In an internally contentious ruling, the U.S. Federal Communications Commission (FCC) has rescinded a previous Commission action intended to hold telecommunications carriers legally responsible for implementing and certifying cybersecurity protocols.
According to an Order on Reconsideration issued in late November, the Commission called a January 2025 Declaratory Ruling by the Commission “based in part on the Declaratory Ruling’s flawed legal analysis,” thereby making it “unlawful and ineffective.” At the same time, the Commission also withdrew a Notice of Proposed Rulemaking (NPRM) that accompanied the Declaratory Ruling.
To support its decision, the Commission cited numerous efforts this year to strengthen cybersecurity measures for communications networks, including the establishment of a Council on National Security to advise the Commission on cybersecurity issues, and the adoption of targeted but flexible rules for communications providers.
The Commission also cited its recent efforts to ban what it calls “bad labs” from the FCC’s equipment authorization program.
However, the Commission’s Order faced critical pushback from at least one Commissioner, Anna M. Gomez, who said that “By rescinding previous efforts to strengthen our networks and offering nothing in their place, the FCC leaves the country less secure at the very moment when these threats are increasing.”
The FCC’s Order on Reconsideration on cybersecurity threats is available at https://docs.fcc.gov/public/attachments/FCC-25-81A1.pdf.
The FCC press release announcing the Order is available at https://docs.fcc.gov/public/attachments/DOC-415455A1.pdf.
And the press release detailing Gomez’ objections to the Order is available at https://docs.fcc.gov/public/attachments/DOC-415409A1.pdf.