FCC Expands Scope of CALEA Obligations

By Declaratory Ruling, the Federal Communications Commission has concluded that Section 105 of the Communications Assistance for Law Enforcement Act (“CALEA”) affirmatively requires telecommunications carriers to secure their networks from unlawful access to or interception of communications. This obligation applies to telecommunications providers, facilities-based broadband Internet access service (BIAS) providers and interconnected Voice over Internet Protocol (VoIP) service providers, which are all defined as telecommunications carriers under CALEA.

Historically, CALEA obligations have been limited to requiring telecommunications carriers to design their equipment, facilities and services to ensure they have the necessary surveillance capabilities to comply with law enforcement requests for information and allow law enforcement to conduct electronic surveillance while protecting the privacy of information outside the scope of the investigation. The FCC’s updated interpretation of CALEA places an additional general obligation on carriers to protect their networks, not just their “switching premises,” from unauthorized access to or interception of communications. The FCC suggests that under this new interpretation, carriers may fail to satisfy their obligations if they do not adopt certain basic cybersecurity practices, such as implementing role-based access controls, changing default passwords, requiring minimum password strength and adopting multifactor authentication, or if they otherwise fail to patch known vulnerabilities or employ best practices to protect against identified threats.

Concurrently, the FCC issued a Notice of Proposed Rulemaking (NPRM) proposing to require certain covered providers to certify, on an annual basis, to the creation, updating and implementation of cybersecurity and supply chain risk management plans. Covered providers broadly include facilities-based fixed and mobile BIAS providers, broadcast stations, cable systems, wireline video systems, wireline communications providers, commercial radio operators, interconnected VoIP providers, telecommunications service providers, satellite communications providers, commercial mobile radio providers, wireless resellers and Mobile Virtual Network Operators, covered 911 service providers, covered 988 service providers, and international section 214 holders.

If you have questions about the Declaratory Ruling, NPRM or cybersecurity in general, contact an attorney in our Privacy, Data Protection, and Cybersecurity practice groups.