Cybersecurity Tips for Telecommunications Carriers After FCC Updates


Telecommunications carriers that implemented cybersecurity plans in response to updated rules from the Federal Communications Commission (FCC) should take a proactive approach to support their programs for long-term success.

Explore tips your organization can take to help keep programs operating seamlessly.

Background on Cybersecurity Rules

In July 2023, the FCC issued rules for telecommunications carriers, specifically outlining cybersecurity requirements for those that chose to participate in the Enhanced Alternative Connect America Cost Model (E-ACAM) program.

The requirements stipulated that these carriers implement an operational cybersecurity and supply chain risk management plan (CSCRM), and submissions ended up being required in February 2024 after the rule was finalized and published.

Keep the Plan Operational

Now that the deadlines have passed and plans have been submitted, it’s time to start considering how to keep the plan operational throughout 2024 and beyond.

There are two categories of planned items:

  • Remediation
  • Annually recurring work

Remediation

Start by remediating any open items from building out the initial program and developing your corrective action plan. Depending on the gaps in the program, there are a few things to plan out.

Business Impact Analysis (BIA)

Assuming business continuity and disaster recovery plans need to be built, a BIA first needs to be completed. The BIA goes through your critical IT assets, identifies their importance, and predicts the consequences to your business if one or more of those assets are disrupted or compromised.

The BIA is completed first because it helps inform recovery strategies that are built into business continuity plans (BCPs) and disaster recovery plans (DRPs).

Incident Response Plans (IRP)

IRPs will also need to be completed. The IRP goes through the response process in the event an incident occurs. An incident could lead to using the BCPs or DRPs previously created, but not always. The IRP is there to provide a response guide, so in moments of panic or distress you won’t have to think about what should be done next—you can just follow the plan.

If your CSCRM plan was built against National Institute of Standards and Technology (NIST) cybersecurity framework (CSF) version 1.1, it’s time to start planning the upgrade to version 2.0, which was released in February 2024. FCC regulations require that plans be uploaded within 30 days of the plans being updated, which should take place within a reasonable timeframe following a standard update, like NIST CSF version 2.0.

The key for remediation work is the order of operations. The BIA must be completed before the BCPs and DRPs are created. IRPs can be built at any time. These activities should be completed before the CSCRM plan is updated.

Annually Recurring Work

Vulnerability scanning should be done at least quarterly (monthly is better) and should cover both internal and external-facing IT assets. Penetration testing should be done at least annually, and in one of the months in which vulnerability scanning is done. Vulnerability scanning helps inform penetration testing work, so doing them together will help.

Tabletop Tests

You should consider running tabletop tests for BCPs, DRPs, and IRPs. During a tabletop exercise, a scenario is drafted and read to the response team, who talks through the scenario to follow the process through to resolution.

Oftentimes teams will identify gaps in their response plans and can use those lessons learned to update the respective plan. If each plan can’t be tested annually, consider a rotation schedule so each is tested on a regular basis.

All cybersecurity plans should be updated, reviewed, and approved each year.

Once annual remediation is completed and plans are approved, it will be time to get the annual assessment completed. The Cybersecurity and Infrastructure Security Agency (CISA) Cybersecurity Performance Goals (CPGs) require an outside party to review these security controls each year.

The assessment will focus on the items that have been included in your cybersecurity plan, and ultimately becomes the feedback loop for how well the program is functioning. Findings from the assessment go into your corrective action plan, where they are managed and ultimately closed out.

With these items in place, the plan will be operational and simply needs to run.

We’re Here to Help

To learn more about FCC cybersecurity rules, get help with remediation work, or engage a third party to complete assessment work, contact your Moss Adams professional.
