Member Login


Forgot Password?
Need Login?

You are here: Home > News & Events > News > FCC Proposes New EAS…
Welcome, guest: Login to your account

FCC Proposes New EAS Cybersecurity Rules

posted on 10.10.2022

The FCC has released a Notice of Proposed Rulemaking meant to address Emergency Alert System (EAS) cybersecurity issues that have been uncovered in recent years.

Broadcasters may recall an August Federal Emergency Management Agency (FEMA) alert in which FEMA warned broadcasters of “certain vulnerabilities” in EAS encoder/decoder devices which, if not updated to most recent software versions, could allow an intruder to issue EAS alerts over the host infrastructure such as TV and Radio stations.

FEMA strongly encouraged broadcasters and other EAS participants to ensure that:

  • EAS devices and supporting systems are up to date with the most recent software versions and security patches; 
  • EAS devices are protected by a firewall; and 
  • EAS devices and supporting systems are monitored and audit logs regularly reviewed to discover unauthorized access.

FCC Chairwoman Jessica Rosenworcel followed FEMA’s warning with a September announcement that the FCC would seek to beef up the security of the U.S. EAS and WEA (Wireless Emergency Alerts).

Since some of what is proposed includes new information collection requirements, such changes to the rules would also need OMB approval before those portions of the rules can become effective. 

The Oct. 6 NPRM requires a commission adoption vote before a comment period would be scheduled.

It is tentatively listed on the agenda for the Oct. 27 FCC meeting.

The FCC proposes that if a new rule is adopted, compliance with the NPRM’s Cybersecurity Risk Management Plan commence 12 months after publication of OMB approval but asks whether small market EAS participants should be given an additional 12 months to comply. 

While it may take some time before any proposed rules are adopted, broadcasters should consider how the proposed changes could affect their operations.

Some of the proposals outlined in the FCC NPRM would increase broadcaster FCC obligations and could especially impact those stations in smaller markets with less staff.

The Principal Proposals

TAB has discussed the NPRM with attorneys Scott Flick and Lauren Lynch Flick of TAB’s FCC legal counsel, Pillsbury Winthrop Shaw Pittman. Here are the main proposals contained in the NPRM:

  • Required Reporting to the FCC of EAS Equipment Outages
    FCC is considering requiring participants to notify the FCC when EAS equipment fails, similar to broadcasters notifying the FAA when tower lighting fails in some way.  The NPRM asks numerous and searching questions about the causes of EAS equipment failures, the diligence of EAS participants in getting their equipment fixed, as well as the steps and costs involved in getting the equipment fixed. The FCC could also shorten the timeframe EAS participants have to fix broken EAS equipment.
  • Required Reporting to the FCC of Unauthorized Access of EAS Equipment 
    FCC proposes requiring EAS participants to report any incident of “unauthorized access” of a station’s EAS equipment to the FCC within 72 hours of when they knew or should have known that an incident occurred. 

“The FCC stated simply protecting just the EAS equipment from unauthorized access is not enough,” said Lauren Lynch Flick. 

“Reporting ‘unauthorized access to any aspects of an EAS Participant’s communications systems and services that potentially could affect their EAS capability’ would include the infrastructure that serves to prevent unauthorized access to EAS equipment such as firewalls and Virtual Private Networks (VPNs).”

“The NPRM proposes modifying the Network Outage Reporting System (NORS) to collect these two types of notifications, which would be a new system for broadcasters,” said Scott Flick. 

Also on the table – other means of notification such as email.

  • Developing, Implementing and Annually Certifying a Cybersecurity Risk Management Plan to Assure the Confidentiality, Integrity, and Availability of EAS
    The NPRM said at a minimum, a broadcaster would need to implement a plan that would “include security measures that address changing default passwords prior to operation, installing security updates in a timely manner, securing equipment behind properly configured firewalls or using other segmentation practices, requiring multifactor authentication where applicable, addressing the replacement of end-of-life equipment, and wiping, clearing, or encrypting user information before disposing of old devices.”  

As proposed, this certification would be collected from stations as part of the annual filing of FCC Form One in the EAS Test Reporting System (ETRS). 

“The FCC said that having and complying with the Cybersecurity Risk Management Plan would not serve as a safe harbor or excuse or any other diminishment of responsibility for negligent security practices,” said Flick. 

The Cybersecurity Risk Management Plan would have to cover all communications systems and services potentially affecting a station’s ability to provide EAS.

TAB will keep stations apprised of developments with this particular NPRM as they occur. 

Questions? Contact TAB’s Michael Schneider or call (512) 322-9944.
 

« Back to News Archive
« Back to Latest News