outages to aid in their response and recovery coordination efforts.
Several public safety and state government commenters support granting
participating agencies multistate outage information about outages
occurring at least partially in their jurisdictions. We agree with
these commenters that access to this information would ensure that
participating agencies have a complete picture of outages and their
causes and would improve coordination between jurisdictions in response
to disasters. We also agree with the Pennsylvania Public Utility
Commission that participating agencies are ultimately in the best
position to determine what effects of multistate outages and
infrastructure status outside their jurisdiction are relevant to
informing their responses to the event.
76. We disagree with commenters that argue that state access should
be restricted to outage reports for those portions of events occurring
in that state. For example, the Competitive Carriers Association
contends that ``any decision to allow access to information about
adjacent states should be made on a case-by-case basis only upon a
showing of need,'' as it believes ``such geographic limitation is an
important mechanism for the Commission to ensure that data is used only
for intended purposes.'' We find that participating agencies would be
better able to address public safety matters, including by improving
their outreach and coordination with other jurisdictions in response to
disasters, if they have a more complete picture of outages and their
causes. ATIS further urges the Commission to prohibit the sharing of
data from multistate events with agencies until it addresses how to
effectuate this change in NORS. We also find that modifying NORS forms
to allow users to select more than one state when submitting a NORS
filing, as discussed further below, will be adequate to allow the
Commission to ensure that participating agencies can only access
filings for outages that at occur least partially in their
jurisdiction.
77. Sharing of Complete NORS and DIRS Reports and Filings. In their
comments concerning the scope and type of confidential information that
should be shared with participating agencies, some industry commenters
opine that some reports and fields in NORS and DIRS, such as root cause
analyses, sympathy reports, reports on simplex events, contact
information, and equipment types, are irrelevant and likely to cause
confusion and contain confidential information. ATIS also
[[Page 22807]]
states information regarding ``special offices and facilities in
Telecommunications Service Priorities (TSP) 1 and 2'' in NORS filings
``provide no relevant public safety information and should therefore
not be shared with state agencies.'' A sympathy report contains
information regarding a service outage that was caused by a failure in
the network of another company. A simplex report contains information
about which diversity of resources prevented a failure in a network
from causing a loss of service. TSP is an FCC program that directs
telecommunications service providers to give preferential treatment to
users enrolled in the program when they need to add new lines or have
their lines restored following a disruption of service, regardless of
the cause. In NORS, providers can indicate if TSP was involved during
service restoration. A root cause analysis indicates the underlying
reason why the outage occurred or why the outage was reportable. CTIA
and Verizon recommend the Commission convene a workshop to discuss
practices for inter-jurisdictional sharing of information, which
USTelecom supports as a way to determine what information is necessary
to share.
78. On review, we reject most commenters' proposals to share only
certain types of outage filings made in NORS and DIRS and reject
proposals to convene workshops to identify the appropriate types of
NORS and DIRS data to share. We agree with ATIS that reports related to
simplex events as contained in NORS filings should not be shared with
participating agencies. These reports contain information that helps
identify which diversity of resources prevented a failure in a network
from causing a loss of service, which could be helpful for analyzing
trends in outages, but we find that this information is not immediately
relevant to emergency response. However, we note that sympathy reports
and reports containing information about TSPs contain actionable
information on outages that could be of use to public safety officials
for emergency response or service restoration and we decline to exclude
these reports from NORS filings. For example, sympathy reports contain
information regarding service outages that, while caused by a failure
in the network of another provider, nonetheless have an effect on the
reporting service provider that may have public safety implications.
Moreover, information about TSPs may be helpful to emergency response
officials to indicate which repairs are being prioritized by service
providers.
79. For the NORS filings that are shared with participating
agencies, including notifications, initial and final reports, we find
that their contents about service outages, such as dates and times of
incidents, geographic areas affected, effects of outages on 911
service, the numbers of potentially affected users, and causes
(including information about any affected equipment) are highly
relevant to agencies that seek to increase their situational awareness
of emergency events and coordinate disaster response and recovery
efforts. Furthermore, in response to several commenters' position that
some fields in NORS reports are too sensitive or confusing to share and
should be excluded, we expect participating agencies will be able to
discern which information from various types of NORS and DIRS filings
is relevant to their own circumstances during various stages of public
safety events, particularly as we expect that participating agencies
will possess sufficient technical and operational expertise to
understand the information that some commenters maintain could be
confusing. We also find that the confidentiality requirements and
safeguards we adopt today will protect sensitive NORS information from
improper use and disclosure. We recognize that, once the information
sharing framework becomes effective, participating agencies may
initially engage the Commission (and potentially service providers,
through their existing relationships) with questions about NORS and
DIRS data, which will lead to more effective use of all types NORS and
DIRS filings over time.
80. We specifically reject the view that all of a service
providers' contact information should be excluded in the NORS and DIRS
filings and information we share with participating agencies. As noted
by the Michigan Public Service Commission, we expect that agencies'
technical staff will review NORS and DIRS filings and that the staff
will occasionally require contact with providers experiencing outages
in their jurisdiction to better understand and resolve substantive
issues. Because we expect that agencies will analyze NORS and DIRS
information in similar ways to the Commission, we disagree with ATIS's
view that all contact information supplied to the Commission with a
filing should be excluded from sharing. However, we agree with
commenters that it is unnecessary to share with participating agencies
the contact information of those individuals that solely file NORS or
DIRS information and do not have substantive details to share about an
outage or infrastructure status. We find that this approach strikes an
appropriate balance between ensuring participating agencies have access
to the substantive information they need and avoiding unproductive
contact that can potentially distract from the making of timely
filings. We note that, currently, NORS and DIRS give providers the
option to list primary (or first) and secondary contacts, either for an
outage (NORS) or generally for the provider (DIRS). We clarify that the
providers should enter as their primary contact an individual that they
specifically designate for substantive follow-up discussion about an
outage or about infrastructure status. For the secondary contact,
providers should identify the individual who undertakes the
administrative task of preparing and filing applicable reports in NORS
and DIRS. By following this guidance, providers can help ensure
consistency in the communications between themselves and participating
agencies.
81. Tribal Nation Government Agency/State Agency Access to
Multistate Event Data. In the Second Further Notice, the Commission
asked whether a participating Federally recognized Tribal Nation agency
that receives direct access to NORS and DIRS filings has a ``need to
know'' about events that occur entirely outside of its borders but
within the border of the state where the Tribal land is located, or if
a state agency should ``receive direct access to NORS and DIRS filings
reflecting events occurring entirely within Tribal land located in the
state's boundaries. The Commission further asked whether any harms
could ``arise from granting Tribal Nation authorities access to outage
and infrastructure information outside of their territories,'' and
sought comment on whether ``Tribal Nation authorities' access to NORS
and DIRS filings should be limited only to those aspects of multistate
outages that occur solely in their territories.''
82. NASNA and the Colorado Public Utilities Commission, the only
two commenters opining specifically on this issue, both agree that a
Federally recognized Tribal Nation agency that receives direct access
to NORS and DIRS filings can have a `need to know' about events that
occur entirely outside of its borders but within the border of the
state where the Tribal land is located. We are persuaded by NASNA and
the Colorado Public Utilities Commission's comments and note that no
commenter opposes this approach. We adopt the proposal that a Federally
recognized Tribal Nation agency may
[[Page 22808]]
receive direct access to NORS and DIRS filings for events that occur
entirely outside of its borders but within the borders of the state
where the Tribal land is located and, conversely, that a state agency
receive direct access to these filings reflecting events occurring
entirely within Tribal land located in the state's boundaries to the
extent these filings are available, and access would not impinge upon
Tribal sovereignty. We also grant Tribal Nation agencies direct access
to NORS and DIRS filings for outage events and disasters that occur in
portions of their jurisdictions but also span across additional states.
As the Commission stated in the Second Further Notice, because of the
technical nature of many outages, equipment located in a Tribal land
could impact service in the states in which Tribal lands are located,
and we expect this action to enhance the situational awareness of
Tribal Nations, and the states in which they are located, regarding
service outages and thereby improve public safety. We note that NASNA
supports the Commission's proposal to give state agencies direct access
to NORS and DIRS filings for events occurring entirely within Tribal
land located in a state's boundaries to improve information sharing
between states and Tribal nations. NASNA states that ``it would be most
efficient to allow direct access to data that relates to incidents
within a state agency's state boundaries, and to a tribal entity's
tribal jurisdiction,'' and comments that this approach ``gives the
states and tribal entities the ability to share data when it is
appropriate.'' We note that this approach does not impact Tribal
sovereignty as under our framework, outage data will be provided in the
first instance by the provider to the FCC, and only thereafter shared
with a Tribal entity.
83. Technical Implementation. In the Second Further Notice, the
Commission sought comment on aspects of the technical implementation of
its proposals regarding direct access to NORS and DIRS filings based on
jurisdiction, including its assertion that service providers would
incur minimal, if any, burdens related to DIRS because they would not
need to modify their DIRS reporting processes to accommodate multistate
reporting. The Commission also proposed changing the Commission's NORS
form to allow users to select more than one state when submitting a
NORS filing, consistent with the proposal to allow access to outages
that span multiple states. The Commission estimated the cost of such a
change for the nation's service providers to be $3.2 million and sought
comment on this proposal and any potential alternatives, including any
necessary adjustments to account for Tribal land borders. While a few
commenters expressed concerns about the accuracy of estimated costs to
service providers, no commenters provided cost data or analysis to
support their concerns or rebut the Commission's cost estimates.
Similarly, while some state agency and advocacy organizations expressed
concerns that it will be burdensome for voluntarily participating
agencies to relay information they retrieve from the NORS and DIRS
databases to ``downstream'' entities, none of these entities attempt to
quantify the costs associated with these activities. In the absence of
any cost analyses or other cost data quantifying alternative cost
estimates, the Commission continues to rely upon the estimates
discussed in the Second Further Notice indicating that the nation's
service providers will incur total initial set up costs of $3.2 million
based on the Commission's estimate of 1,000 service provider incurring
costs of $80 per hour and spending 40 hours to implement update or
revise their software used to report outages to the Commission in NORS
and DIRS.
84. We thus adopt this proposal consistent with our view that it
will allow the Commission to effectuate our provision of access to
filings for outages that span more than one state, and we conclude that
the benefits of today's program far exceed the costs. We note that
commenters did not address the Commission's assessment that service
providers would likely incur minimal to no costs to accommodate DIRS
reporting as DIRS form already requests filers to include data at the
county level. However, most parties commenting on the Commission's
proposed NORS modification support the NORS modification. For example,
NCTA supports this approach because it allows the Commission to limit
participating agencies' access to information about those outages that
occur within their jurisdiction. Furthermore, CenturyLink states that
also it prefers this approach, provided that the Commission does not
require state-specific impacts to be broken out for each reported
outage. This change in NORS reporting can be accomplished without
revising section 4.2 of our rules as section 4.11 of our rules already
requires that, inter alia, communications providers supply, in their
NORS filings to the Commission, information on the geographic area
affected by an outage using the Commission's approved Web-based outage
reporting templates. Here, the Commission is merely updating the form
of its templates to further facilitate jurisdiction-specific access.''
85. We note that NTCA ``recommends the Commission undertake a cost
benefit analysis of any proposed changes to the method in which
providers submit information into the NORS and DIRS systems to ensure
any burdens imposed on providers caused by having to modify the way
they report outages and any additional time needed to report outages to
meet any new requirements are outweighed by the benefit to public
safety.'' As we note above, we have performed this analysis and find
that the changes we adopt today ensure that the burdens imposed on
providers are outweighed by the public safety benefits of our
information sharing framework. We further acknowledge commenters'
proposals to include Tribal Nation agencies in the list of
jurisdictions for providers to choose from in NORS. However, we decline
to adopt these proposals because we find that it would be
administratively burdensome and difficult to continuously track the
full extent of existing Tribal Nation agencies to include and update in
NORS. However, we note that the approach we adopt above, to give Tribal
Nation agencies access to outage reports within the border of the state
where the Tribal land is located, would achieve the same goals in a
less burdensome manner.
86. Additionally, in the Second Further Notice, the Commission
asked, as an alternative, whether it should require service providers
to submit several state-specific filings instead of submitting single
aggregated filings for each outage that list all affected states. All
parties commenting on this issue disagree with this approach and assert
that it would increase reporting burdens on service providers. NASNA
notes that this proposal ``certainly seems less efficient and more time
consuming for the providers than making the proposed change to the
Commission's reporting form, but since the end result to the
participating state agencies is the same, NASNA leaves it to the
providers to express its preference on this matter.'' CoPUC's comments
echo NASNA's on this issue. Based on our review of the record, we are
persuaded by comments underscoring the burdens this approach would
impose on service providers and, thus, we decline to adopt it.
4. Limiting the Number of User Accounts per Participating Agency
87. Presumptive Limits on User Accounts. In the Second Further
Notice, the Commission proposed to presumptively limit the number of
user
[[Page 22809]]
accounts granted to a participating agency to five accounts for NORS
and DIRS access per state or Federal agency with additional accounts
permitted on an agency's reasonable showing of need. Furthermore, to
``reduce the reliance of any one agency on another by allowing each to
apply for direct access to NORS and DIRS filings,'' the Commission also
proposed, in the Second Further Notice, that the Commission review all
reasonable requests from state and Federal agencies, rather than
proposing a presumptive limit on the number of participating agencies
eligible for direct access to NORS and DIRS filings.
88. We adopt the Commission's proposals today as we find that that
they will limit access to NORS and DIRS information to the employees
that are intended to receive it and allow participating agencies to
identify misuse by specific employees. Colorado Public Utilities
Commission and NASNA recommend that the language of the Commission's
proposal be clarified to read that ``access should be up to five
employees per agency, not per state.'' We adopt this clarification
today for precision. We note that the majority of record commenters
support the Commission's proposal to presumptively limit the number of
user accounts, underscoring the Second Further Notice's assertion that
it is an important safeguard to minimize the potential for over-
disclosure of sensitive information. For example, ACA Connects notes
that implementing this measure will ``limit the risk of improper use or
disclosure of the data.'' However, we disagree with ATIS that we should
``better define what a `reasonable showing of need' would entail'' for
granting additional accounts to agencies. While some factors that we
expect could help demonstrate a reasonable showing of need include the
jurisdictional area that an agency serves or the number of public
safety functions for which it is responsible, we decline to require or
define specific factors and will decide all requests on a case-by-case
basis.
89. NASNA and the Colorado Public Utilities Commission support the
Commission's proposals to review all requests for direct access from
eligible agencies and not to restrict the number of potentially
participating agencies. Verizon argues that the ``Commission should
adopt a presumption that two agencies within a state may have access to
the reports,'' as it asserts this action ``would better reflect that
most states maintain both a single regulatory commission with some
public safety-related responsibilities and a statewide executive branch
emergency management agency.'' Verizon further argues that the
``Commission would have discretion to expand this number upon a good
faith showing as this governance structure may vary among states, but
reducing the presumptive number would help incent different state
agencies to coordinate their information gathering efforts in advance
of major outage events.''
90. We reject Verizon's proposal that the Commission adopt a
presumption that two agencies within a state may have access to NORS
and DIRS filings. We expect that participating agencies will indicate,
in their application for access, the legal authority that charges them
with promoting the protection of life or property. This showing will
allow us to best assess whether specific state agencies should have
access to these filings. We also find that allowing only two entities
to have access to NORS and DIRS filings could necessitate a competitive
process to determine which agency would get selected, which would delay
access, not have clear standards, and may lead to disharmony among
agencies that need to coordinate and cooperate. Additionally, we find
that granting access to all qualifying agencies will make each of those
entities more accountable to the Commission as they would have to bind
themselves to the program's requirements when signing the
certification.
91. Agency Assignment and Management of User Accounts. The Second
Further Notice proposed requiring that ``an agency assign each user
account to a unique employee and manage the process of reassigning user
accounts as its roster of employees changes.'' As we continue to find
that these proposals will minimize the improper use of NORS and DIRS
information and give participating agencies flexibility for managing
user accounts, we adopt them with certain modifications to further
strengthen our account management requirements. The Commission will
retain for its records the unique account identifiers associated with
each agency. We note that while ATIS specifically expresses support for
the Second Further Notice's proposal that agencies assign user accounts
to employees and manage the reassignment process for these accounts,
most commenters do not rebut the necessity of these proposals to
protect against improper disclosure. However, some industry commenters
propose placing additional limitations on agency access to prevent
improper use, which we adopt or reject infra.
92. AT&T recommends the Commission designate a ``coordinator'' to
be responsible for ``an agency's access to confidential NORS/DIRS
information,'' as it believes this will ``ensure that each potential
recipient has a `need to know' basis for access to the information, the
recipient understands the duty to maintain confidentiality, and the
information will be destroyed in a secure manner when there is no
longer a need to know.'' AT&T states that after designation ``the
coordinator would have the ability to approve additional requests for
access credentials for personnel from that agency,'' and that this
``approach would allow downstream sharing of information by the
coordinator who would be best positioned to ensure that recipients have
a `need to know.' '' AT&T further argues that a ``similar procedure has
worked well in the context of the 911 Reliability Certification
System,'' and states that for that procedure, ``the potential
information recipient sends a request to a designated FCC staff member
to receive coordinator status and these requests are handled on case-
by-case basis.'' No commenters oppose AT&T's recommendation.
93. We adopt AT&T's recommendation as we find that it would help
facilitate the efficient administration of our framework and provide
additional safeguards to protect NORS and DIRS data for the reasons it
describes. Therefore, we will require participating agencies, in the
Certification Form (Appendix C) we adopt today, to indicate the name
and contact information of their agency coordinator. We will require
this agency employee to serve as their agency's point of contact for
all matters related to their agency's framework access, including
managing agency accounts, submitting requests for additional user
accounts, coordinating downstream sharing consistent with our rules,
coordinating with the Commission to manage any unauthorized access
incidents, and taking reasonable efforts to make available for
Commission inspection a list of all localities for which the agency has
disclosed NORS and DIRS data.
94. Several commenters recommend the implementation of auditing and
reporting measures to minimize improper use. For example, ATIS
recommends that ``the Commission require states to conduct an internal
audit every six months . . . of individuals with access to determine
whether these accounts are still necessary and to require personnel to
regularly update passwords,'' and that ``the results of this audit
should be shared with the Commission.'' CTIA recommends that the
Commission ``develop a process for regularly
[[Page 22810]]
auditing accounts it has granted to public safety stakeholder agencies
and sharing the results of this process with providers that file
reports to NORS and DIRS.'' USTelecom proposes that the framework
``contain regular reports that provide a record of how many active
accounts are maintained by each agency and the number of reports
accessed by each,'' and that ``upon request, and in a reasonable time
frame,'' the Commission ``provide reports to carriers listing which
Federal or state government agency accounts have accessed their NORS or
DIRS outage data.'' Moreover, NCTA recommends suspending ``individual
user access if an individual has not accessed NORS or DIRS within a 12-
month period.'' We reject all commenters' auditing and report
production proposals as they would place undue obligations on the
Commission and participating agencies and could be financially
prohibitive. We further find that requiring the suspension of access to
users that are inactive over 12 months is too prescriptive. For
example, given the sporadic nature of disasters and emergency events,
users at some participating agencies might not access NORS and DIRS
filings for over a year.
95. Additionally, to increase account security, several parties
make proposals that recommend the tracking of how users access NORS and
DIRS filings. For instance, NTCA recommends requiring ``agencies
accessing the filings to track the name of the authorized individual
within the agency that accessed information and when.'' CTIA states
that the ``Commission should ensure that adequate tools are available
to aid investigations after data breaches,'' and opines that ``one such
tool is an audit log for the NORS and DIRS database, recording which
data was accessed, when, and by whom.'' NCTA recommends that
``reporting service providers should be able through online access to
obtain information identifying both the agencies and the user accounts
that accessed their information.'' We adopt CTIA's approach and will
develop auditing capabilities into NORS and DIRS that track which
reports specific users access and when they are accessed. We note that
no commenters oppose this approach. We believe this will allow the
Commission to maintain effective oversight as to how NORS and DIRS are
used, including following an incident involving unauthorized access. We
believe that this approach will be less burdensome on participating
agencies than the approaches recommended by NTCA and NCTA,
respectively. We acknowledge however the contentions of commenters who
have argued that service providers should have access to these logs so
that they can determine whether their data has been mishandled. We find
that service providers have a legitimate interest in ensuring that
their presumptively confidential data is handled appropriately even as
we remain wary that service providers could use such information to
burden participating agencies with queries based on the logs,
particularly during times of exigency. Therefore, we delegate authority
to PSHSB to consider written requests from service providers for access
to audit logs regarding their own records on a case-by-case basis and
to release requested information to the requesting service provider
only if PSHSB determines that doing so would be in the public interest.
A service provider's written request must explain the specific
circumstances that the provider believes warrants its access to audit
logs and identify, with particularity, the requested date ranges and
entities covered by in the request.
5. Training Requirements
96. In the Second Further Notice, the Commission proposed that each
individual granted a user account for direct access to NORS and DIRS
filings be required to complete security training on the proper access,
use of, and compliance with safeguards to protect these filings prior
to being granted initial access, and that this training occur on an
annual basis thereafter to make the framework more effective and reduce
the risk of over-disclosure of NORS and DIRS information. Furthermore,
the Commission sought comment on whether anyone who receives
confidential NORS and DIRS information, including downstream
recipients, be required to complete formal training. We adopt a
proposed training requirement today, and note that an overwhelming
number of commenters submit that some form of training is necessary for
participating agencies to ensure the appropriate uses of NORS and DIRS
data and minimize over-disclosure, and believe participating agencies
should certify that they have undertaken security training consistent
with the Commission's requirements. For example, the Public Service
Commission of the District of Columbia opines that it ``agrees with the
FCC and many commenters that training of authorized state agency staff
about NORS and DIRS reporting is important to ensure proper treatment
of NORS and DIRS information.'' The Competitive Carriers Association
states that it ``supports the Commission's proposal to mandate annual
security trainings to agency personnel accessing the data,'' and that
``considering the sensitive nature of NORS and DIRS data, regular
security trainings will help ensure safeguards are adhered to and that
information remains protected.''
97. We acknowledge that the Michigan Public Service Commission
states that it ``does not support the proposal for annual training
requirements as currently discussed in the FNPRM,'' as it contends that
if ``there are to be annual certifications to access NORS and DIRS
outage information, the MPSC believes that any required training should
be free of charge to applicants and centrally located or made available
online.'' The IACP also recommends that ``any required training be
accessible on-line and be time limited to that which is necessary to
cover the points required.'' As we decline to prescribe specific
training or platforms that agencies must use to facilitate training, we
respond to the Michigan Public Service Commission's concerns by noting
that we expect that the implementation of our training requirements, as
discussed below, will give agencies the opportunity to tailor training
programs to their unique needs, including considerations of cost.
98. Furthermore, in the Second Further Notice, the Commission
sought comment on whether anyone who receives confidential NORS and
DIRS information, including downstream recipients, should be required
to complete formal training. While we decline to adopt a formal
training requirement for downstream recipients, we will require
participating agencies to instruct downstream recipients to keep NORS
and DIRS information they receive as confidential and obtain a
certification from downstream entities that they will treat the
information as confidential.
99. We note that commenters are divided on this issue. For example,
while the Pennsylvania Public Utilities Commission and the Satellite
Industry Association maintain that downstream training should be
required to ensure that downstream recipients understand the
consequences of downstream sharing and to reduce the risk of the
mishandling of NORS and DIRS information. NASNA and the Colorado Public
Utilities Commission disagree. For example, the Colorado Public
Utilities Commission states that ``there are potentially hundreds of
individual agencies throughout the state that may have a ``need to
know'' during a disaster
[[Page 22811]]
or large-scale emergency, and requiring each of those agencies to have
individuals undertake a multi-hour training prior to receiving the
information is unreasonable,'' and further argues that it ``would also
be unduly burdensome for the participating state agency to keep track
of who has had training, who hasn't, and whether annual refresher
training has been maintained.'' As an alternative to downstream
training, the Colorado Public Utilities Commission and NASNA suggest
that a participating agency ``be allowed to develop an affidavit to be
signed by subrecipients prior to the receipt of confidential
information, acknowledging that they understand that un-anonymized data
is confidential and that it is not to be shared.''
100. We are persuaded by NASNA and the Colorado Public Utilities
Commission's assertion that a downstream training requirement would be
unreasonable, given the potentially hundreds of downstream entities
that might receive information through the framework. However, we find
that providing downstream access with insufficient safeguards could
amplify the possibility of unauthorized disclosure, particularly
because downstream entities will have less experience with protecting
NORS and DIRS data than participating agencies. Therefore, we also
agree with NASNA and the Colorado Public Utilities Commission's
alternative approach.
101. We will require participating agencies sharing data with
entities that have a ``need to know'' to instruct these entities that
they must treat the information as confidential, not disclose it absent
a finding by the Commission that allows it to do so, report any
unauthorized access, and securely destroy the information when the
public safety event that warrants its access to the information has
concluded. We delegate authority to PSHSB to develop a certification
for use by participating agencies. Furthermore, as we explain infra, we
will hold participating agencies responsible for inappropriate
disclosures of NORS and DIRS information by the non-participating
agencies with which they share it. We will also require participating
agencies to obtain non-participating agencies' certification, under the
penalty of perjury, that they will abide by these restrictions.
102. We note that NTCA ``encourages the Commission to adopt rules
requiring any local, state or Federal personnel with access to NORS and
DIRS filings sign a certification attesting they have undertaken
security training consistent with the Commission's recommendation . . .
and will access and use the information only for the public safety
purposes for which it is intended.'' We find that our downstream
training requirements that we adopt today, along with the required
Certification Form we discuss infra, provides for adequate training of
personnel, enables us to obtain appropriate acknowledgment from
agencies regarding their efforts to train employees on the appropriate
uses of NORS and DIRS information. Consistent with NCTA's proposal, the
Certification Form as described infra will require participating
agencies granted access to certify that they have completed security
training and will use NORS and DIRS information for public safety
purposes only. However, we decline to adopt this requirement for local
personnel through the Certification Form as we are not requiring
training for downstream entities granted access to NORS and DIRS
information by participating agencies, and we will require
participating agencies to obtain a separate certification from these
entities regarding the appropriate use of NORS and DIRS information as
described above.
103. Agency Compliance with Training Requirements. In the Second
Further Notice, the Commission sought comment on requiring third-party
audits to ``ensure that state and Federal agencies' training programs
comply with the Commission's proposed required program elements'' and
asked ``what specific steps should the Commission take, if any, to
ensure the adequacy of such programs.'' ATIS ``urges the Commission to
consider reviewing and formally approving all training programs to
ensure that they are effective and address all relevant issues.'' NASNA
and the Colorado Public Utilities Commission believe that in lieu of
requiring third-party audits of partner training programs,
participating agencies should provide a copy of their training
curriculum to the FCC. For example, NASNA states that if ``the FCC
requires reassurance that participating agencies are meeting training
requirements, those agencies could be required to provide a copy of its
training curriculum to the FCC and attest that all employees within the
agency are required to complete the training prior to applying for an
account,'' and that the ``same requirement could exist for the annual
refresher training requirement.''
104. We adopt a requirement, consistent with NASNA and the Colorado
Public Utilities Commission's proposal, to require participating
agencies to make copies of their training curriculum available for the
Commission's review upon request. We are persuaded that is approach
will be the most effective way for the Commission to confirm the
adequacy of state and Federal training programs, and mandate
remediation as necessary, without burdening participating agencies with
a requirement to procure third-party audits. We will not require
advance review and approval of agencies' training materials by the
Commission, as we find that doing so would be administratively
burdensome to the Commission and prevent efficient access to NORS and
DIRS information. We also find that requiring advance review is
unnecessary, as we believe that requiring agencies to certify to the
adequacy of their training programs, as discussed infra, is sufficient
to ensure that the plans' adequacy.
105. Training Program Required Elements and Exemplars. In the
Second Further Notice, the Commission proposed that rather than
mandating an agency's use of a specific training program, agencies
``develop their own training program or rely on an outside training
program that covers, at a minimum, specific topics or ''program
elements. These program elements are: ``(i) Procedures and requirements
for accessing NORS and DIRS filings; (ii) parameters by which agency
employees may share confidential and aggregated NORS and DIRS
information; (iii) initial and continuing requirements to receive
trainings; (iv) notification that failure to abide by the required
program elements will result in personal or agency termination of
access to NORS and DIRS filings and liability to service providers and
third-parties under applicable state and Federal law; and (v)
notification to the Commission, at its designated email address,
concerning any questions, concerns, account management issues,
reporting any known or reasonably suspected breach of protocol and, if
needed, requesting service providers' contact information upon learning
of a known or reasonably suspected breach.'' Additionally, the
Commission proposed ``that [it] direct PSHSB to identify one or more
exemplar training programs which would satisfy the required program
elements.'' We adopt these proposals today with slight modifications as
we continue to find that they are critical to ensuring participating
agencies' comprehensive understanding of our information sharing
framework. Specifically, we adopt a requirement that participating
agencies' training programs must cover the five program elements that
the Commission identified in the Second Further Notice; we enable
agencies to
[[Page 22812]]
develop their own training program or rely on an outside training
program that includes these program elements; and delegate authority to
PSHSB the duty to consult with diverse stakeholders to identify an
exemplar training program or develop exemplar training materials that
include these program elements.
106. We observe that ATIS, the only commenter specifically
addressing the proposed training program's required elements, supports
those elements. Moreover, some commenters underscore their belief that
to help facilitate uniformity of training materials and reduce burdens
on participating agencies, the Commission should identify exemplar
training programs that participating agencies can use in their efforts
to train staff on the proper uses of NORS and DIRS filings.
107. The Second Further Notice also sought comment on ``the
benefits and drawbacks to the Commission potentially working with one
or more external partners, such as ATIS, to develop exemplar training
programs.'' ATIS states that it would ``be happy to assist with
development of a training program,'' and would ``work collaboratively
with other associations so that this training would be completed within
a reasonable time after the release of the final rules.'' The Boulder
Regional Emergency Telephone Service Authority urges ``the Commission
to decline the ATIS's offer to develop training which ATIS proposes to
focus solely on limitations on use of the materials and penalties for
misuse,'' because it believes that ``training should'' ``focus on
interpretation and utility of data.'' Verizon states that training for
the confidentiality requirements it recommends ``would be appropriate,
in coordination with Commission staff, ATIS and public safety
stakeholders.'' Verizon also states that the framework safeguards it
supports in its comments ``should be another subject of the workshops
it recommends.''
108. We find that many stakeholders, including ATIS, possess
significant technical and operational expertise that could benefit the
Commission in the development of exemplar training. Thus, to identify
an exemplar training program or develop exemplar training materials,
the Commission delegates authority to PSHSB to consult with diverse
stakeholders with a range of perspectives, including state governments,
the public safety community, service providers, and other industry
representatives. We find that this approach will foster a collaborative
process to ensure training materials reflect the needs of all
information sharing framework participants. We note that ATIS also
recommends that the training specifically provide guidance on six
specific guidance topics. These topics are ``(1) The purpose of NORS
and DIRS; (2) Appropriate use of confidential and aggregated data; (3)
Who would be deemed to have a ``need to know;'' (4) What would qualify
as a public safety purpose; (5) Proper distribution and use of
printouts, including a requirement that users not delete the
notification proposed by ATIS informing readers that the information in
the document may be shared only with authorized users with a ``need to
know,'' only for public safety purposes, etc.; and (6) The requirement
that, should there be a known or suspect breach as noted above, the
party whose data was breached must be immediately notified.'' We
decline to adopt these recommendations at this time but note that ATIS
has the opportunity to recommend these specific guidance topics if it
works with the Commission and other stakeholders to develop exemplar
training materials.
109. Some commenters also suggest the Commission convene
stakeholder workshops, or facilitate other collaborative measures,
before initiating the sharing framework to further develop data sharing
protocol and other features of the framework as necessary. For
instance, Verizon contends that ``to ensure that any new rules are
implemented collaboratively among the service providers and government
agencies involved, the Commission should convene stakeholder workshops
in the months preceding adoption of final rules.'' Several other
commenters support workshops' proposals. According to Verizon, these
workshops could allow stakeholders to, in part, ``work through IT
implementation challenges to ensure compatibility with providers' and
state agencies systems,'' ``establish practices and guidance for
permissible uses and sharing of information with employees and local
government stakeholders,'' and ``help educate state and local
governments on the information not included in NORS and DIRS reports,
and on how service providers obtain information to include in the
reports.'' Verizon further opines that to establish practices for
downstream sharing and use of information, the Commission could
initiate ``workshops of its own'' and encourage ``other collaborative
discussions involving industry and public safety trade associations and
standards groups,'' and incorporate ``those practices into training.''
CTIA also argues that ``the Commission should convene a broad group of
subject matter experts to identify processes to protect data
confidentiality while advancing outage information sharing with public
safety stakeholders.'' Furthermore, AT&T recommends that ``before
initiating agency and public disclosures, the Commission should give
providers and government agencies the opportunity to review an example
of the information to be made available through this process,'' and
states that ``[i]t would be useful for the providers that submit
information to NORS/DIRS to see a mock-up format, any template, and
online access tools to be used so that they have an opportunity to
raise any concerns and recommend changes.'' AT&T also states that
``[s]imilarly, feedback from government agencies would ensure that the
Commission's final framework provides the state-specific information
sought by these parties, while potentially minimizing multiple
operationally redundant reporting regimes across providers' service
footprints,'' and ``[s]uch a collaborative process is most likely to
achieve the Commission's dual purposes of giving government agencies
useful information while also preserving confidentiality of sensitive
data.
110. We find that workshops are not an appropriate venue to develop
requirements for our framework as the open record has provided all
interested parties with an opportunity to comment on our, and other
parties', proposals in this proceeding. Thus, we reject all
recommendations that workshops be used, in any way, to develop our
framework rules, including rules regarding downstream and inter-
jurisdictional sharing. We further reject AT&T's proposal to enable
providers and participating agencies to review and provide feedback on
information to be made available through the framework before its
initiation. We expect that the exemplar training materials supplied to
agencies, which will be developed with the input of diverse
stakeholders, will provide information to help guide agencies on the
proper ways to access and use NORS and DIRS information, which they can
choose to integrate into any training materials they develop. However,
we delegate authority to PSHSB to host one or more workshops before the
effective date of the framework to educate stakeholders about NORS and
DIRS filings generally and the requirements we adopt today, including
our rules regarding the appropriate uses of NORS and DIRS data,
training measures, and aspects of IT implementation of the framework.
[[Page 22813]]
6. Sharing of Confidential NORS and DIRS Information
111. Responsibilities of Participating Agencies. In the Second
Further Notice, the Commission proposed to allow individuals granted
credentials for direct access to NORS and DIRS filings to share copies
of the filings, in whole or part, and any confidential information
derived from the filings within their agency, on a strict ``need to
know'' basis. We adopt this proposal.
112. Commenters generally support allowing individuals with direct
access credentials at a participating agency to share confidential NORS
and DIRS information with individuals within their agencies on a ``need
to know'' basis. We agree with the Pennsylvania Public Utility
Commission that this mechanism is especially important given the many
individuals involved in coordinating emergency response, many of whom
will not be credentialed for access, and we agree with T-Mobile that it
is prudent to ensure that non-participating agency officials are able
to receive NORS and DIRS information to steer their agency in improving
public safety outcomes. Moreover, we find the proposed approach to be a
practical way to enable the individuals who are credentialed to login
to our databases and thereby access NORS and DIRS filings to convey
this filed information to their agency's decision makers. We find
significant public safety benefits in ensuring that all ``need to
know'' individuals at any agency, including key executives, decision-
makers and potentially first responders, have access to NORS and DIRS
information and we find this will allow an agency to make collectively
informed decisions on how to use the information, ultimately lowering
rather than increasing the chance of misuse of the information.
113. We reject CTIA's contrasting view that restricting access to
credentialed users at an agency is a necessary safeguard for
encouraging service providers to provide robust disclosures of relevant
information in their NORS and DIRS filings. To the contrary, we find
that if credentialed users could not coordinate with non-credentialed
decision-making officials and other expert agency personnel on the
substance of NORS and DIRS reports, this would likely lead to more
instances of impermissible use and improper disclosure (and worse
public safety outcomes), rather than fewer instances. For example, if a
credentialed user cannot share NORS and DIRS information with
specialized emergency management experts within their own agency, they
would potentially use the information to make recommendations on public
safety matters that they are not qualified to make. If a credentialed
user cannot share NORS and DIRS information with agency decision-
makers, they would potentially make decisions on allocating resources
in response to a public safety threat that they would not have the
authority to make. We find that the risks of improper disclosure would
increase as credentialed users would be forced to work outside of their
agency's normal chain of command in acting on confidential NORS and
DIRS information. We believe that service providers will recognize that
this observation, along the many safeguards implemented today, provide
assurances the presumptively confidential NORS and DIRS filings the
supply to the Commission will continue to be protected, and we believe
that service providers will remain motivated in supplying robust NORS
and DIRS filings to resolve network reliability and outage issues, as
they have historically done. We note that service providers are
required to submit NORS reports that meet all the requirements of our
part 4 rules. While DIRS reporting is voluntary, our experience with
DIRS activations provides us with the insight that providers are likely
to provide complete DIRS reports in order to take advantage of the
Commission's waiver of the NORS reporting obligations in those regions
where DIRS has been activated.
114. We are also unpersuaded by NCTA's concern that ``increasing
the number of people who have access to the data inherently increases
the risk of breach or accidental disclosure'' because this conceptual
possibility of an increased risk is outweighed by the harms that arise
from disallowing intra-agency sharing, which would make it less likely
that an agency's staff and leadership will use NORS and DIRS
information to take action, thereby frustrating the purposes of the
information sharing framework we adopt today.
115. Based on concerns of commenters, we bar the sharing of
confidential NORS and DIRS information with contractors. While we
recognize that an agency's contractors can engage in public safety
functions in times of crises, we find that sharing with contractors
should be barred given the potential for conflicts of interest among
contractors, who may work on behalf of service providers as well as
public safety agencies. As no commenter has identified how NORS and
DIRS information can be shared in ways that would appropriately address
these potential conflicts of interest, we decline to make this
information available to contractors.
116. With respect to a participating agency's sharing of reports
with downstream entities (described infra), in the Second Further
Notice, the Commission proposed that the sharing agency determine
whether a ``need to know'' exists on the part of the recipient. We
adopt this proposal, which most commenters support without significant
comment. With regard to potential costs burdens, we reiterate that
participating agencies are not required to share NORS and DIRS
information but instead are permitting to do so. As previously noted in
the Second Further Notice, we find that this approach is appropriate
because the sharing agency is in a strong position, particularly in
comparison to the Commission, to make this determination based on its
``on the ground'' knowledge of the public safety-related activities,
and trustworthiness, of the downstream entities with which it elects to
share, e.g., based on its prior interactions with such agencies.
117. We reject ATIS's view that we should ``not leave it entirely
in the hands of state agencies to determine whether a local agency has
a `need to know' '' as ATIS believes this could result in misuse or
unauthorized access to the information. ATIS suggests a scheme where
agencies with direct access to NORS and DIRS would inform the
Commission of whom they may plan to share information with in advance
of a public safety event and we would then use this information to seek
input from filers, including objections, prior to any information
sharing. We find that the public safety benefits of our adopted
approach outweigh ATIS's concerns of misuse or improper access to NORS
and DIRS information. Our adopted approach ensures that decisions on
how to best resolve public safety problems are in the hands of those
closest to the issues (i.e., participating agencies). Requiring the
Commission receive notifications and solicit comments from filers, as
ATIS favors, creates delays in decision making that would make NORS and
DIRS information significantly less useful to participating agencies in
the context of exigencies. We instead agree with Colorado Public
Utilities Commission that participating agencies can make this decision
more effectively and quickly given their familiarity with on the ground
facts. Moreover, we find that the many safeguards that we have imposed
on downstream sharing today to be directly responsive to ATIS's
concerns as we believe they are sufficient to protect these sensitive
[[Page 22814]]
filings from misuse and unauthorized access.
118. We also reject ATIS's view that we should require that
participating agencies make advance arrangements with agencies they
choose to share downstream with (and that the Commission be notified of
the existence of these arrangements) prior to dealing with an on-going
public safety event. We are instead persuaded by the International
Association of Chiefs of Police's remark that these requirements would
present a ``barrier to access'' as they would consume additional
resources that agencies often do not have. We decline to require that a
participating agency make advance arrangements, or share at all, with
other entities in light of the burden concerns expressed in the record.
We find, however, that advance arrangements would likely reduce long
term burdens on all parties. We therefore encourage, but do not
require, participating agencies to make advance arrangements where they
deem it practical and in the interests of public safety to do so.
119. We reject the views of the International Association of Chiefs
of Police that we go further and require that participating agencies
share information with local police agencies having a ``need to know.''
While we share the view that police agencies play a vital role in
resolving many public safety issues, we decline to require
participating agencies share confidential NORS and DIRS information
with police agencies or any other local entity. We find that requiring
Federal, state, territory, and Tribal Nation agencies to share
information with other entities is incompatible with our decision today
to hold the participating agency accountable for the way information is
used by those entities. To maintain the reasonableness of this
accountability measure, we find it critical that participating agencies
be able to evaluate and select the entities (if any) with which they
share information. As a practical matter, however, we expect that
participating agencies will, in many cases, voluntarily share
information with police agencies when a ``need to know'' exists.
120. We also reject the views of NCTA and other commenters that a
participating agency should not be allowed to share directly with
others outside the agency on grounds that this would risk over-
disclosure. As noted above, we place safeguards on such direct sharing
that will minimize the risk of unauthorized disclosure, which we find
strikes an appropriate balance between disseminating NORS and DIRS
information to those who can act on it, thereby savings lives and
property, and protecting the sensitive nature of these filings. We also
reject ACA Connects' view that the ``need to know'' of a recipient must
be determined in advance of any sharing event (as opposed to in real-
time during the event). We find that this provision would likely create
significant and impractical delays in the transfer of critical
information to non-participating agencies, particularly during times of
severe exigency, and we find that the many safeguards that we've
introduced on direct sharing today appropriately balance disseminating
NORS and DIRS information with protecting the sensitive nature of these
filings.
121. In the Second Further Notice, the Commission proposed to allow
individuals granted credentials for direct access to NORS and DIRS
filings to share copies of particular filings, in whole or part, and
any confidential information derived from the filings outside their
agency on a strict ``need to know' '' basis. We adopt this proposal and
clarify that not only must there be a ``need to know'' for downstream
sharing, but that need must pertain to a specific imminent or on-going
public safety event.
122. Many state, local and industry commenters support allowing
credentialed individuals at a participating agency to directly share
confidential NORS and DIRS information with others outside their
agency, including individuals working for local entities, on a ``need
to know'' basis. We agree with Verizon and the City of New York that,
while state agencies are a good initial dissemination point,
effectively addressing public safety requires collaboration between
state agencies and local entities (among others). We also agree with
the Public Service Commission of the District of Columbia that this
proposal will ``assist in developing a coordinated response to a
disaster or other major outage,'' and with the Pennsylvania Public
Utility Commission, which supports this proposal as necessary to ensure
that information can be disseminated from participating agencies to
county emergency agencies, as they are often ``the key decision-makers
and first responders'' who need this information given their ``vital
role . . . in ensuring public safety during times of crisis.'' We find
that the proposed approach would provide a targeted and efficient way
to put relevant information in the hands of local entities while
minimizing the risk of over disclosure of confidential NORS and DIRS
information. We also find that the proposed approach would be an
effective way to ensure that PSAPs and 911 authorities that do not
qualify as participating agencies can obtain relevant NORS and DIRS
information.
123. We clarify, however, that not only must there be a ``need to
know'' for downstream sharing, but that it must pertain to a specific
imminent or on-going public safety event. Thus, in contrast with
today's restrictions on sharing within a participating agency, we
exclude a participating agency from sharing confidential information
downstream when a potential recipient is seeking to use the information
to identify trends and perform analyses related to long-term
improvements in public safety outcomes. Many commenters express
concerns that downstream sharing raises additional risks and would thus
appear to support today's decision to further restrict the conditions
on which it is permitted. We agree with commenters there is generally
less accountability and an increased risk of over-disclosure when NORS
and DIRS information is shared outside of those participating agencies
that have been granted direct access. We similarly agree with ATIS and
T-Mobile that the risks of improper use are heightened since outside
recipients are not directly accountable to the Commission through our
Certification Form (Appendix C). We find that these observations
justify our further restriction on a ``need to know'' in the context of
downstream sharing. Moreover, without this restriction in place, a
participating agency could simply share all (or vast amounts) of NORS
and DIRS filings with a non-participating agency on grounds of a
general ``need to know,'' which would frustrate our decision to limit
direct access to the many filings housed in our NORS and DIRS databases
to participating agencies only.
124. Responsibilities of Non-Participating Agencies. The Commission
proposed in the Second Further Notice to require that non-participating
agencies that seek NORS and DIRS information first provide
certification, to the supplying participating agency, that they will
treat the information as confidential, not publicly disclose it absent
a finding by the Commission that allows them to do so, and securely
destroy the information when the public safety event that warrants its
access to the information has concluded. We adopt this proposal while
also requiring that non-participating agencies certify that they have
completed security training using participating agencies' training
materials before being granted access to NORS and DIRS filings and
clarifying the meaning of ``secure'' destruction.
[[Page 22815]]
125. Some commenters, including state utility commissions that
would incur much of the burden associated with these proposals, agree
with the Commission's approach and find it workable. We agree with the
Pennsylvania Public Utility Commission that requiring a non-
participating agency's agreement to treat filings as confidential will
help maintain NORS and DIRS filers' trust in the confidentiality of
submitted information and ensure the continued success of our NORS and
especially voluntary DIRS programs. We also agree with both the
Colorado Public Utilities Commission and NASNA that each of these
requirements is workable and can be implemented in practice even if
they do impose some burden.
126. Moreover, while no commenter questioned what ``secure''
destruction would entail, we find that clarifying this term will
simplify implementation of this program for non-participating agencies
that are required to securely destroy information according to its
terms. We clarify that the secure destruction of confidential NORS and
DIRS information requires, at a minimum, securely cross-cut shredding,
or machine-disintegrating, paper copies of the information, and
irrevocably clearing and purging digital copies, when the public safety
event that warrants access to the information has concluded.
127. We reject the Colorado Public Utilities Commission's view that
a non-participating agency has a need to keep ``descriptions'' related
to NORS and DIRS information in their possession to the extent it would
violate our requirement for the secure destruction of the confidential
NORS and DIRS information after the conclusion of a public safety
event. We agree with Telecommunications Regulatory Bureau of Puerto
Rico's representation from its own practice, that such reports can (and
should) be ``general in nature'' and not reflect confidential NORS and
DIRS information. We find that to allow a non-participating agency to
keep more granular information on file is outweighed by the need to
restrict the dissemination of sensitive NORS and DIRS information.
128. As noted above, we will require downstream agencies to certify
that they have completed security training using participating
agencies' training materials before being granted access to NORS and
DIRS filings. We find that providing downstream access without any
safeguards could amplify the possibility of unauthorized disclosure,
particularly because downstream entities will have less experience with
protecting NORS and DIRS data than participating agencies.
129. Further downstream sharing. In the Second Further Notice, the
Commission proposed that the sharing of confidential NORS and DIRS
information be allowed further downstream as well. According to this
proposal, once an agency with direct NORS and DIRS access shared
confidential NORS and DIRS information with a recipient, that recipient
could further summarize and/or share the information with others that
also had a ``need to know.'' Based on the record before us, we decline
to adopt this proposal.
130. We find that the further downstream sharing proposal
implicates several legitimate concerns around the ability to safeguard
the confidentiality of the information and foster accountability among
individuals and entities that would receive information. We agree with
ACA Connects that the proposed approach would have made it hard to
control the flow of information and maintain accountability when
improper disclosure occurred. We agree with ATIS and T-Mobile that the
risks of improper use would be heightened if sharing were extended to
those further downstream, i.e., to those not closely associated with
agencies subject to our accountability measures, including as
signatories to our Certification Form (Appendix C). Moreover, while
some commenters suggest that these issues could be addressed through
the imposition of additional safeguards, such as instituting a
Commission ``coordinator'' (who would be responsible for releasing the
information that is to be shared downstream and ensuring that
recipients indeed have a ``need to know'') and allowing public comment
on a proposed disclosure-by-disclosure basis. We reject these views as
we find the proposed additional safeguards to be highly burdensome
since, by adding delay to decision making, they would significantly
diminish the value of the associated NORS and DIRS information in the
context of exigencies.
131. We reject the views of some local entities that believe that
the further downstream sharing proposal would be workable as-is. We
reject these views in the context of further downstream sharing. As
noted by the industry commenters, the Commission's further downstream
sharing proposal would require responsible practices not just by
participating agencies and those that are one ``hop'' removed from
these agencies, but from a larger set of entities potentially many hops
removed from the participating agency and generally not approved or
cleared by the participating agency (or the Commission) in advance. We
find that these public safety risks heighten, as do the difficulties of
identifying the source of impermissible disclosure as information
continues to be shared downstream with additional parties. Even if each
individual entity taken alone has strong incentives to protect NORS and
DIRS information, as Boulder Regional Emergency Telephone Service
Authority contends, the risk of improper disclosure increases as a
larger number of entities gains access to the information. To minimize
that risk at the launch of today's new information sharing framework,
we find that it is prudent to allow participating agencies to share
NORS and DIRS confidential information under the conditions established
in this order but not to allow further downstream sharing.
132. Penalties and Remedies. The Commission proposed in the Second
Further Notice to hold participating agencies responsible for
inappropriate disclosures of NORS and DIRS information by the non-
participating agencies with which they share it and noted that
consequences for improper disclosures by a participating agency or non-
participating agency (with which the participating agency shares
information) could result in termination of access to NORS and DIRS
data for the participating agency. We adopt this proposal. We find that
the risk of losing access is a necessary safeguard that will
incentivize participating agencies to make judicious selections up-
front on with whom they share NORS and DIRS information, if anyone.
133. In doing so, we reject the views of some commenters that
believe that it would be unfair and a disservice to terminate a
participating agency's access to NORS and DIRS information because of
the potential bad actions of a non-participating entity which it cannot
directly control. To further address the concerns in the record,
however, we confirm that in any decision to terminate access, and set a
length of time that the termination is effective, the Commission will
consider the totality of the circumstances, including the
reasonableness of the participating entity's decision to share
information with a non-participating agency, the severity of the misuse
of shared information, and the implementation of other appropriate
safeguards by the implicated participating agency.
134. To address concerns of record, to the extent that a
participating agency is unclear on whether specific downstream
individuals or entities have a ``need to know,'' despite the clarity we
[[Page 22816]]
have provided on the scope of the term in today's Order, we encourage
(but do not require) the agency to contact the Commission at
[email protected] to discuss its potential sharing
with the individuals and entities well in advance of a relevant public
safety event.
135. We reject NASNA's suggestion that when a participating
agency's direct access is terminated by the Commission, it be
terminated for exactly three years, as we find this to be an
unnecessarily rigid approach. We agree with Colorado Public Utilities
Commission and Montrose Emergency Telephone Service Authority that a
decision to terminate access need not be permanent.
136. We encourage participating agencies to proactively monitor and
terminate access to non-participating agencies when they find such
action warranted, but we reject Colorado Public Utilities Commission's
view that the Commission should defer to participating agencies on
termination decisions. The Commission has a strong incentive to
safeguard all NORS and DIRS information that it receives to ensure that
providers provide detailed reports on a nationwide basis.
137. The Commission will provide its remediation decisions,
including its reasoning and actions to be taken to hold the
participating agency accountable in a letter to the agency's
coordinator, which may also be released on the Commission's website. If
the Commission terminates an agency's access, the Commission will
specify in the letter the time duration of this penalty as well as any
conditions that must be met prior to reinstatement of access.
G. Procedures for Requesting Direct Access to NORS and DIRS
138. In the Second Further Notice, the Commission proposed
requiring eligible state, Tribal Nation and Federal agencies to apply
for direct access to NORS and DIRS filings by sending a request to the
Commission's designated email address and completing a Certification
Form. The request would include: (i) A signed statement from an agency
official, on the agency's official letterhead, including the official's
full contact information and formally requesting access to NORS and
DIRS filings; (ii) a description of why the agency has a need to access
NORS and DIRS filings and how it intends to use the information in
practice; (iii) if applicable, a request to exceed the proposed
presumptive limits on the number of individuals (i.e., user accounts)
permitted to access NORS and DIRS filings with an explanation of why
this is necessary and (iv) a completed copy of a Certification Form, a
template of which is provided in this item as Appendix C.'' On receipt,
the Commission would review the request, follow-up with the agency
official with any potential questions or issues. Once the Commission
has reviewed the application and confirmed the application requirements
are satisfied, the Commission would grant NORS and DIRS access to the
agency by issuing the agency NORS and DIRS user accounts. We adopt
these application procedures today, subject to the modification we have
discussed above to require applying agencies to identify legal
authority that charges them with promoting the protection of life or
property. We find that, generally, commenters opining on the proposed
procedures for requesting NORS and DIRS access raise no concerns with
them. For example, the Competitive Carriers Association opines that the
``FNPRM's proposed procedures for requesting data would help to ensure
data is accessed on a limited, as-needed basis.'' NASNA notes the
Second Further Notice's proposed ``procedure for potential
participating agencies to apply for direct access to NORS and DIRS
data,'' and states that it ``has no objections to the procedure
outlined.''
139. Other commenters urge additional modifications to the proposed
procedures, which we reject. For example, ACA Connects urges the
Commission ``to require agencies as part of their application to
explain precisely the public safety need that justifies access to NORS
or DIRS data, and to grant such access only to that extent necessary to
meet that need,'' and also argues that ``a participating agency should
be required to submit to the Commission the names of all individuals
with whom it will share the data, along with an explanation why each
individual ``needs to know'' the information.'' We decline to adopt
this proposal as we expect our application requirement that legal
authority be identified and certified to by agencies will address the
issue of public safety need and find that requiring agencies to submit
the names of all individuals with whom it will share data is inflexible
and disregards that agencies might not know the full extent of
individuals it will provide access to at the time of application.
Furthermore, we note that Verizon suggests that applications ``could
include point of contact information for localities seeking access to
information in the reports.'' We also reject this recommendation as our
application process is focused on reviewing the eligibility of agencies
under the sharing framework and ensuring that they will adhere to the
framework's safeguards and we defer to participating agencies to
determine whether and how they want to establish a point of contact for
requests by local agencies.
140. Moreover, some commenters propose that the Commission notify
service providers when a particular agency applies for access to allow
the provider to raise any concerns. For example, Verizon argues that
``if service providers have concern for the confidentiality protections
available in a particular state or have other issues appropriate for
the Commission's consideration, such notification would give the
service provider an opportunity to raise those concerns.'' We find
that, if implemented, this approach could lead to protracted disputes
between service providers and participating agencies and impede
efficient access to NORS and DIRS information. While Verizon does not
indicate what ``other issues'' could be raised for the Commission's
consideration through a notification process in its comments, the
Commission expects that its objective application process and its
safeguards for protecting the confidentiality of NORS and DIRS data
will help prevent improper use and disclosure.
141. Furthermore, we find that eligible agencies, which have public
safety duties, are unlikely to release sensitive information in ways
that undermine national security or other public safety purposes. These
agencies are also not in competition with service providers, and thus
lack anticompetitive motives to use the information improperly.
Moreover, we find that potentially contesting an agency's eligibility
under our framework could detract from service provider and public
safety resources that should be more immediately directed to using NORS
and DIRS information to improve public safety. However, we encourage
service providers to inform the Commission about any laws that would
prevent any eligible agencies in a jurisdiction from maintaining the
confidentiality of NORS and DIRS information, as well as any specific
concerns regarding participating agencies that may be improperly
accessing, using, or disclosing NORS and DIRS information.
142. Although we will not notify providers when an agency requests
access to NORS and DIRS information for the aforementioned reasons, we
find that providers should be kept apprised of the entities granted
direct access to NORS and DIRS filings to track the use of network
outage data. Therefore, we
[[Page 22817]]
will develop a general list of participating agencies granted access to
filings under our information sharing framework that will made
available to relevant service providers. This list will be updated on a
periodic basis. We delegate authority to PSHSB to develop, update, and
make available this list.
143. Certification Form. In the Second Further Notice, the
Commission proposed the adoption of a Certification Form ``to address
the certifications and acknowledgments required for direct access to
NORS and DIRS filings,'' and sought comment on the various elements and
requirements of the Certification Form. Based on our review of the
record, we adopt the proposed Certification Form today, with slight
modifications we discuss below, as we expect that it will provide for
adequate acknowledgment of the confidential nature of the NORS and DIRS
filings and help protect against the unauthorized use of NORS and DIRS
information. We note that several commenters support the proposed
Certification Form.
144. Many commenters offer various proposals for modifications
intended to strengthen the safeguarding of NORS and DIRS information by
requiring notice of data breaches to the Commission and service
providers. We agree with commenters that it will further public safety
to require participating agencies to certify that they will immediately
notify the Commission and affected service providers of data breaches
or the unauthorized or improper disclosure of NORS/DIRS data.
CenturyLink also comments that ``State and local agencies should be
required to immediately report to the service provider and the FCC any
unauthorized or improper disclosure of NORS/DIRS data.'' ACA Connects
further states that ``the Commission should require participating
agencies to notify the Commission and affected communications providers
in the event of a data breach, and should set forth appropriate
penalties, including revocation of the agreement, for an agency that
fails to protect or misuses the data,'' and that [a]t minimum, an
agency that demonstrates a pattern of misuse or improper disclosure of
NORS or DIRS data should be cut off from any further access.'' We find
that in addition to enabling service providers to minimize the negative
effects of improper disclosure, this modification to the Certification
Form would allow the Commission to quickly identify misuse of NORS and
DIRS information, further investigate violations of information sharing
rules, and, if necessary, restrict continued access by offending
participating agencies. NCTA also argues that ``as AT&T has previously
suggested, after any improper access to or use of NORS or DIRS data by
an employee, the Qualifying Governmental Agency should agree ``to
perform an investigation of that employee and report the results of its
investigation to the Commission and, possibly, to law enforcement.'' As
we expect that the approach we adopt today will enable the Commission
to coordinate the swift investigation of potentially improper uses of
NORS and DIRS data, which could include investigation of personnel at
participating agencies, we decline to adopt this proposal.
145. Other commenters make additional Certification Form proposals
intended to ensure confidentiality and the proper use of NORS and DIRS
filings, which we reject. We decline to adopt NCTA's recommendation
that the Commission require participating agencies ``to certify that
NORS and DIRS filings will not be accessed by individuals who are not
designated employees,'' or are no longer employed by the agency. We
note that non-participating agencies that receive NORS and DIRS
information from participating agencies will be required to complete a
certification that they will treat the information as confidential. We
also expect that the training and safeguard requirements we adopt today
will be sufficient to prevent unauthorized access to filings. We
further find that the addition of this provision could be confusing as
we note that pursuant to the rules we adopt today, participating
agencies can share copies of NORS and DIRS filings, within or outside
their participating agency. NCTA also recommends that a participating
agency certify that, among other things, it will only use NORS and DIRS
information for public safety responsibilities. ATIS also urges that
the Certification Form be modified to ``specifically require agencies
to certify that they have ``need to know'' this information and that
they agree to use this information only for public safety purposes.''
CenturyLink also agrees with NCTA that ``a certifying agency should
also describe ``how it intends to use the information in practice.'' We
further find that the limitations on NORS and DIRS data described in
the Certification Form--which requires agencies to certify that they
will comply with the restrictions we adopt today--and our application
procedures--including procedures that require agencies to identify the
legal authority that charges them with public safety responsibilities--
as adopted adequately address the remaining issues referenced in NCTA
and other commenter's proposals.
146. In addition to these arguments, some commenters urge the
Commission to adopt a certification process similar to the process the
Commission has implemented to grant state access to North American
Numbering Plan data, require state agencies to certify that they have
adequate confidentiality protections in place, or describe the
safeguards they have implemented to protect NORS and DIRS data. We
reject all proposals regarding these issues to the extent that they
differ from the provisions in the Certification Form we adopt today. We
note that the proposed Certification Form was modeled after the
certification that we require for access to North American Numbering
Plan data, but enhanced to protect NORS and DIRS information, which if
mishandled, implicates national security and competitive sensitivity
concerns. For example, the Certification Form requires agencies to
certify and acknowledge that NORS and DIRS filings are sensitive and
presumed confidential for national security and commercial
competitiveness reasons and report any suspected breaches to the
Commission immediately.
147. In addition, we will require agencies to certify that they
have implemented practical data protection safeguards including
assigning user accounts to single employees, promptly reassigning user
accounts to reflect changes as their rosters of designated employees
change, and periodically changing user account passwords to ensure that
user account credentials are not used by individuals who are not the
agency's designated employees. Furthermore, the requirements we adopt
today will obligate participating agencies to implement effective
confidentiality safeguards regardless of the level of safeguards that
exist in their states. For example, we require all participating
agencies to certify that they will ``treat NORS and DIRS filings and
information in accordance with procedural and substantive protections
that are equivalent to or greater than those afforded under Federal
confidentiality statutes and rules, including but not limited to the
Federal Freedom of Information Act,'' and to ``the extent that Federal
confidentiality statutes and rules impose a higher standard of
confidentiality than applicable state law or regulations provide,'' the
agencies must certify that they will ``adhere to the higher Federal
standard.''
[[Page 22818]]
148. Commenters also make proposals intended to ensure the
Certification Form clarifies the limitations of NORS and DIRS filings
and the scope of entities eligible to receive them. For example,
Verizon proposes that the Certification Form state that the recipient
of filings ``further acknowledges that information reported in DIRS and
NORS filings is subject to revision and correction by the reporting
service provider.'' However, we find that the proposed Certification
Form accounts for potential errors and inaccuracies in NORS and DIRS
filings by requiring participating agencies to ``acknowledge that the
Commission does not guarantee the accuracy of either the NORS or DIRS
filings.'' We note that providers can share revised and corrected
filings with us, which we will in turn make available to participating
agencies granted access to the framework. Additionally, ATIS proposes
that the Certification Form be modified to ``avoid confusion by
clarifying in the opening paragraph that state agencies may get access
only to reports for that state and cannot request nationwide filings.''
ATIS states that ``one way to achieve this would be replace the
bracketed language with ``[for state agencies, name of states; for
Federal agencies, name of states or nationwide].'' '' We agree with
ATIS that we should revise the Certification Form to clarify the scope
of entities that we intend to provide with access to our framework.
Therefore, we add bracketed language to the Certification Form to
indicate that states, the District of Columbia, Tribal Nations, and
U.S. territories may be granted access only for reports of outages
connected to their jurisdictions consistent with our rules.
149. We note that in addition to the Certification Form revisions
we describe above, and consistent with the requirements we adopt today,
we add an additional provision to the form to require the designated
agency contact for each participating agency to serve as the
coordinating point of contact for the agency consistent with the
requirements we have described.
150. Finally, in the Second Further Notice, the Commission proposed
to ``direct PSHSB to promulgate any additional procedural requirements
that may be necessary to implement the Commission's proposals for the
sharing of NORS and DIRS information, consistent with the
Administrative Procedure Act.'' The Commission also stated that ``we
foresee that such procedural requirements may include implementation of
agency application processing procedures, necessary technical
modifications to the NORS and DIRS databases (including, potentially,
modifications designed to improve data protection and guard against
unauthorized disclosure), and reporting guidelines to ensure that the
Commission receives the notifications identified in Appendix C.'' The
Commission sought comment on these proposals, and asked whether there
were additional safeguards it should adopt for the application process
or any other procedural requirements that would be necessary to
implement the Commission's proposals. No commenters addressed these
proposals or provided any evidence to rebut their necessity. Thus, we
adopt them and we are confident that PSHSB's technical and
administrative expertise will help facilitate the efficient
implementation of the information sharing framework to further enhance
public safety as contemplated by the rules we adopt today.
H. Effective Dates
151. In the Second Further Notice, the Commission proposed to have
the Public Safety and Homeland Security Bureau issue a Public Notice
that would (a) announce OMB approval of any new information collection
requirements that the Commission might adopt in modifying the DIRS and
NORS regime; and (b) set a date on which (i) service providers would be
required to conform any new filings in NORS and DIRS to any newly
adopted reporting protocols; and (ii) agencies could file certification
forms requesting access to those reports. Thus, direct NORS and DIRS
access would become available to eligible agencies as of the specified
date. Moreover, the Commission proposed that the date set by the Bureau
would be a date after the technical adjustments necessary to facilitate
sharing had been made to the Commission's NORS and DIRS databases. The
Commission tentatively concluded in the Second Further Notice that
adoption of this proposal would give interested agencies ample time to
prepare their certifications and give service providers sufficient time
to adjust their NORS and DIRS filing processes to conform with
technical changes required by today's final rule changes. While no
commenter opposed our proposals, we find it in the public interest to
adopt the proposals with one modification, i.e., to specify an
effective date, subject to extension, as part of today's decision.
152. We find that this approach provides the Commission adequate
time to implement the regime contemplated by today's rules and will
permit the Bureau time to account for contingencies, i.e., the
readiness of the databases and the OMB approval that facilitates the
implementation of the revised regime. Our experience in other contexts
informs our estimate that the NORS and DIRS database adjustments and
related transition to implement the new requirements will require
approximately 18 months. Accordingly, we set an effective date below of
September 30, 2022 for the revisions to section 4.2. We delegate
authority to the Public Safety and Homeland Security Bureau, which will
seek OMB review and make adjustments to the databases, to extend this
effective date if necessary by Public Notice published in the Federal
Register (e.g., if database adjustments take longer than we estimate
here or if the required OMB review of the modified information
collections under the new rule provisions is delayed).
IV. Procedural Matters
153. Final Regulatory Flexibility Analysis. The Regulatory
Flexibility Act of 1980, as amended (RFA), requires that an agency
prepare a regulatory flexibility analysis for notice and comment
rulemakings, unless the agency certifies that ``the rule will not, if
promulgated, have a significant economic impact on a substantial number
of small entities.'' Accordingly, the Commission has prepared a Final
Regulatory Flexibility Analysis (FRFA) concerning the possible impact
of the rule changes contained in this Second Report and Order on small
entities. The FRFA is set forth in Appendix B.
154. Paperwork Reduction Act Analysis. As described at paras. 83
and 84, supra, service providers will be required to make adjustments
to their NORS reporting processes, to accommodate the Commission's
adjustments to its NORS web-based form, pursuant to section 47 CFR 4.11
of the Commission rules. These adjustments and today's new requirement
that agencies file certification forms, pursuant to section 4.2, to
request access to NORS and DIRS reports, constitute a modified
information collection. They require that service providers modify
their NORS reporting processes to provide the Commission with
jurisdiction-specific reports and that participating agencies begin to
provide the Commission with certification forms and reports and
information related to known or reasonably suspected unauthorized use
or improper disclosure of confidential NORS and DIRS information. These
modified information collections will be submitted to the Office of
Management and Budget (OMB) for review under
[[Page 22819]]
section 3507(d) of the Paperwork Reduction Act of 1995 (PRA). OMB, the
general public, and other Federal agencies will be invited to comment
on the new or modified information collection requirements contained in
this proceeding. This document will be submitted to OMB for review
under section 3507(d) of the PRA. In addition, we note that, pursuant
to the Small Business Paperwork Relief Act of 2002, the Commission
previously sought, but did not receive, specific comment on how the
Commission might further reduce the information collection burden for
small business concerns with fewer than 25 employees. The Commission
does not believe that the new or modified information collection
requirements will be unduly burdensome on small businesses. Applying
these new or modified information collections will promote public
safety response efforts, to the benefit of all size governmental
jurisdictions, businesses, equipment manufacturers, and business
associations by providing better situational information related to the
nation's network outages and infrastructure status. We describe impacts
that might affect small businesses, which includes most businesses with
fewer than 25 employees, in the FRFA in Appendix B.
155. Further Information. For further information, contact Saswat
Misra, Attorney-Advisor, Cybersecurity & Communications Reliability
Division, Public Safety and Homeland Security Bureau, (202) 418-0944 or
via email at [email protected].
V. Ordering Clauses
156. Accordingly it is ordered that, pursuant to the authority
contained in sections 1, 4(i), 4(j), 4(o), 251(e)(3), 254, 301, 303(b),
303(g), 303(r), 307, 309(a), 309(j), 316, 332, and 403, of the
Communications Act of 1934, as amended, and section 706 of the
Telecommunications Act of 1996, 47 U.S.C. 151, 154(i)-(j) & (o),
251(e)(3), 254, 301, 303(b), 303(g), 303(r), 332, 403, and 1302, this
Second Report and Order in PS Docket No. 15-80 is adopted.
157. It is further ordered that the amendments of the Commission's
rules as set forth in Appendix A are adopted, effective September 30,
2022, as described at Sec. III.H, above.
158. The Commission will submit this Second Report and Order to the
Administrator of the Office of Information and Regulatory Affairs,
Office of Management and Budget, for concurrence as to whether these
rules are ``major'' or ``non-major'' under the Congressional Review
Act, 5 U.S.C. 804(2). The Commission will send a copy of this Second
Report and Order to Congress and the Government Accountability Office
pursuant to 5 U.S.C. 801(a)(1)(A).
Final Regulatory Flexibility Analysis
159. As required by the Regulatory Flexibility Act of 1980, as
amended (RFA), an Initial Regulatory Flexibility Analysis (IRFA) was
incorporated in the Amendments to Part 4 of the Commission's Rules
Concerning Disruptions to Communications, Second Further Notice of
Proposed Rulemaking (Second Further Notice). The Commission sought
written public comment on the proposals in the Second Further Notice,
including comment on the IRFA. No comments were received specifically
addressing the IRFA. This Final Regulatory Flexibility Analysis (FRFA)
conforms to the RFA.
A. Need for, and Objectives of, the Second Report and Order
160. In the Second Report and Order, the Commission adopts various
proposals made in the Second Further Notice adopted in February 2020.
We take specific steps to share the Commission's network outage and
infrastructure status information with state and Federal Government
agencies and others whose official duties make them directly
responsible for emergency management and first responder support
functions (i.e., have a ``need to know'').
B. Summary of Significant Issues Raised by Public Comments in Response
to the IRFA
161. No comments were submitted specifically in response to the
IRFA, however a few commenters expressed concerns about the estimated
costs to service providers discussed by the Commission in the Second
Further Notice. Despite these concerns however, none of the commenters
provided any cost data or analysis to support their concerns or rebut
the Commission's cost estimates in accordance with the Commission's
request for such data in the Second Further Notice. Similarly, while
some state agency and advocacy organizations expressed concerns that it
will be burdensome for voluntarily participating agencies to relay
information they retrieve from the NORS and DIRS databases to other
permissible ``downstream'' entities as allowed by the adopted
information sharing framework, none of these entities attempt to
quantify the costs associated with these activities.
162. Moreover, the Commission is unaware of any alternative
approaches with lower costs, nor have any been identified by
commenters, that would still ensure that the Commission promptly and
reliably learns of the actions described above that may lead to the
disclosure of NORS or DIRS-related information. Lessening the
promptness or reliability of notifications to the Commission would
disincentivize providers from supplying robust and fulsome NORS and
DIRS reports and therefore reduce the benefits that those filings would
provide to the Commission and participating agencies alike. We find
that this reduction in benefits would outweigh the expected modest cost
savings to those participating agencies that would be required to
provide notifications under the framework we adopt today.
C. Response to Comments by Chief Counsel for Advocacy of the Small
Business Administration
163. Pursuant to the Small Business Jobs Act of 2010, which amended
the RFA, the Commission is required to respond to any comments filed by
the Chief Counsel for Advocacy of the Small Business Administration
(SBA), and to provide a detailed statement of any change made to the
proposed rules as a result of those comments. No comments were filed by
the SBA.
D. Description and Estimate of the Number of Small Entities to Which
Rules Will Apply
164. The RFA directs agencies to provide a description of, and,
where feasible, an estimate of, the number of small entities that may
be affected by the rules adopted herein. The RFA generally defines the
term ``small entity'' the same as the terms ``small business,'' ``small
organization,'' and ``small governmental jurisdiction.'' In addition,
the term ``small business'' has the same meaning as the term ``small
business concern'' under the Small Business Act. A small business
concern is one which: (1) Is independently owned and operated; (2) is
not dominant in its field of operation; and (3) satisfies any
additional criteria established by the Small Business Administration
(SBA). Such entities include Interconnected VoIP services, Wireline
Providers, Wireless Providers--Fixed and Mobile, Satellite Service
Providers, and Cable Service Providers.
[[Page 22820]]
E. Description of Projected Reporting, Recordkeeping, and Other
Compliance Requirements for Small Entities
165. Service Providers. The rules adopted in the Second Report and
Order require service providers to make minor adjustments to their
existing reporting process to account for new or refined multistate
reporting for the NORS filings.
166. Voluntarily participating agencies. Pursuant to the
confidential protections adopted in the Second Report and Order,
voluntarily participating agencies, including those that are small
entities, will be required to notify the Commission when they receive
requests for NORS filings, DIRS filings, or related records, and prior
to the effective date of any change in relevant statutes of laws that
would affect the agency's ability to adhere to the confidentiality
protections that the Commission requires. Under the adopted information
sharing framework, voluntarily participating agencies will also be
required to submit to the Commission requests for direct access to NORS
and DIRS filings which include a description of why the agency has a
need to access NORS and DIRS filings (``need to know'') and how it
intends to use the information in practice. Agencies applying for
direct access to NORS and DIRS are required to demonstrate their ``need
to know'' by citing to legal authority, in the form of a statutes,
rules, court decisions, or other binding legal provisions, establishing
that it has official duties involving preparing for, or responding to,
an event that threatens public safety.
167. Additionally, participating agencies will be required to
implement initial and annual security training to each person granted a
user account for NORS and DIRS filings, and certify that they will take
appropriate steps to safeguard the information contained in the
filings, including notifying the Commission of unauthorized or improper
disclosure. In the event of any known or reasonably suspected breach of
protocol involving NORS and DIRS filings participating agencies will be
required to report this information to the Commission and all affected
providers immediately. Participating agencies will also be required to
maintain and make available for inspection, upon Commission request, a
list of all localities for which the agency has disclosed NORS and DIRS
data.
168. In the Second Report and Order, the Commission allows
participating agencies to share confidential NORS and DIRS information
within an outside the agency subject to certain limitations.
Participating agencies will also be required to execute an annual
attestation form certifying and acknowledging compliance with
requirements of the information sharing framework that the Commission
adopts.
F. Steps Taken To Minimize the Significant Economic Impact on Small
Entities, and Significant Alternatives Considered
169. The Commission has taken specific steps minimize costs for
both service providers and voluntarily participating agencies in the
NORS and DIRS information sharing framework adopted in the Second
Report and Order. The Commission did not make DIRS reporting mandatory
as urged by some commenters in the proceeding. Moreover, while the
Commission adopted changes to the NORS form filing to allow users to
select more than one state when submitting a request for NORS
information that modified the method in which service providers report
outage information in NORS, this change did not impose additional
levels of reporting to require disaggregation to provide a breakout of
state-specific impacts by submitting state specific filings We note
that service providers will not need to modify their DIRS reporting
processing to accommodate multistate reporting. To provide
participating agencies maximum flexibility and reduce potential costs
of compliance with the training requirements, rather than mandate an
agency's use of a specific training program, we adopted requirements
that allow agencies to develop their own training program or rely on an
outside training program that covers, at a minimum, a set of five
``program elements.''
170. In addition, rather than requiring third-party audits of
training programs to ensure that state and Federal agencies' training
programs comply with the Commission's proposed required program
elements, participating agencies are required to make copies of their
training curriculum available for the Commission's review upon demand
which will significantly minimize costs associated with the required
training programs. The Commission also declined to adopt a ``downstream
training'' requirement which would have required any entity receiving
NORS & DIRS information from a participating agency to complete formal
training. Similarly, the Commission declined to adopt a requirement for
participating agencies to obtain an affidavit on confidentiality from
local entities prior to receipt NORS and DIRS information. To further
assist and reduce the burden on small entities and other participating
agencies with meeting the training requirements the Commission adopted
in the Second Report and Order, the Commission will consult with
diverse stakeholders with a range of perspectives, including state
governments, the public safety community, service providers, and other
industry representatives to develop exemplar training materials, that
can be used by participating agencies to training their staffs on the
proper uses of NORS and DORS filings.
171. The Commission also declined to grant local agencies direct
access to NORS and DIRS considering among other things the burdens that
would result for local entities, many of which may be small entities.
Additionally, the Commission has adopted a single form to address the
certifications and acknowledgments required for direct access to NORS
and DIRS. The use of a single form, coupled with the fact that the
proposed certification form is similar to one that the Commission
currently requires for sharing sensitive numbering data with states
using FCC Form 477 data, should help minimize preparation time and
costs, specifically for those smaller agencies since these agencies
should be familiar with the existing requirements and have comparable
operational processes and procedures already in place.
Certification Form
Instructions: Please review and complete the form below. Please
send your completed form to [email protected]. On
review, the Commission will contact you to resolve any questions with
your application papers or issue your agency login credentials for
accessing NORS and DIRS.
[NAME OF AGENCY]
CERTIFICATION FORM FOR NORS AND DIRS SHARING
[your title]
[name of agency]
[address]
[address]
Dear Commission:
[Agency name] requests access to Network Outage Reporting System
(NORS) and Disaster Information Reporting System (DIRS) filings
involving [for states, the District of Columbia, or U.S.
Territories, the name of state(s) or jurisdiction(s); for Federal
agencies, the name of state(s) or nationwide; for Tribal nations,
the name of the Tribal Government or component thereof] (filings).
I hereby certify and acknowledge that I am authorized to act on
behalf of the [name of agency] and that [name of agency] is willing
and able to be bound by the terms and conditions provided in this
document.
[[Page 22821]]
On behalf of [agency name], I acknowledge and certify that
[agency name] agrees to the terms below.
I hereby certify and acknowledge that each user account is to be
assigned to a single employee and that [agency name] will promptly
reassign user accounts to reflect changes as its roster of
designated employees changes (e.g., due to employee departure and
arrival).
I hereby certify and acknowledge that [agency name] will change
user account passwords and take other reasonable measures to ensure
that user account credentials are not used by individuals who are
not [agency name]'s designated employees.
I hereby certify and acknowledge that NORS and DIRS filings, and
the information contained therein (collectively, NORS and DIRS
filings and information) are sensitive and presumed confidential for
national security and commercial competitiveness reasons.
I hereby certify that [agency name] will treat NORS and DIRS
filings and data as confidential under Federal and state Freedom of
Information Act statutes and similar laws and regulations and not
disclose them absent a finding by the Commission that allows [agency
name] to do so.
I hereby certify that [agency name] will treat NORS and DIRS
filings and information in accordance with procedural and
substantive protections that are equivalent to or greater than those
afforded under Federal confidentiality statutes and rules, including
but not limited to the Federal Freedom of Information Act. 5 U.S.C.
552(b)(4). To the extent that Federal confidentiality statutes and
rules impose a higher standard of confidentiality than applicable
state, U.S. territory, or Tribal law or regulations provide, I
represent that the [name of agency] is legally able to and will
adhere to the higher Federal standard. I agree that the [name of
agency] will notify the Commission, within 14 calendar days via the
email, [email protected], when [name of agency]
receives a request from a third party to disclose NORS filings and
DIRS filings, or related records, pursuant to a state's open record
laws or other legal authority that could compel [name of agency] to
do so. I agree to notify the Commission via the email,
[email protected], at least 30 calendar days
prior to the effective date of any change in relevant statutes of
laws that would affect [name of agency]'s ability to adhere to at
least the Federal confidentiality rules and statutes standard.
I hereby certify and acknowledge that the Commission's rules
place restrictions on the access to and use of NORS and DIRS filings
and information. I certify that I have reviewed and agree to comply
with the restrictions regarding information sharing as described in
part 4 of Title 47 of the Code of Federal Regulations.
I hereby certify and acknowledge that the [name of agency] will
adopt or develop a NORS and DIRS security training program, if it
has not already, that satisfies each of the required training
program elements identified at [cite to forthcoming Order], that the
[name of agency] will administer this training to each of its
designated employees prior to their access to NORS and DIRS filings
and information and then at least annually thereafter. The [name of
agency] will make copies of its training curriculum available for
the Commission's review upon demand.
I further acknowledge that [name of agency] will report
immediately to any affected service providers and to the Commission,
via the email [email protected] and
[email protected], any known or reasonably suspected breach of the
protocol specified in the training program or any other known or
reasonably suspected unauthorized use or improper disclosure of NORS
and DIRS information.
I further acknowledge that if [name of agency] needs contact
information for a provider, that [agency name] may request this
information from the Commission at
[email protected], and that this does not toll
[agency name]'s obligation to immediately notify any affected
service providers, using the best contact information known to
[agency name].
I acknowledge on behalf of [name of agency] that the Commission
does not guarantee the accuracy of either the NORS or DIRS filings
as both sets of filings are submitted to the respective web-based
databases by service providers pursuant to mandatory reporting
timeframes for NORS filings and voluntary reporting timeframes for
DIRS filings. Further, I acknowledge that there may be times access
to the filings is unavailable, e.g., due to planned or unplanned
service and maintenance.
I hereby certify and acknowledge that [agency name's] continued
access to NORS and DIRS filings and information is conditioned on
its annual recertification of a current version of this form,
available on the Commission's website. I acknowledge that the Public
Safety and Homeland Security Bureau (Bureau) of the Commission may
terminate [agency name]'s access at any time, and for any reason, by
giving written notice to [name of agency]. If access is terminated,
I agree that [name of agency] will, upon the Commission's
termination notice, cause to be securely destroyed any and all NORS
and DIRS filings and information or other data received pursuant to
this grant, whether electronic or hardcopy form.
I hereby certify and acknowledge that all the terms and
conditions provided in this document apply to past and future NORS
and DIRS filings and information.
I hereby certify that [employee name, title, phone number and
email address] will manage my agency's access to NORS and DIRS
filings by managing user accounts in accordance with the
Commission's rules; coordinating the downstream sharing of NORS and
DIRS filings; making available for Commission inspection a list of
all localities for which the agency has disclosed NORS and DIRS
data; coordinating with the Commission to manage an unauthorized
access incident; and answering any questions from the Commission
regarding my agency's access, use, or sharing of NORS and DIRS
filings.
I hereby certify and acknowledge my and [agency name]'s
obligation to inform the Commission if I cease to be the designated
representative of [agency name] with authority to obligate and bind
the agency to the statements above or if the employee listed above
ceases to be the designated agency contact.
I acknowledge that the Bureau makes no determinations about any
provisions of [name of state] law or agency regulations or your
statements about such provisions.
Sincerely,
[name and title of official], on behalf of
[name of agency]
Affirmed:
Lisa M. Fowlkes
Chief
Public Safety and Homeland Security Bureau
Federal Communications Commission
Exemplar Aggregated Data
Overview
The following provides general non-binding guidelines regarding how
to aggregate NORS and DIRS data, followed by examples of aggregated
NORS and DIRS data based on hypothetical information. The aggregated
data presented does not reflect the exact number of users affected by a
service provider's outage and is only used for situational awareness.
We remind agencies participating in our framework that failure to
properly aggregate data in accordance with the rules adopted in the
Second Order could lead to the improper disclosure of service
providers' confidential information and may result in termination of
their access to NORS and DIRS filings by the Commission. Participating
agencies with additional questions are urged to contact the Commission
for guidance.
General Aggregation Guidelines
Aggregation `Dos'
It is best to aggregate only NORS and DIRS information of
the same type (e.g., aggregate wireless data and wireline data
separately). If information is aggregated across different types, the
public release of this information should state the types of NORS or
DIRS information aggregated (e.g. ``This data includes wireless and
wireline data'').
It is best to aggregate 911 outages according to their
impact (e.g., 911 call delivery affected, only 911-caller location
information affected). If information is aggregated across different
types of 911 outages, the public release of this information should
note the approximate proportion of the effects (e.g., ``in most cases
only location information is affected'').
If aggregating NORS information, aggregate information
related to long-term trends using final reports only.
[[Page 22822]]
If aggregating NORS information from notifications or
initial reports, please be aware that this information may change as
service providers further remediate or investigate the outage. It is
recommended that agencies make clear that this information is only
preliminary and may change or be updated over time.
If several reported outages seem very large, it is good
practice to confirm the magnitude of the outage with the reporting
service providers prior to releasing any aggregated information about
them. In some instances, service providers may intentionally
overestimate the effect of an outage out of an abundance of caution.
Agencies should be aware of these circumstances prior to determining
what information would be appropriate to release to the public.
If an agency intends to aggregate the duration or the
number of users affected by multiple outages, reporting the median is
generally preferred over reporting the mean (average) because the mean
may be skewed by unrepresentatively high or low outliers.
When aggregating data for incidents occurring over a
period of time, use the incident date/time, not the creation date or
reportable date.
The frequency of NORS outage reports varies by season. If
aggregating for the purpose of comparing two time periods, it is
advisable that the time periods be of the same season of the year
(e.g., compare January to March 2020, to January to March 2019, but not
to July to August 2019.)
Be careful when aggregating outages with durations of all
9's that are greater than 99 (e.g., 999, 9999, 99999). These values can
be indicators that the outage is ongoing even though the report is
final. If in doubt, it is best to contact the reporting service
provider and/or exclude these outages from the aggregation.
Sudden increases or decreases in NORS reports may be the
result of reporting rules changes or other effects. If sudden changes
are noticed, the FCC should be consulted before data is made public. As
a corollary, personnel responsible for data aggregation should keep up
with any NORS rule changes.
Aggregation `Don'ts'
Do not release NORS data for a single outage, even if the
name of the service provider is not mentioned in the release.
Aggregation should always occur across at least four service providers,
meaning that in most instances, agencies cannot release aggregated
information about an ongoing outage.
Do not aggregate data over a geographic region which has
fewer than four service providers of that type in the region. For
example, if a county is served by only three wireless service
providers, do not report an aggregation of wireless outage data for
that county.
Do not aggregate NORS and DIRS data together.
Do not aggregate NORS data at a scope smaller than a
state, unless the reports you are aggregating all specify a smaller
region (e.g., a specific county or Tribal territory).
In NORS, do not aggregate non-service affecting outages
(i.e., OC3 Simplex outages) with service affecting outages.
Do not identify names of service providers as sources of
outage data.
Do not use the time zone data in NORS to determine outage
location. This data is used only to identify the time zone for the
incident time.
Do not include Special Facilities outage reports in any
aggregation.
Examples of Aggregated NORS and DIRS Data
NORS Example
The following table shows the total number of wireline users
affected by wireline outages in each state as reported by 4 companies
or more:
BILLING CODE 6712-01-P
[[Page 22823]]
[GRAPHIC] [TIFF OMITTED] TR29AP21.005
For the NORS aggregation example table below, the number of
wireline users affected from all reports above per state were added and
are presented in the total number of wireline users affected per state:
[GRAPHIC] [TIFF OMITTED] TR29AP21.006
[[Page 22824]]
DIRS Example
The following table shows the total number of cell sites were
affected by a disaster in each state as reported by 4 companies or
more:
[GRAPHIC] [TIFF OMITTED] TR29AP21.007
[[Page 22825]]
For the DIRS aggregation example table below, the number of cell
sites affected from all wireless reports above for each state were
added and presented in the total number of affected cell sites per
state in the table below. The percentage of cell sites out of service
were calculated by dividing the number of cell sites served by the
number of cell sites out of service for each state:
[GRAPHIC] [TIFF OMITTED] TR29AP21.008
List of Subjects in 47 CFR Part 4
Airports, Communications common carriers, Communications equipment,
Reporting and recordkeeping requirements, Telecommunications.
Federal Communications Commission.
Marlene Dortch,
Secretary.
Final Rule
For the reasons set forth above, part 4 of title 47 of the Code of
Federal Regulations is amended as follows:
PART 4--DISRUPTIONS TO COMMUNICATIONS
0
1. The authority citation for part 4 continues to read as follows:
Authority: 47 U.S.C. 34-39, 151, 154, 155, 157, 201, 251, 307,
316, 615a-1, 1302(a), and 1302(b); 5 U.S.C. 301, and Executive Order
no. 10530.
0
2. Section 4.2 is revised to read as follows:
Sec. 4.2 Availability of reports filed under this part.
Reports filed under this part will be presumed to be confidential
under Sec. 0.457(d)(1) of this chapter. Notice of any requests for
inspection of outage reports will be provided pursuant to Sec.
0.461(d)(3) of this chapter except that the Chief of the Public Safety
and Homeland Security Bureau may grant, without providing such notice,
an agency of the states, the District of Columbia, U.S. territories,
Federal Government, or Tribal Nations direct access to portions of the
information collections affecting its respective jurisdiction after the
requesting agency has certified to the Commission that it has a need to
know this information and has protections in place to safeguard and
limit the disclosure of this information as described in the
Commission's Certification Form for NORS and DIRS Sharing
(Certification Form). Sharing is restricted by the following terms:
(a) Requesting Agencies granted direct access to information
collections must report immediately to any affected service providers
and to the Commission any known or reasonably suspected unauthorized
use or improper disclosure, manage their agency's access to outage
reports by managing user accounts in accordance with the Commission's
rules, coordinate with the Commission to manage an unauthorized access
incident, and answer any questions from the Commission regarding their
agency's access, use, or sharing of reports.
(b) Agencies granted direct access to information collections may
share copies of the filings, and any confidential information derived
from the filings, outside their agency on a strict need-to-know basis
when doing so pertains to a specific imminent or on-going public safety
event. The agency must condition the recipients' receipt of
confidential NORS and DIRS information on the recipients'
certification, on a form separate from the Certification Form, that
they will treat the information as confidential, not publicly disclose
it absent a finding by the Commission that allows them to do so, and
securely destroy the information by, at a minimum, securely cross-cut
shredding, or machine-disintegrating, paper copies of the information,
and irrevocably clearing and purging digital copies, when the public
safety event that warrants access to the information has concluded.
(c) Except as permitted pursuant to paragraph (b) of this section,
agencies granted direct access to information collections may not share
filings, or any confidential information derived from the filings, with
non-employees of the agency, including agency contractors, unless such
sharing is expressly authorized in writing by the Commission.
(d) Agencies granted direct access to information collections may
disseminate aggregated and anonymized information to the public. Such
information must be aggregated from at least four service providers and
must be sufficiently anonymized so that it is not possible to identify
any service providers by name or in substance.
(e) Consequences for an Agency's failure to comply with these terms
may result in, among other measures, termination of direct access to
reports by the Commission for a time period to be determined by the
Commission based on the totality of the circumstances surrounding the
failure.
[FR Doc. 2021-07457 Filed 4-28-21; 8:45 am]
BILLING CODE 6712-01-C