A Federal Communications Commission (FCC) working group, Cybersecurity Risk Management and Best Practices Working Group 4 (WG4), of the Communications, Security, Reliability, and Interoperability Council (CSRIC) advisory committee issued its Final Report on March 18, 2015.1
The FCC renewed the charter of the CSRIC for the fourth time on March 19, 2013 for a period of two years. 2 One of the duties of the CSRIC from this Charter was to “[d]evelop and recommend best practices and actions the FCC can take to improve the security of mobile devices and networks.” 3 As part of discharging those duties, the CSRIC established working groups including WG4. 4 CSRIC WG4 set out to “develop voluntary mechanisms to provide macro-level assurance to the FCC and the public that communications providers are taking the necessary corporate and operational measures to manage cybersecurity risks across the enterprise.” 5
WG4 delivered its Final Report for proposed adoption by the FCC on March 18, 2015. 6 The recommendations of the WG4 Final Report promote the voluntary use of the NIST Framework, a framework for improving critical infrastructure released by NIST in February 2014, among all the communication sector members.7 The WG4 Final Report also sets out guidance to individual companies in implementing the NIST Framework, as well as additional sector-specific implementation resources.8
The WG4 Final Report sets forth three specific voluntary mechanisms to provide macro-level assurances that communications providers are appropriately managing cybersecurity risks.9 The three voluntary mechanisms are:
- FCC initiated confidential company‐specific meetings.
- Enhanced Sector Annual Report focusing on segment-specific cybersecurity risk management.
- Active participation in DHS C3 Outreach and Education. 10
Each of these voluntary mechanisms incorporates interaction with the DHS, the communications sector’s Sector Specific Agency (SSA).11
The WG4 Final Report recommends the establishment of a dedicated cross-enterprise cybersecurity risk governance function as a key objective for companies. It contains segment-specific guidance provided to broadcast, cable, satellite, wireless, and wireline companies through industry subgroups along with cyber risk management recommendations that apply to the sector across-the-board.12 Companies are urged to review the WG4 report and the NIST Framework and distribute copies of those documents to company officers and personnel whose duties encompass cybersecurity management.13 Companies are also urged to ensure that operators and vendors conduct their operations with cybersecurity diligence. Sharing of threat information throughout the sector is also encouraged.14
A comprehensive identification of sector-specific operation and technical resources to implement 98 subcategories of the NIST Framework is set forth in the WG4 Final Report.15 Segment reports include information such as identification of in-scope NIST Framework subcategories for certain segments including prioritization information.16 For example, the cable segment section contains 27 pages of information directed to address alignment of existing cybersecurity practices with the NIST Framework.17 An architectural model describing cable networks, services, and assets is presented first.18 The next part of the cable segment section identifies subcategories of the NIST Framework that are in-scope and provides a prioritization of each from Not Critical to Most Critical.19 The cable segment section also outlines a hypothetical profile of how to use 24 priority practices and augments them with expected outcomes—for example, a priority practice is inventorying physical devices and the anticipated outcome is a complete inventory of physical devices and systems in direct support of critical (core) infrastructure. 20 The subgroups for the other segments (broadcast, satellite, wireless, and wireline) each took their own approach but offered similarly detailed guidance that can be used by sector organizations to manage cyber risk.
The WG4 Final Report provides organizations in the sector with guidance to take the necessary steps to manage cybersecurity and thereby reduce risk. Should it be adopted by the FCC, the guidance would be voluntary but represents the work of a large number of sector participants in analyzing the NIST Framework and providing comprehensive sector-specific implementation recommendations. In addition, the WG4 Final Report sets forth mechanisms to facilitate the exchange of knowledge to aid in managing cyber risk.
On March 19, 2015, the FCC issued a Public Notice seeking Comment on three aspects of WG4 Final Report.21 Specifically, the FCC is seeking comments by May 29, 2015 on three issues:
- In what ways the recommendations are sufficient to meet the FCC's goal of reducing cybersecurity risk and in what ways they might be improved, augmented or made more specific.
- Comments on each of the three specific Voluntary Mechanisms enumerated above.
- What barriers, if any, would inhibit industry's effective application of the voluntary mechanisms throughout the WG4 Final Report? What differences exist based on factors such as size? How might these barriers be mitigated.
Sector companies should consider submitting comments pursuant to this notice.