On March 18, the Federal Communications Commission (“FCC”) approved the Final Report on cybersecurity risk management and best practices issued by Working Group 4 (“WG4”) of its Communications, Security, Reliability, and Interoperability Council (“CSRIC”).  The CSRIC, currently in its fourth assembly, is an advisory committee tasked with providing recommendations to the FCC to achieve “among other things, optimal security and reliability of communications systems…”  The report was created in response to WG4’s mission to “develop voluntary mechanisms to provide macro-level assurance to the FCC and the public that communications providers are taking the necessary corporate and operational measures to manage cybersecurity risks across the enterprise.”  WG4 was also tasked with “providing implementation guidance” to sector members on the Cybersecurity Framework created by the National Institute of Standards and Technology (“NIST”) in February 2014.  This mission was widely understood from early in WG4’s existence to require the mapping of sector-specific best practices to the Framework.

The final report, which contains guidance for five “major” segments of the communications sector – wireless, wireline, broadcast, cable, and satellite – is intended to assist sector members to adapt the NIST framework to their segment-specific needs.  It contains considerable practical guidance, including mappings of segment-specific practices to the NIST Framework core, the group’s determinations of which categories and sub-categories of the Framework are in or out of scope for a particular segment, which in-scope categories and subcategories should be prioritized within each segment, and identification of the challenges of implementation and effectiveness for each applicable subcategory.  The report further contains use cases and advice specific to smaller entities.  It also contains extensive policy recommendations for the FCC, including on metrics, analysis of barriers to implementation of the NIST Framework, and the need for incentives.  With regard to metrics, which was one of the most anticipated elements of the report, CSRIC “recommends that the FCC adopt availability of the critical communications infrastructure as the meaningful indicator of cybersecurity risk management.”

The Final Report, at 415 pages, stands as one of the most in-depth engagements with the NIST Framework by a critical infrastructure sector to date.  The FCC has established clear expectations that the final report produced by WG4 must catalyze measurable improvement in cybersecurity practices across the communications sector.  FCC Chairman Wheeler has referred to WG4’s work as building a “new regulatory paradigm,” in which the FCC “relies on industry and the market first while preserving other options if that approach is unsuccessful.”  However, regulation could serve as a backstop if the voluntary efforts of the CSRIC are not sufficiently adopted throughout the industry, leading to measurable improvements.