Garvey Schubert Barer Legal Update, April 23, 2010.
The FCC has adopted a Notice of Inquiry seeking public comment on the proposed creation of a new voluntary cyber security certification program that would encourage communications service providers to implement a full range of cyber security best practices. See In the Matter of Cyber Security Certification Program, PS Docket No. 10-93, FCC 10-63, Notice of Inquiry (rel. Apr. 21, 2010).The FCC seeks comment on whether it should establish a voluntary program under which participating communications providers would be certified by the FCC or a yet-to-be-determined third-party entity for their adherence to a set of cyber security objectives and/or practices. It seeks comment on the components of such a program, and whether such a program would create business incentives for providers of communications services to sustain a high level of cyber security culture and practice. The FCC’s stated goals are (a) to increase the security of the nation’s broadband infrastructure; (b) to promote a culture of more vigilant cyber security among participants in the market for communications services; and (c) to offer end users more complete information about their communication service providers’ cyber security practices.
The FCC also seeks comment on, among other things, the strongest source of legal authority to create the proposed certification program; the benefits, advantages, disadvantages, and costs of the proposed voluntary incentives-based certification program; scope of participation in the certification program; the general cyber security objectives that would serve as the starting point for the program (i.e., secure equipment management, updating software, intrusion prevention and detection, and intrusion analysis and response); the role of the private sector; the overall framework for the certification criteria; and the structure of the security regime.
Comments in this proceeding are due 60 days after publication of the NOI in the Federal Register; reply comments are due 120 days following Federal Register publication.