The Cybersecurity and Communications Reliability Division (CCR) works with the communications industry to develop and implement improvements that help ensure the reliability, redundancy and security of the nation's communications infrastructure. CCR oversees and analyzes network outage reports submitted by communications providers to identify trends in network disruptions, and then works with communications providers to facilitate improvements to communications infrastructure reliability. CCR performs detailed technical studies of public safety and commercial communications systems during times of disaster to identify and share best practices for emergency preparedness and response.  Division staff also work with industry to improve cyber risk management in our sector.  CCR generally works through the following mechanisms:

 

The Communications Security, Reliability and Interoperability Council (CSRIC):

The Council is a federal advisory committee established at the direction of the Chairman of the Federal Communications Commission in accordance with the provisions of the Federal Advisory Committee Act, 5 U.S.C. App. 2.  The purpose of the Council is to provide recommendations to the FCC regarding actions it can take to improve security, reliability, and interoperability of communications systems. CSRIC’s recommendations focus on a range of public safety- and homeland security-related communications matters, including: (1) the reliability and security of communications systems and infrastructure, including mobile systems; (2) 911, Enhanced 911 (E911), and Next Generation 911 (NG911); and (3) emergency alerting.  CSRIC is currently operating under its fifth charter, which runs from March 19, 2015 through March 18, 2017.

 

Cybersecurity Best Practices

The best way to mitigate cyber risk is through persistent risk management processes that are baked into all levels of the corporate enterprise.  As Chairman Wheeler has recognized, voluntary commitments to address cyber risk in a structured manner are likely to be more effective than prescriptive regulatory checklists.  The Cybersecurity Risk Management Framework (Framework) developed by the National Institute of Standards and Technology (NIST) provides guidance to organizations for improving their cybersecurity risk management practices.  In March 2015, CSRIC presented recommendations to the FCC, based on the NIST Framework, to review cybersecurity risk across the communications sector.  Specifically, CSRIC recommended implementation guidance to help communication providers use and adapt the NIST Framework to the unique needs of all segments of the communications sector. 

 

Network Outage Reporting System (NORS): 

The FCC requires wireless, wireline, cable, and satellite communications providers of switched voice and paging communications, including VoIP services, to report information electronically about significant disruptions or outages to their communications systems that meet specified thresholds set forth in Part 4 of the FCC's rules, 47 C.F.R. Part 4. The Part 4 rules also require communications providers to report certain communications disruptions affecting specific aspects of 9-1-1 communications, special offices and facilities (e.g., major military installations) and communications at certain classes of airports. Given the sensitive nature of the Part 4 outage data to both national security and commercial competitiveness, this information is presumed confidential and protected from routine public disclosure. The rules were introduced along with a new secure, web-based reporting system, the Network Outage Reporting System.  The Public Safety and Homeland Security Bureau (PSHSB) coordinates with the FCC's Enforcement Bureau to ensure compliance with the outage reporting obligations.  On March 30, 2015, the Federal Communications Commission adopted a Notice of Proposed Rulemaking (NPRM) regarding proposals to update the Part 4 Outage Reporting rules to enhance the reliability and resiliency of the Nation’s communication system, in particular to strengthen the Nation’s 911 system. See Amendments to Part 4 of the Commission’s Rules Concerning Disruptions to Communications; New Part 4 of the Commission’s Rules Concerning Disruptions to Communications, PS Docket Nos. 15-80 and 04-35, Notice of Proposed Rulemaking, Second Report and Order, Order on Reconsideration, 30 FCC Rcd 3206.

 

Disaster Information Reporting System (DIRS):

DIRS is a voluntary, efficient, web-based system that communications companies, including wireless, wireline, broadcast, and cable providers, can use to report communications infrastructure status and situational awareness information during times of crisis. DIRS streamlines the reporting process and enables communications providers to share network status information with the Commission quickly and efficiently.  The FCC determines whether to activate DIRS in conjunction with FEMA, and announces to participating providers via public notice or email the area that will be covered by the activation and specifics about requested submissions.

 

911 Reliability Certification: 

In December 2013, the Federal Communications Commission adopted rules requiring 911 communications providers to take reasonable measures to provide reliable service, as evidenced by an annual certification.  The rules apply to “Covered 911 Service Providers,” defined as entities that (1) provide 911, E911, or NG911 capabilities such as call routing, automatic location information (ALI), automatic number identification (ANI), or the functional equivalent of those capabilities, directly to a public safety answering point (PSAP), or that (2) operate one or more central offices that directly serve a PSAP.  Covered entities must certify whether they have implemented specified best practices or reasonable alternative measures with respect to critical 911 circuit diversity, central office backup power, and diverse network monitoring.  Under phase-in procedures specified in the Commission’s Report and Order, an initial certification of at least 50 percent compliance with applicable certification requirements was due October 15, 2015.  Full annual certifications will be due October 15, 2016, and each year thereafter through the Commission’s online portal.  A list of frequently asked questions about the certification is available at https://apps2.fcc.gov/rcs911/911RCS_FAQ.html

 

 

Phone: (202) 418-2478

Email: pshsbinfo@fcc.gov

 

Jeffery Goldthorp, Acting Chief

Theodore Marcus, Deputy Division Chief

John Healy, Associate Chief

Updated: November 25, 2015