Federal Communications Commission FCC 16-5 Before the Federal Communications Commission Washington, D.C. 20554 In the Matters of Amendment of Part 11 of the Commission’s Rules Regarding the Emergency Alert System Wireless Emergency Alerts ) ) ) ) ) ) PS Docket No. 15-94 PS Docket No. 15-91 NOTICE OF PROPOSED RULEMAKING Adopted: January 28, 2016 Released: January 29, 2016 By the Commission: Chairman Wheeler and Commissioners Clyburn, Rosenworcel and Pai issuing separate statements; Commissioner O’Rielly approving in part, dissenting in part and issuing a statement. Comment Date: (45 days after date of publication in the Federal Register) Reply Comment Date: (75 days after date of publication in the Federal Register) TABLE OF CONTENTS Heading Paragraph # I. INTRODUCTION.................................................................................................................................. 1 II. BACKGROUND.................................................................................................................................... 5 A. EAS.................................................................................................................................................. 5 B. WEA ................................................................................................................................................ 9 C. IPAWS........................................................................................................................................... 10 D. Social Media Alerting.................................................................................................................... 11 III. DISCUSSION ...................................................................................................................................... 12 A. Improving Alerting Organization at the State and Local Levels ................................................... 15 1. EAS Designations.................................................................................................................... 15 2. State EAS Plan Filing Interface (SEPFI)................................................................................. 23 3. State EAS Plan Contents ......................................................................................................... 33 B. Building Effective Community-based Alerting Exercise Programs .............................................. 59 1. Live Code Tests....................................................................................................................... 59 2. EAS PSAs ............................................................................................................................... 65 3. Accessible Alerting Exercises ................................................................................................. 69 C. Leveraging Technological Advancements in Alerting .................................................................. 75 1. Cable Force Tuning and Selective Override ........................................................................... 76 2. EAS on Programmed Channels............................................................................................... 85 3. EAS Alerting and Emerging Video Technology..................................................................... 88 4. WEA Alerts to Tablets ............................................................................................................ 92 5. Technological Potential for Improvements in Accessibility ................................................... 94 D. Securing the EAS........................................................................................................................... 97 1. Background ............................................................................................................................. 97 2. Improving EAS Network Security ........................................................................................ 108 Federal Communications Commission FCC 16-5 2 3. Confidentiality and Information Sharing............................................................................... 146 4. Reach of Proposed EAS Security Rules................................................................................ 158 5. Software-defined EAS Networking....................................................................................... 162 6. Preserving EAS Defense through Planned Diversity ............................................................ 175 E. Compliance Timeframes.............................................................................................................. 179 F. Legal Authority............................................................................................................................ 184 IV. PROCEDURAL MATTERS.............................................................................................................. 187 V. ORDERING CLAUSES..................................................................................................................... 192 APPENDIX A – Proposed Rules APPENDIX B – Initial Regulatory Flexibility Analysis I. INTRODUCTION 1. In this Notice of Proposed Rulemaking (Notice), we take the next step towards strengthening the nation’s public alert and warning systems, the Emergency Alert System (EAS) and Wireless Emergency Alerts (WEA), as community-driven public safety tools capable of ensuring that the public is able to receive and properly respond to alerts issued by alerting authorities, including the President of the United States of America (the President), in emergency situations. 1 Our proposals fall into four categories: 1) improving alerting organization at the state and local levels; 2) building effective community-based public safety exercises; 3) ensuring that alerting mechanisms are able to leverage advancements in technology, including IP-based technologies; and 4) securing the EAS against accidental misuse and malicious intrusion. 2. With respect to improving alerting organization at the state and local levels, we propose to adopt EAS designations that more accurately reflect the current roles and responsibilities of key EAS Participants. 2 We propose to streamline and update the State EAS Plan filing process by requiring State Emergency Communications Committees (SECCs) to file their Plans electronically in an online State EAS Plan filing system. 3 We further propose to adopt a standard online template for State EAS Plan 1 See 47 C.F.R. § 11 et seq. (containing the Commission’s Emergency Alert System (EAS) rules); see also 47 C.F.R. § 10 et seq. (containing the Commission’s Wireless Emergency Alerts (WEA) rules). See Review of the Emergency Alert System, EB Docket No. 04-296, Sixth Report and Order, 30 FCC Rcd 6520 (2015) (Sixth Report and Order) (adopting requirements to prepare the EAS for the second nationwide EAS test); Improving Wireless Emergency Alerts and Community-Initiated Alerting, PS Docket No. 15-91, Notice of Proposed Rulemaking, FCC 15-154 (PSHSB Nov. 19, 2015) (WEA NPRM) (improving WEA messaging, geo-targeting, and testing and seeking comment on other issues to improve WEA’s value proposition as a community alerting tool). With this action, we close EB Docket No. 04-296 for EAS proceedings and continue the use of PS Docket No. 15-94 for that purpose. 2 The Commission’s rules define EAS Participants as radio broadcast stations, including AM, FM, and low-power FM stations; digital audio broadcasting stations, including digital AM, FM, and low-power FM stations; Class A television and low-power TV stations; television broadcast stations, including digital Class A and digital low-power TV stations; cable systems; wireline video systems; wireless cable systems; direct broadcast satellite service providers; and digital audio radio service providers. See 47 C.F.R. § 11.11(a); Review of the Emergency Alert System; Independent Spanish Broadcasters Association, The Office of Communication of the United Church of Christ, Inc., and the Minority Media and Telecommunications Council, Petition for Immediate Relief; Randy Graham Petition for Rulemaking, EB Docket No. 04-296, Fifth Report and Order, 27 FCC Rcd 642, 646 ¶ 6 (2012) (Fifth Report and Order). 3 State Emergency Communications Committees (SECCs) are composed of emergency management personnel and volunteers from industry, and operate in each state and territory to prepare coordinated emergency communications systems and to develop state and local emergency communications plans and procedures for EAS alert dissemination in both the EAS Protocol and the Common Alerting Protocol (CAP), and for other public alert and warning systems the state may use in combination with EAS. See Fifth Report and Order, 27 FCC Rcd at 648 ¶ 10 (stating that CAP is an open, interoperable, XML-based standard that can include multimedia such as streaming audio or video). Federal Communications Commission FCC 16-5 3 content, to allow the SECCs to file plans that fully detail their strategy for delivering Presidential and other life-saving alerts in an evolving technological landscape. With respect to building effective community-based alerting exercise programs, we propose to expand the EAS testing regime to include “live” code tests as community public safety exercises, and to allow use of the EAS header codes and emergency alerting Attention Signal in Public Service Announcements (PSAs) by entities aiming to raise public awareness of, and alert initiator proficiency with EAS. We also emphasize the importance of reaching all community members in alerting exercises, including individuals with limited English proficiency and individuals with disabilities, and seek comment on how to best to ensure that community- based exercises address the needs of these individuals. 4 3. We also seek comment on several issues that reflect the extent to which evolving technologies are changing the alerting landscape. Specifically, we seek comment on whether to retain our current forced tuning and selective override provisions in light of stakeholder feedback and advances in technology. 5 Further, we seek comment on whether an EAS Participant cable or Internet Protocol Television (IPTV) provider should be required to deliver EAS alerts and tests over any channel, whether “programmed” or not, if it is controlled by the EAS Participant and viewable by the consumer. 6 Next, we seek comment on the extent to which EAS Participants offer over-the-top (OTT) versions of their broadcast, cable and other services, including live, “on demand,” and pre-recorded services, whether real- time EAS alerts (and only real-time EAS alerts, rather than previously recorded alerts) are provided over these services in a manner similar to the way such services are available over broadcast or set top box, whether consumers have any expectation that EAS would be available over EAS Participant OTT offerings, and what technical, policy or jurisdictional issues would need to be addressed in order to make EAS available over such services. Finally, we seek comment on the potential of technological advancements to improve alert accessibility. 4. With respect to alerting security, we propose to require certification of performance of required security measures pursuant to specific criteria that demonstrate implementation of the best practices recommended by the Communications Security, Reliability, and Interoperability Council (CSRIC) IV EAS Security Report. 7 We further propose to require reporting for false alerts and “lockouts.” 8 We propose to ensure that all alerts, especially those issued by the President, are properly 4 A “live” code, as distinguished from a “test” code, is a code that is used to indicate that an actual emergency is occurring. The EAS Protocol, which is the transmission format for all EAS alerts distributed over the legacy EAS, utilizes fixed header codes to identify various aspects of the alert. A “header code” is a parameter in the EAS Protocol that provides instructions to EAS equipment to, inter alia, identify the originator of the alert, the event giving rise to the alert, the location to which the alert is relevant, and the time period during which the alert is valid. See 47 C.F.R. § 11.31(c). 5 The terms “forced tuning” and “selective override” are defined below. See infra para.76. 6 Internet Protocol Television (IPTV) is a method of distributing television content over IP that enables a more customized and interactive user experience. SeeMargaret Rouse, IPTV (Internet Protocol Television), TECHTARGET, available at http://searchtelecom.techtarget.com/definition/IPTV (last visited Aug. 7, 2015). 7 CSRIC IV, Working Group Three, Emergency Alert System, EAS Security Subcommittee, Initial Report (2014), http://transition.fcc.gov/pshs/advisory/csric4/CSRIC_IV_WG-3_Initial-Report_061814.pdf (CSRIC IV Initial EAS Security Report). The CSRIC IV Initial EAS Security Report is the first of two reports in which CSRIC IV adopted recommendations of the CSRIC IV Working Group 3 on Emergency Alerting. See also CSRIC IV, Working Group Three, Emergency Alert System, EAS Security Subcommittee, Final Report, (2015), https://transition.fcc.gov/pshs/advisory/csric4/CSRIC_IV_WG3-EAS_SECURITY_FINAL_011316.pdf (CSRIC IV Final EAS Security Report). Both EAS security reports made recommendations that were adopted by CSRIC IV. The second EAS security report did not amend or modify any of the findings of the first report. 8 Generally, a “lockout” can occur as a result of a forced tuning error, such as when a cable set top box (STB) cannot return to normal operation due to the failure to receive an EOM signal or otherwise correctly process an EAS alert. Commonly, these scenarios involve protracted regular programming interruption due to an EAS alert that leaves (continued….) Federal Communications Commission FCC 16-5 4 authenticated and validated to protect against malicious or accidental misuse of alerting platforms. We also seek comment on whether there are additional measures that can leverage evolving technology to help make the EAS more secure and resilient, such as adoption of a software-defined networking approach to EAS infrastructure design, either via centralizing configuration and management of EAS, or by virtualizing EAS functions. 9 Finally, we seek comment on additional measures that may be necessary to ensure access to EAS devices and the Internet Protocol (IP) network that supports them are protected from malicious damage or compromise. II. BACKGROUND A. EAS 5. The EAS is a national public warning system through which EAS Participants deliver alerts to the public to warn them of impending emergencies and dangers to life and property. The primary purpose of the EAS is to provide the President with “the capability to provide immediate communications and information to the general public at the national, state and local levels during periods of national emergency.” 10 The EAS also is used to distribute alerts issued by state and local governments, as well as weather alerts issued by the National Weather Service (NWS). 11 The Federal Communications Commission (FCC or Commission), the Federal Emergency Management Agency (FEMA), and the NWS implement the EAS at the federal level. 12 6. The EAS is a broadcast-based, hierarchical alert message distribution system through which an alert message originator at the local, state or federal level encodes (or arranges to have encoded) (Continued from previous page) viewers unable to change their channels, and often require rebooting (by unplugging and re-plugging) the STB to resume normal programming. See also infra para. 132 (seeking comment on a proposed definition of “lockout”). 9 Software-defined Networking (SDN) is an emerging architecture that is dynamic, manageable, cost-effective, and adaptable, making it ideal for the high-bandwidth, dynamic nature of today's applications. This architecture decouples the network control and forwarding functions enabling the network control to become directly programmable and the underlying infrastructure to be abstracted for applications and network services. Implementations of SDN include centralized configuration and management, and network function virtualization. See OPEN NETWORKING FOUNDATION, SOFTWARE DEFINED NETWORKING DEFINITION, available at https://www.opennetworking.org/sdn-resources/sdn-definition (last visited Sept. 22, 2015). 10 47 C.F.R. § 11.1. Under the Part 11 rules, national activation of the EAS for a Presidential alert message, initiated by the transmission of an Emergency Action Notification (EAN) event code, is designed to provide the President the capability to transmit an alert message (in particular, an audio alert message) to the American public within ten minutes from any location at any time and must take priority over any other alert message and preempt other alert messages in progress. See Review of the Emergency Alert System, EB Docket No. 04-296, First Report and Order and Further Notice of Proposed Rulemaking, 20 FCC Rcd 18625, 18628 ¶ 8 (2005) (First Report and Order and Further Notice of Proposed Rulemaking). 11 EAS Participants are required to broadcast Presidential Alerts; they participate in broadcasting state and local EAS alerts on a voluntary basis. See 47 C.F.R. § 11.55(a); see also First Report and Order and Further Notice of Proposed Rulemaking, 20 FCC Rcd at 18628 ¶ 8. According to NWS, about 90 percent of all EAS activations are generated by NWS and relate to short-term weather events. See NATIONAL WEATHER SERVICE, NOAA’S NATIONAL WEATHER SERVICE (NWS) AND THE EMERGENCY ALERT SYSTEM (2014), available at http://www.nws.noaa.gov/nwr/resources/EAS_factsheet.pdf. 12 The respective roles of the Commission, FEMA, and NWS are defined in a series of executive documents. See 1981 State and Local Emergency Broadcasting System (EBS) Memorandum of Understanding Among the Federal Emergency Management Agency (FEMA), Federal Communications Commission (FCC), the National Oceanic and Atmospheric Administration (NOAA), and the National Industry Advisory Committee (NIAC), reprinted as Appendix K to Partnership for Public Warning Report 2004-1, The Emergency Alert System (EAS): An Assessment; see also Assignment of National Security and Emergency Preparedness Telecommunications Functions, Exec. Order No. 12,472, 77 Fed. Reg. 40779 (2012); Memorandum, Presidential Communications with the General Public during Periods of National Emergency, The White House (Sept. 15, 1995). Federal Communications Commission FCC 16-5 5 a message in either the EAS Protocol or the Common Alerting Protocol (CAP). 13 If an alert originator, such as the NWS, initiates an alert using the EAS Protocol, 14 it is transmitted from one EAS Participant to another in a process that is often referred as the “daisy chain.” A diagram of the daisy chain process is included below. Figure 1: EAS Protocol Alert Distribution Diagram 7. As of June 30, 2012, authorized emergency alert authorities also have been able to distribute EAS alerts over the Internet to EAS Participants (who in turn deliver the alert to the public) by formatting those alerts in CAP, 15 and delivering those alerts through the FEMA-administered Integrated Public Alert and Warning System (IPAWS) Open Platform for Emergency Networks (IPAWS-OPEN). 16 CAP is an open, interoperable standard developed by the Organization for the Advancement of Structured Information Standards (OASIS), and incorporates a language developed and widely used for web documents. 17 CAP-formatted alerts can include audio, video or data files; images; multilingual translations of alerts; and links providing more detailed information than what is contained in the initial 13 See infra para. 7 (discussing CAP in greater detail). 14 See 47 C.F.R. § 11.31. Under the EAS Protocol, an EAS alert uses a four-part message: (1) preamble and EAS header codes (which contain information regarding the identity of the sender, the type of emergency, its location, and the valid time period of the alert); (2) audio Attention Signal; (3) audio message, if included by the alert originator; and (4) preamble and “end of message” (EOM) codes. See 47 C.F.R. § 11.31(a). The EAS Protocol is identical to the Specific Area Message Encoding (SAME) digital protocol used by NWS for weather alerts. See Independent Spanish Broadcasters Association, the Office of Communication of the United Church of Christ, Inc., and the Minority Media and Telecommunications Council, Petition for Immediate Relief; Randy Gehman Petition for Rulemaking, EB Docket No. 04-296, Third Further Notice of Proposed Rulemaking, 26 FCC Rcd 8149, 8154 ¶ 5 (2011). 15 See Review of the Emergency Alert System; Independent Spanish Broadcasters Association, the Office of Communication of the United Church of Christ, Inc., and the Minority Media and Telecommunications Council, Petition for Immediate Relief; Randy Gehman Petition for Rulemaking, EB Docket 04-296, Fourth Report and Order, 26 FCC Rcd 13710, 13719 ¶ 20 (2011) (Fourth Report and Order). 16 See infra Section II.C (discussing IPAWS and IPAWS-OPEN in further detail). 17 See Fifth Report and Order, 27 FCC Rcd at 648 ¶ 10. CAP messages contain standardized fields that facilitate interoperability between and among devices, and are backwards-compatible with the EAS Protocol. See id. Federal Communications Commission FCC 16-5 6 alert (such as streaming audio or video). 18 An EAS Participant that receives a CAP-formatted message can utilize its contents to generate messages in synchronous audio and visual formats, which can then be broadcast to local viewers and listeners. 19 CAP also provides each alert with a unique alert identifier and supports alert authentication through the provision of a digital signature and an encryption field that enables greater protection of the CAP message. 20 Figure 2: CAP Alert Distribution Diagram 21 8. The manner in which each EAS Participant is required to operate within the state alerting systems that comprise the overall national alerting system is reflected in a State EAS Plans, the structure for which is codified in the Commission’s EAS rules. 22 The entities that draft these plans, SECCs and Local Emergency Communications Committees (LECCs), respectively, are composed of EAS Participants, emergency management personnel and other volunteer stakeholders. SECCs and LECCs 18 See id.. However, any data contained in a CAP-formatted message beyond the EAS codes and audio message (if present), such as enhanced text or video files, can be utilized locally by the EAS Participant that receives it, but cannot be converted into the EAS Protocol and thus cannot be distributed via the daisy chain process. The Part 11 rules reflect this reality. See, e.g., 47 C.F.R. §§ 11.51(d), (g)(3), (h)(3), (j)(2). 19 See 47 C.F.R. §§ 11.51(d), (g)(3), (j)(2). 20 See OASIS, COMMON ALERTING PROTOCOL VERSION 1.2 (2010), available at http://docs.oasis- open.org/emergency/cap/v1.2/CAP-v1.2-os.html (last visited Oct. 19, 2015). 21 As indicated in the EAS Plan filed by the Washington State SECC, alert originators can augment or bypass use of IPAWS by originating local weather EAS alerts in CAP for distribution by State EAS CAP Aggregators, as depicted above. EAS Participants monitor the State CAP Aggregator for state and local weather alerts in addition to their two traditional monitoring assignments. 22 See 47 C.F.R. § 11.21. Federal Communications Commission FCC 16-5 7 operate in each state and territory to prepare coordinated emergency communications systems and develop state and local emergency communications plans and procedures for EAS alert dissemination in both the EAS Protocol and CAP, as well as other public alert and warning systems the state may use in combination with EAS. 23 SECCs grew out of a directive in Executive Order No. 11,092 that tasked the Commission with overseeing the development, structure, and administration of national, state and local plans relating to the Emergency Broadcast System (EBS). 24 The Commission has traditionally provided SECCs with templates for State EAS Plans that describe the kinds of information that their plans should provide. 25 The nationwide EAS distribution architecture for a Presidential Alert is derived from the aggregation of state-based EAS distribution architectures, as memorialized in State EAS Plans. B. WEA 9. In 2008, pursuant to the Warning, Alert and Response Network (WARN) Act, 26 the Commission adopted rules allowing Commercial Mobile Service (CMS) Providers to voluntarily deliver timely and accurate emergency alerts to subscribers’ mobile devices. 27 Since WEA was launched on 23 See FEDERAL COMMUNICATIONS COMMISSION, PLAN FOR THE EMERGENCY BROADCAST SYSTEM (EBS) (1964). These committees also have other responsibilities, including the establishment of EAS testing programs, as discussed in further detail below. See infra para. 34 (discussing the Commission’s expectations for SECCs). 24 Assigning Emergency Preparedness Functions to the Federal Communications Commission, Exec. Order No. 11,092, 63 Fed. Reg. 2216 (1963). In 1976, the FCC, in conjunction with the Defense Civil Preparedness Agency (DCPA), the National Weather Service (NWS), the National Oceanic and Atmospheric Administration (NOAA) and the National Industry Advisory Committee (NIAC) signed a subsequent Memorandum of Understanding to promote efforts to develop state and local plans for voluntary use of EBS for local disasters. Federal Communications Commission, National Weather Service, Defense Civil Preparedness Agency, National Industry Advisory Committee, Plan for Nationwide Use of the Emergency Broadcast System for State and Local Emergencies (June 28, 1976) (renaming State Industry Advisory Committees (SIACs) as “State Emergency Communications Committees (SECCs)” and Local Industry Advisory Committees (LIACS) as “Local Emergency Communications Committees (LECCs)”). FCC responsibilities in the Plan included ensuring that EBS was operational and available at the state and local level, for immediate activation, coordination of expanded usage of the EBS for local emergencies with other Federal, State and local government agencies, development, coordination and preparation for distribution procedures to permit designated government officials to issue emergency warning information and instructions, including guidance for authentication procedures to ensure that only bona fide and approved individuals or activities may request activation, and finally maintaining and updating specific local EBS procedures as addenda to State EBS Plans. See CSRIC IV, WORKING GROUP THREE, EMERGENCY ALERT SYSTEM, STATE EAS PLANS SUBCOMMITTEE, FINAL REPORT 17 (March, 2014), available at https://transition.fcc.gov/pshs/advisory/csric4/CSRIC_IV_WG3_EAS_Plans_Final_Report_032514.pdf (last visited Aug. 6, 2015) (CSRIC EAS State Plan Report); see also Amendment of Part 73, Subpart G, of the Commission’s Rules Regarding the Emergency Broadcast System, FO Docket Nos. 91-301, 91-171, Report and Order and Further Notice of Proposed Rulemaking, 10 FCC Rcd 1786, 1834 ¶¶ 132-35 (1994) (communicating new expectations for SECC organization and governance, and noting the increased importance of State EAS Plans under the EAS because they specify which alerts will be transmitted by key EAS sources in each state and local area in a system where voluntary participation in state and local alerting was growing in popularity). 25 See FEDERAL COMMUNICATIONS COMMISSION, NATIONAL WEATHER SERVICE, DEFENSE CIVIL PREPAREDNESS AGENCY, NATIONAL INDUSTRY ADVISORY COMMITTEE, PLAN FOR NATIONWIDE USE OF THE EMERGENCY BROADCAST SYSTEM FOR STATE AND LOCAL EMERGENCIES 12 (1976). LECCs were given essentially the same responsibilities as SECCs for the local area in which they operated. See id. 26 On October 13, 2006, the President signed the Security and Accountability for Every Port (SAFE Port) Act into law. Title VI of the SAFE Port Act, also known as the WARN Act, establishes a process for the creation of a national mobile alerting system, now known as WEA, whereby Participating CMS Providers transmit emergency alerts to their subscribers. See Warning, Alert and Response Network (WARN) Act, Title VI of the Security and Accountability For Every Port Act of 2006, Pub. L. No. 109-347, 120 Stat. 1884 (2006) (WARN Act). 27 See 47 C.F.R. § 10; see also The Commercial Mobile Alert System, PS Docket No. 07-287, First Report and Order, 23 FCC Rcd 6144 (2008) (WEA First Report and Order); The Commercial Mobile Alert System, PS Docket (continued….) Federal Communications Commission FCC 16-5 8 April 7, 2012, 28 the system has been used to issue over 21,000 emergency alerts, including severe weather warnings, evacuate and shelter-in place alerts, and AMBER Alerts. 29 WEA is a tool for authorized federal, state and local government entities to geographically target 90-character Presidential, Imminent Threat, and AMBER Alerts to the WEA-capable mobile devices of Participating CMS Providers’ subscribers. 30 Figure 3: WEA Alert Distribution Diagram 31 (Continued from previous page) No. 07-287, Second Report and Order and Further Notice of Proposed Rulemaking, 23 FCC Rcd 10765 (WEA Second Report and Order); Commercial Mobile Alert System, PS Docket 07-287, Third Report and Order, 23 FCC Rcd 12561, (2008) revised by Erratum (dated Sept. 5, 2008) (WEA Third Report and Order). 28 See FCC's Public Safety and Homeland Security Bureau Sets Timetable in Motion for Commercial Mobile Service Providers To Develop a System That Will Deliver Alerts to Mobile Devices, PS Docket No. 07-287, Public Notice, 24 FCC Rcd 14388 (PSHSB 2009). 29 See Letter from Alfred Kenyon, IPAWS Program Office, National Continuity Programs, Department of Homeland Security, FEMA, PS Docket No. 15-91 (filed Jan.6, 2016). See also CTIA, WIRELESS EMERGENCY ALERTS, http://www.ctia.org/your-wireless-life/consumer-tips/wireless-emergency-alerts (last visited Apr. 30, 2015). The AMBER (America’s Missing: Broadcast Emergency Response) program is a nationwide alerting program designed to help bring missing children to safety. See OFFICE OF JUSTICE PROGRAMS, AMBERALERT.GOV, http://www.amberalert.gov/about.htm (last visited May 7, 2015). 30 See, e.g., 47 C.F.R. § 10.450 (geo-targeting); 47 C.F.R. § 10.430 (character limit); 47 C.F.R. § 10.400 (classification). 31 Figure 3 depicts a WEA alert sent by an authorized federal, state or local government entity using CAP to the Federal Emergency Management Agency (FEMA)-operated Alert Aggregator via a secure, Internet-based interface (the A-Interface) where it is authenticated, validated and delivered to FEMA’s Alert Gateway (the B-Interface). At the FEMA Alert Gateway, the alert is prepared for delivery to the Participating CMS Provider by being converted to Commercial Mobile Alert for C-Interface (CMAC) format to render it readable by mobile devices. The alert is then disseminated across a secure Internet-based interface (the C-Interface) to the Participating CMS Provider’s Alert Gateway (CMSP Gateway) for distribution to mobile customers over cell broadcast (CMSP Infrastructure). Federal Communications Commission FCC 16-5 9 C. IPAWS 10. IPAWS is the nation’s federal alert and warning system, and is administered by FEMA. 32 It consists primarily of the EAS, described above, and the IPAWS Open Platform for Emergency Networks (IPAWS-OPEN), an IP-based system that allows for efficient integration of CAP-based alerting platforms such as WEA with the IPAWS infrastructure. 33 IPAWS-OPEN receives and authenticates messages transmitted by alerting authorities in CAP, and routes them to CAP-compliant public alerting systems such as the Commercial Mobile Service Provider infrastructure used to transmit WEA messages, and CAP-compliant EAS equipment. 34 In addition to EAS and WEA, “[e]xisting state or locally owned and operated warning systems –– can be configured to receive alerts from [IPAWS-OPEN].” 35 D. Social Media Alerting 11. Social media platforms are increasingly used for alerting, and represent valuable tools that are more frequently being included in emergency managers’ alerting toolbox. In addition to regulated alerting tools (e.g., EAS and WEA), alternative alerting mechanisms such as social media platforms may offer benefits in appropriate situations, including crowdsourced data, multilingual accessibility, multimedia capability, and alert personalization options. 36 For example, Twitter allows first responders to assess real-time, crowdsourced data using hashtag and geotagging features. 37 Further, Google offers a suite of information through multimedia, including crisis maps and shared spreadsheets and documents, for emergency responders to use to illustrate an emergency event. 38 Twitter Alerts improves the accessibility of emergency messages by offering the ability to translate alerts into over forty languages using the Bing-powered automatic translation feature, and Google can translate entire web pages into multiple languages. 39 Twitter, Google, and Facebook also personalize alerting profiles for 32 See INTEGRATED PUBLIC ALERT & WARNING SYSTEM, https://www.fema.gov/integrated-public-alert-warning- system (last visited Dec. 10, 2015). 33 See INTEGRATED PUBLIC ALERT & WARNING SYSTEM OPEN PLATFORM FOR EMERGENCY NETWORKS, https://www.fema.gov/integrated-public-alert-warning-system-open-platform-emergency-networks (last visited Jun. 19, 2015). 34 Id. FEMA provides informational materials on IPAWS on its web site. See FEMA, INFORMATIONAL MATERIALS, http://www.fema.gov/informational-materials (last visited Aug. 7, 2015). 35 INTEGRATED PUBLIC ALERT & WARNING SYSTEM OPEN PLATFORM FOR EMERGENCY NETWORKS, https://www.fema.gov/integrated-public-alert-warning-system-open-platform-emergency-networks (last visited Jun. 19, 2015). 36 See Best Practices for Using Twitter in Times of Crisis, TWITTER, available at https://about.twitter.com/products/alerts/helpful-assets (last visited Jul. 27, 2015); see also Safety Check: Connect with Friends and Loved ones During a Disaster, FACEBOOK, available at https://www.facebook.com/about/safetycheck/ (last visited Jul. 27, 2015); GOOGLE CRISIS RESPONSE, available at http://www.google.org/crisisresponse/howwerespond.html (last visited Aug. 6, 2015). 37 See Gabriela Pena, Twitter Alerts: Critical Information When You Need it Most, TWITTER BLOG (Sep. 25, 2013, 4:58 PM), available at https://blog.twitter.com/2013/twitter-alerts-critical-information-when-you-need-it-most (stating that on September 25, 2013, Twitter Alerts partnered with federal, state, and local emergency management agencies to send distinct tweets through push notifications or text messages to users who opt-in to receive them). 38 See For Responders, GOOGLE.org CRISIS RESPONSE, available at https://www.google.org/crisisresponse/resources.html (last visited Aug. 6, 2015). 39 See BING TRANSLATOR, available at https://www.bing.com/translator/ (last visited Sept. 21, 2015); CAP and Google Crisis Response, GOOGLE.ORG CRISIS RESPONSE, available at https://www.google.org/crisisresponse/pdfs/CAP_and_Google_Crisis_Response_Partner_Landi.pdf (last visited Sept. 21, 2015); Enabling Public Safety Organizations to Keep People Safe and Well-informed, TWITTER ALERTS (2013), available at https://g.twimg.com/about/alert-page/attachments/TwitterAlerts_OnePager.pdf (last visited (continued….) Federal Communications Commission FCC 16-5 10 individual users, allowing them to opt-in to receiving emergency alert messages from only those emergency management agencies or friends that they affirmatively select. 40 Facebook also allows users to opt-in to receive safety assurances from their friends when a person is in a geographic location where there is an emergency. 41 Despite the many benefits of crowdsourcing, verification by emergency operations centers of emergency information posted by the general public via social media platforms is problematic. We understand that government entities seeking to assess the extent of and impacts from emergency situations are challenged by social media reports that are difficult to validate, can give a distorted view of greatest community need, and are prone to spoofing and other malicious activity. 42 III. DISCUSSION 12. Technological advancements continue to change the landscape of alerting for emergency managers. Alerting tools such as EAS and WEA that had previously occupied fundamentally different infrastructures now share common platforms and a common language. Social media such as Google and Twitter provide emergency managers with entirely new ways of informing the public of dangers to life and property, and new ways of assessing the public’s response. 43 The interactivity enabled by IP-based systems may provide emergency managers with the opportunity to receive rapid feedback from the public on the effectiveness of alerts and warnings. 13. The Commission is obligated to ensure that the President can reach the public in times of (Continued from previous page) Sept. 21, 2015); but see Nataly Kelly, Why Machines Alone Cannot Solve the World’s Translation Problem, HUFFINGTONPOST (Mar. 11, 2014, 5:59am EDT), available at http://www.huffingtonpost.com/nataly-kelly/why- machines-alone-cannot-translation_b_4570018.html (last visited Sept. 21, 2015) (stating that, despite regular advances in machine translation, including recent efforts by Google, machine translation is not ready to replace human translation because 1) Even perfectly bilingual human beings cannot always perform perfect translations; 2) Translation quality is highly subjective; 3) There are too many languages to translate (Google Translate currently supports 80 of 6,000-7,000); 4) Most languages are not written; 5) Context is key; and 6) The role played by language is too important). 40 Using Twitter Alerts, TWITTER HELP CENTER, available at https://support.twitter.com/articles/20170444-using- twitter-alerts#; (last visited Aug. 6, 2015); Public Alerts, GOOGLE.ORG CRISIS RESPONSE, available at https://www.google.org/crisisresponse/publicalerts/ (last visited Aug. 6, 2015); Safety Check: Connect with Friends and Loved Ones During a Disaster, FACEBOOK, available at https://www.facebook.com/about/safetycheck/ (last visited Aug. 6, 2015). 41 See FACEBOOK SAFETY CHECK, https://www.facebook.com/about/safetycheck/ (last visited Dec. 1, 2015); see also Samuel Gibbs, Facebook’s Safety Check Leads Technology’s Support of Paris, THE GUARDIAN (Nov. 16, 2015, 7:34 AM EST), http://www.theguardian.com/technology/2015/nov/16/facebook-safety-check-technology-paris-terrorist- attacks (last visited Dec. 1, 2015) (stating that “Facebook activated its Safety Check service for a terrorist incident for the first time during the Paris Attacks, allowing people to notify their loved ones that they were safe.”). 42 Government alert initiators, as “trusted sources,” must authenticate alerts. See Vernon Keenan and Dawn Diedrich, Developing Policy on Using Social Media for Intelligence and Investigations, THEPOLICECHIEF (2013), available at http://www.policechiefmagazine.org/magazine/index.cfm?fuseaction=display_arch&article_id=2951&issue_id=620 13 (last visited Oct. 30, 2015); see also Christopher Boehning and Daniel Toal, Authenticating Social Media Evidence, NEWYORKLAWJOURNAL (2012), available at http://www.paulweiss.com/media/1211973/4oct12tt.pdf (last visited Oct. 30, 2015). 43 See, e.g., Steve Hakusa, Public Alerts Now on Google Maps, GOOLGE.ORG BLOG (Jan. 25, 2012 6:00 AM), http://blog.google.org/2012/01/public-alerts-now-on-google-maps.html (announcing the launch of Google Alerts); Gabriela Pena, Twitter Alerts: Critical Information When You Need it Most, TWITTER BLOG (Sept. 25, 2013, 4:58 PM), https://blog.twitter.com/2013/twitter-alerts-critical-information-when-you-need-it-most (announcing the launch of Twitter Alerts); Naomi Gleit, Sharon Zeng, & Peter Cottle, Facebook Newsroom (Oct. 15, 2014) https://newsroom.fb.com/news/2014/10/introducing-safety-check/ (introducing Facebook Safety Check). Federal Communications Commission FCC 16-5 11 national emergency. 44 In light of continuous technological advancements, the Commission has taken significant steps to ensure that the nation’s public alert and warning systems perform this function in an effective and accessible manner. 45 At the same time, we must continue to review our rules to ensure that the EAS and WEA perform this important function in a manner that minimizes burdens for stakeholders and safeguards these alerting systems against inherent vulnerabilities and attacks. 46 Accordingly, this Notice proposes rules and seeks comment on alerting issues in an evolving technological climate in order to continue to provide emergency managers with effective tools to assess and coordinate available alerting systems to securely deliver an alert from the President during a national crisis, and to improve the ability of emergency managers to alert and train those communities to take protective action in response to national, regional and local emergencies. 14. As discussed in greater detail below, we estimate that the cost of the proposed changes would be more than offset by the public benefit of lives saved, together with the reduction in human suffering and property loss. 47 One measure against which we can balance costs associated with complying with our proposed rules is the Department of Transportation (DOT) model, which estimates the value of risk reduction, measured in terms of an expected life saved, to be $9.1 million. 48 Using the Value of a 44 See Public Alert and Warning System, Exec. Order No. 13,407, 71 Fed. Reg. 36975 (Jun. 26, 2006) (directing the Commission to “adopt rules to ensure that communications systems have the capacity to transmit alerts and warnings to the public as part of the public alert and warning system”); see also 47 U.S.C. § 606 (War Powers Act) (authorizing the President to direct such communications as in his judgment may be essential to the national defense and security during the continuance of a war in which the United States is engaged). 45 See, e.g., WEA NPRM, FCC 15-154; Sixth Report and Order, 30 FCC Rcd 6520 (adopting requirements to prepare the EAS for the second nationwide EAS test); Fifth Report and Order, 27 FCC Rcd 642 (revising the Part 11 rules to specify the manner in which EAS Participants must be able to receive alert messages formatted in the CAP); Fourth Report and Order, 26 FCC Rcd 13710 (amending the Part 11 rules to require EAS Participants be able to receive CAP formatted EAS alerts); Review of the Emergency Alert System, Third Report and Order, 26 FCC Rcd 1460 (2011) (Third Report and Order) (amending the Part 11 rules to provide for national testing and collection of data); Review of the Emergency Alert System; Independent Spanish Broadcasters Association, The Office of Communication of the United Church of Christ, Inc., and the Minority Media and Telecommunications Council, Petition for Immediate Relief, EB Docket No. 04-296, Second Report and Order and Further Notice of Proposed Rulemaking, 22 FCC Rcd 17023 (2007) (Second Report and Order and Further Notice of Proposed Rulemaking) (amending the Part 11 rules to provide public with next-generation EAS); Review of the Emergency Alert System, EB Docket No. 04-296, First Report and Order and Further Notice of Proposed Rulemaking, 20 FCC Rcd 18625 (2005) (First Report and Order and Further Notice of Proposed Rulemaking) (seeking comment on amending EAS rules to efficiently reach individuals with hearing and vision disabilities). 46 See ANGELOS KEROMYTIS, VOICE OVER IP: RISKS, THREATS AND VULNERABILITIES 6 (2009), available at http://www.cs.columbia.edu/~angelos/Papers/2009/cip.pdf (last visited Aug. 7, 2015) (stating that threats to IP- based communications include social, eavesdropping, interception, modification, denial of service, service abuse, physical access, and interruption of service threats). 47 We estimate the proposed rules would result in a one-time cost of $5.3 million and an annual cost of $596,560. See infra para. 145 (estimating a one-time cost of $2.2 million in order to update EAS equipment firmware to support our proposed authentication and validation measures); see infra para. 111 (estimating a one-time cost of $879,040 in order for the ten percent of EAS Participants estimated to not adhere to EAS security best practices to implement them); see infra para. 26 (estimating a one-time cost of $25,000 to resupply State EAS Plan data); see infra para. 111 (estimating a potential one-time $2,179,440 cost for initial review of EAS Participants’ annual security certifications); see infra para. 111 (estimating an annual cost of $549,360 in order to produce annual certifications of adherence to required security procedures); see infra para. 130 (estimating an annual cost of $46,400 to report an estimated two false alerts per year); see infra para. 133 (estimating an annual cost of $800 per year to report an estimated one lockout per year). 48 An accepted model developed by the United States Department of Transportation presently estimates the value of a statistical life (VSL) at $9.1 million. See Memorandum from Polly Trottenberg, Under Secretary for Policy, Office of the Secretary for Transportation, and Robert S. Rivkin, General Counsel, Department of Transportation, (continued….) Federal Communications Commission FCC 16-5 12 Statistical Life (VSL) as a benchmark, even one life saved could more than offset the one-time costs potentially imposed by our proposals. 49 We anticipate that our proposed rules represent an incremental improvement to the nation’s alerting capability that could readily save multiple lives per year in the foreseeable future. 50 We seek comment on this analysis, and on whether the DOT statistic is the most appropriate yardstick to measure the benefits our proposals. We seek comment on whether there is a better measure for quantifying the benefits of establishing a new alerting paradigm. If so, commenters should specify what specific measure should be used. We encourage commenters to include with their comments any data relevant to our analysis of the costs and timing involved with the implementation of today’s proposals. A. Improving Alerting Organization at the State and Local Levels 1. EAS Designations a. Background 15. The Commission created EAS designations to “use succinct terminology to more clearly define EAS functions.” 51 The current EAS designations are: ? Primary Entry Point (PEP) System. Defined in Section 11.2 as “a nationwide network of broadcast stations and other entities connected with government activation points . . . used to distribute EAS messages . . . formatted in the EAS Protocol . . . , including the [Emergency Action Notification (EAN)] and EAS national test messages” that includes “some of the nation's largest radio broadcast stations,” as approved by FEMA, and is “designated to receive the Presidential alert from FEMA and distribute it to local stations.” 52 ? National Primary (NP) stations. Defined in Section 11.2 as “the primary entry point for Presidential messages delivered by FEMA . . . responsible for broadcasting a Presidential alert to the public and to State Primary stations within their broadcast range,” 53 and by Section 11.18 simply as “a source of EAS Presidential messages.” 54 ? State Primary (SP) stations. Defined in Section 11.2 as “the entry point for State messages, which can originate from the Governor or a designated representative.” 55 Section 11.18 defines SP stations as “a source of EAS State messages” and adds that such messages originate from the (Continued from previous page) Guidance on Treatment of the Economic Value of a Statistical Life in U.S. Department of Transportation Analyses, 1 (2013), http://www.dot.gov/sites/dot.gov/files/docs/VSL Guidance_2013.pdf. The Department of Transportation defines VSL as “the additional cost that individuals would be willing to bear for improvements in safety (that is, reductions in risks) that, in the aggregate, reduce the expected number of fatalities by one.” Id. at 2. 49 See, e.g., Sixth Report and Order, 30 FCC Rcd at 6545 ¶ 53. 50 See id.; see also EAS Trigger Saved Lived in Samoa Tsunami, RADIOWORLD (Sep. 30, 2009), http://www.radioworld.com/article/eas-trigger-saved-lives-in-samoa-tsunami/4745 (last visited Jan. 26, 2016) (stating that EAS saved lives by alerting citizens to take protective action moments before a destructive tsunami impacted the American Samoa); NOAA, NOAA Weather Radio Leads to Kentucky AMBER Alert Success, NEWS RELEASE (2003), available at http://www.publicaffairs.noaa.gov/releases2003/aug03/noaa03r288.html (last visited Jan. 26, 2016) (stating that NOAA Weather Radio’s use of the EAS to issue an AMBER Alert led to the successful return of a kidnapped teenager). 51 EAS Deployment Order, 10 FCC Rcd at 1833 ¶ 129. 52 47 C.F.R. § 11.2(b). 53 47 C.F.R. § 11.2(g). 54 47 C.F.R. § 11.18(a). 55 47 C.F.R. § 11.2(h). Federal Communications Commission FCC 16-5 13 “State Emergency Operating Center (EOC) or State Capital,” and that such messages “are sent via the State Relay Network.” 56 ? State Relay Network. Defined in Section 11.20 as a network composed of “State Relay (SR) sources, leased common carrier communications facilities or any other available communication facilities. The network distributes State EAS messages originated by the Governor or designated official.” 57 ? State Relay (SR). Defined in Section 11.18 as “a source of EAS State messages” that is “part of the State Relay Network and relays National and State common emergency messages into Local Areas.” 58 ? Local Primary (LP) stations. Defined in Section 11.2 as radio or TV stations that act as key EAS monitoring sources, stating that each LP station “must monitor its regional PEP station and a back-up source for Presidential messages.” 59 LPs are further defined in Section 11.18 as “a source of EAS Local Area messages . . . responsible for coordinating the carriage of common emergency messages from sources such as the National Weather Service or local emergency management offices as specified in its EAS Local Area Plan.” 60 According to Section 11.18, if an LP “is unable to carry out this function, other LP sources in the Local Area may be assigned the responsibility as indicated in State and Local Area Plans” and “LP sources are assigned numbers (LP-1, 2, 3, etc.) in the sequence they are to be monitored by other broadcast stations in the Local Area.” 61 ? Participating National (PN) sources. Defined in Section 11.18 as sources that “transmit EAS National, State or Local Area messages . . . for direct public reception,” as defined in Section 11.18. 62 ? NP, SP, LP and SR stations are defined collectively in Section 11.21 as “key EAS sources.” 63 16. Since the Commission defined these EAS designations, SECCs have taken disparate approaches to their implementation, leading to the inconsistent use of these terms among State EAS Plans. 64 For example, not all State EAS Plans contain an NP-designated station, and it is unclear whether, 56 47 C.F.R. § 11.18(c). 57 47 C.F.R. § 11.20. 58 47 C.F.R. § 11.18(d). 59 47 C.F.R. § 11.2(c). 60 47 C.F.R. § 11.18(b). 61 47 C.F.R. § 11.18(b). 62 47 C.F.R. § 11.18(e). 63 47 C.F.R. § 11.21. 64 See, e.g., STATE OF ALABAMA, STATE OF ALABAMA EMERGENCY ALERT SYSTEM (EAS) PLAN (1996) (Alabama State EAS Plan); STATE OF ALASKA, STATE OF ALASKA EMERGENCY ALERT SYSTEM PLAN (2003) (Alaska State EAS Plan); STATE OF CALIFORNIA, STATE OF CALIFORNIA EMERGENCY ALERT SYSTEM (EAS) FCC EAS OPERATIONS PLAN (2002) (California State EAS Plan); STATE OF COLORADO, STATE OF COLORADO EMERGENCY ALERT SYSTEM STATE PLAN (2002) (Colorado State EAS Plan); STATE OF FLORIDA, STATE OF FLORIDA EMERGENCY ALERT SYSTEM PLAN (2014) (Florida State EAS Plan) ; STATE OF INDIANA, REVISED INTERIM STATE EAS EMERGENCY ALERT SYSTEM (Indiana State EAS Plan); STATE OF KANSAS, STATE EMERGENCY ALERT SYSTEM PLAN (2013) (Kansas State EAS Plan); STATE OF NEW MEXICO, STATE OF NEW MEXICO EMERGENCY ALERT SYSTEM STATE EAS PLAN (2011) (New Mexico State EAS Plan); STATE OF OREGON, THE OREGON STATE EMERGENCY ALERT SYSTEM PLAN (2014) (Oregon State EAS Plan); STATE OF TENNESSEE, TENNESSEE STATEWIDE EMERGENCY ALERT SYSTEM (1998) (continued….) Federal Communications Commission FCC 16-5 14 in some states, the designations PEP and NP are used interchangeably. 65 Further, while some State EAS Plans refer to primary sources of state and local alerts as SPs, others identify primary sources as SRs. 66 A number of State EAS Plans term the system of transmitting state alerts from SR to LP stations and from LP stations to PN stations and the public as the State Relay Network, but many State EAS Plans do not include SR or State Relay Network designations at all. 67 As the Nationwide EAS Test Report indicated, such disparate use of what should be common terminology makes it difficult for Commission staff to determine how the distribution systems described in various state plans can be aggregated into a single comprehensive nationwide alerting architecture. 68 b. Discussion 17. In order to ensure that the Commission can meaningfully review and confirm states’ preparedness to deliver Presidential Alerts we propose to revise our EAS designation scheme to more accurately and consistently describes key EAS sources. Specifically, we propose to continue to designate the primary entry point for a Presidential Alert as a PEP, as that is a designation determined by FEMA. For each State EAS Plan, however, we propose that the entity tasked with primary responsibility for delivering the Presidential Alert to that state’s EAS Participants will be designated as the National Primary (NP). Thus, for a state that has a FEMA-designated PEP, that station would also be designated as that state’s NP. For a state that does not have a PEP, another station would have to be identified to act as the state’s NP. We further propose that an entity tasked with initiating the delivery of a state EAS alert will be designated as a State Primary (SP). An SP may be a broadcaster, a state emergency management office, or other authorized entity capable of initiating a state-based EAS alert. We propose that the same entity may be designated as an SP and as an NP. In that case, each designation for that station would have to be separately listed in the State EAS Plan. We would retain the current definition of Participating National (PN) and Local Primary (LP). In cases where geography or other reasons necessitate another layer of monitoring and retransmission between the LP and PN levels, we propose that such stations be designated in State EAS Plans as “Relay Stations.” We anticipate that this proposed terminology scheme would more clearly define key EAS functions in a manner that could be used consistently across all State EAS Plans. As discussed in further detail below, the standard SEPFI template provides an opportunity to ensure that, going forward, these terms are used pursuant to a common understanding of their meaning. 69 18. We seek comment on the designations we have identified, based on our analysis of State EAS Plans, as necessary for the successful distribution of Presidential, state and local EAS alerts. We also seek comment on whether additional EAS designations may be needed, for example to encompass new roles EAS Participants may play in an evolving technological environment, non-traditional monitoring sources, CAP-formatted alerts, and a more accurate way to account for the significant number of viewers served by cable service providers. 70 We seek comment on whether our proposed designations could be used as a uniform vernacular to clarify the roles of EAS Participants, including key EAS sources, in each state and territory. (Continued from previous page) (Tennessee State EAS Plan); STATE OF WYOMING, WYOMING STATE PLAN FOR THE EMERGENCY ALERT SYSTEM (2008) (Wyoming State EAS Plan). 65 See New Mexico State EAS Plan at 5; Oregon State EAS Plan at 5. 66 See Alabama State EAS Plan at Section IV; Kansas State EAS Plan at 3. 67 See Indiana State EAS Plan at 9; Kansas State EAS Plan at 48; but see, e.g., Tennessee State EAS Plan (containing no reference to the State Relay Network). 68 FCC, PUBLIC SAFETY & HOMELAND SECURITY BUREAU, STRENGTHENING THE EMERGENCY ALERT SYSTEM (EAS): LESSONS LEARNED FROM THE NATIONWIDE EAS TEST 17 (2013) (EAS Nationwide Test Report). 69 See infra paras.21, 38. 70 See infra para.22. Federal Communications Commission FCC 16-5 15 19. Roles and Designations. Do the current EAS designations limit SECCs ability to adequately assign roles and responsibilities to EAS Participants in their respective states? Or, on the other hand, does the Commission currently maintain more EAS designations than are necessary for this task? We seek comment on how SECCs currently distinguish between PEPs and NP stations. Can one station have both designations? Do the meanings of these terms overlap, as they are used in State EAS Plans? If not every state contains a PEP station, do states designate as NP the station or stations in their state responsible for monitoring the nearest PEP? If so, how does this designation differ from that of an SP station? Are some SPs also denominated as NPs where they act as the primary entry point for both the presidential and some or all state and local alerts? If the definitions of the terms PEP, NP, and SP significantly overlap, is it appropriate that we simplify our EAS denominations by eliminating extraneous terms? 20. Do all state and local alerts originate at the same source? If not, should we provide SECCs with terms that allow them to distinguish among the primary initiation points for the various types of state and local alerts that are initiated in their respective states? What would be an appropriate title for such designations? For example, would it be appropriate to designate the source responsible for originating an AMBER Alert as a State AMBER Alert Primary? Conversely, are some state or local alerts likely to initiate from more than one source, frustrating the use of a single designation? Is it appropriate that we continue to use LP as the denomination for those stations that are monitored by PN stations? Is it appropriate that we continue to use the term PN for stations that are not monitored, in light of the fact that the Non-Participating National (NN) designation was deleted from the rules when the Commission required all EAS Participants to carry the Presidential Alert? 71 If not, what designation would be preferable? 21. Uniform Vernacular. Can the designations we propose be used as a uniform vernacular for referring to the roles of EAS Participants in State EAS Plans? CSRIC IV notes that there is “no one- size-fits-all framework” that can be applied to every SECC because SECCs have limited resources to write State EAS Plans. 72 Although each SECC must create a State EAS Plan that addresses the needs of their respective states, fundamental components of EAS are uniformly implemented nationwide. In our analysis, these commonalities are sufficient to support successful implementation of a uniform set of EAS designations, and the uniform designations that we propose to adopt are sufficient to describe states’ varied approaches to EAS. We seek comment on this analysis, and on any idiosyncrasies in states’ approaches to EAS that may merit special consideration. We also seek comment on whether the same EAS designations can be used both for EAS Participants’ role in transmitting the Presidential Alert, as well as for state and local EAS alerts. Finally, we also seek comment on CSRIC IV’s conclusion that limitations on state resources frustrate the use of uniform designations. What additional resources, if any, would be necessary to utilize the EAS designations that we propose to adopt? 22. Additional Designations. Are additional EAS designations necessary to reflect changes in the alerting landscape? Should EAS designations reflect the service provided by the designated entity in light of the fact that EAS Participants are no longer only broadcasters, and that many EAS Participants monitor non-broadcast sources, such as satellite? For example, would it be appropriate for State EAS Plans to designate a “satellite NP?” Are EAS designations useful for CAP monitoring, or does the fact that most EAS Participants receive an EAS alert by monitoring a CAP feed preclude the need for designations? Further, we seek comment on whether any EAS Participants other than broadcasters (e.g., analog and digital cable systems, wireline video systems, wireless cable systems and direct broadcast satellite) are currently designated as key EAS sources. Should they be? We note, for example, that an individual cable headend can be responsible for delivering an EAS alert to as many as 803,000 71 See Fifth Report and Order, 27 FCC Rcd at 717 ¶ 215. 72 See CSRIC State EAS Plans Report. Federal Communications Commission FCC 16-5 16 subscribers. 73 In light of these facts, we believe that the ability of cable providers, DBS providers and wireline video providers to effectively transmit an EAS alert would be crucial to the American public’s ability to receive a Presidential Alert. Should we update EAS designations to add a category for cable and other Multichannel Video Programming Distributors (MVPDs) that monitor LPs but serve a significant number of people? What about any other EAS Participant that serves a significant portion of the public? Should the EAS Participants with the most extensive coverage or subscribership in a state be given a specific EAS designation? Should they be considered key EAS sources, notwithstanding the fact that they are not monitored by other EAS Participants? Should entities other than broadcasters be monitored by EAS Participants? We also seek comment on the extent to which non-broadcaster EAS Participants are members of or otherwise involved in the operations of their SECCs. What steps can we take to facilitate increased participation by representatives of these entities in the SECC and State EAS Plan process? 2. State EAS Plan Filing Interface (SEPFI) a. Background 23. The Commission adopted rules requiring states to file State EAS Plans that “contain guidelines which must be followed by EAS Participants’ personnel, emergency officials, and National Weather Service (NWS) personnel to activate the EAS.” 74 These rules maintain the role of state and local committees in strategically organizing state and local EAS Participants into a network capable of ensuring the proper dissemination of, inter alia, the Presidential Alert. 75 State EAS Plans are required to be submitted for review and approval by the Chief, Public Safety and Homeland Security Bureau (Bureau) prior to their implementation “to ensure that they are consistent with national plans, FCC regulations, and EAS operation.” 76 This requirement was adopted in light of commenters’ assertions that the Commission must adopt safeguards to ensure that EAS is not abused, and that alerts are used only for genuine emergencies. 77 24. Following the first nationwide EAS test in 2011, the Bureau recommended that the Commission “consider whether to make the State EAS Plan filing process into an online, rather than a paper-based process” in light of inconsistencies identified in the structure of State EAS Plans. 78 Subsequently, in the Sixth Report and Order, the Commission adopted the Electronic Test Reporting System (ETRS), which provides a standardized, online reporting mechanism for the submission and analysis of monitoring assignment data 79 that can be cross-referenced with the EAS Participant designations and monitoring assignments contained in the State EAS Plans. 80 Further, the Commission 73 See VERIZON SOUTH, ANNUAL REPORT AND CABLE TELEVISION SYSTEMS, FORM 325 (2011). 74 47 C.F.R. § 11.21. 75 EAS Deployment Order, 10 FCC Rcd 1786. 76 47 C.F.R. § 11.21. 77 See Amendment of Part 73, Subpart G, of the Commission’s Rules Regarding the Emergency Broadcast System, Memorandum Opinion and Order, 10 FCC Rcd 11494, 11501 ¶ 47 (1995) (EAS Deployment Order on Reconsideration). 78 EAS Nationwide Test Report at 17. 79 Monitoring assignments are made by the SECC to each broadcast station and cable system to designate the sources each facility should monitor for incoming EAS messages. State EAS Plans should reflect monitoring assignments, but data gathered in the monitoring process is supplemental to the monitoring assignments themselves. See State of Washington Emergency Alert System, Glossary of EAS Terms, available at http://www.wsab.org/eas/eas_tab7.html (last visited Oct. 29, 2015). 80 Sixth Report and Order, 30 FCC Rcd at 6534 ¶ 28. Federal Communications Commission FCC 16-5 17 tasked CSRIC IV with recommending actions to improve the State EAS Plan filing process, 81 and received a recommendation that State EAS Plans should be filed online. 82 CSRIC IV also adopted recommendations regarding access to the recommended online platform, State EAS Plan template design, and identification mechanisms for facilities and geographic areas contained within State EAS Plans. 83 We seek comment on these recommendations below. b. Discussion. 25. We propose to convert the paper-based filing process for State EAS Plans into a secure, online process using a State EAS Plan Filing Interface (SEPFI) that would be designed to interoperate with the ETRS. The data collected in SEPFI would complement the monitoring assignment data already collected by ETRS. 84 The data collected via ETRS and SEPFI would provide an end-to-end picture of the EAS distribution architecture for each state that could be used to populate an EAS Mapbook. 85 We propose that the entry format for State EAS Plan data into SEPFI would be a pre-configured online template to be designed by the Bureau in collaboration with SECCs and other stakeholders, using a similar to process to the one we directed the Bureau to use when designing the templates for ETRS. 86 CSRIC IV observes that State EAS Plans are inconsistent in both structure and content, and that “[t]his lack of consistency makes it difficult for the FCC to determine if a proper distribution network exists for . . . distribution [of the Presidential Alert] in each state.” 87 We seek comment on this proposed online filing process below. 26. Costs. We seek comment on the cost savings likely to result from adopting SEPFI. The EAS collection approved by the Office of Management and Budget (OMB) estimates that each State EAS Plan takes twenty hours to complete, and that the average hourly wage of an individual who completes a State EAS Plan is $25 per/hour. 88 Accordingly, OMB approves of our estimate that the production of State EAS Plans, nationwide, costs $25,000. 89 How much reporting time and cost would be saved by 81 LARISSA HERDA, CSRIC IV WORKING GROUP DESCRIPTIONS AND LEADERSHIP 4 (2014), available at https://transition.fcc.gov/bureaus/pshs/advisory/csric4/CSRIC%20IV%20Working%20Group%20Descriptions%201 0%2023%2014.pdf (last visited Aug. 7, 2015). The Communications Security, Reliability and Interoperability Council (CSRIC) is a federal advisory committee charged with providing recommendations to the FCC to ensure, among other things, the optimal security and reliability of communications systems, including telecommunications, media, and public safety systems, subject to the requirements of the Federal Advisory Committee Act (FACA). See 5 U.S.C.A. § 10. 82 See CSRIC EAS State Plan Report at 20. 83 See id. at 13, 20. 84 ETRS is designed to collect monitoring assignment data from all EAS Participants in conjunction with nationwide testing. State EAS Plans filed in SEPFI would contain instructions for participation in EAS, including monitoring assignments for key EAS sources. 85 These data sets could also be cross-referenced in order to discover inconsistencies between SECC’s planned monitoring assignments, and the manner in which EAS monitoring is actually carried out. “The FCC Mapbook is based on the consolidation of the data table required in each State EAS plan with the identifying data contained in the ETRS. The Mapbook organizes all EAS Participants according to their State, EAS Local Area, and EAS designation.” 47 C.F.R. § 11.21(c). 86 See Sixth Report and Order, 30 FCC Rcd at 6534 ¶ 28. 87 CSRIC State EAS Plans Report at 11. 88 See Public Information Collections Approved by the Office of Management and Budget (OMB), 76 Fed. Reg. 68756-01 (November 7, 2011); see also Information Collection Being Submitted for Review and Approval to the Office of Management and Budget (OMB), 80 Fed. Reg. 190 (Oct. 1, 2015). 89 Where $25,000 = 50 states x 20 hours x $25 per hour. See Information Collection Being Submitted for Review and Approval to the Office of Management and Budget (OMB), 80 Fed. Reg. 190 (Oct. 1, 2015). Note that SECCs (continued….) Federal Communications Commission FCC 16-5 18 bringing this process online if certain aspects of State EAS Plans could be automatically updated and populated by cross-referencing data already collected by the FCC, as recommended by CSRIC IV? For example, could SEPFI be pre-populated with data contained in the Consolidated Database System (CDBS), Licensing and Management System (LMS), or other relevant databases? 90 We seek comment on CSRIC IV’s recommendation. Would additional time and cost be saved by offering users drop-down menus for each EAS designation that could include every licensed EAS Participant in the state? 91 We also seek cost on any legal fees that SECCs may incur in order to ensure compliance with our proposed State EAS Plan requirements. In light of these potential improvements, we seek comment on whether any cost associated with requiring SECCs to reenter State EAS Plan data online would be significantly lower than those required to draft a new paper-based plan, and would be outweighed over time by the efficiency and/or other benefits (such as standardization of the information offered by the State EAS Plans, as described below) of an online, template-based process. 27. With respect to the potential administrative cost savings, we anticipate that the proposed use of a template will facilitate the agency’s review of the Plans. 92 Because the State Plans currently are submitted in differing formats, with different levels of detail and using inconsistent terminology, it can be time-consuming and difficult to conduct a review that ensures that each Plan contains the elements required by the rules, or that the Plans, in concert, will function efficiently and effectively as a nationwide daisy chain that can pass along alerts in a seamless manner. We believe that with the use of an on-line template, the Commission’s ability to review the Plans for compliance with the required elements and to identify potential problems that might hinder achieving the basic goals of the EAS will be improved by enabling us to conduct such reviews in a quicker and more accurate fashion. Facilitating the review process in this manner may not only improve the effectiveness of the EAS, but it could yield significant administrative cost savings to the extent that FCC review and approval of the Plans could be automated, at least in part. We seek comment on the likelihood and weight of such potential benefits. 28. Standardization. Would adopting a standardized online template dramatically increase the consistency and thoroughness of State EAS Plans? According to CSRIC IV, “SECCs need the resource of a federal government database to assure EAN dissemination.” 93 We seek comment on CSRIC IV’s conclusion. On the other hand, CSRIC IV notes that there is “no one-size-fits-all framework” that can be applied to every SECC, because SECCs have limited resources to write State EAS Plans. 94 We seek comment on the extent to which a standardized template for State EAS Plans would contribute to improving the efficacy and standardization of EAS, as well as streamline the development of State EAS Plans by identifying the appropriate informational parameters for State EAS Plans. What resource limitations do SECCs encounter that potentially challenge their ability to produce standardized State EAS Plans, and what measures could the Commission take to help address these constraints? 29. Structure. What is the optimal structure for the SEPFI template? CSRIC IV recommends that the Commission should follow the matrix-based model exemplified by the Washington (Continued from previous page) are volunteer committees and their members may not be compensated at all for participation therein, including for the creation of State EAS Plans. 90 See CSRIC State EAS Plans Report at 12; MEDIA BUREAU CONSOLIDATED DATABASE SYSTEM ELECTRONIC FILING SYSTEM, https://licensing.fcc.gov/prod/cdbs/forms/prod/cdbs_ef.htm (last visited Dec. 1, 2015). LMS is planned to replace CDBS as the primary method for broadcasters and cable providers to file required forms with the Commission. 91 Designations for key EAS sources used in the template are proposed in Section III(A)(1), above. See supra Section III.A.1 92 See 47 C.F.R. § 11.21. 93 CSRIC State EAS Plans Report at 9. 94 Id. at 17. Federal Communications Commission FCC 16-5 19 State EAS Plan to quickly, clearly, and efficiently identify the dissemination path of the Presidential Alert through each state. 95 We seek comment on whether the SEPFI template should be based on the matrix used by the Washington State EAS Plan. 96 Could this matrix be adapted to also illustrate the dissemination path for alerts formatted in CAP, including state and local alerts? We seek comment on how the SEPFI template should identify EAS Participants. CSRIC IV recommends that EAS Participants be identified by FCC Facility ID as well as by a station’s call letters in order “to reduce the need for frequent changes and updates to the database, and state plans due only to changes in call letters.” 97 We seek comment on CSRIC IV’s recommendation, as well as on the optimal implementation of other structural elements of SEPFI. 30. Security. We seek comment on whether access to State EAS Plan data should be limited and secured, as CSRIC IV recommends, and on the steps we should take to safeguard against unauthorized access to SEPFI. 98 Specifically, CSRIC IV recommends that the Commission should follow the Disaster Information Reporting System (DIRS) access model. 99 We observe that DIRS utilizes a two- layer access model and provides a secure methodology for multiple company employees to access the DIRS database, causing us to believe that the model could be easily adaptable to the State EAS Plan context. 100 We seek comment on whether access to SEPFI should be based on access provisions for DIRS. Similar to DIRS, should SEPFI utilize a two-layer security system, requiring both a SECC ID and an individual User ID to prevent any unauthorized person from establishing a fraudulent User ID under the company’s name? We seek comment on the identifying information that SECCs should be required to provide for the individuals authorized to access the SEPFI. Should such information include a contact name, affiliated company name, office and cell phone numbers, and an e-mail address? Should additional information be required? 31. What is the most cost-effective way to protect potentially sensitive data contained in State EAS Plans? 101 We seek comment on specific aspects of State EAS Plan data that may implicate national security or that otherwise could present security concerns when aggregated into a single database. Are there any particular aspects of State EAS Plans that should be made confidential in light of this sensitivity? Would it be sufficient to provide such data with the same level of confidentiality as test 95 See id. at 22; see also STATE OF WASHINGTON, EMERGENCY ALERT SYSTEM (EAS ) STATE PLAN (2014), available at http://mil.wa.gov/other-links/emergency-alert-system-eas-state-plan (last visited Nov. 10, 2015). 96 See STATE OF WASHINGTON, EMERGENCY ALERT SYSTEM (EAS) STATE PLAN (2014), available at http://mil.wa.gov/other-links/emergency-alert-system-eas-state-plan (last visited Nov. 10, 2015). 97 CSRIC State EAS Plans Report at 12. We observe that the recently established ETRS also requires broadcasters to identify themselves by the FCC Facility ID and Call Sign associated with their transmitter, and requires cable providers to identify themselves by the Physical System ID (PSID) associated with their headend. See Sixth Report and Order, 30 FCC Rcd at 6534 ¶28. 98 See CSRIC State EAS Plans Report at 9. 99 See id. at 13. DIRS is a voluntary, web-based system established by the Commission that communications providers can use to report communications infrastructure status and situational awareness information during times of crisis. See The FCC’s Public Safety and Homeland Security Bureau Announced the Activation of the Disaster Information Reporting System (DIRS) in Response to Hurricane Irene, DA 11-1464, Public Notice, 26 FCC Rcd 12506 (2011). 100 See PUBLIC SAFETY AND HOMELAND SECURITY BUREAU DISASTER INFORMATION REPORTING SYSTEM, https://transition.fcc.gov/pshs/services/cip/dirs/dirs.html (last visited Aug. 6, 2015). 101 Potentially sensitive data in State EAS Plans include the call signs and locations of key EAS sources that would become more sensitive if all State EAS Plan data were to be aggregated in a single location. Some State EAS Plan data is password protected, and/or requires user log-in information. Federal Communications Commission FCC 16-5 20 data submitted to the Commission via ETRS? 102 If not, how should sensitive SEPFI data be protected? 103 Even if data contained in an individual State EAS Plan may not be sensitive or present national security concerns, would State EAS Plan data become more sensitive when aggregated via SEPFI? If so, what additional protections should be afforded to aggregated data versus individual state data, and how could this be implemented? What costs, if any, would those additional protections impose on reporting entities? 32. National Advisory Committee (NAC). The NAC succeeded the Emergency Broadcast System Advisory Committee (EBSAC) as the Federal Advisory Committee responsible for assisting the Commission with administration of the EAS. 104 CSRIC IV recommends that the Commission should reestablish a NAC to facilitate communication with SECCs. 105 We seek comment on CSRIC IV’s recommendation. Is there a need for additional and routine communication with another organization that is not already taking place today between the Commission and the SECCs? Could a reestablished NAC be charged with initial approval of State EAS Plans? Could they be charged with performing outreach to SECCs to answer any questions about our new State EAS Plan filing process, and encouraging the timely completion of up-to-date State EAS Plans? With what other responsibilities should the NAC be charged? Should membership in the NAC continue to consist of SECCs Chairs, and representatives from the National Association of Broadcasters (NAB), the Society of Broadcast Engineers (SBE) and the NWS? If not, then how should the membership of the NAC be modified? 3. State EAS Plan Contents a. Background 33. The Commission’s EAS rules currently state that State EAS Plans must contain the following elements: 1) A list of the EAS header codes and messages that will be transmitted by key EAS sources; 106 2) Procedures for state emergency management and other state officials, NWS, and EAS Participant personnel to transmit emergency information to the public during an emergency using EAS; 107 3) A data table, in computer-readable form, clearly showing monitoring assignments and the specific primary and backup path for the EAN formatted in the EAS Protocol from the PEP to each station in the plan; 108 4) A description of how CAP-formatted messages will be aggregated and distributed to EAS 102 See Sixth Report and Order, 30 FCC Rcd at 6533, n.90 (stating that “the Commission will allow test data and reports containing individual test data to be shared on a confidential basis with other Federal agencies and state governmental emergency management agencies that have confidentiality protection at least equal to that provided by the Freedom of Information Act (FOIA)”) citing 5 U.S.C. § 552 (2006), amended by OPEN Government Act of 2007, Pub. L. No. 110-175, 121 Stat. 2524 (stating the FOIA confidentiality standard, along with relevant exemptions). 103 The manner in which State EAS Plans themselves address security is discussed in Section III.A.3 below. See infra Section III.A.3. 104 See FCC Restructures and Renews the Emergency Broadcast System Advisory Committee, and Renames it the National Advisory Committee, 1996 WL 341341 (OHMSV Jun. 24, 1996). The charter of the NAC was not renewed after 1998. 105 See CSRIC IV State EAS Plans Report at 20. 106 See 47 C.F.R. § 11.21. 107 See id. 108 See 47 C.F.R. § 11.21; 47 C.F.R. § 11.52(d)(1). Federal Communications Commission FCC 16-5 21 Participants within the state, including the monitoring requirements associated with distributing such messages; 109 5) A statement of any unique methods of EAS message distribution; 110 6) Instructions for state and local activations of EAS, including a list of all authorized entities participating in State or Local Area EAS; 111 and 7) Procedures for conducting special EAS tests. 112 The EAS rules require that EAS operations must be conducted as specified in State EAS Plans in order to ensure that the Presidential Alert can be effectively delivered. 113 The Commission adopted these requirements in the EAS Deployment Order, communicating expectations for the structure and administration of State EAS Plans and for the SECCs that create them. 114 SECCs and State EAS Plans have fallen short of these expectations in some respects, including a lack of active cable service provider participation in SECCs, and the failure of some states to file State EAS Plans. 34. In 2013, the Commission evaluated the state of SECCs and State EAS Plans in the EAS Nationwide Test Report, summarizing the successes of the first nationwide EAS test, but observing specific shortcomings in EAS operations, 115 including a lack of clarity in State EAS Plans. 116 Specifically, the EAS Nationwide Test Report observed that the Commission’s rules do not require SECCs Participants to provide monitoring assignment data below the LP level. 117 The EAS Nationwide Test Report further observed that many State EAS Plans did not identify the alternative monitoring sources that EAS Participants relied upon to receive the EAN during the first nationwide EAS test, or define SECCs’ administration and governance practices. 118 Accordingly, the Bureau recommended that the Commission “consider reviewing its State EAS Plan rules.” 119 CSRIC IV further recommends that the role of the SECC should be strengthened, and that “SECCs must be free to design and maintain their respective state’s own robust and redundant EAS relay networks in the best and most practical ways possible.” 120 We seek to address the substantive shortcomings in State EAS Plans identified by CSRIC IV 109 See 47 C.F.R. § 11.21; 47 C.F.R. § 11.52(d)(3). 110 47 C.F.R. § 11.21. 111 See 47 C.F.R. § 11.54(a)(1); 47 C.F.R. § 11.55(b). 112 See 47 C.F.R. § 11.61(a)(4). 113 See 47 C.F.R. § 11.55(b). 114 EAS Deployment Order, 10 FCC Rcd at 1834 ¶ 132. The Commission expected SECCs to, inter alia, organize to include a Broadcast Co–Chair and Cable Co–Chair, and expected State EAS Plans to, inter alia, include all authorized sources for initiating EAS alerts. See id. at 1834 ¶¶ 134-35. 115 The purpose of the first nationwide EAS test was to allow FEMA and the Commission to assess how the broadcast-based, national EAS architecture would perform in practice, and to develop and implement any necessary improvements to ensure that the national EAS, if activated in a real emergency, would perform as designed. See EAS Nationwide Test Report at 3. The first nationwide EAS test did not test CAP or the entirety of the IPAWS- OPEN-based delivery system. See id. at 17 n.45. 116 EAS Nationwide Test Report at 17. The Bureau observed in this regard, for example, that “several EAS Participants reported difficulties in understanding their monitoring assignments as set forth under their state’s EAS plan.” Id. 117 Id. The Bureau further explained that “the lack of consistency among plans made it very difficult for the Commission and FEMA to create a national propagation map.” Id. 118 Id., citing Fifth Report and Order, 27 FCC Rcd at 734 ¶ 27. 119 Id. 120 CSRIC State EAS Plans Report at 20. Federal Communications Commission FCC 16-5 22 and the EAS Nationwide Test Report. 35. Since the adoption of State EAS Plan rules in 1994, the alerting landscape has dramatically changed. Local alerts now originate from a wider array of sources, such as Public Safety Answering Points (PSAPs) and nuclear power plants. 121 Local weather alerts continue to increase in frequency, 122 and new alerting platforms such as WEA, SMS- and social media-based alerts are being rapidly added to the toolbox available to each community’s alerting authority. 123 For many alert initiators, WEA acts in concert with the EAS and other systems to transmit alerts to the public. Further, alert initiators may offer both EAS and WEA through IPAWS-OPEN, which serves as an interconnected CAP alert aggregator for previously siloed alerting platforms. 124 In the EAS Nationwide Test Report we observed that many EAS Participants utilized the satellite-based National Public Radio (NPR) News Advisory Channel (Squawk Channel) to receive the Presidential Alert, as opposed to their regular monitoring assignment in the daisy chain. 125 Even for state and local alerts, many EAS Participants use satellite-based distribution systems to supplement or replace the traditional alert distribution architecture. 126 We seek comment on the extent to which these developments, as discussed in greater detail below, need to be included in State EAS Plans to provide the FCC with the information necessary for it to ensure that the EAS can allow the President to reach the entire American public in time of national emergency. b. Discussion 36. We propose to amend Section 11.21 to integrate State EAS Plan requirements contained in other portions of Part 11, and to include new elements designed to enhance the value of State EAS Plans as community alerting tools, as well as to inform the Commission that the EAS remains an efficient and effective method to deliver a Presidential Alerts in an evolving technological landscape. 127 We propose that State EAS Plans should include organizational, operational, testing/outreach, and security elements, as set forth below, and seek comment on these proposals. While we propose to afford states considerable flexibility within these categories, to provide information they deem relevant to designing and maintaining their respective states’ own robust and redundant EAS relay networks, we believe these general categories will help establish a baseline level of information across states nationwide. 121 See Letter from Wade Witmer, Deputy Director, FEMA IPAWS Division, and Mark Lucero, Chief Engineer, FEMA IPAWS Division, to Marlene H. Dortch, Secretary, FCC, PS Docket No. 15-91, at 3 (filed Jun. 18, 2015) (stating that the Nuclear Regulatory Commission requires coordinated public warning); Elizabeth Dexter, Watch Officer, Arlington County Emergency Communications, Address at the Federal Communications Commission’s Workshop to Promote Accessibility and Wider Use of EAS (Aug. 27, 2015) (stating that the Arlington County PSAP uses alerting to communicate emergency information to the public, and that they are in the process of becoming approved alert originators with IPAWS). 122 See STEPHANIE SANOK KOSTRO ET AL., U.S. DISASTER PREPAREDNESS AND RESILIENCE: RECOMMENDATIONS FOR REFORM (CSIS-Pennington Family Foundation 2013). 123 See Elizabeth Dexter, Watch Officer, Arlington County Emergency Communications, Address at the Federal Communications Commission’s Workshop to Promote Accessibility and Wider Use of EAS (Aug. 27, 2015) (stating that Arlington, VA uses the SMS-based Everbridge platform for community alerting). 124 See supra Section II.C (discussing IPAWS and IPAWS-OPEN). 125 EAS Nationwide Test Report at 10; see also Comments of National Public Radio, Inc. in EB Docket No. 04-296 (Nov. 4, 2013) at 1 (NPR Comments) (stating that the NPR News Advisory Channel, also known as the “Squawk Channel,” was offered to provide support for the first nationwide EAS test over the Public Radio Satellite System (PRSS), along with a supplemental digital stream). 126 See, e.g., COMLABS, EMNET, http://comlabs.com/emnet-eas (last visited Sept. 17, 2015). 127 See CSRIC State EAS Plans Report at 10 (noting that “[w]e must treat all emergencies, including national level events that would require use of the EAN, as local emergencies.”). Federal Communications Commission FCC 16-5 23 (i) Organizational Elements 37. State EAS Plans and the SECCs that create them are designed to organize EAS Participants representing a variety of industries and regions into a cohesive whole capable of efficiently and reliably distributing emergency information to the public, including the Presidential Alert. In order to fulfill this purpose, SECCs and EAS Participants must be well organized. Accordingly, we propose that State EAS Plans filed with the Commission via SEPFI template include uniform designations for the roles of EAS Participants, a list of entities authorized to activate EAS, a description of SECC governance structure, and a clear role for Local Area EAS Plans, should they continue to be necessary. 38. Uniform Designations. We propose that SECCs input State EAS Plan monitoring assignment data into an online template using the uniform designations for key EAS sources that we propose above. We note that in Section III(A)(1) we seek comment on whether additional roles within the alert distribution hierarchy should be defined and given designations in order to reflect their importance to the success of EAS. 128 We also seek comment on whether any of these additional designations should be included in State EAS Plans. 39. A List of Entities Authorized to Activate EAS. We propose that State EAS Plans should contain a list of all entities authorized to activate EAS for state and local emergency messages (e.g., Public Safety Answering Points (PSAPs)) whose transmissions might be interrupted by a Presidential Alert. We seek comment on this proposal. We note that the Presidential Alert is required to take priority over all other alerts, 129 and as such, might interrupt alerts initiated by any state-based entities. We seek comment on whether state and local alert originators would have reason to activate the EAS during a national crisis concurrent with a Presidential Alert. If so, is it reasonable to require that all entities authorized to activate the EAS should be included in State EAS Plans? Would such an inclusion ensure that SECCs are able to conduct outreach to these entities in order to organize and coordinate emergency managers’ alert messaging should a Presidential Alert become likely, and to mitigate the potentially chaotic alerting situation that could result from a national crisis? 40. A Description of SECC Governance Structure. We propose that State EAS Plans should specify the SECC governance structure used to organize state and local resources to ensure the efficient and effective delivery of a Presidential Alert, including the duties of SECCs, the membership selection process utilized by the SECC, and the administrative structure of the SECCs. We seek comment on this proposal in light of the expectations expressed by the Commission in the EAS Deployment Order for the administration and governance of SECCs, and subsequent observations by the Bureau, CSRIC IV and EAS stakeholders that the Commission should provide further guidance on the issue. 130 We seek comment on whether by soliciting information on SECC administration in State EAS Plans, both in the form of comments in this docket and via the SEPFI, we can develop a basis for analysis of SECC administration that we may leverage to produce best practices for SECC governance or otherwise offer guidance to these volunteer committees, as requested by CSRIC IV. 131 Is there a need for a consistent, uniform governance structure for SECCs nationwide to ensure effective functioning of EAS? If so, what specific elements should such structure contain? Should the Bureau coordinate with SECCs to determine an optimal, uniform governance structure? We acknowledge that CSRIC IV did not find that a “one size fits all” approach would work for SECC governance. 132 Given the disparity of size and resources from 128 See supra Section III.A.1 (discussing EAS designations). 129 See 47 C.F.R. § 11.2 (“A national activation of the EAS for a Presidential message with the Event code EAN as specified in §11.31 must take priority over any other message and preempt it if it is in progress”). 130 See EAS Deployment Order, 10 FCC Rcd at 1834 ¶ 132. 131 See State EAS Plans Report at 20 (recommending increased Commission involvement with SECCs). 132 See State EAS Plans Report at 17. Federal Communications Commission FCC 16-5 24 state to state, is there guidance we can issue that could clarify the roles and responsibilities of SECCs in a manner that would be useful in each state? 41. LECCs and Local Area EAS Plans. Finally, we seek comment on the role that LECCs continue to perform, and whether they serve a vital role in the delivery of EAS messages to local areas. We seek comment on whether LECCs perform a function that requires a separate Local Area EAS Plan to be filed with the Commission, or whether Local Area EAS Plans could be subsumed within State EAS Plans. CSRIC IV observes that “[a]ll federal emergency alert systems, of which EAS is an essential component, depend on local distribution” and recommends that policies be developed “that will encourage local communications distribution systems to participate in the emergency warning process.” 133 Consistent with that observation, we seek comment on whether SECCs currently have the expertise to describe and plan local alerting responsibilities. Do LECCs and Local Area EAS Plans provide an additional value not captured by SECCs and State EAS Plans? Does the size of some large states or the lack of SECC resources present challenges for comprehensive local planning? With SEPFI, information relevant to state and local plans will be filed in a single system. Will there be a continued need for local plans, assuming we move forward with implementing SEPFI? (ii) Operational Elements 42. The primary purpose of EAS is to transmit a message from the President to the public during an emergency of national significance. In order to achieve that purpose, SECCs must maintain a detailed understanding of how multiple alerting platforms operate in concert with one another to create a seamless information distribution system within their respective states. Accordingly, we propose that State EAS Plans should include emergency alerting procedures for EAS alerts transmitted via all available alert distribution mechanisms that the state utilizes (e.g., EAS and WEA, as well as any alternative mechanisms the state may use, such as the NPR Squawk Channel, highway signs, and social media), up- to-date monitoring assignments for each key EAS source that reflect how those entities actually receive alerts, and a description of whether and to what extent these elements work in concert to create a cycle of information sharing through a “many-to-one/one-to-many” alerting dynamic. 134 43. Expanded Emergency Alerting Procedures. We propose that State EAS Plans should contain a comprehensive listing of procedures by which state emergency management officials, local NWS forecasting stations, and EAS Participant personnel transmit emergency information to the public during an emergency using regulated alerting tools (e.g., EAS and WEA) as well as any alternative alerting mechanisms (e.g., the NPR Squawk Channel, highway signs, and social media). We propose that this revised language would subsume the Section 11.21 language that State EAS Plans include a “statement of any unique methods of EAS message distribution such as the use of the Radio Broadcast Data System (RBDS).” 135 We seek comment on this proposal. Would this proposed rule change allow SECCs to adequately capture the different alerting methods that EAS Participants may leverage? Would it accurately reflect how emergency managers utilize the suite of alerting tools available to them? 44. In light of the monitoring assignments that EAS Participants used successfully during the first nationwide EAS test, and for the reasons provided below, we propose to encourage SECCs to specify a satellite-based source, such as the NPR Squawk Channel, in State EAS Plans as an alternate monitoring assignment for the Presidential Alert where it presents a reliable source of EAS messages. We seek 133 CSRIC State EAS Plans Report at 14. 134 “One-to-Many” describes a communications technique whereby one entity is able to send a notification, message, alert or warning to a scalable number of individuals. “Many-to-One” describes a communications technique that enables a scalable number of individuals to provide feedback on a developing situation to an authority capable of aggregating, analyzing and responding to the information provided. Combining these two techniques gives rise to a virtuous cycle of information sharing that can dramatically improve situational awareness and response. 135 47 C.F.R. § 11.21. Federal Communications Commission FCC 16-5 25 comment on this approach. In the Second Report and Order, we observed that “the vast coverage area of satellite signal footprints would allow immediate alerting of substantial portions of the country with appropriate equipment” and that satellite systems are “generally immune from natural disasters and therefore may provide critical redundancy in the event that terrestrial wireline or wireless infrastructure is compromised.” 136 CSRIC IV notes that many EAS Participants are currently unable to meet their requirement to monitor two sources for the Presidential Alert without recourse to such satellite-based communications technologies because of incomplete PEP coverage. 137 NPR states that in instances where EAS Participants monitored both the Squawk Channel and their regular monitoring assignment, the Squawk Channel actually triggered EAS equipment ahead of the terrestrial relay network by 10-20 seconds in most cases. 138 Does the NPR Squawk Channel provide a faster and equally reliable alternative to the daisy chain process? Do other satellite-based monitoring sources, such as EMnet? Are such technologies sufficiently reliable to serve as a primary or secondary EAS monitoring assignment for the Presidential Alert? If so, how should use of the Squawk Channel and other satellite-based communications resources approved by FEMA be codified in the Commission’s EAS rules? 139 45. We also seek comment on whether and how alert originators use alternative alert distribution platforms, such as social media and highway signs, to supplement their traditional alerting channels. What is the extent to which emergency managers at the federal, state, and local levels currently leverage targeted feedback during emergency situations to disseminate and gather information? We seek comment on the extent to which social media has served as a reliable and effective source of crowdsourced data about developing situations. To what extent have alert originators begun taking advantage of social media’s crowdsourced communications functionality in order to establish a real-time conversation with individuals and communities in crisis? Is the information generated by social media platforms reliable enough to be trusted by emergency managers, and if not, what challenges are involved? We seek comment on the steps that emergency managers currently take to confirm the accuracy of crowdsourced reports of emergency situations in order to act on, correct or clarify, or otherwise respond to such reports. Are the platforms secure enough to be used in emergency situations? To what extent has the use of social media platforms supplemented alert accessibility, either by providing translations of alerts in languages other than English or by providing alerts in multiple formats? To what extent has the personalization of alerts facilitated and encouraged public engagement and participation with alerting platforms, and, in turn, instigated more rapid protective action taking? We seek comment on whether state and local use of social media alerting tools should be included in State EAS Plans. Further, we seek comment on the extent to which highway signs are used to retransmit EAS alerts formatted in CAP. If IPAWS-OPEN is capable of distributing CAP-formatted alerts to highway signs, do any barriers currently exist to such use? We seek comment on what, if any, other alternative alerting systems alert originators are relying upon to supplement their use of EAS and WEA, and seek comment on our proposal that this information be specified in State EAS Plans. 46. Are there examples of best practices from our federal, state and local government partners for using crowdsourced information in an emergency situation? We observe that the Peta Jakarta initiative in Indonesia may provide an example of how a government alert initiator can leverage crowdsourced data to increase the overall effectiveness of alerts. The Peta Jakarta project piloted a 136 Second Report and Order, 22 FCC Rcd at 13291 ¶ 31. 137 See CSRIC State EAS Plans Report at 9. 138 See NPR Comments in EB Docket No. 04-296, at 3 (filed Nov. 4, 2014) (“In almost all instances the PRSS feed was the first to trigger local receivers, typically ahead of the terrestrial relays network by 10-20 seconds, but in some instances by one minute or more.”). 139 FEMA has also authorized Premier Network to carry the Presidential Alert over its satellite-based distribution system. Federal Communications Commission FCC 16-5 26 program that monitored Twitter for posts mentioning the word for “flood” during flooding season. 140 The system would automatically respond to such messages, asking whether the user saw flooding, at which point the user could confirm their report either by turning geo-location on in their device settings, or by responding, in turn, with the word for “flood.” 141 Peta Jakarta then incorporated the results of this information-gathering process into a live, public crisis map that depicted in real time areas in the city that were affected by flooding. 142 To what extent would it be possible to leverage this model as a best practice for automated crowdsourcing of reliable emergency response data, using regulated alerting platforms in the United States? To what extent is a similar model to the one utilized by Peta Jakarta feasible using EAS and/or WEA, in order to provide an authoritative source of information? We observe that emergency managers used Twitter in a 2013 flood in Boulder, Colorado to prioritize deployment of satellite- and drone-based imaging platforms to the most severely impacted areas. 143 To what extent could community feedback via EAS or WEA be similarly used to prioritize emergency managers’ information gathering efforts? 47. Monitoring Assignments. In this section, we propose rules and seek comment on issues designed to optimize monitoring assignments in State EAS Plans. First, we seek comment on methods of improving and clarifying monitoring assignments as currently implemented in State EAS Plans. Specifically, we seek comment on how to define operational areas, on whether to include CAP-based monitoring assignments in State EAS Plans, and on how to remove single points of failure from EAS monitoring assignments. Next, we propose to expand the monitoring assignments section of State EAS Plans to reflect more accurately the various methods that EAS Participants use to monitor sources for EAS. Specifically, we propose that State EAS Plans should include the extent to which monitoring assignments for state and local alerts differ from monitoring assignments for the Presidential Alert. Finally, we propose to clarify that EAS operations must be implemented in a manner consistent with guidelines established in a State EAS Plan submitted to the Commission. 48. We propose that State EAS Plans should continue to divide their respective states into geographically-based operational areas, specifying primary and backup monitoring assignments for EAS Participants to receive the Presidential Alert in each operational area. We seek comment on this proposal. We seek comment on whether dividing states into operational areas facilitates EAS administration by more clearly defining responsibilities for EAS alert distribution by geographic area for key EAS sources. CSRIC IV notes a lack of uniformity among State EAS Plan definitions of “operational areas,” and recommends that such service areas should be uniformly identified. 144 We seek comment on CSRIC IV’s conclusion. Is it possible to standardize the definition of an operational area nationwide? If so, how should SEPFI define operational areas? Could the definition of an operational area have implications for President’s ability to transmit a regional Presidential Alert? 49. We propose to remove the current restriction that State EAS Plans include monitoring assignments for Presidential Alerts formatted in the EAS Protocol only. We seek comment on this proposed change. As technologies evolve, the Presidential Alert may not necessarily be issued using the EAS Protocol, and we seek to remain technologically neutral so that our rules may evolve 140 See Peter Meier, Social Media for Disaster Response Done Right, EMERGENCY JOURNALISM (Jul. 29, 2015), http://emergencyjournalism.net/social-media-for-disaster-response-done-right/ (last visited Jan. 25, 2016); see also PETA JAKARTA, https://petajakarta.org/banjir/en/ (last visited Jan. 27, 2016). 141 See Peter Meier, Social Media for Disaster Response Done Right, EMERGENCY JOURNALISM (Jul. 29, 2015), http://emergencyjournalism.net/social-media-for-disaster-response-done-right/ (last visited Jan. 25, 2016). 142 See id. 143 See, e.g., Guido Cervone, et al., Using Twitter for Tasking Remote Data Collection and Damage Assessment: 2013 Boulder Flood Case Study (2016), http://dx.doi.org/10.1080/01431161.2015.1117684 (last visited Jan. 25, 2016). 144 CSRIC State EAS Plans Report at 13. Federal Communications Commission FCC 16-5 27 correspondingly. We seek comment on the extent to which EAS Participants are prepared to receive a Presidential Alert formatted in CAP. We observe that new alerting protocols may be developed in the future, and we seek comment on whether removing this technology-specific limitation from our rules better prepares the nation for receiving the Presidential Alert. 50. CSRIC IV observes that, as currently written, State EAS Plans reflect the requirement in the EAS rules that each EAS Participant monitor at least two sources for the Presidential Alert by including two monitoring assignments for the Presidential Alert, but also observes that merely listing two monitoring sources may not serve to remove single points of failure from EAS alert distribution where, for example, both monitored EAS sources, in turn, monitor the same source. 145 We agree with CSRIC IV’s observation and seek comment on whether we should require that the two sources that EAS Participants are required to monitor for the Presidential Alert as specified in their State EAS Plan, cannot, in turn, monitor the same key EAS source. Are there further steps that we can take to remove single points of failure within the EAS Protocol-based alert distribution architecture, and from EAS in general, and if so, what are they? 51. We further propose that State EAS Plans should include the extent to which monitoring assignments for state and local alerts differ from monitoring assignments for the Presidential Alert. To what extent do states’ Presidential and local alerting strategies differ? We seek comment on whether the importance of transmitting state and local alerts to communities has had any impact on the ability of the community to deliver a Presidential Alert. Has the use of alternative alerting structures led to innovations that augment the ability of EAS Participants to efficiently and effectively receive and retransmit a Presidential Alert during a national crisis? Alternatively, has the use of such alternatives resulted in lack of use of the EAS and lack of proficiency in its use by local emergency managers and EAS Participants? In either case, would including in State EAS Plans a description of the extent to which a state’s alerting strategy for the Presidential Alert differs from their state and local alerting strategy serve to facilitate dialogue at the state and local level about the extent to which new and emerging technologies could be used to improve the ability of EAS Participants to receive and retransmit the Presidential Alert? 52. In order to address all State EAS Plan monitoring requirements in the same Section of Part 11, we propose to relocate State EAS Plan requirements currently contained in Sections 11.52 and 11.55 to Section 11.21. 146 We propose to merge those requirements into one Section by amending Section 11.21 to state that EAS Participant monitoring assignments and EAS operations must be implemented in a manner consistent with guidelines established in a State EAS Plan submitted to the Commission, and by removing that language from Sections 11.52 and 11.55. We seek comment on whether this proposal is consistent with CSRIC IV’s recommendation that the Commission amend Section 11.21 to state that “[s]tates that want to use the EAS shall submit a State EAS Plan.” 147 We seek comment on whether the data submitted in State EAS Plans must accurately reflect actual monitoring assignments for the EAS Mapbook to be a useful tool to analyze and address issues with EAS functionality. Would State EAS Plans be more up-to-date, inclusive, and effective given the improvements we propose in this Notice? If so, does this militate for the use of State EAS Plan provisions other than monitoring assignments (e.g., expanded emergency alerting and testing procedures) as mandatory instructions for participation in EAS? We seek comment on whether, contrarily, failing to require EAS Participant monitoring assignments to be 145 See id. at 9. 146 47 C.F.R. § 11.52(d)(1) (“The monitoring assignments of each broadcast station and cable system and wireless cable system are specified in the State EAS Plan and FCC Mapbook. They are developed in accordance with FCC monitoring priorities”); 47 C.F.R. § 11.52(d)(3) (“Monitoring specifications associated with the distribution of CAP- formatted alert messages by state alert message systems are described in the State EAS Plan, as set forth in §11.21(a)”); 47 C.F.R. § 11.55(b) (“EAS operations must be conducted as specified in State and Local Area EAS Plans. The plans must list all authorized entities participating in the State or Local Area EAS.”). 147 CSRIC State EAS Plans Report at 35. Federal Communications Commission FCC 16-5 28 implemented pursuant to State EAS Plans would risk making the state EAS planning process a hollow exercise without bearing on the actual organization of EAS. 53. A Description of “One-to-Many, Many-to-One” Alerting Implementation. We propose that State EAS Plans should describe the extent to which alert originators coordinate alerts with community feedback mechanisms, such as 9-1-1, to make full use of public safety resources. We seek comment whether 9-1-1 call takers are well positioned as a nexus of communications between first responders and communities in crisis. We seek further comment on whether, notwithstanding that this has been true in the context of state and local emergencies, 148 it would also be the case during a national crisis giving rise to a Presidential Alert. We seek comment on the extent to which alert originators are prepared to gather, analyze and act upon community feedback in crafting and initiating alert content. Relatedly, we seek comment on the extent to which first responder entities, such as PSAPs, are currently authorized as alert originators, and, if desirable, on the steps that we can take to facilitate increased participation. Can PSAPs play an important role in ensuring that alerts are accessible or available in languages other than English if the 9-1-1 call(s) giving rise to the alert suggest that such measures could facilitate alert interpretation and impact? Finally, we seek comment on the impact that any potential next generation television capabilities may have on the ability to support two-way communications. (iii) Testing/Outreach Elements 54. In order to properly utilize EAS to fulfill its purpose to transmit a Presidential Alert, emergency managers must be assured that the alerting platforms available to them will function as intended when needed, and the public must be assured that those alerts will be made accessible to them, irrespective of disability or language preference. To this end, we propose that State EAS Plans include testing procedures and security elements. 55. Testing Procedures. We propose that State EAS Plans should continue to contain procedures for special EAS tests, as required by Section 11.61, including the new “live code” tests that we propose to include as part of the Commission’s Part 11 testing regime below. 149 We also propose that State EAS Plans should be required to include procedures for Required Monthly Tests (RMTs), Required Weekly Tests (RWTs) and national tests designed to ensure that the system will function as designed when needed for a Presidential Alert. We seek comment on this proposal. We seek comment on whether specifying the schedule, origination source, and script are necessary components of the successful operation of RMTs, RWTs, and national tests, and on whether SECCs already communicate this information to EAS Participants in their state even where it is not included in State EAS Plans. Further, we propose that this section of State EAS Plans should include a description of the extent to which State/Local WEA Tests are utilized by alert originators as a complement to the Presidential Alert distribution system to verify that WEA is both capable of disseminating a Presidential Alert, and informing the public that a Presidential Alert is presently being delivered over EAS. We seek comment on these proposals. 56. We seek comment on whether State EAS Plans should include a listing of the manners in which a state or community conducts such live code tests. 150 Should the Plan include the language of the notification to be provided during the test (e.g., audio voiceovers, video crawls) to make sure the public 148 See Interesting 9-1-1 Calls and Success Stories, SANTA CLARA COUNTY COMMUNICATIONS 9-1-1, https://www.sccgov.org/sites/911/Pages/Interesting-9-1-1-Calls-and-Success-Stories.aspx (last visited Aug. 6, 2015). 149 47 C.F.R. § 11.61(a)(3)(iv)(A) (stating that EAS Participants shall renew the identifying information required to be filed in ETRS “on a yearly basis or as required by any revision of the EAS Participant's State EAS Plan filed pursuant to §11.21.”). 150 See CSRIC State EAS Plans Report at 10 (recommending that states and communities “must devise, manage, exercise and review” testing and exercise procedures in order to ensure that EAS alert dissemination will function as intended when needed). Federal Communications Commission FCC 16-5 29 understands that the test is not, in fact, a warning about an actual emergency? We also seek comment on whether the notification requirement should incorporate the new accessibility component of Section 11.51 of our EAS rules, which establishes requirements for the visual message portion of an alert. 151 Should the Plan contain pre-test outreach procedures to coordinate with EAS Participants, state and local emergency authorities, and first responder organizations and the public? 57. We seek comment on whether each of these testing procedures continues to play an important role in ensuring system readiness for a Presidential Alert. In particular, with respect to State/Local WEA Testing, we seek comment on whether the ubiquity of smartphone technology makes it likely that, in the event of a Presidential Alert, members of the public would likely have their smartphone closer at hand than any traditional EAS source. If so, we seek comment on whether it is likely that the first medium through which members of the public would receive notice that a Presidential Alert is occurring is through their smartphone, notwithstanding the fact that the actual alert may be aired over EAS. We seek comment on whether this makes State/Local WEA Testing procedures a necessary component of state-level preparedness to receive a Presidential Alert. 152 If so, should the manner in which a state or community uses smartphone technology, through WEA or otherwise, to augment an EAS alert be included in State EAS Plans? (iv) Security Elements 58. Security and reliability are critical components of an alerting system, especially one that may be used by the President. A public safety communications system that is vulnerable to mistaken use or malicious intrusion poses as much of a threat to public safety as an efficient, secure system offers a benefit. A compromised alerting system could be used to misdirect public safety resources, or lead members of the public into harm’s way. 153 Accordingly, we propose to require certification of performance of required security measures, as discussed in greater detail below. 154 Should State EAS Plans also describe the measures EAS Participants have taken to comply with our proposed security requirements? Should State EAS Plans include any additional information regarding their approach to cyber risk management, including if and how they use tools like the National Institute for Standards and Technology (NIST) Cybersecurity Framework (NSF), 155 or other risk management construct, and how this has been extended to their emergency alerting system? In the alternative, do the certifications proposed below provide adequate disclosures regarding EAS Participants’ security efforts, obviating the need for the separate inclusion of such information in State EAS Plans? 151 47 C.F.R. § 11.51 (The visual portion of an alert “whether video crawl or block text, must be displayed: (A) At the top of the television screen or where it will not interfere with other visual messages; (B) In a manner (i.e., font size, color, contrast, location, and speed) that is readily readable and understandable; (C) That does not contain overlapping lines of the text of the notification or extend beyond the viewable display (except for video crawls that intentionally scroll on and off of the screen), and (D) In full at least once during any notification, and the audio portion of a notification must play in full at least once during any notification.”). 152 Participation in WEA is voluntary. See 47 C.F.R. §§ 10.210 - 10.280. 153 For examples see infra Section III.D.1.a (discussing recent EAS security incidents). 154 See infra Section III.D.2.a(proposing to require annual certification of patch management, account management, segmentation, and integrity, and proposing to require false alert reporting and lockout notification, as well as alert authentication and validation). 155 See NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY, FRAMEWORK FOR IMPROVING CRITICAL INFRASTRUCTURE CYBERSECURITY 3 (2014), www.nist.gov/cyberframework/upload/cybersecurity-framework- 021214-final.pdf (Cybersecurity Framework). Federal Communications Commission FCC 16-5 30 B. Building Effective Community-based Alerting Exercise Programs 1. Live Code Tests a. Background 59. Section 11.45 of the Commission’s EAS rules provides in pertinent part that “[n]o person may transmit or cause to transmit the EAS codes or Attention Signal, 156 or a recording or simulation thereof, in any circumstance other than in an actual National, State or Local Area emergency or authorized test of the EAS.” 157 The Commission adopted this restriction because it found that a specific prohibition against the misuse of the EAS audio Attention Signal and codes was necessary in light of the “enormous detriment to the system” that might result from improper use. 158 As a general matter, the EAS audio Attention Signal is used exclusively to alert the public that an emergency message is about to be distributed. Section 11.31(e) lists the “live” event header codes that are used for alerts in specific emergency situations, e.g., tornadoes, tsunamis, and other natural and weather-related emergencies, as well as the specific test codes that are to be used for national periodic, required monthly and required weekly tests, as well as for practice/demonstration warnings. 159 In the Live Code Testing Public Notice, the Bureau noted that EAS Participants have expressed a desire to use live EAS header codes and the EAS audio Attention Signal to conduct local public awareness and proficiency training EAS exercises, and stated that engaging in such activity would require a waiver of Section 11.31(c) of the Commission’s EAS rules. 160 The Bureau also provided the following guidance to SECCs on the recommended contents of their waiver requests: 1) A description of the test and test participants, including when the test is scheduled to occur, when it will conclude, and what notification is being provided during the test (e.g., audio voiceovers, video crawls) to make sure the public understands that the test is not, in fact, warning about an actual emergency, plus a statement whether the proposed test is designed to substitute for a “RWT” (required weekly test) or a “RMT” (required monthly test) or would constitute a “special test,” 161 pursuant to 47 C.F.R. § 11.61; 2) An explanation why the EAS Participant or the state authority conducting such tests has concluded that use of live codes is necessary; e.g., what live code testing is expected to achieve that could not be achieved by using standard test codes; 3) A statement about how the test has been coordinated among EAS Participants and with state and local emergency authorities, as well as first responder organizations such as police and fire agencies; and 4) A description of those public information steps that have been taken before the test occurs to notify the public about the test (specifically, that live event codes will be used, but that no emergency is in fact occurring). This should include a statement 156 The EAS Attention Signal is a loud, attention-grabbing, two-tone audio signal that consists of the fundamental frequencies of 853 Hz and 960 Hz transmitted simultaneously. See 47 C.F.R. §§ 11.31(a)(2). 157 47 C.F.R. § 11.45. The text of 47 C.F.R. § 11.45 was derived from Section 325(a) of the Communications Act, and Section 47 C.F.R. § 73.1217. 47 U.S.C. § 325(a) (prohibiting false distress signals); 47 C.F.R. § 73.1217 (prohibiting broadcast hoaxes). 158 EAS Deployment Order, 10 FCC Rcd at 1815 ¶¶ 83-84. 159 See 47 C.F.R. § 11.31(e). 160 Public Safety and Homeland Security Bureau Provides Guidance Regarding “Live Code” Testing of the Emergency Alert System, Public Notice, 24 FCC Rcd 3701, 3701 (2009). 161 See 47 C.F.R. § 11.61(a)(4) (stating that “[t]he EAS may be activated for emergencies or special tests at the State or Local Area level by an EAS Participant instead of the monthly or weekly tests required by this section”). Federal Communications Commission FCC 16-5 31 about all media that have participated in the public awareness/information campaign (e.g., broadcasters, cable, print media, etc.). 162 Live code tests are currently performed as “special” tests under Section 11.61. 163 A “special” test may fulfill an EAS Participant’s weekly testing obligation provided that the test includes transmission of the EAS header codes and End of Message (EOM) codes, 164 and may fulfill an EAS Participant’s monthly testing obligation provided that the test also includes the emergency alerting Attention Signal and emergency message. 165 In either case, the test message must meet a minimum standard of accessibility, as discussed in further detail below. 166 b. Discussion 60. We propose to amend our EAS rules to authorize EAS Participants to conduct periodic EAS exercises using live event header codes, provided that they are used in a non-misleading manner, and that steps are taken to prevent public confusion prior to and during the test. Specifically, we propose to amend Section 11.61 to include “Live Code Tests” as a separate category of alerting exercise that may be undertaken periodically provided that: 1) The state or local entity provides accessible notification during the test (e.g., audio voiceovers, video crawls) to make sure the public understands that the test is not, in fact, warning about an actual emergency; 167 2) Coordinates the test among EAS Participants and with state and local emergency authorities, as well as first responder organizations such as Public Safety Answering Points (PSAPs), police and fire agencies; and 3) Notifies the public before the test (specifically, that live event codes will be used, but that no emergency is in fact occurring). We further propose to amend Section 11.45 to exempt state-designed EAS live code exercises from our prohibition against false or misleading use of the EAS Attention Signal. We seek comment on these proposals. 61. Benefits. Would expanding our Part 11 rules to permit live code testing facilitate opportunities for system verification, proficiency building, and raising public awareness about EAS? We seek comment on whether, as certain SECCs claim, using a live code enables more realistic system verification because use of a live code is the only way to determine how EAS equipment will react to 162 Public Safety and Homeland Security Bureau Provides Guidance Regarding “Live Code” Testing of the Emergency Alert System, Public Notice, 24 FCC Rcd 3701, 3702 (2009). 163 47 C.F.R. § 11.61(a). 164 47 C.F.R. § 11.61(a)(4). 165 Id. 166 See id.; see also infra Section III.B.3. 167 See 47 C.F.R. § 11.51. To make EAS alerts accessible to people with disabilities, the visual message portion of an EAS alert, whether video crawl or block text, must be displayed (A) At the top of the television screen or where it will not interfere with other visual messages; (B) In a manner (i.e., font size, color, contrast, location, and speed) that is readily readable and understandable; (C) That does not contain overlapping lines of EAS text or extend beyond the viewable display (except for video crawls that intentionally scroll on and off of the screen), and (D) In full at least once during any EAS message. Further, the audio portion of an EAS message must play in full at least once during any EAS message. Notifications must comply with the same requirements to ensure that they are accessible. Federal Communications Commission FCC 16-5 32 certain live event header codes that are not activated by default in EAS equipment. 168 Further, we seek comment on whether live code testing promotes alert originator proficiency by providing an opportunity for alert originators to practice selecting an appropriate event code for simulated emergency events, and practice crafting a message that informs the public of the occurrence of that specific event that would effectively motivate the public to take protective action. We also seek comment on whether live code testing facilitates opportunities for EAS stakeholders to raise public awareness about EAS. Some SECCs requesting a live code waiver state that their live code testing will coincide with “Severe Weather Preparedness Week” scheduled in their state, and the live code presents a visual crawl that is distinct from the visual crawl associated with test messages that better facilitates schools’ businesses’ and homeowners’ own emergency preparedness drills. 169 We seek comment on this claim. Finally, we seek comment on the extent to which live code testing offers superior public awareness and proficiency training opportunities than RMT and RWTs because they present testing conditions that more accurately reflect actual emergency conditions. 62. Notification and Outreach. We seek comment regarding the steps that EAS stakeholders could take to minimize any public confusion that may result from live code testing. We seek comment on the methods used by EAS Participants to inform the public that the Attention Signal they hear does not indicate an actual emergency. Is it necessary to codify specific notification procedures, or are available best practices sufficient? We seek comment on the extent to which outreach to first responder agencies has mitigated public confusion about the use of live codes. How can first responder organizations, such as PSAPs, be utilized as an integral part of an alerting exercise in a manner that harnesses their potential as a nexus for emergency information? We seek comment on whether our proposed rule adequately circumscribes the use of the emergency alerting attention signal in a manner that maximizes its utility while minimizing over-alerting and public confusion. 63. Frequency of Live Code Testing. How often should live code testing occur? We observe that some EAS stakeholders have requested a waiver of the Commission’s EAS rules to conduct live code tests as often as annually. 170 We seek comment on whether the removal of this regulatory burden would lead EAS stakeholders to engage in more frequent live code testing. If so, we seek comment on whether we should limit how often live code tests may occur in a particular geographic area, and, if so, on what that limit should be. We observe that our EAS rules currently allow special tests to be conducted as often as daily. 171 Are there steps that we should take to prevent over-alerting and alert fatigue? On the other hand, should SECCs be required to conduct live code EAS tests at certain predetermined intervals in 168 See, e.g., Letter from Frank Jazzo, Counsel for Alaska Broadcasters Association, to Tom Beers, Chief, Policy & Licensing Division, at 2-3 (filed Feb. 18, 2015) (requesting a waiver of the Commission’s rules to engage in live code testing, stating that EAS encoder/decoder equipment in Alaska is not consistently programmed to allow for the automatic relay of Tsunami messages containing the TSW event code, and that use of a test code only demonstrates the ability of EAS Participants’ equipment to relay the test code). The Commission has filed this document into the record of this proceeding to facilitate commenter access to all documents that have informed our proposals in this NPRM. 169 See, e.g., Letter from Joseph Misiewicz, President and CEO, Indiana Broadcasters Association, to Tom Beers, Chief, Policy & Licensing Division, at 2-3 (filed Nov. 25, 2014). The Commission has filed this document into the record of this proceeding to facilitate commenter access to all documents that have informed our proposals in this NPRM. 170 See, e.g., Letter from Frank Jazzo, Counsel for Alaska Broadcasters Association, to Tom Beers, Chief, Policy & Licensing Division, at 2-3 (filed Feb. 18, 2015); Letter from Joseph Misiewicz, President and CEO, Indiana Broadcasters Association, to Tom Beers, Chief, Policy & Licensing Division, at 2-3 (filed Nov. 25, 2014). The Commission has filed these documents into the record of this proceeding to facilitate commenter access to all documents that have informed our proposals in this NPRM. 171 47 C.F.R. § 11.61(a)(4). Federal Communications Commission FCC 16-5 33 order to ensure that emergency managers in each state have opportunities for system verification, proficiency training, and public awareness outreach? 64. Cost Savings. Would this action remove regulatory burdens for EAS stakeholders and reduce costs? We seek comment on the anticipated extent of these cost savings. We also seek comment on any operational concerns that EAS stakeholders believe to be implicated by this proposal. 2. EAS PSAs a. Background 65. EAS Participants may use Public Service Announcements or obtain commercial sponsors for announcements, infomercials, or programs explaining the EAS to the public to increase awareness of the EAS. 172 Our rules state that “[s]uch announcements and programs may not be a part of alerts or tests, and may not simulate or attempt to copy alert tones or codes.” 173 Since that time, we have granted requests for waiver to use the emergency alerting Attention Signal in PSAs to entities other than EAS Participants in order to raise public awareness about EAS. 174 The Commission has also granted similar requests from FEMA to use the emergency alerting Attention Signal in WEA PSAs provided that the PSA presents the tones in a non-misleading manner. 175 In light of the value of the success of these PSAs, in the WEA Fourth NPRM, we proposed to allow the use of the WEA Attention Signal in WEA PSAs, subject to the same limitation. 176 b. Discussion 66. Consistent with our approach to the use of the emergency alerting attention signal in PSAs in the WEA Fourth NPRM, we propose to amend Section 11.46, which currently prohibits the use of the EAS alert tones or codes in otherwise permitted PSAs, to allow federal, state and local government entities to issue PSAs that use the EAS header codes and Attention Signal, provided that they are presented in a non-misleading and technically harmless manner. In so doing, we allow entities other than EAS Participants to conduct EAS PSAs, and allow such PSAs to be used in connection with testing exercises that may include use of live event codes and the emergency alerting Attention Signal. We seek comment on these proposals. We seek comment on whether limiting the use of PSAs to EAS Participants and federal, state, and local government entities offer an optimal balance between ensuring that the emergency alerting Attention Signal is not over-used, on the one hand, and ensuring that the public is familiar with the EAS and understands its public benefits on the other hand? We seek comment on whether this is the appropriate subset of entities who should be able to use the emergency alerting Attention Signal in PSAs. 172 EAS Deployment Order, 10 FCC Rcd at 1838 ¶ 146. 173 47 C.F.R. § 11.46. 174 See, e.g., Letter from Lillian McDonald, Managing Director, ECHO, to David Simpson, Chief, Public Safety and Homeland Security Bureau, FCC (Aug. 20, 2015); Request for Waiver of Sections 10.520, 11.45 and 11.46 of the Commission’s Rules to Allow Broadcast of Public Service Announcements Produced by Emergency, Community, Health and Outreach to Educate the Public on the Wireless Emergency Alert System and the Emergency Alert System, PS Docket Nos. 07-287, 15-94, Order, 30 FCC Rcd 10182 (2015). 175 SeeWaiver of Section 11.45 of the Commission’s Rules To Allow Broadcast of Public Service Announcements Produced by the Federal Emergency Management Agency to Educate the Public on the Wireless Emergency Alert System, PS Docket No. 07-287, Order, 28 FCC Rcd 8176 (2013) (2013 FEMA WEA PSA Waiver); see also Waiver of Section 11.45 of the Commission’s Rules to Allow Broadcast of Public Service Announcements Produced by the Federal Emergency Management Agency to Educate the Public on the Wireless Emergency Alert System, PS Docket No. 07-287, Order, 29 FCC Rcd 5373 (2014) (2014 FEMA WEA PSA Waiver). 176 WEA NPRM, at 35 ¶ 70. Federal Communications Commission FCC 16-5 34 67. How can we ensure that PSAs designed to raise public awareness about EAS do not have the unintended consequence of causing public confusion about whether the use of the EAS header codes and Attention Signal signify that an actual emergency is occurring? 177 We seek comment on whether the Commission should require entities that wish to use PSAs to coordinate with other EAS Participants and state and local authorities and the public to minimize any confusion. As with the use of the EAS header codes and Attention Signal for live code EAS tests, should entities seeking to use the EAS header codes and Attention Signal for EAS PSAs provide notification during the PSA to make sure the public understands that the use of the EAS header codes and Attention Signal does not, in fact, signify the occurrence of an actual emergency? Should entities seeking to use the EAS header codes and Attention Signal for use in EAS PSAs be required to coordinate the test among EAS Participants and with state and local emergency authorities, as well as first responder organizations such as PSAPs, police and fire agencies? 68. We seek comment on whether there is a negative public perception of EAS that deserves to be redressed, and on whether the public has a clear understanding of what EAS is. In its requests for waiver, FEMA stated that “many people are startled or annoyed when hearing the WEA Attention Signal for the first time.” 178 We note that the WEA Attention Signal is a loud, attention-grabbing, two-tone audio signal that uses frequencies and sounds identical to the distinctive and familiar Attention Signal used by the EAS. 179 We seek comment on whether alerts become more annoying when multiple alerts are received at the same time on a variety of platforms. We also note that the Commission has received a number of complaints from individuals stating that the EAS Attention Signal is intrusive, and annoying. 180 Accordingly, we seek comment on the public perception of EAS, and the EAS Attention Signal. To this point, we also seek comment on whether PSAs would be a useful tool for changing public perceptions about EAS for the better by, for example, providing them with information on how EAS saves lives and helps people to protect their property. As a testament to the success of the WEA PSA in this regard, FEMA offers that it has earned over $30 million in free media, and that the WEA PSA is currently the most played FEMA PSA. 181 We seek comment on the success of any EAS PSAs that EAS Participants have issued pursuant to Section 11.46. Further, we seek comment on additional steps that EAS stakeholders could take to improve the efficacy of EAS PSAs at raising public awareness about, and shifting public perceptions of EAS. What effect on public perception would likely result were EAS PSAs allowed to be conducted in connection with EAS tests, including live code tests? 3. Accessible Alerting Exercises a. Background 69. Accessibility is a crucial aspect of alerting exercises because members of communities with disabilities or with limited English proficiency are particularly vulnerable to being excluded from 177 We are mindful that public confusion and alert fatigue may result when EAS alerting is improperly used. We take such potential consequences seriously and seek to avoid such a result here. We are interested in comment on whether that may be avoided with the right coordination, as discussed below. 178 See Letter from Roger L. Stone. Assistant Administrator (Acting) National Continuity Programs, Federal Emergency Management Agency, to David Simpson, Chief, Public Safety and Homeland Security Bureau, FCC (dated Nov. 6, 2015) (FEMA Letter, Nov. 6, 2015). 179 Compare 47 C.F.R. § 10.520(b) with 47 C.F.R. § 11.31(a)(2). 180 See, e.g., Complaint #318670. Excessive and Inaccurate Emergency Alert System Broadcasts, FCC CONSUMER PORTAL (Jun. 2, 2015) (“Not only are these alerts excessive in number and exceedingly annoying, they indicate an actual emergency rather than just a test of the system. This obviously is incorrect since it is a test and no actual emergency exists.”); Complaint #344761, Excessive Emergency Alert System (EAS) Testing, FCC CONSUMER PORTAL (Jun. 19, 2015) (“I have received the following EAS alerts at 1:00am, 1:25am, 2:15am and 2:27am. It is my understanding that EAS test are done each month. I feel that this has been excessive, boarding [] on harassment.”). 181 See FEMA Letter, Nov. 6, 2015 at 1. Federal Communications Commission FCC 16-5 35 community preparedness initiatives. 182 Accordingly, in order to substitute for an RMT, a live code test must “comply with the visual message requirements in Section 11.51,” and in order to substitute for an RWT, it must comply with both the aural and visual requirements contained therein. 183 Recently, the Bureau granted a request from Emergency and Community Health Outreach (ECHO), in partnership with Twin Cities Public Television (tpt) and FEMA, for a waiver of our rules to allow use of the WEA and EAS attention signal, as well as an audible portion of the EAS tones in PSAs, in conjunction with providing EAS PSAs in languages other than English, including Spanish, Hmong and Somali. 184 The Bureau reasoned that including the EAS Attention Signal in educational media materials is essential to ensure that members of the public, including individuals with limited English proficiency, are familiar with EAS as an alert and warning methods. 185 b. Discussion 70. We seek comment on how to best ensure that community-based alerting exercises address the accessibility needs of individuals with limited English proficiency and individuals with disabilities. Specifically, we seek comment on the extent to which live code testing may be used by local emergency managers to target the particular needs of communities with accessibility needs, such as individuals with sensory disabilities and individuals with limited English proficiency, and on how to better prepare such communities for emergencies through PSAs. 71. Accessible Live Code Testing. Is an accessible video crawl or full-screen replacement slide sufficient to overcome the public’s preconception of the meaning of the Attention Signal? Are there additional steps that we should take to ensure that the public is not misled or confused by state use of live codes for testing purposes? For example, might persons with cognitive or intellectual disabilities benefit from color-coding a border around different categories of warning, such as weather, terrorism, or earthquake? 186 What technical and operational issues might be implicated by such an approach? We observe that many entities requesting waiver of our Part 11 rules in order to conduct a live code test do so because of their concern that a “test” code might not be relayed through law enforcement communication, thus weakening the designation of a “statewide exercise.” 187 In this way, does live code testing facilitate the transmission of EAS tests over a larger variety of media, and therefore improve their accessibility? 72. Further, we observe that live code testing often does not occur in a vacuum, and is requested to supplement larger efforts to raise public awareness of emergency response resources, such as 182 See FEMA, IS-0368 INCLUDING PEOPLE WITH DISABILITIES AND OTHERS WITH ACCESS AND FUNCTIONAL NEEDS IN DISASTER OPERATIONS, COURSE SUMMARY, https://emilms.fema.gov/IS0368/DIS01summary.htm (last visited Nov. 9 2015). 183 47 C.F.R. § 11.61(a)(4). 184 See Request for Waiver of Sections 10.520, 11.45 and 11.46 of the Commission’s Rules to Allow Broadcast of Public Service Announcements Produced by Emergency, Community, Health and Outreach to Educate the Public on the Wireless Emergency Alert System and the Emergency Alert System, PS Docket Nos. 07-287, 15-94, Order, 30 FCC Rcd 10182 (2015). 185 Id. at paras. 10-11. 186 See, e.g., NATIONAL ALLIANCE FOR PUBLIC SAFETY GIS FOUNDATION, ET AL., OVERVIEW DOCUMENT: INCIDENT SYMBOLOGY – PHASE 3 (2015), available at http://www.napsgfoundation.org/wp- content/uploads/2015/01/NAPSG_Symbology_OverviewDoc_Final_20150128_v2.3.pdf (last visited October 30, 2015) (outlining some possible symbols and icons to enhance accessibility to emergency alerts). This could be an issue for further exploration by the Disability Advisory Committee’s subcommittee on emergency communications. 187 See, e.g., Letter from Mark Gordon, President and CEO, Missouri Broadcasters Association, to James W. Wiley, III, Legal Advisor, Public Safety & Homeland Security Bureau, FCC (Oct. 26, 2015). The Commission has filed this document into the record of this proceeding to facilitate commenter access to all documents that have informed our proposals in this NPRM. Federal Communications Commission FCC 16-5 36 during a “Severe Weather Preparedness Week.” 188 Does live code testing promote and facilitate such community engagement? Do such events provide opportunities for those that might not normally be able to access the emergency alerting attention signal to create community response mechanisms that ensure that some community members, such as those who do not speak English or those with disabilities, are not left behind during an emergency? What role should community stakeholders, including those who deliver alerts as well as those who benefit from the receipt of alerts, play in the design, execution, and subsequent evaluation of live code tests and subsequent alerts? How can the Commission work with public safety officials, SECCs, EAS Participants and other stakeholders to facilitate the inclusion of the entire community, including non-English speakers and those with disabilities, in such planning, execution and evaluation? Would the Commission’s proposed testing rules provide transparency and allow collection of best practices results that would enhance this facilitation role? How should broadcasters and other EAS Participants, as well as PSAPs and emergency managers that coordinate live code tests, be equipped with the tools necessary to serve multilingual communities and communities of individuals with disabilities? Could tests be designed to allow broadcasters and other EAS Participants to share resources during an emergency, such as non-English speaking personnel and air time, to ensure that non-English speakers maintain access to EAS and emergency information? 73. How, if at all, should the Commission conduct outreach and gather feedback on the ability of public safety officials, SECCs, EAS Participants and other stakeholders to plan and execute community tests and exercises to reach populations with limited English proficiency and individuals with disabilities? How should the Commission evaluate the results? What steps, if any, should the Commission take in response to any such information it may collect? For example, should the Bureau conduct outreach to EAS Participants and other stakeholders in particular regions that have non-English speaking communities to gather information about best practices for ensuring alerts reach non-English speaking communities? What accountability measures should be instituted or encouraged if the tests fail to reach citizens due to their lack of English proficiency or disability? 74. Accessible PSAs. We seek comment on whether EAS PSAs in languages other than English are particularly effective at informing individuals who would otherwise not be able to understand the contents of an English-language EAS message about how to respond should they hear the common alerting Attention Signal. We note that notwithstanding the ubiquity of the EAS and its familiar audible signal, the tpt/ECHO waiver request indicates that at least one population, i.e., recently arrived individuals with limited English proficiency, was not familiar with the EAS Attention Signal, and needed the PSAs to become familiar with these sounds and their meaning. 189 Are there other groups or individuals for which EAS PSAs would provide this value? Would it be helpful if EAS PSAs were made available in American Sign Language (ASL) in order to better meet the needs of certain individuals with hearing loss? To what extent can PSAs transmitted over the Internet, including via OTT services, offer enhanced utility and accessibility to the public, as well as to individuals with disabilities? C. Leveraging Technological Advancements in Alerting 75. In this section, we seek comment on the extent to which the communications infrastructure underlying the nation’s alerting capability should be – and already is – taking steps to leverage technological advancements to improve the content, accessibility and security of emergency alerts. In addressing these issues, we intend to initiate a dialogue about creating a voluntary industry 188 See, e.g., Letter from Monte Loos, Chairman, SECC for South Dakota, to Tom Beers, Chief, Public Safety and Homeland Security Bureau, FCC (Dec. 17, 2014). 189 See Letter from Lillian McDonald, Managing Director, ECHO, to David Simpson, Chief, Public Safety and Homeland Security Bureau, FCC (Aug. 20, 2015). Federal Communications Commission FCC 16-5 37 roadmap for further enhancing the capability of the nation’s alerting infrastructure to carry a Presidential Alert in a manner consistent with consumer expectations of IP-based communications technologies. 190 1. Cable Force Tuning and Selective Override a. Background 76. The EAS “force tuning” provisions allow wireless and digital cable service providers and wireline video service providers to satisfy the general requirement that they transmit EAS audio and visual information over all channels by automatically tuning the subscribers’ set top boxes (STB) to a designated channel (usually an otherwise empty control channel) that carries the required audio and video EAS message. 191 The Commission’s “selective override” provisions allow cable service providers to elect not to deliver EAS audio and visual information over channels that are carrying news or weather related emergency information with state and local EAS message. 192 Such elections are made pursuant to a written agreement between the cable service provider and broadcaster. 193 Use of selective override by the cable service provider is voluntary. 77. The Commission has received requests that it reexamine the selective override policy. 194 Most recently, for example, the NAB requested that the Commission “permit local television stations to opt out of cable system-wide overrides, provided such stations participate in the EAS system.” 195 NAB contends that cable overrides “disrupt viewers’ access to the critical, often life-saving emergency information provided by local television broadcasters, including shelter-in-place or evacuation directions, storm pathways, and the status of power outages . . . [and] frequently cause confusion and distress among viewers.” 196 NAB proposes that cable operators be required to “implement ‘selective override,’ so that certain [broadcast] channels can be selectively omitted during a cable system’s EAS interruption,” thus 190 Apart from the proposals set forth in this Notice, other initiatives to facilitate this dialogue could include reference to an advisory committee for further consideration or a workshop on the issue conducted by PSHSB. 191 See 47 C.F.R. § 11.51(g)(5), (h)(5). Analog and digital cable systems serving 5,000 subscribers or more per headend, and wireline video systems and wireless cable systems serving 5,000 subscribers or more, are generally required to transmit the EAS audio message and visual information on all programmed channels. See 47 C.F.R. § 11.51(h). Analog and digital cable systems serving fewer than 5,000 subscribers per headend, and wireline video systems and wireless cable systems serving fewer than 5,000 subscribers, may transmit the EAS audio message and visual information on all programmed channels or may elect to transmit such information on at least one designated channel, provided that they employ video interrupt and an audio alert message on all channels to notify subscribers which designated channel contains the alert information. See 47 C.F.R. § 11.51(g). 192 See 47 C.F.R. § 11.51(g)(4), (h)(4). 193 Id. 194 See, e.g., Reply Comments of Hearst Television Inc., EB Docket No. 04-96, at 1 n. 1 (filed Nov. 19, 2013); Joint Reply Comments of the Named State Broadcasters Associations, EB Docket No. 04-96, at 4 (filed Nov. 19, 2013); Comments of the Ohio Association of Broadcasters, North Carolina Association of Broadcasters, and Virginia Association of Broadcasters, EB Docket No. 04-96, at 2 (filed Nov. 19, 2013); Comments of the National Association Of Broadcasters, EB Docket No. 04-96, at 10-13 (filed Nov. 4, 2013). The cable industry, through its primary trade association, the National Cable & Telecommunications Association (NCTA), routinely responds to these requests by asserting that it is unnecessary to change the Commission’s selective override policy. See, e.g., Reply Comments of the National Cable & Telecommunications Association, EB Docket No. 04-96, at 6-7 (filed Nov. 19, 2013); Reply Comments of the National Cable & Telecommunications Association, EB Docket No. 04-96, at 5-7 (filed Jun. 14, 2010). 195 The National Association of Broadcasters, Comments, EB Docket No. 04-296, at ii (filed on Aug. 14, 2014) (NAB Aug. 14, 2014, Comments). See also The National Association of Broadcasters, Reply Comments, EB Docket No. 04-296, at 4, n.9 (filed on Aug. 29, 2014). 196 NAB Aug. 14, 2014, Comments at 9. Federal Communications Commission FCC 16-5 38 providing local broadcast television stations with the ability to opt out of the cable system’s universal forced-tuning of all cable channels, enabling the station to offer uninterrupted emergency information. 197 78. The Commission is also aware of reported instances where force tuning STBs has caused the subscriber’s picture and audio to freeze, sometimes requiring a reboot of the STBs to restore normal access to channels. Viewers have claimed that during the period when the force tuned alert was active, they were unable to change channels and were stuck on the force-tuned EAS channel for extended periods of time. 198 For example, on March 30, 2015, an in-house test conducted by a cable service provider was inadvertently distributed beyond the cable provider’s test environment equipment to cable subscribers across several states, force-tuning most, if not all of them to a control channel where they were denied access to programming for approximately ten minutes. 199 Commission staff has learned that over two million STBs likely were affected in that one example alone. b. Discussion 79. We seek comment on the propriety of our selective override and forced tuning rules in an evolving alerting landscape. Specifically, we seek comment on whether the Commission’s existing cable force tuning and selective override provisions continue to serve the public interest, and whether technological advancements should impact that analysis. We seek comment on the extent to which alerting functions incorporate (or are being modified to incorporate) advanced technology, in order to improve functionality and better support the conveyance of emergency information. Finally, we seek comment on technical issues that may suggest that forced tuning has an unacceptably negative impact on consumers viewing force tuned broadcast and cable channels. 80. Impact of Technological Advancements. In light of technological advancements or other factors that may impact cable operators’ capacity to implement selective override, should selective override remain an acceptable voluntary EAS alternative for cable systems, or should all cable system providers refrain from interrupting local broadcast programming where the broadcast provider is participating in the EAS system and thus transmitting state and local EAS alerts? Alternatively, are there reasons why smaller cable systems (e.g., those serving fewer than 5,000 subscribers), would need the selective override option, in contrast to the larger systems, and would a regime that maintained the option for smaller cable systems only – while larger systems uniformly delivered broadcast-originated state and local EAS alerts, news or weather-related emergency information – make sense? If smaller cable providers need this exception, should it be permanent? If not, for how much time should smaller cable systems fit into an excepted category? 81. Have technological advancements enabled cable operators’ ability to selectively override broadcast signals? For example, cable services now benefit from the introduction of digital technologies, 197 See id. at 9-10. NAB observed that such approach “would provide local broadcast television stations with the ability to opt out of the cable system’s universal forced-tuning of all cable channels.” Id. at 10. See also Letter from Richard R. Zaragoza, Counsel to the Named State Broadcasters Associations, EB Docket No. 04-296, at 4 (filed Sept. 8, 2014) (“[T]he Commission should grant all television stations the right of ‘selective override,’ thereby allowing such stations to opt out of a cable system’s EAS override.”). 198 See, e.g., EAS Freezes my Ability to Change Channels (Comcast), Broadband DSL Reports.com (Jan. 5, 2009, 9:26 AM), http://www.dslreports.com/forum/r21687226-EAS-freezes-my-ability-to-change-channels-Comcast (containing consumer complains about EAS alerts force tuning STBs and causing a system lock out); Amber Alert Freeze Up?!?!?, Tivo Community Forum (Oct. 18, 2006, 11:43AM), http://www.tivocommunity.com/tivo- vb/showthread.php?t=322560 (STBs freezing when force tuned for an amber alert). The Commission is also in receipt of multiple informal complaints from consumers claiming they were unable to change channels after being force tuned due to an EAS alert. 199 Commission staff has coordinated with the cable service provider and has been assured that measures have been taken to address the system error that resulted in distribution of the test alert, in order to prevent similar instances in the future. Federal Communications Commission FCC 16-5 39 including “smart” STBs. How do these and related technologies affect the use of selective override? Have STB and headend technologies advanced to the point where selective override on a channel-by- channel basis can be readily programmed into cable equipment, without imposing undue burdens on cable providers? Is it reasonable to assume that all content delivered by STB shall be interruptible, such that EAS warnings could be delivered in banner form or otherwise for all content (without directing the subscriber to another channel through force tuning or by other means)? Have technological advances in EAS equipment made it easier and more affordable to engage in selective override? We note in this regard that some parties maintain that force tuning via the STB is not the only way that MVPD EAS Participants can display EAS information. 200 82. Does the widespread and growing availability of programming distributed by IP-based networks, including STBs and “smart” TVs capable of “on-screen” graphical user interface (GUI) user input, suggest that greater user control with respect to EAS acknowledgement and/or feedback should be supported or encouraged? Do our current cable force tuning and selective override requirements affect emergency operators’ ability to leverage these technological advancements to rapidly and efficiently obtain feedback from consumers, in response to EAS messages? What regulatory obstacles exist that might unnecessarily impede greater consumer interaction with received alerting messages? Would facilitating this interaction introduce the capability for crowdsourced citizen feedback during emergencies and disasters that would improve community, state and national response? What possible consequences or potential for abuse, if any, would need to be addressed in harnessing this capability? 83. Delivery of EAS Messages through Different Platforms. Looking only at the content of the EAS messages transmitted through the EAS system, are there or can there be any differences between the EAS messages that consumers see when viewing the alert on their local broadcast channel as compared to the EAS alert transmitted by a cable system provider? Are those EAS messages always identical in a given geographic area regardless of whether it is transmitted over the air or through a cable provider’s system? Should they be identical? Specifically, has the implementation of Common Alert Protocol (CAP)-based alerting made it more likely that cable providers can relay more detailed EAS alert information (e.g., based upon the enhanced text in a CAP message) than what has been possible in the past or via the traditional broadcast-based EAS architecture? 201 If so, have cable providers been originating EAS messages that have a greater emergency response value when using the force tuning option? Is there a significant difference in the accessibility of alerts offered by broadcasters and cable providers? To what extent, if at all, do cable franchise agreement provisions govern whether cable operators may participate in selective override where local broadcast providers are delivering state and local EAS alerts, news or weather-related emergency information? How should any differences in the 200 See Letter from Angie Kronenberg, Chief Advocate & General Counsel, INCOMPAS, to Marlene H. Dortch, Secretary, FCC, MB Docket No. 15-64, at 2 (filed Dec. 14, 2015) (demonstrating a technological solution using off- the-shelf equipment and open standards capable of allowing consumers full access to MVPD programming, including emergency alerts). 201 EAS Participants have, since June 2012, been required to be capable of receiving and processing CAP-formatted alert messages. See 47 C.F.R. § 11.56. CAP is an open, interoperable standard developed by the Organization for the Advancement of Structured Information Standards (OASIS), and incorporates a language developed and widely used for web documents. See Review of the Emergency Alert System; Independent Spanish Broadcasters Association, The Office of Communication of the United Church of Christ, Inc., and the Minority Media and Telecommunications Council, Petition for Immediate Relief, ET Docket No. 04-296, Fifth Report and Order, 27 FCC Rcd 642, 648-49 paras. 10-11 (2012). CAP-formatted alerts can include audio, video or data files; images; multilingual translations of alerts; and links providing more detailed information than what is contained in the initial alert (such as streaming audio or video). See id. However, any data contained in a CAP-formatted message beyond the EAS codes and audio message (if present), such as enhanced text or video files, can be utilized locally by the EAS Participant that receives it, but cannot be converted into the EAS Protocol and thus cannot be distributed via the daisy chain process. See, e.g., 47 C.F.R. § 11.51(d), (g)(3), (h)(3), (j)(2). Federal Communications Commission FCC 16-5 40 actual EAS messages impact our analysis of the force tuning and selective override issues? Does the variation stemming from selective override complicate response from community emergency managers? 84. Technical Issues. Can STB technology advancements significantly reduce the risk that force tuning will cause the picture and/or audio to freeze, or lock out consumers from changing back to the channels they were watching? Are there any changes to the manner in which force tuning is implemented that could ensure that subscribers are not locked on the designated EAS channel? More broadly, are there steps or precautions cable service providers could take to prevent such events in the future? In light of technological advancements, does any public interest benefit remain by allowing cable service providers to satisfy their requirements to transmit EAS audio and visual information by force tuning? If not, would the immediate (“flash cut”) elimination of the force tuning option create any avoidable or unnecessary hardships, and, if so, would a sunset period for force tuning provide any relief? 2. EAS on Programmed Channels a. Background 85. As discussed above, the Part 11 EAS rules allow wireless and digital cable provider EAS Participants to comply with their obligations to deliver EAS messages by force tuning viewers to a channel that carries the alert or test. The rules limit the obligation of a cable EAS Participant to deliver EAS to “programmed channels,” which, under the current rules do not include “channels used for the transmission of data such as interactive games,” 202 “channels used for the transmission of data services such as Internet,” 203 or “channels used for the transmission of data services such as Internet access.” 204 b. Discussion 86. We initially seek comment on what basis exists today, when technical advances have expanded the scope of programming and other services delivered by cable and other MVPD EAS Participants, to distinguish channels as “programmed channels” for purposes of receiving EAS messages. 205 Is there a technical basis to continuing the distinction among channels? If so, is there some other basis that would be more suitable for making this distinction? For example, should the distinction be based on channels that are made available for consumer use versus channels not for consumer use and/or not part of the services that EAS Participants offer their customers? Channels not for consumer use would include diagnostic channels used to monitor the health and quality of the system, those used to transfer and manipulate metadata necessary to create the user interface (e.g., the program guide), or those used to deliver broadband access. Would it serve the public interest to require EAS Participants to support EAS alerts on all channels over which they offer services to the consumer? Is there a reason to exempt any such channels from our EAS rules? 87. We also seek comment on the public safety benefits that could be derived from requiring that EAS Participants support EAS alerts over all channels that are part of the service package offered to the consumer. To what extent would requiring support for EAS alerts on all such channels increase the likelihood that the public will receive potentially life-saving alerts? To what extent might such channels offer opportunities to improve alert quality or accessibility? Further, what additional costs, if any, would EAS Participants expect to result from requiring EAS alerts to be supported on all channels that are part of the service package offered to the consumer by the EAS Participant? Would this approach fully address National Security and community alerting needs in the evolved technology landscape for typical 202 47 C.F.R § 11.11, Table 2, n.3. 203 47 C.F.R § 11.11, Table 3, n.4 204 47 C.F.R § 11.11, Table 2, n.3, Table 3, n.4, Table 4, n.4 205 Our approach to the meaning and use of the term “programmed channel” also does not relate to the meaning of the terms “video programming” or “activated channels” as defined in Section 602 of the Act. See 47 U.S.C. §§ 522(1), (20). Federal Communications Commission FCC 16-5 41 residential consumers? Would this approach require hardware and/or software replacement? What standards, if any, would be affected by these proposed changes? How long should we expect that it would take industry to comply with this alternative approach? 3. EAS Alerting and Emerging Video Technology a. Background 88. The Commission has consistently striven to ensure that, as technologies evolve, EAS continues to meet consumer expectations for basic emergency communications. For example, in preparation for the transition to digital television, Commission staff held a series of ex parte meetings with affected industry segments to ensure that the EAS would continue uninterrupted throughout the HD transition. 206 As a result, when the Commission ultimately adopted the rules that included wireline video providers among EAS Participants, the record reflected almost unanimous support for the new rules. 207 Now, emerging technologies are changing the EAS landscape again. 208 A wealth of video content is now available to consumers online. For instance, Multichannel Video Programming Distributors (MVPDs) are beginning to offer IP-based versions of their programming, including providing consumers with apps to view content. 209 Broadcast television is exploring IP-based offerings as well. 210 A number of other entities are also entering the video space. Accordingly, in this section we seek to initiate a conversation regarding how the EAS may remain durable as the ways in which consumers view content evolves. b. Discussion 89. In order to implement our statutory obligations in a manner consistent with the public interest, we seek to understand whether and how the way in which consumers view content has changed consumer expectations for how they will receive EAS messages. In this regard, we seek to ensure that EAS alerts endure and remain reliable as technology advances. 211 We seek comment on the extent to 206 Review of the Emergency Alert System, Notice of Proposed Rulemaking, 19 FCC Rcd. 15775, 15786 ¶ 29 (2004) (EAS Digital NPRM). 207 See Second Report and Order, 22 FCC Rcd at 13296 ¶ 44. 208 See, e.g., Annual Assessment of the Status of Competition in the Market for the Delivery of Video Programming, MB Docket No. 14-26, Sixteenth Report, 30 FCC Rcd 3253, 3395-3402 ¶¶ 301-12 (2015) (expressing unanimity among commenters, including NAB, that consumers are replacing MVPD services with streaming video services, and only expressing differences in opinion as to the degree, while also citing increases in subscribership for streaming video offerings); Annual Assessment of the Status of Competition in the Market for the Delivery of Video Programming, MB Docket No. 07-269, Fourteenth Report, 27 FCC Rcd 8610, 8669 ¶ 140 (2012) (stating that “[c]onsumers watch delivered video programming that appeals to them even when the programming is not provided by MVPDs. From 2006 to 2010, an increasing number of consumers streamed an increasing amount of video content directly from the Internet to computers, television sets, tablets, and smartphones.”). 209 See Sarah Perez, Cablevision Becomes First Pay TV Provider to Distribute CBS and Showtime Over-the-Top to Broadband Customers, TECHCRUNCH (Aug. 25, 2015), http://techcrunch.com/2015/08/25/cablevision-becomes- first-pay-tv-provider-to-distribute-cbs-and-showtime-over-the-top-to-broadband-customers/ (last visited Aug. 31, 2015) (stating that Cablevision is the first traditional cable provider to offer services like HBO, Showtime and CBS over the top without an accompanying pay subscription). Verizon and Comcast are developing OTT services Go90 and Stream, respectively, which they expect will compete in this space. See id. See, e.g., Emily Steele, Suddenly, Plenty of Options for Cord Cutters, NY TIMES, http://www.nytimes.com/interactive/2015/business/media/streaming- tv-cord-cutting-guide.html (last visited Jan. 26, 2016). 210 For example, the Advanced Television Systems Committee (ATSC) is developing ATSC 3.0, a next-generation broadcast standard. See Rick Chernock, ATSC 3.0, Where We Stand, ATSC.ORG, http://atsc.orgerorg/newsletter/atsc-3-0-where-we-stand/ (last visited Dec. 8, 2015). 211 See, e.g., Accessible Emergency Information, and Apparatus Requirements for Emergency Information and Video Description: Implementation of the Twenty-First Century Communications and Video Accessibility Act of 2010, MB Docket No. 12-107, Second Report and Order and Second Further Notice of Proposed Rulemaking, 30 (continued….) Federal Communications Commission FCC 16-5 42 which entities offering content outside of traditional broadcast or pay TV modes of architecture are making EAS alerts available to consumers. From a technical perspective, what hardware, software, and standards updates would need to be addressed before alerts could be delivered via alternative means, such as via IP-based platforms? Are the potential issues with offering alerts outside traditional broadcast or pay TV delivery mechanisms? What kind of strategies could be employed to standardize the availability of alerts across technologies, applications, and platforms? To what extent are these efforts already underway? 90. We further seek comment on whether consumers have an expectation that alerts will be durable across different technology platforms. Do consumers expect that the alerts provided with programming offered via traditional technologies would still be provided when programming is offered through some other means, such as through an online offering? To the extent that commenters believe the Commission should take action to address consumer expectations with respect to receiving EAS alerts through new technologies, on what statutory basis would the Commission take such action? Commenters should also address any possible unintended consequences of Commission action. 91. We seek comment on whether EAS alerts offered through different technologies may have a greater potential to meet the emergency information needs of the public than do alerts offered via traditional media. What, if any, potential do these services have to improve EAS geo-targeting, for example, by using a devices’ geolocation technology when the consumer is viewing content over the Internet? 212 We seek comment on this assertion. Could alerts via non-traditional platforms offer consumers greater personalization options? For example, could consumers elect to receive alerts for geographic areas other than the location in which their device is located, in order to remain vigilant of prospective threats to loved ones living in other parts of the country? Further, we seek comment on how new technologies could facilitate consumer feedback on, and interaction with alert content. Could the text crawl of such alerts potentially contain clickable URLs and phone numbers directing the recipient to additional resources and information about developing emergency situations? We seek comment on the extent to which the advancements in technology may allow for customer feedback on alerts, such as confirming that an individual is threatened by a certain emergency condition, or enabling that individual to request specific emergency assistance by interacting with an alert. We seek comment on whether these technologies could give rise to a cycle of information sharing consistent with a “many-to-one/one-to- many” alerting dynamic. 213 4. WEA Alerts to Tablets a. Background 92. Section 10.10 of the Commission’s WEA rules defines a “mobile device” as “the subscriber equipment generally offered by CMS providers that supports the distribution of WEA Alert Messages.” 214 Pursuant to Section 10.500, support for the distribution of WEA Alert messages entails “(a) Authentication of interactions with CMS Provider infrastructure; (b) Monitoring for Alert Messages; (c) Maintaining subscriber alert opt-out selections, if any; (d) Maintaining subscriber alert language (Continued from previous page) FCC Rcd 5186, 5191, 5193 ¶¶ 9, 13 n.41 (2015) (requiring MVPDs to pass through the audible version of televised (non-EAS) emergency information for individuals who are blind or visually impaired in accordance with Section 79.2 when they permit consumers to access linear programming (i.e., scheduled programming) on tablets, smartphones, laptops, and similar devices over the MVPD’s network as part of their MVPD services, and describing MVPD mobile offerings). We note that in comments submitted in another Commission proceeding, Public Knowledge stated that, “as a technological matter, it is generally easier for an online service to geographically tailor its service than for a DBS system to do so.” Public Knowledge Reply Comments, MB Docket No. 14-261, at 8. 213 See supra note 134 (defining many-to-one/one-to-many alerting dynamic). 214 47 C.F.R § 10.10(j). Federal Communications Commission FCC 16-5 43 preferences, if any; (e) Extraction of alert content in English or the subscriber's preferred language, if applicable; (f) Presentation of alert content to the device, consistent with subscriber opt-out selections . . . ; and (g) Detection and suppression of presentation of duplicate alerts.” 215 Electing to participate in WEA entails a commitment by the Participating CMS Provider “to support the development and deployment of technology for . . . mobile devices with WEA functionality.” 216 Pursuant to the Commission’s CMS Provider election procedures, Participating CMS Providers must support WEA on at least one device. The Department of Homeland Security’s (DHS) report on WEA penetration strategy states that “[t]he most significant WEA penetration gap over the long term regarding mobile wireless devices is the lack of WEA capability in the tablet computers.” 217 DHS recommends that the Commission should find a way to encourage Participating CMS Providers and tablet computer manufacturers to add WEA capability to their tablet offerings that have wireless cellular data connectivity. 218 b. Discussion 93. We seek comment on whether we should consider tablets that consumers use to access mobile services as “mobile devices” under our Part 10 WEA rules. Do 4G LTE-enabled tablets currently support the distribution of WEA messages? 219 If not, we seek comment on what, if any, standards, software, or hardware modifications would be required to enable 4G-LTE-enabled tablets to support the distribution of WEA messages? Would 4G-LTE tablets be able to receive WEA alerts when they are connected to a Wi-Fi network or other unlicensed spectrum, based on the user’s preference (such as when the user is at home and connected to their own Wi-Fi network), but while the tablet still remains within range of the Participating CMS Providers’ 4G-LTE network? We seek comment on any costs commenters believe would likely be attendant to providing WEA alerts to 4G LTE-enabled tablets. We also seek comments on any benefits likely to result from the delivery of WEA alerts to 4G LTE-enabled tablets. Specifically, we seek comment on whether modernizing alerting platforms in this manner would increase the likelihood that individuals would receive potentially life-saving alerts by requiring that they be transmitted to the devices and services they use most. Are Participating CMS Providers prepared to develop a voluntary roadmap for providing WEA alerts to 4G LTE-enabled tablets? 5. Technological Potential for Improvements in Accessibility 94. We seek comment on the potential of new and emerging technologies to improve alert accessibility. In particular, we seek comment on the state of technology for machine-generated translation (i.e., the use of software to translate text or speech from one language to another), to provide emergency alerts in non-English languages, and whether and how such technology could be leveraged by both the EAS and WEA systems. 220 Are languages such as Spanish, that share a character set with 215 47 C.F.R § 10.500; 47 C.F.R §§ 10.330(a), (b) (requiring Participating CMS Providers to perform “distribution of Alert Messages to mobile devices” and “authentication of interactions with mobile devices”). 216 47 C.F.R § 10.210(a)(2). 217 Daniel Gonzales, Department of Homeland Security, Science and Technology, Wireless Emergency Alerts Mobile Penetration Strategy at 124 (2013) (WEA Mobile Penetration Strategy). 218 See WEA Mobile Penetration Strategy at 129. 219 Rick Wimberly, Is Apple on Board with the National Alerting Program? EMERGENCY MANAGEMENT BLOG (Jun. 15, 2012), http://www.emergencymgmt.com/emergency-blogs/alerts/Apple-On-Board-with-061512.html (“In September 2012, WEA capability was added as part of the software upgrade to iOS 6 for the Apple iPad 2 and iPad”); see also WEA Mobile Penetration Strategy at 124 (stating that Android tablets are not WEA-capable, so far as can be determined). 220 A recent press article notes that technological advancements “have led to the development of sophisticated translation technology with minimal errors and grammatical coherence, which has considerably widened the scope for machine translation,” creating an expanding global market that is expected to reach USD 983.3 million by 2022. http://www.businesswire.com/news/home/20151103005900/en/Research-Markets-Machine-Translation-MT- Market-Analysis (last visited Nov. 10, 2015). Federal Communications Commission FCC 16-5 44 English, more easily machine translatable than languages that use other character sets? How advanced are machine translation technologies for English to ideographic languages, such as Chinese? Could such translators be incorporated into EAS equipment? We also seek comment on the potential utility of platform-based video relay service capabilities to enhance the understanding of alerts and warnings for individuals with hearing and vision disabilities. We seek comment on these questions in order to gain a better understanding of achievable alert accessibility technologies. 95. Further, we seek comment on the ability of OTT alerting to improve EAS alert personalization. Could OTT EAS alerting be leveraged to improve alert accessibility for all Americans, including those with sensory disabilities those with limited English proficiency? For example, could the availability of URLs make it possible for alert content to be presented in languages other than English and in American Sign Language (ASL)? Could consumers personalize alert preferences with respect to text size, crawl speed, and contrast based on their unique needs? Could alerting via OTT services facilitate the use of symbols as accessible replacements or supplements to alert messages? Is it technically feasible and should consumers be given the ability to control the volume of the emergency alerting Attention Signal or audio message, independent of the volume settings in place for other activity on their device, in order to ensure that the alert is audible from anywhere in the home, or at least is appropriate for the user who may be deaf or hard of hearing? Similarly, is it technically feasible and should there be a requirement for any consumer, with or without a disability, to be given the flexibility and capability to control other settings of the alerting signals and audio levels, such as the type and intensity of vibrations and flashing lights, in order to accommodate their individual needs? Alternatively, would it be appropriate to enable users to lower the volume of an EAS alert in certain circumstances? 96. In the WEA NPRM, we seek comment on the feasibility of providing WEA messages in languages other than English and on the extent to which accessibility requirements would improve the presentation of multimedia content in WEA messages. 221 Would extending WEA rules to include tablets and other mobile devices, as defined in the Commission’s Part 10 rules, 222 further enhance the accessibility of alerting to the public and to persons with disabilities? To what extent should WEA messages be subject to Commission accessibility requirements? Would the larger screen of tablet computing devices enable them to provide WEA messages that are more accessible to individuals with visual disabilities? D. Securing the EAS 1. Background 97. As described below, several high-profile and other less widely-known EAS security breaches in recent years have demonstrated that there are significant vulnerabilities in the nation’s EAS infrastructure that must be addressed comprehensively. We are concerned about the severity, frequency and nature of the risks associated with these EAS attacks and the related implications for the readiness of the nation’s critical means of alerting and informing citizens of threats to safety of life and property, consistent with our statutory mission. 223 We start to address those concerns with the proposals in this Notice, including those discussed in this section and upon which we seek comment, which will help to ensure that the nation is better prepared in its ability to alert citizens of such threats, particularly to support the need of the President to communicate with the public during times of emergency and the need to ensure the system is reliable and secure in advance, in order to preserve that capability. 221 WEA NPRM, at 18-20 ¶¶ 31-33. 222 See 47 C.F.R. § 10.10 (defining a “mobile device” as “[t]he subscriber equipment generally offered by CMS providers that supports the distribution of WEA Alert Messages”). 223 See supra paras. 97-101 . Federal Communications Commission FCC 16-5 45 a. Recent EAS Security Incidents 98. February 11, 2013 Incident. On February 11, 2013, unidentified hackers accessed EAS equipment at several TV stations to perpetrate a “zombie attack” hoax. The false alerts affected television stations KRTV in Great Falls, Montana, WBUP and WNMU in the vicinity of Marquette, Michigan, and other stations in Michigan, Utah, New Mexico and California. 224 The stations were vulnerable to this particular attack because they failed to change manufacturer default passwords on their EAS equipment, install firewalls, or take other appropriate security measures, which left the equipment easily accessible from the Internet. 225 99. October 24, 2014 Incident. On October 24, 2014, station WSIX-FM in Nashville, Tennessee aired a false emergency alert during the broadcast of the nationally-syndicated “The Bobby Bones Show.” 226 Bobby Bones, the show’s host, ran an audio clip from a November 9, 2011 nationwide EAS test that contained the live EAN code reserved for Presidential EAS activations. Mr. Bones’ apparent intent was to mock a local cable company’s airing of a mandatory monthly EAS test during the second game of the 2014 World Series. 227 The “gag,” however, had serious consequences: the clip was replayed by other radio stations, as well as cable TV and wireline video television systems in 32 states and the District of Columbia. Indeed, for approximately two hours, more than half a million television subscribers found their set top boxes locked on a false EAS message stating that regular programming had been interrupted by order of the White House. 228 Had an appropriate authentication mechanism or date validation EAS protocol been established and installed on equipment that received the false alert, this incident likely would have been prevented. 100. Other Incidents. While the incidents described above are perhaps the most widely known EAS security breaches in the recent past, they are not isolated. Other, less notorious system breaches 224 Hereinafter, “Zombie Attack Hoax.” SeeMichael Beall, Police Say Mont. TV Zombie Attacks Likely Linked to Others, USA TODAY (Feb. 13, 2013, 10:49 AM, EST), http://www.usatoday.com/story/news/nation/2013/02/13/police-believe-zombie-hoax-attacks-linked/1915921 (last visited Oct. 21, 2015). 225 See David Moye, KRTV’s Emergency Alert System Hacked to Warn of Fake Zombie Apocalypse, HUFFINGTON POST (Feb. 11, 2013, 8:32 PM EST), http://www.huffingtonpost.com/2013/02/11/krtv-fake-zombie- alert_n_2665469.html (last visited Oct. 21, 2015); Zombie Warning Shown on Michigan TV Stations after Emergency Alert Systems Hacked (VIDEO), HUFFINGTON POST (Feb. 12, 2013, 3:58 PM, EST), http://www.huffingtonpost.com/2013/02/12/zombie-warning-michigan-tv-alert-video_n_2671044.html (last visited Oct. 21, 2015). The false message warned that dead bodies were rising from their graves and that citizens should not try to apprehend them. 226 Hereinafter, “Bobby Bones Show Incident.” See Jon Brodkin, “Multi-state Cascade” of False Emergency Alerts Nets $1 Million Fine, ARSTECHNICA (May 19, 2015, 5:38 PM, EDT), http://arstechnica.com/business/2015/05/multi-state-cascade-of-false-emergency-alerts-nets-1-million-fine/ (last visited Oct. 21, 2015). 227 See News Release, FCC Fines iHeart Communications $1 Million for Transmitting Fake Emergency Alerts during “The Bobby Bones Show” (EB rel. May 19, 2015), available at https://apps.fcc.gov/edocs_public/attachmatch/DOC-333516A1.pdf (last visited Oct. 21, 2015). 228 See Jennifer Waits, FCC Fines iHeart $1 Million for Airing Fake Emergency Alert Tone during Bobby Bones Show, RADIO SURVIVOR (May 19, 2015), available at http://www.radiosurvivor.com/2015/05/19/fcc-fines-iheart-1- million-for-airing-fake-emergency-alert-tone-during-bobby-bones-show/ (last visited Oct. 21, 2015); Ted Johnson, FCC Fines iHeartRadio $1 Million for Improper Emergency Alerts, VARIETY (May 19, 2015, 11:03 AM, PT), available at http://variety.com/2015/biz/news/fcc-fines-iheartradio-1-million-for-improper-emergency-alerts- 1201500717/ (last visited Oct. 21, 2015); Jon Brodkin,“Multi-state Cascade” of False Emergency Alerts Nets $1 Million Fine, ARSTECHNICA (May 19, 2015, 5:38 PM, EDT), available at http://arstechnica.com/business/2015/05/multi-state-cascade-of-false-emergency-alerts-nets-1-million-fine/ (last visited Oct. 21, 2015). Federal Communications Commission FCC 16-5 46 have occurred that also generate cause for serious concern. One fairly common scenario in this regard involves inadvertent activation/improper test alerts. For example, in December 2010, an unauthorized EAN alert was issued by WBLE, a radio station operating in northwest Mississippi. 229 According to WBLE, a part-time engineer attempting to issue a required monthly EAS test accidentally pressed the wrong button and issued an EAN alert instead. This error, according to AT&T, affected approximately 17,000 U-verse subscribers in their Memphis Video Hub Office (VHO). The impact was similar to that of the Bobby Bones Show Incident in that subscribers’ set top boxes were force tuned to the designated EAS alert channel and remained locked on that channel for approximately four-and-a-half hours. 230 Proper originator authentication included in the EAS protocol would have prevented the incident. 101. Additionally, on June 26, 2007, a government contractor installing satellite equipment in Springfield, Illinois triggered an accidental EAN activation when he incorrectly left the receiver connected to a state EAS transmitter before final testing of that delivery path had been completed. 231 The false EAS alert repeatedly interrupted programming for three or four minutes at a time and, in Chicago, triggered channel switchovers to a single area broadcaster, WGN. 232 Proper originator authentication included in the EAS protocol would have prevented the incident. 102. Improper retransmission of dated EAS alerts, similar to the Bobby Bones Show incident, are also somewhat common. On February 12, 2013, for example, WIZM-FM in La Crosse, Wisconsin inadvertently triggered an EAS warning on neighboring station WKBT-DT by playing a recording of the Zombie Attack Hoax incident during its morning show. 233 Another inadvertent retransmission occurred in a September 2010 advertisement for ARCO/BP aired by stations in several states including Oregon and Kansas. 234 The advertisement included the EAS attention signal and header codes from an EAS RWT that triggered EAS devices in multiple stations nationwide. The inclusion of originator authentication or date validation in the EAS protocol would have prevented the incident. 103. Collectively, the incidents described above reveal an unacceptably high risk of unauthorized EAS signal broadcasts and insufficient real-time Commission awareness of, and visibility into the possible negative impacts of unauthorized alerts. 235 In combination, they point to troubling 229 Hereinafter, “December ‘10 Unauthorized EAN.” 230 See AT&T Comments, PS Docket No. 14-200, at 1-2. 231 Phil Rosenthal, If This Had Been an Actual Emergency Goof Sends Presidential Alert Code Over the Air, Hijacking Illinois Radio and TV Transmission, CHICAGO TRIBUNE (Jun. 27, 2007), available at http://articles.chicagotribune.com/2007-06-27/news/0706260865_1_emergency-alert-system-false-alarm-sirens (last visited Mar. 6, 2015); see also Emergency Alert System Activated by Mistake (EAS Fail), YOUTUBE (Sept. 20, 2009), available at https://www.youtube.com/watch?v=2F5a2qd0J3s (last visited Mar. 6, 2015). Hereinafter, “Springfield, Illinois Incident.” 232 See Phil Rosenthal, If This Had Been an Actual Emergency Goof Sends Presidential Alert Code Over the Air, Hijacking Illinois Radio and TV Transmission, CHICAGO TRIBUNE (June 27, 2007), available at http://articles.chicagotribune.com/2007-06-27/news/0706260865_1_emergency-alert-system-false-alarm-sirens (last visited Mar. 6, 2015). 233 See WKBT News 8 Determines Cause of Strange Message about Zombies, NEWS8000 (Feb. 12, 2013, 12:24 PM, CST), available at http://www.news8000.com/news/WKBT-News-8-determines-cause-of-strange-message-about- zombies/18513890 (last visited Oct. 13, 2015). 234 See Arco Oil Radio Ads Include False EAS Header, RADIOMAGONLINE (Sept. 8, 2010), available at http://www.radiomagonline.com/industry/0003/arco-oil-radio-ads-include-false-eas-header/32508 (last visited Oct. 13, 2015). Hereinafter, “ARCO/BP Advertisement Incident.” 235 For example, see Meg James, FCC Fines Viacom, ESPN $1.4 Million for Emergency Alert Misuse, LA TIMES (Jan. 20, 2015), available at http://www.latimes.com/entertainment/envelope/cotown/la-et-ct-fcc-fines-espn-viacom- for-emergency-alert-misuse-20150120-story.html (last visited Oct. 13, 2015).For another example, see Chris Welch, FCC Fines TBS $25,000 for Simulating Emergency Alert Tones in 'Conan' Ad, THE VERGE (Nov. 6, 2013), available (continued….) Federal Communications Commission FCC 16-5 47 security vulnerabilities associated with the nation's EAS. Unless appropriate actions are taken to enhance the broadcast network security environment through which the nation’s EAS operates, these risks, vulnerabilities, and resulting problems are likely to persist, and indeed grow. That potential is likely to be exacerbated by the Nation’s ongoing national transition to CAP alerts because of the increasing reach and number of originators capable of transmitting alerts. b. Earlier Commission-Related Efforts 104. Until now, the Commission has sought to ensure EAS security by encouraging EAS Participants to voluntarily adopt EAS security best practices. These efforts, however, have not always borne the intended fruits of a highly secure, highly reliable and unquestionably credible system. Indeed, the record tends to suggest a certain level of complacency by at least some EAS Participants with respect to system security. A brief discussion of that history illustrates the shortcomings of the voluntary approach and further highlights the need for the new approach we explore below. 105. Best Practices – CSRIC IV. On June 18, 2014, CSRIC IV unanimously adopted a set of voluntary best practices to be recommended to the EAS Participant community for the improvement of EAS security. 236 Shortly thereafter, on November 7, 2014, the Bureau sought comment on CSRIC IV’s recommendations. 237 Surprisingly, the Commission received no substantive comments from EAS Participants, which raises questions regarding the extent to which EAS Participants are taking appropriate measures to manage security risk and ensure system performance at the levels necessary to achieve national public safety goals. 106. Also on November 7, 2014, the Bureau released a Public Notice announcing an inquiry into the impact of false EAS alerts on the security, reliability and integrity of EAS. 238 As part of this inquiry, the Bureau held meetings with EAS Participants, FEMA, equipment manufacturers and other EAS stakeholders. The record developed through these activities suggests that the EAS’ present authentication methodology warrants further examination in terms of its adequacy, systemic security, and reliability. 239 107. Bobby Bones Show Incident and Other Assessments. As discussed above, Commission staff studied the Bobby Bones Show Incident, a separate “zombie attack” hoax and other similar incidents to identify causes and issues associated with EAS security. All of these incidents involved a lack of built- in EAS user authentication and validation procedures, as well as weak implementation of other readily employable security best practices that would have prevented such unauthorized actors from entering and misusing the system. (Continued from previous page) at http://www.theverge.com/2013/11/6/5072954/fcc-fines-tbs-25000-for-simulating-emergency-alert-in-conan-ad; For another example, see Turner Broadcast System, Inc., Notice of Apparent Liability for Forfeiture, 28 FCC Rcd 15455, 15458 (EB 2013). 236 See CSRIC IV Initial EAS Security Report at 10-18. 237 See Public Safety and Homeland Security Bureau Requests Comment on Implementation of Emergency Alert System Security Best Practices, Public Notice, 29 FCC Rcd 13737 (Nov. 7, 2014) (EAS Best Practices PN). 238 See Public Safety and Homeland Security Bureau Issues Advisory to EAS Participants to Check Equipment for Possible queuing of Unauthorized EAS Message for Future Transmission; Requests Comment on Impact of Unauthorized EAS Alerts and Announces Inquiry into the Circumstances of Retransmission off Unauthorized EAS Message in Several States, PS Docket No. 14-200, Public Notice, 29 FCC Rcd 13723 (rel. Nov. 7, 2014) (Unauthorized Presidential EAS PN). 239 For example, EAS protocol header codes fail to include complete time stamp parameters (no year), a factor that increases EAS security risk. Federal Communications Commission FCC 16-5 48 2. Improving EAS Network Security 108. Unauthorized EAS alerts generate a host of ills, from consumer inconvenience and frustration over TV lockouts, to broad public fear and confusion about the existence and nature of threats. False alerts divert public safety and other government resources from other important activities, impose costs on licensees that have to deal with many of the consequences of false alerts and, ultimately, desensitize the public to legitimate alerts. The Commission, consistent with its fundamental public safety mandate, must ensure that the public has complete confidence in the EAS as one of the nation’s essential public safety communications tools. 240 Thus, if EAS Participants cannot effectively secure the system through voluntary mechanisms, the Commission must explore regulatory solutions to achieve EAS security. Accordingly, we now propose rules designed to safeguard the EAS and maintain continued public trust in the system. 109. In this section, we seek comment on proposals intended to decrease the likelihood of false or malicious EAS broadcasts, and to codify best practices consistent with CSRIC IV’s recommendations. We also propose rules requiring the reporting of false alerts, i.e., alerts issued in situations other than a bona fide emergency, test, or public awareness campaign, and lockouts, and new rule changes for alert authentication and validation. We believe that these proposed rules ? backed by an annual certification of specific actions from EAS Participants demonstrating adherence to the security best practices recommended by CSRIC IV ? will fundamentally enhance the security of the EAS and help provide a baseline of actions from which to initiate risk management processes to protect the EAS. Additionally, the proposed reporting requirements would provide a minimum set of actions to assist in the communication of incident detection and response. These proposals are intended to complement, rather than replace, the Commission’s current support for voluntary implementation of best practices developed through cooperation with industry and advisory bodies. Each proposal is intended to be flexible, so commenters should describe in detail how they propose to implement any preferred approach they may have, and how those choices advance the goals of this Notice. We encourage EAS Participants to examine all of their approaches to managing security risk, including planning and recovery, to inform their recommendations for improvements. 110. Also, we invite alternative proposals from commenters on how best to promote EAS security. Commenters should support such proposals with sufficient information and analysis to provide a basis for thorough consideration. Given the importance of ensuring the authenticity and security of presidential EAN messages, we also seek comment on whether our proposed changes are sufficient for all EAS messages, or whether additional measures should be taken to secure particular alerts, such as the EAN. Assuming such additional measures are indicated, commenters should describe them and explain how they would better secure the EAS. Finally, commenters should address relative costs and benefits of the Commission’s proposed rules as well as any proffered alternative proposals. a. Annual Certification 111. In light of the issues raised above, we propose action to ensure that EAS Participants are following EAS security best practices, which in turn will make our nation’s alerting system more secure and reliable. We propose that EAS Participants must submit an annual reliability certification form that attests to performance of required security measures with a baseline security posture in four core areas, as described in the following sections. We believe this annual certification would establish minimum expectations for security, and provide the Commission with the necessary assurances that EAS Participants are adhering to industry best practices and therefore taking appropriate measures to secure the EAS. We believe this requirement would be minimally burdensome, and would allow EAS Participants ample flexibility in implementing core security mechanisms based on the individual entity’s particular needs. As an initial matter, we seek comment on whether an annual certification would achieve these objectives, and on the relative costs and benefits of this approach. We expect that the information 240 See First Report and Order and Further Notice of Proposed Rulemaking, 20 FCC Rcd at 18626 ¶ 1. Federal Communications Commission FCC 16-5 49 required to make a determination by the certifying official is readily available as part of the Participant’s normal operations, and that the amount of legal and management review is negligible given that the best practices to which they certify are well known and have been carefully assessed by industry in the CSRIC process. We estimate that certification should add an average of fifteen minutes to the annual update of the “identifying information” section in ETRS, resulting in an increased cost to industry of approximately $549,360 per year. 241 If additional legal and management review would be required, we assume it would only be required the first year to ensure appropriate internal processes were in place and would amount to no more than an average of one hour per company for an additional $2,179,440 the first year. 242 For those EAS Participants who are not using best practices, we estimate it should take no more than four hours per device to perform the necessary changes, resulting in an estimated cost of $879,040 to industry. 243 We seek comment on the accuracy of the estimates of the expected number of Participants that are not using best practices, the accuracy of the assumptions underlying the amount of time required for compliance, and the accuracy of cost estimates. Are there additional costs that are not sufficiently captured by these proposed cost estimates? Administratively, should the “identifying information” section of ETRS be used to provide an EAS Participant’s certification, or should a different mechanism be used for making and recording the certification? Is it reasonable and efficient to require the certification to be part of the current required annual update of ETRS identifying information? What ways might there exist to further reduce the burden on EAS Participant while achieving the same result? Would the longer term burden be reduced by including a provision to review the certification requirement in five years with the intent to sunset the requirement if it becomes clear that Participants are effectively managing cybersecurity risk through mature implementation of the NIST Cybersecurity Framework or suitable equivalent as demonstrated through the planned cyber risk assurance meetings and Sector Annual Report recommended by CSRIC IV? 112. Further, we seek comment on each of the four core elements that would be addressed in the annual certification. Particularly, we ask whether these four areas of certification provide sufficient assurance that security best practices are being followed. Are there any additional – or alternative – areas that should be subject to certification to achieve system security assurance aims? Are there measures that the Commission or industry stakeholders can take to ensure performance of the proposed security measures are minimally burdensome for all EAS Participants, from the largest broadcasters and cable systems to the smallest independent operators? For example, could industry organizations at the national and state levels work with their members to conduct outreach to smaller and less resourced EAS Participants to educate them and otherwise help them to successfully certify their compliance with the security guidelines we propose today? What, if any, should the Commission’s role be in such an outreach effort? We note in this regard that the Bureau has already released a Public Notice reminding EAS Participants of the EAS security best practices recommended by the CSRIC IV Initial EAS Security Report 244 and has participated in a number of industry-related panels discussing cybersecurity as well as a webinar on cybersecurity for broadcasters. Are there other outreach steps in the CSRIC IV Final EAS 241 Where (.25 hours) x ($80.00 per hour salary) x (27,468 EAS Participants required to file) = $549,360. See Amendments to Part 4 of the Commission’s Rules Concerning Disruptions to Communications; New Part 4 of the Commission’s Rules Concerning Disruptions to Communications, PS Docket No. 15-80, ET Docket No. 04-35, Notice of Proposed Rulemaking, Second Report and Order and order on Reconsideration, 30 FCC Rcd 3206, 3221 ¶ 44 (2015) (estimating that staff completing comparable reports would be paid a $80/per hour salary); see also Review of the Emergency Alert System, EB Docket No. 04-296, Notice of Proposed Rulemaking, 29 FCC Rcd 8123, 8147, n.162 (2014) (estimating that there are a total of 27,468 EAS Participants). 242 Where (1 hour) x ($80.00 per hour salary) x (27,468 EAS Participants required to file) = $2,179,440. 243 Where (4 hours) x ($80.00 per hour salary) x (2,747 entities [or ten percent of all EAS Participants] expected to not be in compliance with EAS security best practices) = $879,040. 244 See EAS Best Practices PN; see also CSRIC IV Final EAS Security Report at 11-14 (suggesting methods for raising awareness of EAS security best practices). Federal Communications Commission FCC 16-5 50 Security Report that the Commission should undertake to raise public awareness regarding EAS security and to help EAS Participants incorporate EAS security best practices? (i) Patch Management 113. A basic network security hygiene practice for any communications- and computer-based system – EAS included – is ensuring that the system runs up-to-date, secure software and firmware. This practice is included in various best practice documents, surveys and security guidelines, 245 including one of the “first five” controls from the SANS Institute Critical Security Controls, control CSC 3-2. 246 For more than a decade, the Commission and a series of communications security authorities and expert bodies have stressed the importance of regular system patching and updating, starting with Network Reliability and Interoperability Council (NRIC) V, and continuing through NRIC 7, CSRIC 2, and CSRIC 3. Despite continued attention to patching as a needed part of basic security hygiene, attackers continue to exploit unpatched systems. According to Verizon’s 2015 Data Breach Investigations Report, 247 99.9 percent of all computer system exploits target vulnerabilities that have persisted for at least a year. Additionally, SANS control CSC 6-1 – updating to the most current software and firmware version and patch level – would be the recommended mitigation strategy in 24 percent of all incidents Verizon reviewed. 248 114. In the Bobby Bones Show incident, for example, vendors with properly updated software and firmware for their EAS equipment resisted the false alert. Others, whose system software/firmware were unpatched, either broadcast the false alert or queued it for later broadcast. 249 Had all equipment been updated to the latest version and in the correct configuration, it is highly likely the alert would not have been rebroadcast. 115. Proactive management of system vulnerabilities tends to reduce or eliminate the potential for exploitation and involve considerably less time and effort than responding after an exploitation has occurred. 250 Accordingly, we propose, and seek comment on, requiring EAS Participants to certify annually that they keep their systems updated with the latest firmware and software patches. We observe that three of the thirteen best practice controls recommended by CSRIC IV cover patch management. 245 See NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY (NIST), SPECIAL PUBLICATION 800-53 VERSION 4 F- 215 (2005), available at http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf; NIST, SPECIAL PUBLICATION 800-40 PATCH MANAGEMENT PROGRAM (2005), available at http://csrc.nist.gov/publications/nistpubs/800-40-Ver2/SP800-40v2.pdf; IEEE WORKING GROUP T1M1.5/2003- 007R5, DRAFT PROPOSED AMERICAN NATIONAL STANDARD FOR TELECOMMUNICATIONS – OPERATIONS, ADMINISTRATION, MAINTENANCE, AND PROVISIONING SECURITY REQUIREMENTS FOR THE PUBLIC TELECOMMUNICATIONS NETWORK: A BASELINE OF SECURITY REQUIREMENTS FOR THE MANAGEMENT PLANE 47 (2003), available at http://www.ieee802.org/1/ecsg-linksec/meetings/July03/3m150075.pdf. 246 See SANS INSTITUTE, CRITICAL SECURITY CONTROLS: GUIDELINES, https://www.sans.org/critical-security- controls/guidelines (last visited Oct. 21, 2015) (stating that the “First Five” controls “are being implemented first by the most security-aware and skilled organizations because they are the most effective means yet found to stop the wave of targeted intrusions that are doing the greatest damage to many organizations”); see also COUNCIL ON CYBERSECURITY, CRITICAL SECURITY CONTROLS FOR EFFECTIVE CYBER DEFENSE VERSION 5 19 at CSC 3-2, available at https://www.sans.org/media/critical-security-controls/CSC-5.pdf. 247 See VERIZON 2015 DATA BREACH INVESTIGATIONS REPORT 15 (2015), available at http://www.verizonenterprise.com/DBIR/2015/. 248 See VERIZON 2015 DATA BREACH INVESTIGATIONS REPORT 56 (2015), available at http://www.verizonenterprise.com/DBIR/2015/. 249 See Monroe Comments, PS Docket 14-200 (filed Dec. 8, 2014) at 3 (Monroe Comments). See Sage Comments, PS Docket 14-200 (filed Dec. 5, 2014) at 2 (Sage Comments). 250 See NIST, SPECIAL PUBLICATION 800-40 VERSION 2 ES1 (2005), available at http://csrc.nist.gov/publications/nistpubs/800-40-Ver2/SP800-40v2.pdf. Federal Communications Commission FCC 16-5 51 Specifically, Recommended Control No. 1 states that “EAS participants should regularly monitor EAS Manufacturer information resources (e.g., websites) to obtain vendor patch/security notifications and services to remain current with new vulnerabilities, viruses, and other security flaws relevant to systems deployed on the network”; Recommended Control No. 6 states that EAS Participants should “regularly seek and install software updates and patches”; and Recommended Control No. 7 states that they should “expedite general system updates and security patching.” 251 116. Would effective implementation of best practice Control Nos. 1, 6 and 7 be assured by requiring participants to certify that they have followed a program to identify and install updates and patches to EAS devices and attached systems in a timely manner, verified EAS devices are running the current version and patch level of software and firmware, and verified that systems connected to EAS devices are running the current version and patch level of software and firmware? If so, is that sufficient to demonstrate basic security hygiene in the EAS? What alternatives would be acceptable if a participant does not comply with the above elements? Should we allow participants to instead certify the measures they have taken to provide equivalent security or the explanation of how the above elements do not apply to their network? How extensive should such descriptions or explanations be? What issues could arise from requiring that the certification apply to both EAS equipment and all network equipment on the same network? Are there any reasons to refrain from applying the certification requirement to all network equipment connected to an EAS device? Is an annual performance certification from an EAS Participant sufficient? If not, what is a more appropriate interval for filings attesting to performance of required security measures? Alternatively, should the Commission require EAS Participants to update their systems when a patch or update is released and report that they have done so to the Commission? How much time would EAS Participants need to comply with a requirement to identify, acquire, test, apply and verify such updates? Are any of the specific actions proposed above unnecessary, and, if so, why? Alternatively, what other measures should be included in the certification? 117. We seek comment on the cost of complying with an annual requirement to certify as part of the required information in ETRS that systems are fully patched and running the most current firmware. Since ensuring proper patching and updating is already a common best practice across the communications sector, we assume that, for most EAS Participants, there would be no additional cost related impact to keeping EAS related systems current. Is this a reasonable assumption? Are there other factors that should be taken in to account when determining whether complying with this particular best practice would require additional effort? Would the benefits from increased performance of required security measures for EAS Participants who are not currently practicing them outweigh the costs of filing? We request that commenters be specific about costs and provide support and documentation accordingly. (ii) Account Management 118. A second basic security hygiene practice is proper control, assignment and management of user and administrative accounts. Poor password practices are directly responsible for the Zombie Attack Hoax that had an impact on multiple stations in the northern and western regions of the nation. Due to stations not changing the manufacturer default passwords on their Internet-accessible equipment, hackers were able to log in, generate and send false EAS alerts. 252 As a result, we issued an urgent notice 251 See CSRIC IV Initial EAS Security Report at 11. 252 See David Moye, KRTV’s Emergency Alert System Hacked to Warn of Fake Zombie Apocalypse, HUFFINGTON POST (Feb. 11, 2013, 8:32 PM EST), http://www.huffingtonpost.com/2013/02/11/krtv-fake-zombie- alert_n_2665469.html (last visited Oct. 21, 2015); see also Zombie Warning Shown on Michigan TV Stations after Emergency Alert Systems Hacked (VIDEO), HUFFINGTON POST (Feb. 12, 2013, 3:58 PM, EST), http://www.huffingtonpost.com/2013/02/12/zombie-warning-michigan-tv-alert-video_n_2671044.html (last visited Oct. 21, 2015). Federal Communications Commission FCC 16-5 52 to change default passwords on EAS devices. 253 119. Despite the existence of well-known user account management best practices, the security breaches described above show that a number of EAS Participants fail to follow them. Thus, we propose a rule that would require EAS Participants to certify that they are following specific, common, EAS user account management best practices. Had such a rule been in effect at the time of the Zombie Attack Hoax, the targeted entities would have had certifications on file with the Commission that they had changed the default password for the system, had removed or disabled improper accounts, and routinely enforced complex passwords. We believe such certifications, submitted upon penalty for false statements, would have induced the stations to change their default passwords, thus preventing the Zombie Attack Hoax. We seek comment on this belief and on our underlying analysis. 120. Accordingly, we seek comment on rules requiring EAS Participants to certify annually that they have a control system in place to restrict access to EAS devices, that all EAS devices and connected system passwords have been changed from the default passwords, that password complexity is required, and that default, unnecessary, and expired accounts have been removed or disabled. Would these requirements be sufficient to ensure proper control over EAS device access? If not, what other user account management requirements should be added? What account management alternatives would be acceptable in lieu of these specific elements? In that vein, should participants be required instead to certify as to measures taken to provide equivalent security, or to explain how the account management elements described do not apply to their network? How extensive should such descriptions or explanations be? Should they apply to both EAS equipment and all network equipment on the same network? Should the ETRS identifying information section be used to provide an EAS Participant’s certification? Is there a better method of recording certification? Is it reasonable and efficient to require certification as part of the currently required annual update of ETRS identifying information? 121. We also seek comment on the costs of complying with this particular element of the certification process. Since accepted best practices require basic account management, we assume that there would be little or no additional effort required to implement those best practices. Is this a reasonable assumption? We request that commenters be specific about costs and their sources. (iii) Segmentation 122. In the Zombie Attack Hoax, outside actors used default passwords to gain remote Internet access to EAS devices allowing them to transmit false alerts. Had the impacted stations implemented best practices to prevent unauthorized remote access, it is far less likely that the intruders would have been able to penetrate the systems and log in with the default password. A firewall or other architectural separation would have impeded their ability to discover, access and utilize the EAS devices, and would likely have prevented the intrusion. Further, proper remote access security would have provided indications of the access attempt to system administrators who, in turn, could have acted upon that information to safeguard the system. 123. Accordingly, we propose requiring EAS Participants to certify annually that they have achieved a minimum level of segmentation of the EAS system. We define segmentation here for certification purposes as a category of best practice-based actions that logically group and compartmentalize assets and restrict trusted access to those compartments. Specifically we propose that EAS Participants certify that none of their EAS devices is directly accessible through the Internet, (for example, by configuring a firewall to deny access from the public Internet) and that any other type of remote access is properly secured and logged. We believe this would have prevented the fraudulent remote access experienced in the Zombie Attack Hoax and in other similar attacks. We specifically seek comment on the effectiveness and desirability of the proposed rule. Would such a requirement adequately ensure proper separation of EAS equipment from Internet-connected network equipment? What other 253 See Unauthorized Presidential EAS PN. Federal Communications Commission FCC 16-5 53 specific actions normally included in best practices to segregate control traffic from public access should be included in the certification? What segmentation alternatives would be acceptable to prevent unauthorized remote access? Should participants be required to certify as to the taking of specified measures or, in lieu of those measures, explain how the elements described do not apply to their network? How extensive should such descriptions or explanations be? We also seek comment on the definition and use of segmentation as a category of certification items. Should the ETRS identifying information section be used to report EAS Participants’ certification, or should a different mechanism be employed? 124. We seek comment on the cost of complying with an annual certification requirement that EAS devices are not directly accessible from the Internet. We further seek comment on the cost of complying with a requirement that any means of remote access is properly secured and logged. Since accepted best practices (as well as recommendations in vendor guides and industry publications) specify a firewall or other method of segmenting the EAS device from the Internet, 254 our assumption is that there would be no additional cost associated with having to institute these best practices. Is this a reasonable assumption? Are there other factors that should be taken in to account when determining whether complying with the best practice would require additional effort? (iv) Annual Certification of CAP Digital Signature Validation 125. Based on comments received in response to the Commission’s inquiry into the Bobby Bones Show Incident, it is apparent that EAS Participants may opt not to filter CAP messages based on the digital signature parameter, or may only filter based on digital signature for selected CAP monitoring sources. 255 This raises the risk that even if State or Local authorities include a digital signature in a CAP- formatted message, EAS Participants may disregard the signature if the message was received from a source other than IPAWS-OPEN. By ensuring, and accordingly certifying, that their equipment is configured to validate CAP digital signatures on all CAP messages that include them, EAS Participants increase the security of the entire system by ensuring that CAP messages are unmodified and have been sent by a party with a valid digital certificate and, thus, are trustworthy messages. 126. We seek comment on the effectiveness and desirability of rules requiring EAS Participants to certify annually that their EAS devices are configured to validate digital signatures on CAP messages if the source of the CAP message includes this feature. Are there any technological or other barriers to certifying devices that are configured to validate digital signatures? If so, what actions could be taken to mitigate or remove those barriers? 127. We also seek comment on the cost of complying with an annual requirement to certify, as part of the required information in ETRS, that EAS devices are configured to validate digital signatures on CAP messages for all CAP messages that include a digital signature. We request that commenters be specific about costs and their sources. b. False Alert Reporting 128. There currently is no requirement that EAS Participants report to the Commission or FEMA that they have generated a false EAS alert or what circumstances led to the false alert; thus requiring the Commission to rely on reports from the public and the press. This situation has often hampered the Commission’s real-time awareness and ability to respond to a crisis or emergency associated with these activities. The Commission’s experience over the last decade of collecting and analyzing communications network outage data through its Network Outage Reporting System (NORS) 254 See, e.g., DIGITAL ALERT SYSTEMS, UNDERSTANDING SECURITY FOR YOUR EAS EQUIPMENT (2014), available at http://www.digitalalertsystems.com/pdf/DAS%20EAS%20Security%20WhitePaper%2001152014.pdf (last visited Oct. 14, 2015). 255 See Monroe Comments at 4. Federal Communications Commission FCC 16-5 54 shows the value of acquiring network reliability data. 256 False EAS alerts, if reported, could similarly provide situational awareness about the health of the EAS to the Commission in real time, and facilitate the Commission’s ability to take action to mitigate the effects of the alert. 257 129. Accordingly, we propose, and seek comment on, a rule requiring EAS Participants to report the issuance or retransmission of a false EAS message via ETRS. 258 Should an initial report including only EAS header codes, source, area affected, and time discovered of the false message be required? Is that information sufficient for an initial report? Is it reasonable to require such information or should less be required of the initial report? What other information should be included? We also seek comment on whether EAS Participants should be required to file their false alert report in ETRS within thirty minutes of identification of a false EAS message transmission. Is there a more appropriate time frame for a required initial report? Should a final report be required 72 hours after the initial report that includes an explanation of the root cause of the improper transmission? What other information should be included? Is that time frame long enough for EAS Participants to provide a final report? Is there a more appropriate time frame for the final report? Should any information in the final report be considered confidential? If so, what information should be covered as such? We seek comment on the effectiveness and appropriateness of using the ETRS as a reporting tool. Is there a better method of reporting false message transmission? 130. Finally, we request comments on the costs, burdens and benefits of the proposed mandatory reporting requirement; whether the requirement would promote the reliability, resiliency and security of EAS services; and whether we could more narrowly tailor the requirement or otherwise pursue an alternative that would maximize the potential benefits to society or would accomplish the proceeding’s objectives in a less costly, less burdensome, or more effective manner. Based on similarities with our Part Four outage reporting requirements for the notification and initial reports, we estimate that complying with the reporting requirement will require approximately fifteen minutes for the initial report and forty- five minutes for the final report, for a total of one hour and an estimated cost of $46,400 per year. 259 We seek comment on the reasonableness and accuracy of this estimate. Commenters should be specific about costs and their sources. 256 Information from NORS has enabled Commission staff to work with communications providers in a data-driven fashion on collaborative reliability improvement initiatives that have produced measurable results. See, e.g., Proposed Extension of Part 4 of the Commission’s Rules Regarding Outage Reporting To Interconnected Voice Over Internet Protocol Service Providers and Broadband Internet Service Providers, PS Docket No. 11-82, Notice of Proposed Rulemaking, 26 FCC Rcd 7166, 7171-73 ¶¶ 16-17 (2011) (describing, among other improvements, a 50 percent reduction in lost wireline calls to 911 as a result of the Commission’s systematic analysis of network outages). 257 For instance, in the past we have taken such actions as sharing our situational awareness with EAS device manufacturers and EAS Participants, as well as providing guidance to such entities, to the extent appropriate, on how to remediate any damage. 258 In the EAS context, such reporting will also help the Commission and FEMA respond more quickly to allay public fears and assist EAS Participants in acting more swiftly to minimize the impact of unauthorized EAS alerts. Further, having quick confirmation of unauthorized EAS alerts would allow EAS Participants to swiftly issue manual EOM codes to restore normal programming, thus significantly reducing program interruption time (i.e., ‘lockouts’). Our proposed reporting requirement is intended to address circumstances where the EAS is activated in the absence of an actual alert condition or authorized test. We note that the proposed mandatory reporting requirement for false alerts shall not be construed as narrowing or otherwise affecting the scope of the prohibitions set forth in Section 11.45(a), which, as described above, limit the circumstances in which any person may transmit (or cause to be transmitted) the EAS codes or Attention Signal, or a recording or simulation thereof. 259 Where (1 hour) x ($80 hourly salary) x (an estimated 2 incidents per year based on receiving reports of two false alerts in 2013, and one in 2014 and in 2015 ) x (290 entities estimated to file based on the results of the Bobby Bones Incident in which 290 entities would have been required to file a report) = $46,400. Federal Communications Commission FCC 16-5 55 c. Lockout Notifications 131. As described above, the Bobby Bones Show Incident’s audio clip did not contain the EOM code to return subscribers to regular programming. This resulted in 667,195 AT&T U-verse customers across the United States being locked out for several hours, unable to change their television to other programming while leaving them wondering what was happening. 260 During this lockout period, the viewers were left confused about the validity of the alert, placing the credibility of the alert messaging system in question. We believe that viewers must be able to rely on the alerting system for timely, accurate alerting information on which they can depend. We believe that EAS reliability would be greatly enhanced by taking necessary steps to prevent the conditions that would result in the inability of devices to resume normal operation after an EAS alert. We believe this would further public safety interests and address credibility issues that currently linger with the current system. Mandatory reporting via ETRS of instances when EAS Participant equipment causes, contributes to, or participates in a lockout that adversely affects the public would assist the Commission in identifying and assessing the nature and extent of the lockout issue, as well as the impact of false alerts reported separately. 132. Accordingly, we seek comment on a proposed rule to require all EAS Participants to report instances when their EAS equipment causes, contributes to, or participates in a lockout that adversely affects the public (e.g., when multiple cable STBs cannot return to normal operation due to the failure to receive an EOM signal or otherwise correctly process an EAS alert). Is this definition of a lockout sufficient to capture all such events where the public’s access to cable programming a cable- based alerts are concerned? We seek comment on whether there are some lockouts below a certain threshold that would be unnecessary to report because of limited effect on consumers. To what extent would excluding some lockouts from reporting requirements reduce the burden on EAS Participants? What threshold would strike an optimal balance between minimizing costs and keeping the Commission informed of significant incidents? Is there a better reporting method or definition for what constitutes a lockout that would provide the Commission with the appropriate amount of information to monitor and address this issue? Given that such false EAS alert-driven lockouts can have a significant impact on potentially millions of viewers, should an initial report should be required within fifteen minutes of identification of such an incident? Is there a more appropriate timeframe for a required initial report? We also seek comment on the scope of information that should be included with a lockout notification. For example, would the date and time, message source, affected device type(s), and estimate of the number of devices affected be sufficient for an initial report? If not, what other information should be included? Should a final report be required seventy-two hours after the initial report including the root cause of the incident? Is that time frame sufficient to provide a complete and thorough final report? We seek comment on the effectiveness and appropriateness of using the ETRS as a reporting tool for this type of incident. 133. Finally, we request comments on the costs, burdens and benefits of the proposed mandatory reporting requirement; whether the requirement would promote the reliability, resiliency and security of EAS services; and whether we could more narrowly tailor the requirement or otherwise pursue an alternative that would maximize the potential benefits to society or would accomplish the proceeding’s objectives in a less costly, less burdensome, or more effective manner. We estimate that complying with the reporting requirement will require approximately fifteen minutes for the initial report and forty-five minutes for the final report, for a total of one hour and an estimated cost of $800 per year. 261 We seek comment on the reasonableness and accuracy of this estimate. We request that commenters be specific about costs and their sources. 260 See AT&T Comments. This lockout implicates forced tuning issues addressed above. See supra Section III.C.1. 261 Where (1 hour) x ($80 hourly salary) x (an estimated 1 lockout per year based on historical patterns) x (10 entities estimated to be required to file based on historical patterns) = $800. Federal Communications Commission FCC 16-5 56 d. Alert Authentication 134. The EAS Protocol 262 does not currently include a method to ensure that an alert received by EAS equipment was originated by an authorized source, i.e., that the message is “authenticated.” 263 EAS equipment will respond as designed to any Presidential Alert regardless of the actual originator or broadcaster. There are two approaches, described below, that could effectively address this issue. The first approach leverages the existing features of digital signatures available on CAP-formatted messages – transmitted via IPAWS-OPEN or other IP-based connections, and the second approach explores the possibility of adding analog authentication mechanisms to EAS Protocol messages. 135. CAP allows for the use of a digital signature to be used as one method of message authentication. 264 A message may be authenticated by using a digital signature when a federal, state or local CAP alert originator signs a CAP message using its unique originator key, and that signature is decrypted using a single decryption key provided by FEMA/DHS. 265 An EAS Participant can know that a message was sent from a trusted source if it contains a digital signature that can be decrypted by the FEMA/DHS-provided key. Currently, all IPAWS-OPEN-originated CAP messages require digital certificate authentication, but some state and local CAP systems do not, and EAS Participants may elect not to filter CAP messages on the digital signature parameter for all, or only for selected CAP monitoring sources. 266 As EAS Participants and federal authorities comply with CAP-related requirements in accordance with the EAS Second Report and Order, 267 there is a clear and practical opportunity, presumably, to implement digital signature EAS authentication concurrently with those efforts. We believe digital signature authentication for CAP messages adds a significant layer of security to EAS. Thus, we propose to require that EAS Participants process and validate digital signatures when handling CAP-formatted EAS alerts, and discard as invalid any CAP message where the digital signature does not match an authorized source from FEMA or from a designated source specified in the State EAS Plan. 136. Accordingly, we seek comment on the desirability and feasibility of discarding CAP formatted EAS alerts where the digital signature is invalid. What barriers to the implementation of such a rule exist? Is a requirement for all EAS Participants to treat as invalid any CAP-formatted message signed with an invalid signature sufficient to achieve the desired goals? We also seek comment on the desirability and feasibility of digital signature authentication for all CAP messages, not only those originated by IPAWS-OPEN. Should we require all CAP-formatted messages to be digitally signed? Are there any technical barriers to such a requirement? Is the current process for digitally signing CAP messages for IPAWS-OPEN sufficient? Could it be effectively used for all CAP messages? Should we specify a method of ensuring that all EAS Participants can properly authenticate the alert originators they are responsible for monitoring, or should that be specified within the State EAS Plans? Are State EAS Plans the appropriate location for defining the authentication process for State and Local digital 262 See supra note 14. 263 Alert “authentication” refers to a determination of whether an alert came from the intended trusted source. Alert “validation,” on the other hand, assumes that an alert came from a trusted source, and asks only whether the alert is appropriate for retransmission. Current EAS protocol does not require information showing that the alert came from a trusted source. Id. 264 See Second Report and Order, 22 FCC Rcd at 13282 n.48. 265 See OASIS, COMMON ALERTING PROTOCOL VERSION 1.2 (2010), available at http://docs.oasis- open.org/emergency/cap/v1.2/CAP-v1.2-os.html (last visited Oct. 14, 2015). 266 See Monroe Comments at 4. 267 See Second Report and Order, 22 FCC Rcd at 13284; see also 47 C.F.R. § 11.51(d) (stating that all EAS Participants, including those using intermediary devices, must be able to accept CAP-formatted messages by June 30, 2015). Federal Communications Commission FCC 16-5 57 signatures? What impact would there be to state and local authorities from requiring all CAP-formatted EAS messages be digitally signed? Is this rule – in conjunction the certification requirement described above – the most effective and efficient means of ensuring performance of required security measures? If not, what other methods of ensuring performance of required security measures should be adopted? Would any of the questions or proposals in this paragraph apply equally to the WEA system? If so, then to what extent? Commenters should include detail concerning such proposals, including costs and benefits of applying these types of security measures to the WEA system. 137. While CAP digital signatures can provide authentication for messages propagated via IPAWS-OPEN or other IP-based systems, they do not address traditional analog EAS messages transmitted over the air using the EAS Protocol. To address this issue previous commenters have suggested two methods of adding analog authentication mechanisms to EAS Protocol messages. Some EAS stakeholders support the use of an analog version of the CAP digital signature to confirm the authenticity of EAS messages originated in the EAS Protocol. To confirm the authenticity, Monroe proposes a solution of adding a unique message ID or authenticator after the existing EAS header codes. 268 As an example, their TDX solution utilizes Audio Frequency Shift Keyed (AFSK) data in the audio portion of the message to provide an analog version of the CAP digital signature to be decoded downstream. 269 Monroe suggests that “the use of only a few bits of data could suffice as an authenticator value,” and that “such a solution would not overly burden the EAS message, lasting only two to four seconds, and would significantly improve message security.” 270 According to Monroe, such a solution would allow authentication of EAS Protocol messages without reference to an ulterior authentication source. There may be other potential solutions leveraging an analog version of the CAP digital signatures that would prevent retransmission of unauthorized audio alerts. If such an analog version of a digital signature had been in use during the Bobby Bones Show Incident, EAS equipment would have treated the unauthorized EAN alert as inauthentic because it lacked a signature. The same is true in the case of the February 12, 2013 retransmission of the Zombie Attack Hoax, and in the case of the ARCO/BP Advertisement Incident. Additionally, utilizing such an analog signature would have prevented the airing of a number of mistaken test events where an EAN was sent instead of a required test alert, including the December ’10 Unauthorized EAN and the Springfield, Illinois Incident. 138. A second solution to EAS alert authentication that could be applied to alerts formatted in the EAS Protocol is a Virtual Red Envelope (VRE) system. While the EAS’s predecessor, the Emergency Broadcast System (EBS), used red envelopes to send authentication codes to EAS Participants so that the EAS Participant could confirm the authenticity of subsequent alerts, this proposed virtual solution would use “IPAWS servers to distribute a short validation code as part of the Required Weekly Test.” 271 The Broadcast Warning Working Group (BWWG) advises that such a method could maintain fidelity to the EAS Protocol by appending the validation field to the end of the EAS message header. 272 The message would be considered valid only if the validation code provided in the most recent required monthly test (RMT) matched a corresponding code included in the EAN message. 273 Under the VRE model, “[t]he code match would compel the recipient equipment to automatically and immediately proceed to forward 268 Specifically, Monroe proposes use of its proprietary solution, Textual Data Exchange (TDX), which it claims is capable of adding a unique message ID and/or authenticator ancillary to the EAS Protocol header codes. See Monroe Comments at 5. 269 See 47 C.F.R. § 11.31. 270 See Monroe Comments at 5. 271 Broadcast Warning Working Group Comments, PS Docket 14-200 (filed Dec. 8, 2014) at 3 (BWWG Comments); NAB Comments at 2-3. 272 See BWWG Comments at 3. 273 Id. Federal Communications Commission FCC 16-5 58 the entire enhanced EAS message in accordance with the Commission’s EAS requirements.” 274 On the other hand, if the code did not match, this would trigger an alarm within the VRE system which would prompt manual authentication of the message. 275 If a VRE system had been in use during the Bobby Bones Show Incident, EAS equipment would have treated the unauthorized Presidential EAS alert as inauthentic because it would have lacked an authentication code. Further, if the alert used for the first Nationwide EAS test in November 2011 had contained an authentication code, that code would not have matched the authentication code specified for alerts received in October 2014, which would have prevented retransmission. If EAS equipment were programmed to respond to such a mismatch by holding such an alert for manual inspection, the inspection would have revealed that the message was not sent by a trusted source, and it could have been discarded. 139. Accordingly, we seek comment on the desirability and feasibility of including a unique message ID and/or authenticator ancillary to the EAS Protocol header codes and how to accomplish this in a manner that respects technological neutrality. We seek comment on the advantages and disadvantages of including a digital signature in CAP- and EAS Protocol-formatted EAS messages. We also seek comment on the desirability and feasibility of adopting a VRE solution to alert authentication that includes an authentication code within the EAS alert. Is a technical solution currently available that would allow the community to rapidly implement such a capability? What advantages and disadvantages would such a solution have? What would the impact of requiring such a solution be on small and medium businesses? What would the costs of such an implementation be? Should one, two or all of these solutions be required? Should each be considered an independent means of compliance? e. Alert Validation 140. Alert message “validation” refers to a technical check of a message by EAS equipment that allows for confirmation that a message received is in fact a valid EAS message. 276 The sole method currently available to EAS equipment for performing alert message validation makes use of a time stamp, 277 which contains an inherent ambiguity in that no year parameter is specified in the time stamp. 278 EAS equipment, therefore, is not always capable of determining whether an alert is valid. 279 The Broadcast Warning Working Group (BWWG) notes that “[i]f a fake EAS event is sent or an operator makes a mistake but has the right credentials and timestamp, it will be propagated as programmed, even if it is a recording of a previous alert.” 280 141. EAS alert validation could be improved by revising Section 11.31 of the Commission’s EAS rules to include a year parameter “YYYY” in the time stamp (“JJJHHMM”), and requiring devices 274 See id. at 3; see also 47 C.F.R. § 11.31. 275 See BWWG Comments at 3. 276 See 47 C.F.R. § 11.33. An EAS Decoder must provide error detection and validation of the header codes of each message to ascertain if the message is valid. A header code must only be considered valid when two of the three headers match exactly. Id. 277 The “time stamp” is represented in the Commission’s EAS rules defining EAS header codes as “JJJHHMM.” “This is the day in Julian Calendar days (JJJ) of the year and the time in hours and minutes (HHMM) when the message was initially released by the originator using 24 hour Universal Coordinated Time (UTC).” 47 C.F.R. § 11.31(c). 278 See 47 C.F.R. § 11.31(c). 279 For example an alert with a time stamp indicating that the alert was transmitted on November 7 and 2:00pm would be processed as valid if replayed at that date and time during each subsequent year, so long as it was received during the period indicated by the “valid time code.” See 47 C.F.R. § 11.31(c) (stating that the valid time code is represented as “+ TTTT” and “indicates the valid time period of a message in 15 minute segments up to one hour and then in 30 minute segments beyond one hour; i.e., + 0015, + 0030, + 0045, + 0100, + 0430 and + 0600.”). 280 BWWG Comments at 2. Federal Communications Commission FCC 16-5 59 to ensure the expiration time of the alert is in the future. If a year field had been included in the time stamp during the Bobby Bones Show Incident, EAS equipment would have recognized that it was dated and, thus, could have prevented the unauthorized EAS alert from being processed as valid by downstream equipment. Such date validation also could have prevented the ARCO/BP Advertisement Incident and the Springfield, Illinois Incident since they were also caused by replay of previous outdated alerts. 142. Further, the Station identification (ID) header code (“LLLLLLLL”) could be a useful validation parameter if the station ID parameter is based on a static designation, such as a station’s Physical System ID (PSID), and if EAS Participants accurately maintain the station ID parameter of their EAS equipment as well as the station IDs of the facilities they are assigned to monitor. If EAS equipment always verifies that the station indicated by an alert’s station ID header code matches the station ID of an EAS Participant’s assigned monitoring sources, use of station ID as a validation parameter could increase the security and reliability of the EAS ecosystem by not retransmitting EAS messages that have originated from outside its area. 143. Accordingly, we seek comment on the desirability and feasibility of amending Part 11.31 to include a year parameter in the time stamp, and to require devices to only transmit valid alerts. What hardware or software changes would be necessitated by adding a year parameter to the time stamp? How could any costs associated with this change be mitigated? Should we define as valid only alerts with an expiration time in the future? Are there other validation criteria we should consider based on the date- time fields? 281 Are there other actions that we should specify EAS Participants must take based on date- time fields? We also seek comment on the desirability and feasibility of requiring that the station ID header code be anchored to a static identifier, and on amending the Commission’s EAS rules to require alert validation based on the station ID header code. Is PSID an appropriate unique station identifier suitable for use as the station ID header code? Are there other existing identifiers that would be more suitable? Is requiring devices to validate that the station ID header code matches one of the monitoring stations listed in the State EAS Plan, alone or in combination with other methods, a reasonable and effective way of ensuring stations do not retransmit alerts from unauthorized sources? 144. There are some indications that checking for interstitial alerts 282 as a means of alert validation might have prevented the Bobby Bones Show Incident. Recent recommendations from CSRIC IV, however, advise against discarding all interstitial alerts, as some such alerts may be damaged or otherwise inappropriate for retransmission, and some such alerts may be valid and appropriate. 283 In light of the CSRIC IV recommendations on this issue, we seek comment on the desirability and feasibility of revising Part 11 of the rules to require discard of none, some or all interstitial alerts. 145. Finally, we request comments on the costs, burdens and benefits of the above proposed changes; whether the changes would reduce the incidence of inadvertent or false alerts; and whether we could more narrowly tailor the changes or otherwise pursue an alternative that would maximize the potential benefits to society or otherwise would accomplish the proceeding’s objectives in a less costly, less burdensome, and/or more effective manner. In the Sixth Report and Order, we estimated the total cost to EAS Participants to modify software and firmware to accommodate the “six zeroes” nationwide location code at $2.2 million. 284 Would the changes to include a year parameter and to check validity 281 In addition to the valid time code. See supra note 279. 282 Interstitial alerting occurs when subsequent, redundant header codes are transmitted prior to the transmission of the EOM code to terminate the original alert. 283 See CSRIC IV, WORKING GROUP THREE, EMERGENCY ALERT SYSTEM, NATIONAL TESTING AND OPERATIONAL ISSUES TASK GROUP, FINAL REPORT APPENDIX B (2014), available at https://transition.fcc.gov/pshs/advisory/csric4/CSRIC_IV_WG-3_Final-Report_061814.pdf 284 See, e.g., Sixth Report and Order, 30 FCC Rcd at 6527 ¶ 17. Federal Communications Commission FCC 16-5 60 based on time and the station ID header code entail similar costs and would that estimate be accurate for this purpose? 3. Confidentiality and Information Sharing 146. In this section, we seek comment on the degree of confidentiality that should be provided for security certifications and reporting-related information submitted to the Commission via ETRS. 285 Under Sections 0.457(d)(1)(vi) and 4.2 of the Commission’s rules, we currently treat reports that are filed in our Network Outage Reporting System (NORS) as presumptively confidential, thus allowing such reports to be withheld from routine public inspection. 286 This presumption recognizes both the “likelihood of substantial competitive harm from disclosure of information” and the Commission’s concern that “the national defense and public safety goals that we seek to achieve by . . . these . . . reports would be seriously undermined if we were to permit these reports to fall into the hands of terrorists who seek to cripple the nation’s communications infrastructure.” 287 The Commission currently share NORS reports with the Department of Homeland Security (DHS), which may “provide information from those reports to such other [federal] governmental authorities as it may deem to be appropriate.” 288 147. Treatment of Certification-Related Information. We seek comment on whether the Commission should treat certification-related information with the same confidentiality as the Commission treats NORS information. We recognize that the EAS presents a somewhat different set of circumstances than NORS. EAS is not a revenue-generating apparatus designed by EAS Participants as part of the delivery of services to customers for remuneration. Rather, EAS is a system that exists solely for the generation of critical public safety messages. Further, EAS Participants do not risk competitive disadvantage due to disclosure of the kind of information we now seek. Against this backdrop, we must weigh the public’s presumed benefit in being able to assess, in real time, the security of its EAS, and we tend to generally favor disclosure over confidentiality. In the alternative, should we treat certification- related information as presumptively confidential, as we do in DIRS? 148. We tentatively conclude that the act of filing an annual certification should not be treated as presumptively confidential; however, we recognize that the data reported on the certification should be treated as presumptively confidential. We recognize the potential utility in treating as presumptively confidential information submitted in addition to annual certifications that describe alternative measures employed by the EAS Participant to mitigate the risks of nonconformance with certification elements. Accordingly, we propose the act of filing, and the contents of that addenda to EAS Participants annual certifications describing alternative approaches to performance of required security measures should be treated as presumptively confidential. We believe this approach and rationale are consistent with other similar certification reporting requirements. 289 We seek comment on these tentative conclusions, and on our analysis. 285 We note that the confidentiality of test data submitted to the Commission via ETRS has already been established in the Sixth Report and Order as allowing “test data and reports containing individual test data to be shared on a confidential basis with other Federal agencies and state governmental emergency management agencies that have confidentiality protection at least equal to that provided by FOIA.” Id. at 6533, n.90. Our discussion regarding the confidentiality of proposed annual certification information does not affect this prior determination regarding test data. We also note that we separately seek comment, above, on whether that level of confidentiality is also appropriate for State EAS Plan data submitted via SEPFI. See supra para.31. 286 47 C.F.R. § 0.457, 4.2. 287 See New Part 4 of the Commission’s Rules Concerning Disruptions to Communications, ET Docket No. 04-35, Report and Order and Further Notice of Proposed Rulemaking, 19 FCC Rcd 16830, 16855 para. 45 (2004). 288 Id. at 16856, para. 47 (making NORS reports available to DHS “in encrypted form and immediately available upon request”). 289 See 47 C.F.R. § 12.4 (treating the mere fact of filing or not filing Annual 911 Reliability Certification as not confidential but information submitted with or in addition to such certification as presumptively confidential).). Federal Communications Commission FCC 16-5 61 149. Treatment of Reporting-Related Information. Following the same underlying rationale for treatment of certifications above, we tentatively conclude that the mere fact that an EAS Participant has filed a false alert report or lockout notification, as described in this Notice, should not be treated as presumptively confidential. We seek comment on this tentative conclusion. 150. We believe that a need exists to presumptively treat as confidential the information submitted by an EAS Participant pursuant to reporting on the issuance or retransmission of a false EAS message via ETRS, or on instances when an EAS Participant’s equipment causes, contributes to, or participates in an incident that adversely affects the public and equipment does not return to normal operation after receiving an EAS alert. We recognize that some of the information in both contexts may contain material that, if disclosed, could potentially cause substantial competitive harm to the EAS Participant or even undermine national defense and public safety. Conversely, the same information may provide valuable insight into EAS vulnerabilities, information detailing specific corrective action(s) taken, the need for specific corrective action(s), or reasons why the EAS may have functioned sub- optimally. Given these competing concerns, we tentatively conclude that treating such information in a presumed confidential manner is justified. We seek comment on this view. We also seek comment on whether there are sound reasons why the Commission should treat submissions related to EAS annual certifications, false alert reporting, and lockout notifications differently with respect to their respective presumptive confidential treatment. 151. Sharing with Other Entities. In our effort to strengthen the nation’s public alert and warning systems as community-driven public safety tools capable of ensuring that the public can receive and respond to alerts issued by alerting authorities in an effective, timely manner, it will be essential to integrate and enhance timely cooperation and information exchanged among federal, state and local officials. We therefore seek comment on whether, if we adopt presumptively confidential reporting and certification requirements, as proposed above, the Commission should share the information with other federal agencies, as the Commission deems appropriate and consistent with the requirements of Section 0.442 of the Commission’s rules? 290 Should the Commission restrict such sharing to only certain named federal agencies? We ask for commenters to share their views not only on the extent and limits of such sharing, but provide underlying rationale to support their views. With which state entities, if any, should the Commission share this information? With which non-governmental entities, if any, should it share this information? 152. We further seek comment on whether information should be shared under Part 11 with the National Coordinating Center for Communications (NCC), a government-industry initiative led by DHS representing 24 federal agencies and more than 50 private-sector communications and information technology companies. Would access to data collected pursuant to Part 11 contribute to the NCC’s mission? Under what terms, if any, should such access be provided? Should the Commission instead leave to the discretion of the EAS Participants what Part 11 information they chose to share with the NCC? Would the Commission’s sharing of Part 11 information with NCC discourage Part 11 reporting? Is there a subset of data proposed to be collected under Part 11 that the Commission should share with the NCC while upholding the confidentiality presumption that we propose be established for information submitted pursuant to Part 11? Would the sharing of Part 11 data in aggregate or generalized form be useful to NCC? Finally, it would appear that such information sharing would not have any appreciable cost impact. We seek comment on this view. 153. Conditions on Sharing. We seek comment on whether before the Commission should allow data sharing with other entities as we did in the Sixth Report and Order that a state be required to first certify that it will keep the data obtained confidential and that it has in place confidentiality protections in place at least equivalent to those set forth in the federal Freedom of Information Act 290 See 47 C.F.R. § 0.442. Federal Communications Commission FCC 16-5 62 (FOIA). 291 If the Commission allows the sharing of Part 11 information to another entity, what conditions, if any, should be placed on the use of such information? Should use of Part 11 information by shared entities be restricted to activities relating to protecting public safety, health or national security? Should the entities with which the Commission authorizes the sharing of information be limited in terms of access to the ETRS database on a “read-only” basis? Balancing EAS Participant interest in confidentiality with the need for timely sharing of information when appropriate, it would seem that Part 11 information sharing should be permitted by the Commission only if stringent measures are in place to protect the data from public disclosure. We seek comment on this analysis and what measures, if any, should be in place if the Commission shares Part 11 information with any appropriate entity. 154. Given the national security and critical infrastructure concerns with having access to this data, what additional assurances can the Commission provide to ensure that any Part 11 information shared with appropriate entities will be properly safeguarded? Should personnel charged with obtaining Part 11 information be required to have security training? Should the identity of these individuals be supplied to the Commission? Should states be required to report breaches of confidentiality of information obtained as a result of compliance with our Part 11 rules? Should an EAS Participant be permitted to audit a state’s handling of its information submitted in accordance with Part 11? 155. Potential Alternative, Incremental Approach. One way for the Commission to gain experience on the best path forward for the sharing of confidential information under our proposed Part 11 rules may be to study the issues involved by developing an interim information sharing capability. As appropriate, the Commission may implement a prototype exchange of Part 11 information sharing with interested states and EAS Participants on mutually agreeable terms, as a means of building confidence among stakeholders and informing its development of proposed rules. As another example, the Commission could seek to establish a negotiated, temporary information-sharing program with the NCC for a specified period of time (e.g., eighteen months), after which time the program would be evaluated by the Commission, NCC, its members and other stakeholders for its effectiveness and whether it should continue unchanged, continue with modifications, or be terminated. We seek comments on this possible incremental approach. 156. In addition to any EAS information that the Commission ultimately may receive through the reporting processes outlined in this Notice, the Commission may also obtain information through other sources (public and non-public) revealing vulnerabilities in the EAS. While we propose to treat information contained in certifications as presumptively confidential, as discussed above, we do not presently have an established regime for other information that we may receive that is in addition to information received through the reporting processes. As potential threats increase, and as we receive more information on related threats to EAS and its potential vulnerabilities, should we establish a set of controls within the Commission to limit the distribution of and otherwise safeguard the information that we receive? For example, should such information be treated as presumptively confidential as well? Further, should there be specific methodologies for the handling of information on EAS vulnerabilities, beyond simply the confidential treatment of that information? Should the Commission apply physical and IT security controls to protect information regarding EAS vulnerabilities, and limit access to such information on EAS vulnerabilities to a validated subset of Commission staff? We ask commenters to address whether and what controls should be used in the Commission’s handling of such information, and the duration for which such controls should remain in force or effect. We seek comment on these or other potential approaches to the treatment of information that reveals potential vulnerabilities in the system, and to the designation and handling of such information once received by the Commission. We also ask commenters to address whether the designation, treatment and handling processes proposed ought to concern both the physical EAS architecture as well as IT security controls, or just one of those areas and, if the latter, which and why? 291 See supra note 102. Federal Communications Commission FCC 16-5 63 157. We also seek comment on the extent to which EAS stakeholders, including EAS Participants and EAS equipment vendors, should take measures to ensure that potential architectural or configuration vulnerabilities are safeguarded from inappropriate public disclosure. For example, we observe that EAS equipment manufacturers may provide encoder/decoder information available to users on public websites, including default equipment passwords. Despite our proposal to require participants change default equipment passwords, does such practice create potential vulnerabilities? We ask commenters whether information on the EAS architecture, including equipment instructions, can be subject to safeguards, and if so by what means? For example, should instructions be made available only to validated entities and thus, not made publicly available on websites? How could the effectiveness in increasing security of such a restriction be measured compare to the costs of administering such a program and of limiting access to operators, maintainers, and researchers? What other measures should stakeholders take to keep information regarding EAS architecture and configuration secure? To the extent the Commission were to take measures to ensure that information on EAS architectural and IT configuration vulnerabilities is made more secure, what specific legal and regulatory authorities would apply? 4. Reach of Proposed EAS Security Rules 158. As a logical extension of our discussion above of the costs and operational issues associated with implementing new security measures for EAS, we seek comment on whether our proposed security rules should apply to all EAS alerts, and to all EAS Participants. Specifically, we seek comment on whether the Presidential Alert may warrant additional and/or heightened security measures, whose implementation costs may exceed the benefits when applied to local alerts that are issued more commonly, and that have a less immediate impact on national security. In the discussion below, we seek comment on whether to except EAS Participants currently designated as PN stations from some or all of the security requirements we propose. We also seek comment on potentially excusing EAS Participants that qualify as “small businesses” under the Small Business Association (SBA) standard for their respective industries from some or all of the security requirements we propose today. 292 159. EAN Only. Would applying the above-proposed security measures to the EAN only recognize that the Presidential Alert presents heightened security concerns and more complex technical implementation issues than other EAS alerts? On the other hand, would application of enhanced security rules to the EAN risk dividing the Part 11 rules into two separate sets of requirements that may be burdensome or incompatible to implement using a unified EAS protocol, or when implemented in the same EAS equipment. In light of the fact that EAS Participants maintain only one piece of EAS equipment for both the Presidential Alert and all other alerts, notwithstanding their distinct functionalities and purposes, would an EAN-only approach obviate any technical or financial benefit that might result from limiting application of security measures to the Presidential Alert? Does the fact that alert authentication and validation are automated processes similarly undermine the potential for cost savings that might result from forbearing from applying the proposed heightened security measures on all but the Presidential Alert? If EAS equipment is capable of providing heightened security for one kind of alert, would there be any reason not to provide that functionality for all alerts? Additionally, would improving alert authentication and validation for the EAN require changes to the EAS header codes that would be best applied consistently to all alerts? 160. Exception for PN Stations. Are security concerns attendant to participation in EAS less pronounced for PN stations than key EAS sources in light of the fact that they are not monitored by other EAS Participants? Would the severity of an EAS security breach be directly related to the designation of the attacked EAS Participant in the EAS alert distribution hierarchy? If so, does that militate for a graduated application of the security provisions proposed above such that key EAS sources are subject to stricter security requirements than PN stations? Should the application of our security rules be even more 292 See infra Appendix B (Initial Regulatory Flexibility Analysis). Federal Communications Commission FCC 16-5 64 granular, for example, with NP stations being subject to more strict security requirements than Relay stations? 161. Small Entities. Would it be preferable to allow the EAN to be delivered only by more sophisticated or secure systems, preserving the flexibility for smaller EAS Participants alert originators at the state and local levels to participate in state and local alerting without the need for certain additional security measures? If we were to except small entities from application of some or all of our security rules, is the SBA size standard the appropriate metric for determining whether a business should be considered “small,” or would another standard be appropriate and, if so, on what basis(es)? 5. Software-defined EAS Networking 162. In this section, we initiate a dialogue about whether the level of administrative upkeep and oversight required to ensure that all security and performance updates required to maintain EAS equipment are uniformly implemented across a heterogeneous EAS system, and the level of coordination and planning needed to satisfactorily address the complex and varied threat vectors that exist for attacking EAS militate in favor of a new approach to EAS design. In particular, we seek comment on the efficacy of two potential software-defined networking approaches to a new EAS paradigm: 1) centralized configuration and management of EAS updates and security; and 2) virtualization of EAS equipment. We also seek comment on whether and how these approaches could be implemented in order to improve EAS security, and increase the consistency of EAS operations. a. Centralized Configuration and Management (i) Background 163. Centralization of EAS configuration and management entails logically connecting EAS equipment to a remote, central controller or database. 293 In the Fifth Report and Order, the Commission declined to require that EAS equipment contain an Ethernet port, reasoning that the decision of how to fulfill CAP monitoring obligations is best made by EAS equipment manufacturers. 294 That said, Trilithic commented that “we expect an Ethernet connection to be the input/output of choice for future (and present) EAS Encoder/Decoders.” 295 Using an Internet connection, either through Ethernet or wireless, the central controller could have visibility to every piece of equipment in the EAS alert distribution network. By performing routine checks, the central controller could be able to distribute and install software patches to close security vulnerabilities in EAS equipment, as required. 296 It could also control the distribution path of EAS alerts nationwide in a manner that precluded single points of failure. Centralization could supplement, rather than replace, traditional alert distribution mechanisms. A high- level depiction of a centralized EAS controller concept is depicted in Figure 4. 293 We observe that some EAS equipment already has Internet connectivity, in order to receive alerts configured in CAP. 294 Fifth Report and Order, 27 FCC Rcd at 675, para. 86. 295 Id. at 675, para. 85. 296 The operation of the central controller with respect to EAS equipment is illustrated in Figure 4 below. See infra Figure 4. Federal Communications Commission FCC 16-5 65 Figure 4: Diagram of Centralized EAS Configuration and Management Concept (ii) Discussion 164. We seek comment on whether a centralized configuration and management structure for EAS would result in significant security and operational benefits. The security of the EAS platform has been compromised on several occasions. 297 While we have proposed to adopt measures to further authenticate and validate EAS messages above, given the scope of human intervention required to completely inoculate the EAS against unauthorized alerts and other security threats, is it possible that continued piecemeal modification of the Part 11 rules, even with greater diligence on the part of EAS Participants in adhering to security best practices, might not be sufficient to fully secure the EAS? We seek comment on whether a broader approach to EAS architecture design may be necessary. Particularly, as threats evolve, what steps should we take now as a proactive response to such threats? Specifically, we seek comment on whether centralization has potential to augment EAS capabilities, whether it has the potential to improve EAS security and reliability, and on the engineering challenges and operational issues, including cost, that implementation would entail. 165. Augmented Capabilities. Would centralization of EAS configuration and management have the potential to transform EAS into a more capable system? If so, to what extent and in what ways? If the distribution pathway of alerts were configured by a central controller connected to EAS equipment 297 See, e.g., Bobby Bones Could Face Heavy Fines after EAS Triggered, SAVING COUNTRY MUSIC (Oct. 27, 2014), available at http://www.savingcountrymusic.com/bobby-bones-could-face-heavy-fines-after-youtube-vid-triggers- emergency-message (last visited Sept. 21, 2015); Zombie Attack Emergency Alert in Montana: “Dead Bodies Rising from the Grave,” EXAMINER (Feb. 11, 2013, 11:41 PM), available at http://www.examiner.com/article/zombie- attack-emergency-alert-montana-dead-bodies-rising-from-the-grave (last visited Sept. 21, 2015). Federal Communications Commission FCC 16-5 66 via an Internet connection, could a centralized configuration and management model for EAS be used to ensure that no single point of failure exists in the EAS alert distribution hierarchy? Could a tiered control model be developed such that SECCs could continue to determine the distribution paths and monitoring assignments for alerts and EAS Participants, respectively, in their states, pursuant to a “no single point of failure” principle that could be maintained by a central controller? Relatedly, could the ability to configure EAS alert distribution pathways improve geo-targeting, especially if it is implemented for all EAS Participants, not just key EAS sources? Indeed, could such a model enable EAS alerts to be targeted to not only geographic areas, but to specific EAS Participants? In the cable environment, could the centralization concept be expanded to include a connection to STBs that would enable alerts to be targeted to specific individuals? Further, we seek comment on whether a centralized configuration and management model could be made capable of ensuring that all EAS equipment across the nation is running the most up-to-date software available by performing periodic version checks of EAS software via the Internet. We seek comment on the extent to which this approach could bring uniformity and consistency to EAS equipment operation, and ensure that all EAS equipment is able to take advantage of the improvements that equipment manufacturers make available through software updates, obviating the risk of human error. We also seek comment on how the underlying heterogeneity of the EAS environment might complicate centralized control and uniform operation. 166. Improved Security, Reliability and Resiliency. Would central configuration and management increase EAS security and reliability by relying on a secure Internet connection for communication between EAS devices? We seek comment on whether a central controller could provide a more efficient and effective solution than is currently available to prevent and redress malicious attack on, or mistaken use of EAS by pushing a software patch to EAS equipment that could address the issue. How could the central controller detect misuse in the nationwide EAS network? How quickly could software patches be developed and deployed? Further, we seek comment on whether the central controller could provide an additional layer of alert authentication and validation for alerts transmitted via traditional EAS alert distribution systems? Would EAS equipment be capable of performing the alert validation and authentication procedures proposed above while concurrently using the Internet to request that the central controller confirm the validation and authenticity of each message? 298 We seek comment on the alert authentication and validation processes that should be tasked to the central controller. Further, we seek comment on whether intermittent traffic between EAS receivers and the controller, such a data traffic to transmit a software update, could be encrypted. Would such communications be as vulnerable as, if not more vulnerable than actual EAS alerts? What encryptions techniques would be best suited for this purpose? Finally, we seek comment on whether centralized configuration and management would improve EAS’ resiliency. Could a centrally configured and managed EAS system continue to function properly after a catastrophic event that, for example, limited access to the Internet, or resulted in an electromagnetic pulse? In case of such an event, could all EAS equipment continue to operate pursuant to the most recent software update issued prior to the outage until a subsequent update is received? How would this level of resiliency compare with the current PEP-reliant model? 167. Engineering Challenges. Notwithstanding the tremendous potential benefits, could implementing centralized configuration and management of EAS present complex engineering challenges for EAS stakeholders? We seek comment on the engineering challenges implicit in developing a central controller, new EAS equipment, and protocols for communication between them. Specifically, we seek comment on the hardware, operating system, and software required to maintain a central controller. Would it be necessary to maintain multiple back-up copies of the controller on a fortified or cloud-based server to be used in the event of failure or attack? We also seek comment on whether and how EAS equipment would have to be redesigned. Would every EAS encoder/decoder require an Ethernet connection in order to successfully implement centralized configuration and management? Could EAS 298 See supra Sections III.D.2.d and III.D.2.e (proposing alert authentication and validation procedures, respectively). Federal Communications Commission FCC 16-5 67 equipment connect to the Internet wirelessly? We seek comment on the optimal method of allocating responsibility for administrative tasks among nodes in a tiered control model, including if SECCs were to be given control over alert distribution pathways in their respective states. Could a centralized configuration and management EAS network design be implemented during an interim phase during which only some EAS equipment would be connected to the central controller? Does an Ethernet port provide the optimal method of connecting EAS equipment to the Internet? If not, what would be the ideal method? 168. We seek comment on whether centralized configuration and management would also include the development of at least three new, secure protocols. First, we seek comment on whether a secure protocol would be necessary to govern all communications between the central controller and EAS equipment. We also seek comment on whether a second secure protocol would be required to describe the master-slave relationship between the central controller and EAS receivers. Third, we seek comment on whether a secure protocol would be required to automatically hand over control from one controller to another in the event of such an equipment failure or attack. Are there are additional protocols, equipment upgrades or engineering challenges of which we should be aware? 169. Operational Issues. What operational issues might be raised by centralizing control of EAS? We seek comment on what, if any entities are well positioned to take responsibility for managing the EAS controller. Would it be preferable to have only one entity assume this role in order to ensure accountability? Would this entity also have to assume liability for interoperability, system misuse and error? Could this entity be required to finance system conversion and subsequent upgrades? Further, we seek comment on whether such a model would likely require EAS manufacturers to open their devices to receiving “push” updates. What, if any impact would “push” updates have on MVPD EAS Participants that currently do their own failure testing and regression analysis of all software updates prior to installation in order to ensure that the new software will not jeopardize the proper functionality of their system? Would EAS Participants, including such MVPDs, welcome a system of EAS governance where they could externalize the costs of failure and regression testing of EAS software to an entity charged with managing the central controller? Further, would a centralized model require vendors to disclose their customer lists to a third party? Do EAS equipment vendors maintain customer lists that could be shared, on a confidential basis, with the appropriate entity or entities? 299 170. Costs. What costs would EAS stakeholders expect to result from centralizing configuration and management of EAS? Would centralized configuration and management obsolete all legacy equipment, necessitating replacement? Would the augmented capabilities and improved security, reliability and resiliency potentially offered by centralization outweigh the costs? We seek comment on any steps that we could take to help minimize these costs, particularly for small businesses. b. Network Function Virtualization 171. We seek comment on the benefits of virtualization of aspects of EAS equipment or alert distribution in the context of a wider transition among EAS Participants to IP-based platforms, and cloud- based network architectures and strategies in particular. 300 Specifically, we seek comment on the benefits of virtualizing EAS equipment, operational issues and costs implicated by implementation, and on whether virtualization should be considered in the alternative, or as a complement to centralization. 172. Benefits. Would the virtualization of EAS equipment in the context of a larger industry- wide transition to cloud-based computing bring homogeneity, consistency and reliability to the EAS computing environment by allowing software to operate independently of the underlying hardware and 299 For example, pursuant to the same principles of confidentiality proposed above. See supra Section III.D.3. 300 See supra Section III.B.3; see also KPMG, THE CLOUD: CHANGING THE BUSINESS ECOSYSTEM (2011), available at https://www.kpmg.com/IN/en/IssuesAndInsights/ThoughtLeadership/The_Cloud_Changing_the_Business_Ecosy stem.pdf. Federal Communications Commission FCC 16-5 68 operating systems produced by various equipment manufacturers? Specifically, could virtualizing EAS equipment result in a completely homogenous operating environment in which every EAS node (formerly EAS equipment) would be programmed to authenticate, validate, and process EAS alerts in an identical matter, with the caveat that users could continue to specify which event codes should be carried by their EAS nodes based on the event’s relevance to the geographic area in which the node is located, and the responsibilities of the alert originator? Would such a homogenous environment lead to alerts being processed in a more consistent manner? Is it likely that such a system would more reliably ensure that alerts are delivered to all intended recipients in a secure manner? 173. Operational Issues and Costs. Would the virtualization of EAS equipment implicate costs and operational issues for EAS equipment manufacturers, EAS Participants and alert originators not already subsumed within the costs of ongoing efforts to transition business operations to the cloud? Would a virtualized EAS architecture entirely obviate physical EAS equipment used for decades as the cornerstone of EAS alert transmission? We seek comments on the costs that might be imposed by such a transition, both in terms of short term equipment replacement, and long term savings on software updates, testing, and future hardware replacement. Would EAS software updates become less complex, and therefore less costly to develop? Similarly, would a homogenous operating environment for EAS reduce EAS costs for EAS Participants associated with failure testing and implementing equipment updates? Could virtualization reduce equipment costs in the long run by obviating the need for future hardware replacement? Would virtualization reduce the need for complexity in alert origination software? Would this increased simplicity lead to EAS alerts being more consistently delivered in an accurate manner? 174. Would virtualization add value to an EAS implementation that included a central controller? We seek comment on whether the system checking function of the central controller is sufficient to achieve consistency in function without the homogeneity of form that could be created by virtualization. Are there any additional benefits to a virtualized system not captured by centralized configuration and management? Would a virtualized approach to EAS implementation be consistent with our operating principle of technological neutrality? 6. Preserving EAS Defense through Planned Diversity a. Ensuring a Modern and Effective EAS Structure 175. The NPRM in its background section discusses the two complementary mechanisms by which EAS messages are transmitted: (1) through the traditional, broadcast-based EAS Protocol; and (2) through the newer, Internet-based, CAP-formatted, IPAWS system. We seek comment on how stakeholders believe those two systems should relate to each other going forward. For example, does it make sense to keep the two different systems solely for resiliency considerations? Can the Commission, FEMA and other Federal partners and EAS Participants sufficiently secure the broadcast-based EAS to achieve appropriate levels of resiliency and to ensure that this EAS path does not expose EAS more generally to undue security risks? Are the failure modes of the two paths sufficiently different to suggest an enduring unique value from both elements? Does a sufficient number of EAS Participants, particularly in rural and other underserved areas have the internet access or other technologies necessary to participate in the CAP-formatted system? Ultimately, does it make sense to migrate to one system? If so, over what time period? What should that new system look like? Would purely internet-based systems be overly reliant on the need for strong cybersecurity? 176. Are stakeholders confused or is there any inefficiencies we should be aware of because there are two systems? Also, given the ways in which communications have changed since the EAS and its predecessor system was introduced, e.g., the introduction of social media alerts, WEA mobile alerts, and other technical innovations, do we have an alerting system that is appropriate and tailored to today’s communications landscape, both in terms of the technology in use and anticipated and in terms of the usage and communication patterns of today’s public? If not, do we need a wholesale re-thinking of the alerting system or is the current system sufficiently flexible that we can evolve it over time so that it remains appropriate in light of today’s technology, usage patterns and emerging security threats? Federal Communications Commission FCC 16-5 69 b. Securing the EAS Broadband Architecture 177. The current adoption of IPAWS-OPEN as a delivery method of alerts to all EAS participants in accordance with our requirements in the Fifth Report and Order, as well as its use in WEA, have increased the dependence of the EAS and related systems on broadband (i.e., IP) networks. This migration will entail a shift from the legacy environment for EAS which was marked by physical route diversity. The nature of IP systems, however, will not reproduce this security element; indeed, several of the proposals above depend on movement toward centralized management and virtualization, which involve significant dependence on IP that, in turn, will require highly reliable, redundant, and secure Internet connectivity to mimic the security that physical diversity in the legacy EAS network currently provides. We seek comment on the nature and extent to which new alerting technologies will create such dependencies. What methods of securing the EAS would best maintain at least an equivalent level of redundancy and security as the legacy daisy chain presently provides? What additional considerations does this shift require we take into account when testing the EAS system? Do existing and planned test strategies adequately cover all redundant paths used to disseminate the alert? As we continue the focus on the IPAWS-OPEN path, do we risk less frequent use of the legacy broadcast paths? ? If so, what are the implications for seamless operation of legacy paths and the resiliency of the entire system, and how can we mitigate any deficiencies that may arise from any reduced dependability? 178. Given the importance of physical security in maintaining the integrity of the EAS system, what additional measures may be necessary to ensure access to EAS devices and the IP network that feeds them are protected from malicious damage or compromise? Are the existing practices and continuity of operation plans sufficient to ensure reliable delivery of EAS alerts to the public? What additional levels of redundant paths, equipment, power, and other services should be required to ensure operation? For example, in addition to the security measures proposed earlier in Section III(D)(2), what other methods could we use to prevent IP-based attacks from compromising the EAS system? 301 Should we maintain a secondary broadcast EAS system based on legacy EAS in addition to and separate from the IPAWS- OPEN-based system? E. Compliance Timeframes 179. We seek comment on the timeframes in which the proposals in this NPRM, if adopted, could reasonably be implemented by EAS Participants. As discussed in greater detail below, we propose that EAS Participants must comply with our proposed rules that include new information collection requirements (i.e., the State EAS Plan rules, initial annual security certification, and security incident reporting requirements) within six months from the release of a Public Notice announcing Office of Management and Budget (OMB) approval of related information collection requirements, or within 60 days of a Public Notice announcing the availability of the Commission’s relevant database to receive such information, whichever is later; with subsequent annual certifications due by June 30th of each calendar year. We propose that EAS Participants must comply with proposed alert authentication and validation measures within one year of the rules’ publication in the Federal Register. We note that no action is required to comply with our live code test and PSA rules, and encourage EAS Participants to begin engaging in testing and outreach efforts pursuant to those rule amendments as soon as those rules become effective, thirty days from the date those rules are published in the Federal Register. 302 We seek comment on whether this framework appropriately balances the burdens of compliance with the need for rapid improvement of EAS organization, testing, outreach, and security. For ease of reference and comment, Figure 5, below, sets forth proposed timeframes for those instances where we propose specific implementation deadlines. 301 Supra Section III.D.2. 302 Thirty days from publication in the Federal Register is the soonest that newly adopted rules can become effective. See 47 C.F.R. § 1.427(a). Federal Communications Commission FCC 16-5 70 PROPOSED RULE AMENDMENTS PROPOSED COMPLIANCE TIMEFRAMES EAS Designations Rules would be effective within 30 days of publication in the Federal Register State EAS Plan Contents Within six months of release of a Public Notice announcing OMB approval of related information collection requirements, or within 60 days of release of a Public Notice announcing the availability of SEPFI to receive State EAS Plans, whichever is later Live Code Tests No action required; rules would be effective within 30 days of publication in the Federal Register EAS PSAs No action required; rules would be effective within 30 days of publication in the Federal Register Annual Certification For the first certification: within six months of the release of a Public Notice announcing OMB approval of related information collection requirements, or within 60 days of release of a Public Notice announcing the availability of ETRS to receive such reports, whichever is later. For subsequent annual certifications: by June 30 th of each calendar year. Reporting False Alerts and Lockouts Within six months of the release of a Public Notice announcing OMB approval of related information collection requirements, or within 60 days of release of a Public Notice announcing the availability of ETRS to receive such reports, whichever is later Authentication and Validation Measures Within 1 year of the rules’ publication in the Federal Register Figure 5: Proposed Implementation Timeframes 180. State EAS Plan Rules. We propose that the new EAS Designations would take effect 30 days from the publication of final rules in the Federal Register, and to require compliance with our State EAS Plan rules within six months of the release of a Public Notice announcing OMB approval of related information collection requirements, or within 60 days of release of a Public Notice announcing the availability of SEPFI to receive State EAS Plans, whichever is later. States should already have State EAS Plans in place, and our proposed rules would not require that states adopt any particular alerting strategy or necessitate any changes in alerting implementation. We do anticipate, however, that producing State EAS Plans that include the new elements we propose would require additional discussion, strategic planning, and outreach. This discussion may entail a rigorous assessment of state preparedness along the axes discussed above. 303 For example, SECCs may need to perform outreach in order to ascertain the extent to which EAS Participants in their state are using alternative alerting mechanisms such as the satellite-based monitoring sources, highway signs or social media, and the extent to which they are prepared to leverage available technologies to implement “one-to-many, many-to-one” alerting. SECCs may also need to engage with key EAS sources in their state in order to aptly apply our proposed EAS Designations. We seek comment on whether requiring compliance with our proposed State EAS Plan rules within this proposed timeframe would provide SECCs with sufficient time to 303 See supra Section III.A.3.b. Federal Communications Commission FCC 16-5 71 complete any required strategic planning, discussion and outreach necessitated by these proposed rules. Commenters are encouraged to specify an alternative timeline if compliance within six months is considered infeasible, or if compliance can be achieved earlier. 181. Alert Authentication and Validation Rules. We propose that EAS Participants should be required to comply with our alert authentication and validation rules within one year of the date of their publication in the Federal Register. In the Sixth Report and Order, we provided EAS Participants one year to develop, test, and deploy any necessary software updates to support the national location code and National Periodic Test (NPT) code, and to replace any EAS equipment that no was no longer supported by the manufacturer. 304 We seek comment on whether the changes that may be necessitated by our proposed alert validation and authentication requirements may be accomplished through a software update, 305 and reason similarly that EAS Participants may be expected to develop, deploy and test any required software updates within a year’s timeframe. Alternatively, could compliance with some or all of the proposed rules be satisfied within a shorter timeframe? Given the importance to our nation’s safety of securing the EAS, we seek comment on the shortest practicable amount of time in which these measures could be implemented. To the extent an alternative timeframe would be more appropriate, we ask commenters to provide a detailed explanation. 182. Security Incident Reporting and Annual Security Certification. We propose to require initial compliance with our security incident reporting and annual security certification requirements within six months of the release of a Public Notice announcing OMB approval of related information collection requirements, or within 60 days of release of a Public Notice announcing that ETRS is capable of receiving such reports, whichever is later. With respect to subsequent annual certifications, we propose that this timeframe apply to the first certification, with subsequent certifications due by June 30 of each calendar year. We expect that EAS Participants are already complying with most, if not all, of the best practices described above, and to the extent additional time is necessary to ensure that best practices are fully implemented, we believe that 60 days provides a reasonable timeframe to accomplish that goal while also ensuring that security measures are taken as swiftly as possible. We seek comment on this proposed timeframe, and on our rationale. 183. Live Code Tests and EAS PSAs. We propose that our live code testing and PSA rules would become effective thirty days from the date of their publication in the Federal Register. We observe that no action is required in order for EAS Participants to comply with these proposed rules. Further, in the meantime, EAS Participants may continue to conduct live code tests as regularly scheduled pursuant to the guidance the Bureau provided in the Live Code Testing Public Notice. 306 This proposed rule, if adopted, would alleviate the burden on EAS Participants to seek waiver of our rules in order to engage in this common practice. With respect to EAS PSAs, we propose to expand the set of entities that are permitted to conduct EAS PSAs, and to allow them to include the EAS header codes and Attention Signal. This proposed rule, if adopted, would allow EAS PSAs to become more flexible tools for community public safety outreach. We believe it would serve the public interest for the proposed live code testing and PSA rules to become effective as soon as possible, and seek comment on our rationale. F. Legal Authority 184. Under the Communications Act of 1934, as amended (Act), the Commission was established, among other things, to “make available rapid, efficient . . . wire and radio communication service with adequate facilities . . . for the purpose of the national defense” and “for the purpose of 304 Sixth Report and Order, 30 FCC Rcd at 6545-46 ¶ 54. 305 See supra Sections III.D.2.d, III.D.2.e. 306 Public Safety and Homeland Security Bureau Provides Guidance Regarding “Live Code” Testing of the Emergency Alert System, Public Notice, 24 FCC Rcd 3701, 3701 (2009). Federal Communications Commission FCC 16-5 72 promoting safety of life and property.” 307 The Commission’s regulation of emergency broadcasting, both of the EBS and EAS, has been grounded, in significant part, in Sections 1, 4(i) and (o), 303(r), and 706 of the Act. 308 Additionally, the Commission has authority to impose EAS obligations on cable systems under Section 624(g) of the Act, regulate participation by Commercial Mobile Service in the emergency alerting process under the WARN Act, 309 and to ensure that emergency information is accessible under the Twenty-First Century Communications and Video Accessibility Act. 310 185. In order to enable the President to reliably execute this authority in the public interest, the Commission has long considered it necessary to ensure that our national alerting architecture is ready to transmit an alert authorized by the President (i.e., a Presidential Alert) in an appropriate situation. 311 Further, the President has defined roles and responsibilities for federal agencies to create a “comprehensive system to alert and warn the American people” in several executive documents, 312 specifically directing the Commission to “adopt rules to ensure that communications systems have the capacity to transmit alerts and warnings to the public as part of the public alert and warning system.” 313 We seek comment on whether this legal authority extends to mobile apps when offered by a covered entity. 186. In addition to the authorities discussed above, we believe the Commission has authority to adopt alert authentication and validation rules, require security certifications, and collect false alert and lockout reports from EAS Participants. First, the Commission has express authority under Title III to make changes to alert authentication and validation and to require EAS security certifications from Title III licensees. Title III directs the Commission to “maintain the control of the United States over all channels of radio transmission” and charges the Commission with protecting the viability of local broadcasting. 314 Section 303 of the Act states that the Commission shall “[p]rescribe the nature of the service to be rendered by each class of licensed stations” where public convenience, interest, or necessity 307 47 U.S.C. § 151. 308 47 U.S.C. §§ 151, 154(i) and (o), 303(r), 606. 309 See WARN Act §§ 602(a), (b), (c), (d), (f), 603, 604, 606 (directing the Commission to adopt rules and regulations to enable Commercial Mobile Service Providers to voluntarily transmit emergency alerts). 310 See 47 U.S.C. § 544(g) (requiring the Commission to ensure that cable viewers are afforded the same access to emergency communications as broadcast viewers and listeners); Twenty-First Century Communications and Video Accessibility Act of 2010, Pub. L. No. 111-260 (requiring, among other things, that the Commission promulgate rules to require video programming providers, distributors, and owners to convey emergency information in a manner accessible to people who are blind or visually impaired); 47 U.S.C. § 613 (video programming accessibility). 311 See, e.g., Sixth Report and Order, 30 FCC Rcd at 6548 ¶ 64; Fifth Report and Order, 27 FCC Rcd at 737 ¶ 283. 312 Assignment of National Security and Emergency Preparedness Telecommunications Functions, Exec. Order No. 12,472, 77 Fed. Reg. 40779 (2012); see also 1981 State and Local Emergency Broadcasting System (EBS) Memorandum of Understanding Among the Federal Emergency Management Agency (FEMA), Federal Communications Commission (FCC), the National Oceanic and Atmospheric Administration (NOAA), and the National Industry Advisory Committee (NIAC), reprinted as Appendix K to Partnership for Public Warning Report 2004-1, The Emergency Alert System (EAS): An Assessment; Memorandum, Presidential Communications with the General Public during Periods of National Emergency, The White House (Sept. 15, 1995); Assigning Emergency Preparedness Functions to the Federal Communications Commission, Exec. Order No. 11,092, 63 Fed. Reg. 2216 (1963). 313 Public Alert and Warning System, Exec. Order No. 13,407, 71 Fed. Reg. 36975 (2006). 314 47 U.S.C. § 301; see also § 307(a)-(b). The Supreme Court acknowledged the Commission has “broad responsibilities for the orderly development of an appropriate system of local television broadcasting.” U.S. v. Sw. Cable Co., 392 U.S. 157, 177 (1968). Federal Communications Commission FCC 16-5 73 requires and encourage the effective use of radio in the public interest. 315 Further, the Act prohibits the transmission or rebroadcast of “false distress signals,” a prohibition that includes false or fraudulent EAS alerts. 316 Finally, we believe that the Commission’s authority to assure that the EAS is delivered in a secure fashion extends to requiring EAS Participants to provide reports that would allow the Commission to investigate, study, and be aware of any potential issues that may preclude the secure and reliable transmission of the EAN. 317 Fraudulent EAS alerts create widespread public confusion and even panic. We seek comment on the Commission’s authority under all the foregoing provisions discussed in this section to adopt the proposals in this Notice, all of which are primarily intended to prepare the nation’s alerting infrastructure for successful transmission of a Presidential Alert. We also seek comment on whether there are other sources of legal authority for the Commission to enact these rules. To the extent commenters believe that additional sources of authority would be necessary or relevant to allowing the Commission to address commenters’ concerns, we encourage commenters to offer additional sources of authority on which the Commission may rely for this purpose. IV. PROCEDURAL MATTERS A. Ex Parte Rules 187. The proceeding initiated by this Notice of Proposed Rulemaking shall be treated as “permit-but-disclose” proceedings in accordance with the Commission’s ex parte rules. 318 Persons making ex parte presentations must file a copy of any written presentation or a memorandum summarizing any oral presentation within two business days after the presentation (unless a different deadline applicable to the Sunshine period applies). Persons making oral ex parte presentations are 315 See 47 U.S.C. § 303(b); § 303(g). The Supreme Court has emphasized that Title III endows the Commission with “expansive powers” and a “comprehensive mandate to ‘encourage the larger and more effective use of radio in the public interest.’” National Broadcasting Co. v. U.S, 319 U.S. 190, 219 (1943) (quoting 47 U.S.C. § 303(g)). See also Cellco Partnership v. FCC, 700 F.3d 534, 541-42 (D.C. Cir. 2012) (“Title III affords the Commission “broad authority to manage spectrum . . . in the public interest”) (quoting Reexamination of Roaming Obligations of Commercial Mobile Radio Service Providers and Other Providers of Mobile Data Services, WT Docket No. 05-265, Second Report and Order, 26 FCC Rcd 5411, 5440, para. 62 (2011). 316 See 47 U.S.C. § 325(a); see also Turner Broadcasting System, Inc., Notice of Apparent Liability for Forfeiture, 28 FCC Rcd 15455 (Enf. Bur. 2013) (forfeiture paid). 317 Moreover, this regulatory approach to system security is not unlike that taken by the Commission with respect to the security of spectrum and its uses in other contexts. See, e.g. Amendment of the Commission’s Rules with Regard to Commercial Operations in the 3550-360 MHz Band, GN Docket No. 12-354, Report and Order and Second Further Notice of Proposed Rulemaking, 30 FCC Rcd 3959, 4033-34, 4060-61 (2015). See also Amendment of Part 15 of the Commission’s Rules for Unlicensed Operations in the Television Bands, Repurposed 600 MHz Band, 600 MHz Guard Bands and Duplex Gap, and Amendment of Part 74 of the Commission’s Rules for Low Power Auxiliary Stations in the Repurposed 600 MHz Band and 600 MHz Duplex Gap, Expanding the Economic and Innovation Opportunities of Spectrum Through Incentive Auctions, ET Docket No. 14-165, GN Docket No. 12-268, Report and Order, FCC 30 Rcd 9551, 9650-54, Appendix A- Revision to Subpart H (2015). See also Use of Spectrum Band Above 24 GHz For Mobile Radio Services, Establishing a More Flexible Framework to Facilitate Satellite Operations in the 27.5-28.35 GHz and 37.5-40 GHz Bands, Petition for Rulemaking of the Fixed Wireless Communications Coalition to Create Service Rules for the 42-43.5 GHz Band, Amendment of Parts 1, 22, 24, 27, 74, 80 90, 95, and 101 To Establish Uniform License Renewal, Discontinuance of Operation, and Geographic Partitioning and Spectrum Disaggregation Rules and Policies for Certain Wireless Radio Services, Allocation and Designation of Spectrum for Fixed-Satellite Services in the 37.5-38.5 GHz, 40.5- 41.5 GHz and 48.2-50.2 GHz Frequency Bands; Allocation of Spectrum to Upgrade Fixed and Mobile Allocations in the 40.5-42.5 GHz Frequency Band; Allocation of Spectrum in the 46.9-47.0 GHz Frequency Band for Wireless Services; and Allocation of Spectrum in the 37.0-38.0 GHz and 40.0-40.5 GHz for Government Operations, GN Docket No. 14-177, RM-11664, WT Docket No. 10-112, IB Docket No. 97-95, Notice of Proposed Rulemaking, FCC 15-138 ¶¶ 255-60. 318 47 C.F.R. §§ 1.1200 – 1.1216. Federal Communications Commission FCC 16-5 74 reminded that memoranda summarizing the presentation must: 1) list all persons attending or otherwise participating in the meeting at which the ex parte presentation was made; and 2) summarize all data presented and arguments made during the presentation. If the presentation consisted in whole or in part of the presentation of data or arguments already reflected in the presenter’s written comments, memoranda, or other filings in the proceeding, the presenter may provide citations to such data or arguments in his or her prior comments, memoranda, or other filings (specifying the relevant page and/or paragraph numbers where such data or arguments can be found) in lieu of summarizing them in the memorandum. Documents shown or given to Commission staff during ex parte meetings are deemed to be written ex parte presentations and must be filed consistent with rule 1.1206(b). In proceedings governed by rule 1.49(f) or for which the Commission has made available a method of electronic filing, written ex parte presentations and memoranda summarizing oral ex parte presentations, and all attachments thereto, must be filed through the electronic comment filing system available for that proceeding, and must be filed in their native format (e.g., .doc, .xml, .ppt, searchable .pdf). Participants in this proceeding should familiarize themselves with the Commission’s ex parte rules. B. Comment Filing Procedures 188. Pursuant to Sections 1.415 and 1.419 of the Commission’s rules, 47 CFR §§ 1.415, 1.419, interested parties may file comments and reply comments on or before the dates indicated on the first page of this document. Comments may be filed using the Commission’s Electronic Comment Filing System (ECFS). See Electronic Filing of Documents in Rulemaking Proceedings, 63 FR 24121 (1998). ? Electronic Filers: Comments may be filed electronically using the Internet by accessing the ECFS: http://apps.fcc.gov/ecfs/. ? Paper Filers: Parties that choose to file by paper must file an original and one copy of each filing. If more than one docket or rulemaking number appears in the caption of this proceeding, filers must submit two additional copies for each additional docket or rulemaking number. Filings can be sent by hand or messenger delivery, by commercial overnight courier, or by first- class or overnight U.S. Postal Service mail. All filings must be addressed to the Commission’s Secretary, Office of the Secretary, Federal Communications Commission. 1. All hand-delivered or messenger-delivered paper filings for the Commission’s Secretary must be delivered to FCC Headquarters at 445 12 th St., SW, Room TW-A325, Washington, DC 20554. The filing hours are 8:00 a.m. to 7:00 p.m. All hand deliveries must be held together with rubber bands or fasteners. Any envelopes and boxes must be disposed of before entering the building. 2. Commercial overnight mail (other than U.S. Postal Service Express Mail and Priority Mail) must be sent to 9300 East Hampton Drive, Capitol Heights, MD 20743. 3. U.S. Postal Service first-class, Express, and Priority mail must be addressed to 445 12 th Street, SW, Washington DC 20554. 189. People with Disabilities: To request materials in accessible formats for people with disabilities (braille, large print, electronic files, audio format), send an e-mail to fcc504@fcc.gov or call the Consumer & Governmental Affairs Bureau at 202-418-0530 (voice), 202-418-0432 (TTY). C. Regulatory Flexibility Analysis 190. As required by the Regulatory Flexibility Act of 1980, see 5 U.S.C. § 604, the Commission has prepared an Initial Regulatory Flexibility Analysis (IRFA) of the possible significant economic impact on small entities of the policies and rules addressed in this document. The IRFA is set forth in Appendix B. Written public comments are requested in the IRFA. These comments must be filed in accordance with the same filing deadlines as comments filed in response to this Notice of Proposed Rulemaking as set forth on the first page of this document, and have a separate and distinct heading designating them as responses to the IRFA. Federal Communications Commission FCC 16-5 75 D. Paperwork Reduction Analysis 191. This document contains proposed new or modified information collection requirements. The Commission, as part of its continuing effort to reduce paperwork burdens, invites the general public and the Office of Management and Budget (OMB) to comment on the information collection requirements contained in this document, as required by the Paperwork Reduction Act of 1995, Public Law 104-13. In addition, pursuant to the Small Business Paperwork Relief Act of 2002, Public Law 107- 198, see 44 U.S.C. 3506(c)(4), we seek specific comment on how we might further reduce the information collection burden for small business concerns with fewer than 25 employees. V. ORDERING CLAUSES 192. Accordingly, IT IS ORDERED that pursuant to 47 U.S.C §§ 151, 152, 154(i), 154(o), 301, 303(b), (g) and (r), 303(v), 307, 309, 335, 403, 544(g), 606, 613, 615 and 1302; The Warning, Alert and Response Network (WARN) Act, WARN Act §§ 602(a), (b), (c), (d), (f), 603, 604, and 606; Twenty- First Century Communications and Video Accessibility Act of 2010, Pub. L. No. 111-260 and Pub. L. No. 111-265, this Notice of Proposed Rulemaking IS hereby ADOPTED. 193. IT IS FURTHER ORDERED that the Commission’s Consumer and Governmental Affairs Bureau, Reference Information Center, SHALL SEND a copy of this Notice of Proposed Rulemaking including the Regulatory Flexibility Analysis, to the Chief Counsel for Advocacy of the Small Business Administration. FEDERAL COMMUNICATIONS COMMISSION Marlene H. Dortch Secretary Federal Communications Commission FCC 16-XXXX 0 APPENDIX A Proposed Rules For the reasons discussed in the preamble, the Federal Communications Commission amends 47 C.F.R. Part 11 to read as follows: PART 11 – EMERGENCY ALERT SYSTEM (EAS) 1. The authority citation for Part 11 continues to read as follows: Authority: 47 U.S.C. 151, 154 (i) and (o), 303(r), 544(g) and 606. 2. Amend § 11.2 by removing 11.2(b), (c), (f), (g), and (h): § 11.2 Definitions. The definitions of terms used in part 11 are: (a) Emergency Action Notification (EAN). The Emergency Action Notification is the notice to all EAS Participants and to the general public that the EAS has been activated for a national emergency. EAN messages that are formatted in the EAS Protocol (specified in §11.31) are sent from a government origination point to broadcast stations and other entities participating in the PEP system, and are subsequently disseminated via EAS Participants. Dissemination arrangements for EAN messages that are formatted in the EAS Protocol (specified in §11.31) at the State and local levels are specified in the State and Local Area plans (defined at §11.21). A national activation of the EAS for a Presidential message with the Event code EAN as specified in §11.31 must take priority over any other message and preempt it if it is in progress. *.*.* (d) EAS Participants. Entities required under the Commission's rules to comply with EAS rules, e.g., analog radio and television stations, and wired and wireless cable television systems, DBS, DTV, SDARS, digital cable and DAB, and wireline video systems. (e) Wireline Video System. The system of a wireline common carrier used to provide video programming service. *.*.* (i) Intermediary Device. An intermediary device is a stand-alone device that carries out the functions of monitoring for, receiving and/or acquiring, and decoding EAS messages formatted in the Common Alerting Protocol (CAP) in accordance with §11.56, and converting such messages into a format that can be inputted into a separate EAS decoder, EAS encoder, or unit combining such decoder and encoder functions, so that the EAS message outputted by such separate EAS decoder, EAS encoder, or unit combining such decoder and encoder functions, and all other functions attendant to processing such EAS message, comply with the requirements in this part. 3. Amend § 11.18 to read as follows: § 11.18 EAS Designations. (a) The Primary Entry Point System is a nationwide network of broadcast stations and other entities connected with government activation points. It is used to distribute EAS messages that are formatted in the EAS Protocol (specified in §11.31), including the EAN and EAS national test messages. FEMA has designated some of the nation's largest radio broadcast stations as PEPs. The PEPs are designated to receive the Presidential alert from FEMA and distribute it to local stations. Federal Communications Commission FCC 16-5 1 (b) A National Primary (NP) is the entity tasked with the primary responsibility of delivering the Presidential alert to a state’s EAS Participants. Thus, for a state that has a FEMA-designated PEP, that station would be designated as that state’s National Primary. For a state that does not have a PEP, another station would act as National Primary. (c) A State Primary (SP) is a broadcaster tasked with initiating the delivery of a state EAS alert will be a State Primary. A State Primary may be a broadcaster, a state emergency management office, or other entity authorized to and capable of initiating a state-based EAS alert. A State Primary and a National Primary may be the same broadcaster, but would need to be separately designated as such in any State EAS Plan. (d) A Relay Station (RS) retransmits EAS messages, including the Presidential Alert and state and local alerts, to Local Primary (LP) sources for distribution to Participation National sources, and the public, as necessary. (e) A Local Primary (LP) serves as a monitoring assignment for a Participating National (PN) entity. An LP source is responsible for coordinating the carriage of common emergency messages from sources such as the National Weather Service or local emergency management offices as specified in its State EAS Plan. If it is unable to carry out this function, other LP sources in the Local Area may be assigned the responsibility as indicated in State EAS Plans. LP sources are assigned numbers (LP-1, 2, 3, etc.) in the sequence they are to be monitored by other broadcast stations in the Local Area. (f) Participating National (PN) entities transmit EAS National, State or Local Area messages. The EAS transmissions of PN sources are intended for direct public reception. 4. Amend § 11.21 to read as follows: § 11.21 State and Local Area plans and FCC Mapbook. (a) EAS plans contain guidelines which must be followed by EAS Participants' personnel, emergency officials, and National Weather Service (NWS) personnel to activate the EAS. The plans include the following elements: (1) A list of the EAS header codes and messages that will be transmitted by key EAS sources (National Primary (NP), State Primary (SP), Local Primary (LP), and State Relay (SR) stations); (2) Procedures for state emergency management officials, the National Weather Service, and EAS Participant personnel to transmit emergency information to the public during an emergency using regulated alerting tools (e.g., EAS and WEA) as well as any non-regulated alerting mechanisms (e.g., highway signs, social media), including the extent to which the state’s dissemination strategy for state and local emergency alerts differs from their Presidential Alerting strategy; (3) A list of all entities authorized to activate EAS for state and local emergency messages (e.g., Police and Public Safety Answering Points (PSAPs)), whose transmissions might be interrupted by a Presidential Alert; (4) Monitoring assignments to receive the Presidential Alert, and the primary and back-up paths for the dissemination of the Presidential Alert to all key EAS sources organized by operational areas within the state; (5) State procedures for special EAS tests, Required Monthly Tests (RMTs), Required Weekly Tests (RWTs) and national tests designed to ensure that the system will function as designed when needed for a Presidential Alert, including a description of the extent to which State and Local WEA Tests are utilized by alert originators as a complement to the Presidential Alert distribution system to verify that WEA is capable of informing the public that a Presidential Alert is presently being delivered over EAS; Federal Communications Commission FCC 16-5 2 (6) The extent to which alert originators coordinate “one-to-many” alerts with “many-to-one” community feedback mechanisms, such as 9-1-1, to make full use of public safety resources; (7) Specific and detailed information describing the procedures for ensuring EAS Participants can authenticate the current assigned state, local and tribal originators, if the state initiates EAS messages formatted in the Common Alerting Protocol (CAP) signed with a digital signature as specified in the Organization for the Advancement of Structured Information Standards (OASIS) Common Alerting Protocol Version 1.2 (July 1, 2010), its EAS State Plan; and (8) The SECC governance structure utilized by the state in order to organize state and local resources to ensure the efficient and effective delivery of a Presidential Alert, including the duties of SECCs, the membership selection process utilized by the SECC, and the proposed administration of the SECCs. (b) The Local Area plan contains procedures for local officials or the NWS to transmit emergency information to the public during a local emergency using the EAS. Local plans may be a part of the State plan. A Local Area is a geographical area of contiguous communities or counties that may include more than one state. (c) The FCC Mapbook is based on the consolidation of the data table required in each State EAS plan with the identifying data contained in the ETRS. The Mapbook organizes all EAS Participants according to their State, EAS Local Area, and EAS designation. EAS Participant monitoring assignments and EAS operations must be implemented in a manner consistent with guidelines established in a State EAS Plan submitted to the Commission in order for the Mapbook to accurately reflect actual alert distribution. 5. Amend § 11.31 by revising paragraph (c) to read as follows: § 11.31 EAS protocol. * * * * * (c) The EAS protocol, including any codes, must not be amended, extended or abridged without FCC authorization. The EAS protocol and message format are specified in the following representation. Examples are provided in FCC Public Notices. [PREAMBLE]ZCZC-ORG-EEE-PSSCCC+TTTT-YYYYJJJHHMM-LLLLLLLL-(one second pause) [PREAMBLE]ZCZC-ORG-EEE-PSSCCC+TTTT-YYYYJJJHHMM-LLLLLLLL-(one second pause) [PREAMBLE]ZCZC-ORG-EEE-PSSCCC+TTTT-YYYYJJJHHMM-LLLLLLLL-(at least a one second pause) *.*.* YYYYJJJHHMM—This is the year (YYYY), day in Julian Calendar days (JJJ) of the year and the time in hours and minutes (HHMM) when the message was initially released by the originator using 24 hour Universal Coordinated Time (UTC). LLLLLLLL—This is the PSID identification of the EAS Participant, NWS office, etc., transmitting or retransmitting the message. These codes will be automatically affixed to all outgoing messages by the EAS encoder. 6. Amend § 11.32 by revising paragraph (a)(5) to read as follows: § 11.32 EAS Encoder. * * * *.* (5) Day-Hour-Minute and Identification Stamps. The encoder shall affix the YYYYJJJHHMM and LLLLLLLL codes automatically to all initial messages. *.*.*.*.* Federal Communications Commission FCC 16-5 3 7. Amend § 11.33 by revising paragraph (a)(10) to read as follows: § 11.33 EAS Decoder. * * * * * (10)Message Validity. An EAS Decoder must provide error detection and validation of the header codes of each message to ascertain if the message is valid. Header code comparisons may be accomplished through the use of a bit-by-bit compare or any other error detection and validation protocol. A header code must only be considered valid when two of the three headers match exactly, the Station ID header code matches one of the assigned monitoring sources as specified in the state plan and the expiration time is in the future. Duplicate messages must not be relayed automatically. *.*.*.*.* 8. Amend § 11.44 to read as follows: § 11.44 Security of EAS Participants (a) Definitions. Terms in this section shall have the following meanings: (1) Certification. An attestation by a Certifying Official, under penalty of perjury, that an EAS Participant: (i) Has satisfied the obligations of subsection (b) of this section. (ii) Has adequate internal controls to bring material information regarding network architecture, operations, and maintenance to the Certifying Official’s attention. (iii) Has made the Certifying Official aware of all material information reasonably necessary to complete the certification. (2) Certifying Official. A corporate officer of an EAS Participant with supervisory and budgetary authority over network operations in all relevant service areas. (3) Segmentation. A category of best practice actions for certification purposes that logically group and compartmentalize assets and restrict trusted access to those compartments. (b) Annual EAS Security Certification. The identifying information required by the ETRS as specified in §11.61(a)(3)(iv) shall include a Certification to the Commission by a Certifying Official of every EAS Participant as follows. (1) Patch Management. (i) An EAS Participant shall certify whether it has, within the past year: (A) Followed a program to identify and install updates and patches to EAS devices and attached systems in a timely manner; (B) Verified EAS devices are running the current version and patch level of software and firmware; and (C) Verified systems connected to EAS devices are running the current version and patch level of software and firmware. (ii) If an EAS Participant does not conform with the elements in subsection (b)(1)(i) above it must certify: (A) Whether it has taken alternative measures or remediation to meet or exceed the security provided by the current version and patch level, in which case it shall provide a brief explanation of such alternative measures or such remediation steps, the date by which it anticipates such remediation will be completed, and why it believes those measures are reasonably sufficient to mitigate such risk; or (B) Whether it believes that one or more of the requirements of this subsection are not applicable to its network, in which case it shall provide a brief explanation of why it believes any such requirement does not apply. (2) Account Management. (i) An EAS Participant shall certify that: (A) All EAS device and connected system passwords have been changed from the default; Federal Communications Commission FCC 16-5 4 (B) Where passwords are used, password complexity is required; and (C) Default, unnecessary, and expired accounts have been removed or disabled. (ii) If an EAS Participant does not conform with all of the elements in subsection (b)(2)(i) above, it must certify: (A) Whether it has taken alternative measures to mitigate the risk of a unauthorized access or is taking steps to remediate any issues it has identified in complying with the above elements, in which case it shall provide a brief explanation of such alternative measures or such remediation steps, the date by which it anticipates such remediation will be completed, and why it believes those measures are reasonably sufficient to mitigate such risk; or (B) Whether it believes that one or more of the requirements of this subsection are not applicable to its network, in which case it shall provide a brief explanation of why it believes any such requirement does not apply. (3) Segmentation. (i) An EAS Participant shall certify that: (A) All of its EAS devices are not directly accessible from the Internet; and (B) If remote access to EAS devices is required, such access is properly logged and secured in accordance with industry best practices. (ii) If an EAS Participant does not conform with all of the elements in subsection (c)(3)(i) above, it must certify: (A) Whether it believes that one or more of the requirements of this subsection are not applicable to its network, in which case it shall provide an explanation of why it believes any such requirement does not apply. (4) CAP Digital Signature Validation. (i) An EAS Participant shall certify that: (A) EAS devices are configured to validate digital signatures on CAP messages if the source of the CAP message includes this feature. (c) Other Matters (1) Confidential Treatment. (i) The fact of filing or not filing an Annual EAS Security Certification and the responses on the face of such certification forms shall not be treated as confidential. (ii) Information submitted with or in addition to such Certifications shall be presumed confidential to the extent that it consists of descriptions and documentation of alternative measures to mitigate the risks of nonconformance with certification elements, information detailing specific corrective actions taken with respect to certification elements, or supplemental information requested by the Commission or Bureau with respect to a certification. * * * * * 9. Amend § 11.45 to read as follows: § 11.45 Prohibition of false or deceptive EAS transmissions. (a) No person may transmit or cause to transmit the EAS codes or Attention Signal, or a recording or simulation thereof, in any circumstance other than in an actual National, State or Local Area emergency or authorized test of the EAS; or as specified in Section 11.46 and 11.61. (b) All EAS Participants shall submit electronically a Notification to the Commission via ETRS: (1) An initial report within 30 minutes of discovering the transmission of a false EAS alert by their station. The report shall include the time discovered, transmitted EAS alert fields, message source, and area covered by the transmission. (2) An initial report within 15 minutes of discovering that EAS Participant equipment causes, contributes to, or participates in a lockout that adversely affects the public. The report shall include the Federal Communications Commission FCC 16-5 5 time discovered, message source, and affected devices. (3) Not later than 72 hours after discovering the event, the EAS Participant shall submit a final report to the Commission describing the root cause of the event, number of affected customers, and mitigation steps taken. (c) Confidential Treatment. (1) The fact of filing or not filing a false EAS alert report shall not be treated as confidential. (2) Information submitted with or in addition to such reports shall be presumed confidential to the extent that it consists of descriptions and documentation of proprietary company information, root causes, or supplemental information requested by the Commission or Bureau with respect to an incident. 10. Amend § 11.46 to read as follows: § 11.46 EAS code and Attention Signal Monitoring requirements. Public Service Announcements and commercially-sponsored announcements, infomercials, or programs may be used to explain the EAS to the public, provided that the entity using the codes and Attention Signal presents them in a non-misleading and technically harmless manner. 11. Amend § 11.52 by revising paragraph (d)(1) to read as follows, and by removing paragraph (d)(3): § 11.52 EAS code and Attention Signal Monitoring requirements. * * * * * (d) EAS Participants must comply with the following monitoring requirements: (1) With respect to monitoring for EAS messages that are formatted in accordance with the EAS Protocol, EAS Participants must monitor two EAS sources. * * * 12. Amend § 11.54 to read as follows: § 11.54 EAS operation during a National Level emergency (a) Immediately upon receipt of a valid EAN message, or the NPT Event code in the case of a nationwide test of the EAS, EAS Participants must comply with the following requirements, as applicable: * * * (1) Analog and digital broadcast stations may transmit their call letters and analog cable systems, digital cable systems and wireless cable systems may transmit the names of the communities they serve during an EAS activation. * * * 13. Amend § 11.55 by removing paragraph (b): § 11.55 EAS operation during a State or Local Area emergency * * * * * 14. Amend § 11.56 by adding paragraph (c) to read as follows: §11.56 Obligation to process CAP-formatted EAS messages. Federal Communications Commission FCC 16-5 6 *.*.*.*.* (c) EAS Participants shall configure their systems to treat as invalid all CAP-formatted EAS messages that include a digital signature that does not match an authorized source from FEMA or from a designated source as specified in the state EAS plan. (d)The standards required in this section are incorporated by reference into this section with the approval of the Director of the Federal Register under 5 U.S.C. 552(a) and 1 CFR part 51. To enforce any edition other than that specified in this section, the Federal Communications Commission must publish notice of change in the FEDERAL REGISTER and the material must be available to the public. All approved material is available for inspection at the Federal Communications Commission, 445 12th Street SW., Washington, DC (Reference Information Center) and is available from the sources indicated below. It is also available for inspection at the National Archives and Records Administration (NARA). For information on the availability of this material at NARA, call 202-741-6030 or go to http://www.archives.gov/federal_register/code_of_federal_regulations/ibr_locations.html. 15. Amend § 11.61 to read as follows: §11.61 Tests of EAS procedures (a) * * * (3) * * * (iv) * * * (A) EAS Participants shall provide the identifying information required by the ETRS initially no later than sixty days after the publication in the Federal Register of a notice announcing the approval by the Office of Management and Budget of the modified information collection requirements under the Paperwork Reduction Act of 1995 and an effective date of the rule amendment, or within sixty days of the launch of the ETRS, whichever is later, and shall renew this identifying information on a yearly basis. (4) EAS activations and special tests. The EAS may be activated for emergencies or special tests at the State or Local Area level by an EAS Participant instead of the monthly or weekly tests required by this section. To substitute for a monthly test, activation must include transmission of the EAS header codes, Attention Signal, emergency message and EOM code and comply with the visual message requirements in §11.51. To substitute for the weekly test of the EAS header codes and EOM codes in paragraph (a)(2)(i) of this section, activation must include transmission of the EAS header and EOM codes. Analog and digital television broadcast stations, analog cable systems, digital cable systems, wireless cable systems, and DBS providers shall comply with the aural and visual message requirements in §11.51. Special EAS tests at the State and Local Area levels may be conducted on daily basis following procedures in State and Local Area EAS plans. (5) Live Code Tests. Live Code Tests may be conducted to exercise the EAS and raise public awareness, provided that the entity conducting the test: i. Provides notification in accessible formats during the test (e.g., audio voiceovers, video crawls as described in 47 C.F.R. § 11.51) to make sure the public understands that the test is not, in fact, warning about an actual emergency; ii. Engages in outreach pre-test to coordinates among EAS Participants and with state and local emergency authorities, as well as first responder organizations (e.g., Public Safety Answering Points (PSAPs), police and fire agencies, and the public in order to notify them that live event codes will be used, but that no emergency is in fact occurring. Federal Communications Commission FCC 16-5 APPENDIX B Initial Regulatory Flexibility Analysis 1. As required by the Regulatory Flexibility Act of 1980, as amended (RFA), 1 the Commission has prepared this present Initial Regulatory Flexibility Analysis (IRFA) of the possible significant economic impact of the proposals described in the attached Notice of Proposed Rulemaking on small entities. Written public comments are requested on this IRFA. Comments must be identified as responses to the IRFA and must be filed by the deadlines for comments in the Notice of Proposed Rulemaking. The Commission will send a copy of the Notice of Proposed Rulemaking, including this IRFA, to the Chief Counsel for Advocacy of the Small Business Administration (SBA). 2 In addition, the Notice of Proposed Rulemaking and IRFA (or summaries thereof) will be published in the Federal Register. 3 A. Need for, and Objectives of, the Proposed Rules 2. The proposals outlined in this Notice fall into four categories: (1) improving alerting organization at the state and local levels, (2) building stronger community-based alerting exercise programs, (3) modernizing and (4) encouraging the adoption of basic security hygiene by proposing rules to resolve problems with security vulnerabilities in the EAS. 3. With respect to improving alerting organization at the state and local levels, we propose to adopt EAS designations that reflect the manner that SECCs organize EAS Participants in their respective states. We further propose to streamline the aggregation of State EAS Plan data by allowing SECCs to file their Plans electronically in an online database by utilizing a template designed to allow SECCs to fully detail their strategy for providing the public with access to alerts initiated by, inter alia, the President. With respect to building stronger community-based alerting exercise programs, we propose to codify our “live code” waiver process to facilitate state and local exercises of alerting platforms that improve public preparedness for response to actual emergencies, and to allow PSAs and commercially-sponsored announcements, infomercials and programs to be used to explain the EAS to the public, provided that the entity using the codes and Attention Signal presents them in a non-misleading and technically harmless manner. 4 We seek specific comment on how the use of these tools can be targeted to communities with accessibility needs. With respect to alert platform modernization, we seek comment on whether the Commission’s existing cable force tuning and selective override provisions continue to serve the public interest. We seek comment on whether it would be in the public interest to require EAS Participants to support EAS alerts on all channels they control that are viewable by consumers, as opposed to only those that the rules currently consider “programmed channels.” We also seek comment on consumer expectations for alerting in emerging video technologies. Further, we seek comment on whether 4G-LTE tablets should be considered as “mobile devices” for the purpose of the Part 10 rules. Finally, we also seek comment on how technological developments can be leveraged to serve the needs of communities with accessibility needs. 1 See 5 U.S.C. § 603. The RFA, see 5 U.S.C. §§ 601-612, has been amended by the Small Business Regulatory Enforcement Fairness Act of 1996 (SBREFA), Pub. L. No. 104-121, Title II, 110 Stat. 857 (1996). 2 See 5 U.S.C. § 603(a). 3 Id. 4 The EAS Protocol, which is the transmission format for all EAS alerts distributed over the legacy EAS, utilizes fixed header codes to identify various aspects of the alert. A “header code” is a parameter in the EAS Protocol that provides instructions to EAS equipment to, inter alia, identify the originator of the alert, the event giving rise to the alert, the location to which the alert is relevant, and the time period during which the alert is valid. See 47 C.F.R. § 11.31(c). A “live” code, as distinguished from a “test” code, is a code that is used to indicate that an actual emergency is occurring. Federal Communications Commission FCC 16-5 4. With respect to securing the EAS, in the Notice we propose that EAS Participants annually certify that (1) they have kept their systems updated with the latest firmware and software patches, (2) they have a program in place to control access to EAS devices that includes changing default passwords, requiring password complexity, and removing or disabling expired accounts, (3) they have ensured that all EAS devices are not directly accessible from the Internet, and that, if required, any remote access is properly secured and logged, and (4) EAS devices are configured to validate digital signatures on CAP messages if the source of the CAP message requires this feature. We also propose a digital signature alert authentication requirement for all CAP messages, not only those originated by IPAWS-OPEN, revising section 11.31 of the Commission’s EAS rules to include a year parameter “YYYY” in the time stamp, and revising Part 11 of the rules to require EAS Participants to discard interstitial alerts. We propose to establish a reporting requirement for false alert events through the ETRS and instances when EAS Participant equipment causes, contributes to, or participates in a lockout that adversely affects the public. Finally, we seek comment on whether SDN techniques such as centralizing configuration and management of EAS or network function virtualization should be the basis for our new EAS paradigm, and on how to ensure a modern and effective EAS architecture. B. Legal Basis 5. Authority for the actions proposed in this Notice of Proposed Rulemaking may be found in 47 U.S.C §§ 151, 152, 154(i), 154(o), 301, 303(b), (g) and (r), 303(v), 307, 309, 335, 403, 544(g), 606, 613, 615 and 1302; The Warning, Alert and Response Network (WARN) Act, WARN Act §§ 602(a), (b), (c), (d), (f), 603, 604, and 606; Twenty-First Century Communications and Video Accessibility Act of 2010, Pub. L. No. 111-260 and Pub. L. No. 111-265. C. Description and Estimate of the Number of Small Entities to Which Rules Will Apply 6. The RFA directs agencies to provide a description of, and where feasible, an estimate of the number of small entities that may be affected by the proposed rules, if adopted. 5 The RFA generally defines the term “small entity” as having the same meaning as the terms “small business,” “small organization,” and “small governmental jurisdiction.” In addition, the term “small business” has the same meaning as the term “small business concern” under the Small Business Act. A “small business concern” is one which: (1) is independently owned and operated; (2) is not dominant in its field of operation; and (3) satisfies any additional criteria established by the Small Business Administration (SBA). Below, we describe and estimate the number of small entity licensees that may be affected by the adopted rules. 7. Small Businesses, Small Organizations, and Small Governmental Jurisdictions. Nationwide, there are a total of approximately 28.2 million small businesses, according to the SBA. 6 In addition, a “small organization” is generally “any not-for-profit enterprise which is independently owned and operated and is not dominant in its field.” 7 Nationwide, as of 2007, there were approximately 1,621,315 small organizations. 8 Finally, the term “small governmental jurisdiction” is defined generally as “governments of cities, towns, townships, villages, school districts, or special districts, with a population of less than fifty thousand.” 9 Census Bureau data for 2007 indicate that there were 89,476 local governmental 5 See 5 U.S.C. § 603(b)(3). 6 See SBA, Office of Advocacy, Frequently Asked Questions, http://www.sba.gov/sites/default/files/FAQ_March_2014_0.pdf (last accessed Jan. 25, 2015). 7 5 U.S.C. § 601(4). 8 Indep. Sector, The New Nonprofit Almanac and Desk Reference (2010). 9 5 U.S.C. § 601(5). Federal Communications Commission FCC 16-5 jurisdictions in the United States. 10 We estimate that, of this total, as many as 88,761 entities may qualify as “small governmental jurisdictions.” 11 Thus, we estimate that most governmental jurisdictions are small. 8. Radio Stations. This Economic Census category comprises establishments primarily engaged in broadcasting aural programs by radio to the public. Programming may originate in the station’s own studio, from an affiliated network, or from an external source. 12 The SBA defines a radio broadcasting entity that has $38.5 million or less in annual receipts as a small business. 13 According to Commission staff review of the BIA Kelsey Inc. Media Access Radio Analyzer Database as of June 5, 2013, about 90 percent of the 11,340 of commercial radio stations in the United States have revenues of $38.5 million or less. Therefore, the majority of such entities are small entities. The Commission has estimated the number of licensed noncommercial radio stations to be 3,917. 14 We do not have revenue data or revenue estimates for these stations. These stations rely primarily on grants and contributions for their operations, so we will assume that all of these entities qualify as small businesses. We note that in assessing whether a business entity qualifies as small under the above definition, business control affiliations must be included. 15 In addition, to be determined to be a “small business,” the entity may not be dominant in its field of operation. 16 We note that it is difficult at times to assess these criteria in the context of media entities, and our estimate of small businesses may therefore be over-inclusive. 9. Low-Power FM Stations. The same SBA definition that applies to radio broadcast licensees would apply to low power FM (“LPFM”) stations. The SBA defines a radio broadcast station as a small business if such station has no more than $38.5 million in annual receipts. Currently, there are approximately 864 licensed LPFM stations. Given the nature of these services, we will presume that all of these licensees qualify as small entities under the SBA definition. 10. Television Broadcasting. The SBA defines a television broadcasting station that has no more than $38.5 million in annual receipts as a small business. 17 Business concerns included in this industry are those primarily engaged in broadcasting images together with sound. 18 These establishments 10 U.S. Census Bureau, Statistical Abstract of the United States: 2012, Section 8, page 267, tbl. 429, https://www.census.gov/compendia/statab/2012/tables/12s0429.pdf/ (data cited therein are from 2007). 11 The 2007 U.S. Census data for small governmental organizations are not presented based on the size of the population in each such organization. There were 89,476 local governmental organizations in 2007. If we assume that county, municipal, township, and school district organizations are more likely than larger governmental organizations to have populations of 50,000 or less, the total of these organizations is 52,095. As a basis of estimating how many of these 89,476 local government organizations were small, in 2011, we note that there were a total of 715 cities and towns (incorporated places and minor civil divisions) with populations over 50,000. City and Town Totals Vintage: 2011 – U.S. Census Bureau, http://www.census.gov/popest/data/cities/totals/2011/index.html. If we subtract the 715 cities and towns that meet or exceed the 50,000 population threshold, we conclude that approximately 88,761 are small. U.S. Census Bureau, Statistical Abstract of the United States: 2012, Section 8, page 267, tbl. 429, https://www.census.gov/compendia/statab/2012/tables/12s0429.pdf/ (data cited therein are from 2007). 12 U.S. Census Bureau, 2007 NAICS Definitions, “515112 Radio Stations”; http://www.census.gov/cgi- bin/sssd/naics/naicsrch?code=515112&search=2007 NAICS Search. 13 See 13 C.F.R. § 121.201, NAICS Code 515112. See also Small Business Size Standards, 77 Fed. Reg. at 72704. 14 March 31, 2013 Broadcast Station Totals Press Release. 15 “[Businesses] are affiliates of each other when one [business] controls or has the power to control the other or a third party or parties controls or has the power to control both.” 13 C.F.R. § 121.103(a)(1). 16 See 13 C.F.R. § 121.102(b). 17 Television broadcasting stations with no more than $35.5 million in annual receipts are considered a small business pursuant to the SBA’s standards. See Small Business Size Standards: Information, 77 Fed. Reg. 72702, 72704 (Dec. 6, 2012). 18 See 13 C.F.R. § 121.201, NAICS Code 515120 (2007). Federal Communications Commission FCC 16-5 operate television broadcasting studios and facilities for the programming and transmission of programs to the public. 19 These establishments also produce or transmit visual programming to affiliated broadcast television stations, which in turn broadcast the programs to the public on a predetermined schedule. 20 Programming may originate in the station’s own studio, from an affiliated network, or from an external source. 21 11. According to Commission staff review of the BIA Financial Network, Inc. Media Access Pro Television Database as of March 31, 2013, about 90 percent of an estimated 1,385 commercial television stations in the United States have revenues of $38.5 million or less. Based on this data and the associated size standard, we conclude that the majority of such establishments are small. The Commission has estimated the number of licensed noncommercial educational (“NCE”) stations to be 396. 22 We do not have revenue estimates for NCE stations. These stations rely primarily on grants and contributions for their operations, so we will assume that all of these entities qualify as small businesses. In addition, there are approximately 567 licensed Class A stations, 2,227 licensed low-power television (“LPTV”) stations, and 4,518 licensed TV translators. 23 Given the nature of these services, we will presume that all LPTV licensees qualify as small entities under the above SBA small business size standard. 12. We note that in assessing whether a business entity qualifies as small under the above definition, business control affiliations must be included. 24 Our estimate, therefore, likely overstates the number of small entities affected by the proposed rules, because the revenue figures on which this estimate is based do not include or aggregate revenues from affiliated companies. 13. In addition, an element of the definition of “small business” is that the entity not be dominant in its field of operation. The Commission is unable at this time and in this context to define or quantify the criteria that would establish whether a specific television station is dominant in its market of operation. Accordingly, the foregoing estimate of small businesses to which the rules may apply does not exclude any television stations from the definition of a small business on this basis and is therefore over- inclusive to that extent. An additional element of the definition of “small business” is that the entity must be independently owned and operated. It is difficult at times to assess these criteria in the context of media entities, and our estimates of small businesses to which they apply may be over-inclusive to this extent. 14. Wired Telecommunications Carriers. This industry comprises establishments “primarily engaged in operating and/or providing access to transmission facilities and infrastructure that they own and/or lease for the transmission of voice, data, text, sound, and video using wired telecommunications networks.” 25 Transmission facilities “may be based on a single technology or a combination of technologies.” 26 Establishments in this industry use the wired telecommunications network facilities that 19 Id. 20 Id. 21 U.S. Census Bureau, 2007 NAICS Definitions, “515112 Radio Stations”; http://www.census.gov/cgi- bin/sssd/naics/naicsrch?code=515112&search=2007 NAICS Search. 22 News Release, Broadcast Station Totals as of March 31, 2013 (MB rel. Apr. 12, 2013) (“March 31, 2013 Broadcast Station Totals Press Release”), available at http://transition.fcc.gov/Daily_Releases/Daily_Business/2013/db0412/DOC-320138A1.pdf. 23 See March 31, 2013 Broadcast Station Totals Press Release. 24 “[Businesses] are affiliates of each other when one [business] controls or has the power to control the other, or a third party or parties controls or has the power to control both.” 13 C.F.R. § 121.103(a)(1). 25 See U.S. Census Bureau, 2007 NAICS Definitions, 517110 Wired Telecommunications Carriers, http://www.census.gov/cgi-bin/sssd/naics/naicsrch?code=517110&search=2007 NAICS Search. 26 Id. Federal Communications Commission FCC 16-5 they operate to provide a variety of services, such as wired telephony services, including VoIP services; wired (cable) audio and video programming distribution; and wired broadband Internet services. 27 By exception, “establishments providing satellite television distribution services using facilities and infrastructure that they operate are included in this industry.” 28 In this category, the SBA deems a wired telecommunications carrier to be small if it has 1,500 or fewer employees. 29 Census data for 2007 shows 3,188 firms in this category. 30 Of these, 3,144 had fewer than 1,000 employees. 31 On this basis, the Commission estimates that a substantial majority of the providers of wired telecommunications carriers are small. 32 15. Cable and Other Subscription Programming. This industry comprises establishments primarily engaged in operating studios and facilities for the broadcasting of programs on a subscription or fee basis. The broadcast programming is typically narrowcast in nature (e.g., limited format, such as news, sports, education, or youth-oriented). These establishments produce programming in their own facilities or acquire programming from external sources. The programming material is usually delivered to a third party, such as cable systems or direct-to-home satellite systems, for transmission to viewers. 33 The SBA size standard for this industry establishes as small any company in this category which receives annual receipts of $38.5 million or less. 34 U.S. Census data for 2007 show that 396 firms operated for the entire year. Of these, 349 operated with annual receipts of less than $25 million a year. Based on this data, the Commission estimates that the majority of firms operating in this industry is small. 35 16. Cable System Operators (Rate Regulation Standard). The Commission has also developed its own small business size standards for the purpose of cable rate regulation. Under the Commission’s rules, a “small cable company” is one serving 400,000 or fewer subscribers nationwide. 36 Industry data indicate that there are currently 4,600 active cable systems in the United States. 37 Of this total, all but nine cable operators nationwide are small under the 400,000-subscriber size standard. 38 In addition, under the Commission’s rate regulation rules, a “small system” is a cable system serving 15,000 or fewer 27 See id. 28 Id. 29 See 13 C.F.R. § 121.201, NAICS Code 517110. 30 See U.S. Census Bureau, American FactFinder, “Information: Subject Series – Estab and Firm Size: Employment Size of Establishments for the United States: 2007 – 2007 Economic Census,” NAICS code 517110; available at, http://factfinder.census.gov/faces/tableservices/jsf/pages/productview.xhtml?pid=ECN_2007_US_51SSSZ5&prodTyp e=table. 31 See id. 32 Id. 33 http://www.census.gov/cgi-bin/sssd/naics/naicsrch?code=515210&search=2007. 34 See 13 C.F. R 121.201, NAICS Code 515210. 35 http://factfinder.census.gov/faces/tableservices/jsf/pages/productview.xhtml?pid=ECN_2007_US_51SSSZ4&prodTyp e=table 36 47 C.F.R. § 76.901(e). The Commission determined that this size standard equates approximately to a size standard of $100 million or less in annual revenues. Implementation of Sections of the Cable Television Consumer Protection And Competition Act of 1992: Rate Regulation, MM Docket No. 92-266, MM Docket No. 93-215, Sixth Report and Order and Eleventh Order on Reconsideration, 10 FCC Rcd 7393, 7408 (1995). 37 The number of active, registered cable systems comes from the Commission’s Cable Operations and Licensing System (COALS) database on August 15, 2015. See www.fcc.gov/coals. 38 See SNL KAGAN, htpps://www.snl.com/Interactivex/TopCable MSOs.aspx. Federal Communications Commission FCC 16-5 subscribers. 39 Current Commission records show 4,600 cable systems nationwide. 40 Of this total, 3,900 cable systems have fewer than 15,000 subscribers, and 700 systems have 15,000 or more subscribers, based on the same records. 41 Thus, under this standard, we estimate that most cable systems are small. 17. Cable System Operators (Telecom Act Standard). The Communications Act of 1934, as amended, also contains a size standard for small cable system operators, which is “a cable operator that, directly or through an affiliate, serves in the aggregate fewer than 1 percent of all subscribers in the United States and is not affiliated with any entity or entities whose gross annual revenues in the aggregate exceed $250,000,000.” 42 There are approximately 52,403,705 cable video subscribers in the United States today. 43 Accordingly, an operator serving fewer than 524,037 subscribers shall be deemed a small operator if its annual revenues, when combined with the total annual revenues of all its affiliates, do not exceed $250 million in the aggregate. 44 Based on available data, we find that all but nine incumbent cable operators are small entities under this size standard. 45 We note that the Commission neither requests nor collects information on whether cable system operators are affiliated with entities whose gross annual revenues exceed $250 million. 46 Although it seems certain that some of these cable system operators are affiliated with entities whose gross annual revenues exceed $250,000,000, we are unable at this time to estimate with greater precision the number of cable system operators that would qualify as small cable operators under the definition in the Communications Act. 18. Satellite Telecommunications. This category comprises firms “primarily engaged in providing telecommunications services to other establishments in the telecommunications and broadcasting industries by forwarding and receiving communications signals via a system of satellites or reselling satellite telecommunications.” 47 This category has a small business size standard of $32.5 million or less in average annual receipts, under SBA rules. 48 For this category, Census Bureau data for 2007 show that there were a total of 512 satellite communications firms that operated for the entire year. 49 Of this total, 482 firms had annual receipts of less than $25 million. 50 Consequently, the Commission estimates that the majority of Satellite Telecommunications firms are small entities that might be affected by our action. 19. Other Telecommunications. This category includes “establishments primarily engaged in . . . providing satellite terminal stations and associated facilities operationally connected with one or more terrestrial communications systems and capable of transmitting telecommunications to or receiving 39 47 C.F.R. § 76.901(c). 40 See supra note 39. 41 See id. 42 47 U.S.C. § 543(m)(2); see 47 C.F.R. § 76.901(f) & nn. 1-3. 43 See SNL KAGAN, htpps://www.snl.com/interactivex/MultichannelIndustryBenchmarks.aspx. 44 See 47 § C.F.R 901(f), nn ff. 1, 2, and 3. 45 See SNL KAGAN, htpps://www.snl.com/Interactivex/TopCable MSOs.aspx. 46 The Commission does receive such information on a case-by-case basis if a cable operator appeals a local franchise authority’s finding that the operator does not qualify as a small cable operator pursuant to § 76.901(f) of the Commission’s rules. See 47 C.F.R. § 76.901(f). 47 See U.S. Census Bureau, 2007 NAICS Definitions, 517410 Wired Telecommunications Carriers, http://www.census.gov/cgi-bin/sssd/naics/naicsrch?code=517410&search=2007 NAICS Search. 48 See 13 C.F.R. § 121.201, NAICS code 517410. 49 See AMERICAN FACT FINDER, UNITED STATES CENSUS BUREAU, http://factfinder.census.gov/servlet/IBQTable?_bm=y&-geo_id=&-_skip=900&-ds_name=EC0751SSSZ4&-_lang=en. 50 See id. Federal Communications Commission FCC 16-5 telecommunications from satellite systems.” 51 The SBA definition of Other Telecommunications entities comprises those that have $32.5 million or less in average annual receipts. 52 For this category, Census Bureau data for 2007 show that there were a total of 2,383 firms that operated for the entire year. 53 Of this total, 2,346 firms had annual receipts of under $25 million and 37 firms had annual receipts of $25 million to $49,999,999. 54 Consequently, the Commission estimates that the majority of Other Telecommunications firms are small entities that might be affected by our action. 20. The Educational Broadcasting Services. In addition, the SBA’s placement of Cable Television Distribution Services in the category of Wired Telecommunications Carriers is applicable to cable-based Educational Broadcasting Services. Since 2007, these services have been defined within the broad economic census category of Wired Telecommunications Carriers, which was developed for small wireline businesses. This category is defined as follows: “This industry comprises establishments primarily engaged in operating and/or providing access to transmission facilities and infrastructure that they own and/or lease for the transmission of voice, data, text, sound, and video using wired telecommunications networks. Transmission facilities may be based on a single technology or a combination of technologies. Establishments in this industry use the wired telecommunications network facilities that they operate to provide a variety of services, such as wired telephony services, including VoIP services; wired (cable) audio and video programming distribution; and wired broadband Internet services.” 55 The SBA has developed a small business size standard for this category, which is: all such businesses having 1,500 or fewer employees. 56 Census data for 2007 shows that there were 31,996 establishments that operated that year. 57 Of this total, 30,178 establishments had fewer than 100 employees, and 1,818 establishments had 100 or more employees. 58 Therefore, under this size standard, we estimate that the majority of businesses can be considered small entities. In addition to Census data, the Commission’s internal records indicate that as of September 2014, there are 2,207 active EBS licenses. 59 The Commission estimates that of these 2,207 licenses, the majority are held by non-profit educational institutions and school districts, which are by 51 Office of Management and Budget, North American Industry Classification System, 513 (1997) (NAICS code 517910. 52 13 C.F.R. § 121.201, NAICS code 517910. 53 AMERICAN FACT FINDER, UNITED STATES CENSUS BUREAU, http://factfinder.census.gov/servlet/IBQTable?_bm=y&- geo_id=&-_skip=900&-ds_name=EC0751SSSZ4&-_lang=en. 54 AMERICAN FACT FINDER, UNITED STATES CENSUS BUREAU, http://factfinder.census.gov/servlet/IBQTable?_bm=y&- geo_id=&-_skip=900&-ds_name=EC0751SSSZ4&-_lang=en. 55 U.S. Census Bureau, 2012 NAICS Definitions, “517110 Wired Telecommunications Carriers” (partial definition) at http://www.census.gov/cgi-bin/sssd/naics/naicsrch. Examples of this category are: broadband Internet service providers (e.g., cable, DSL); local telephone carriers (wired); cable television distribution services; long-distance telephone carriers (wired); closed circuit television (“CCTV”) services; VoIP service providers, using own operated wired telecommunications infrastructure; direct-to-home satellite system (“DTH”) services; telecommunications carriers (wired); satellite television distribution systems; and multichannel multipoint distribution services (“MMDS”). 56 13 C.F.R. § 121.201; 2012 NAICS code 517110. 57 U.S. Census Bureau, 2007 Economic Census. See U.S. Census Bureau, American FactFinder, “Information: Subject Series – Estab and Firm Size: Employment Size of Establishments for the United States: 2007 – 2007 Economic Census,” NAICS code 517110, Table EC0751SSSZ2; available at http://factfinder2.census.gov/faces/nav/jsf/pages/index.xhtml. 58 Id. 59 FCC, UNIVERSAL LICENSING SYSTEM, http://wireless2.fcc.gov/UlsApp/UlsSearch/results.jsp;JSESSIONID_ULSSEARCH=wJ50JkbCQKvNWBJjv1s0ZZW QQs1FnmNDjQwvSHsDG2FHSyGV6hdf!203694623!-701794836. Federal Communications Commission FCC 16-5 statute defined as small businesses. 60 21. Direct Broadcast Satellite (“DBS”) Service. DBS service is a nationally distributed subscription service that delivers video and audio programming via satellite to a small parabolic “dish” antenna at the subscriber’s location. DBS is now included in SBA’s economic census category “Wired Telecommunications Carriers.” This category is defined as follows: “This industry comprises establishments primarily engaged in operating and/or providing access to transmission facilities and infrastructure that they own and/or lease for the transmission of voice, data, text, sound, and video using wired telecommunications networks. 61 Transmission facilities may be based on a single technology or a combination of technologies. Establishments in this industry use the wired telecommunications network facilities that they operate to provide a variety of services, such as wired telephony services, including VoIP services; wired (cable) audio and video programming distribution; and wired broadband Internet services. 62 The SBA has developed a small business size standard for this category, which is: all such businesses having 1,500 or fewer employees. 63 Census data for 2007 shows 3,188 firms in this category. 64 Of these, 3,144 had fewer than 1,000 employees. 65 Based on that data, we conclude that the majority of wireline firms are small under the applicable standard. However, based on more recent data developed internally by the Commission, currently only two entities provide DBS service, which requires a great deal of capital for operation: DIRECTV and DISH Network. 66 Accordingly, we must conclude that internally developed Commission data are persuasive that in general DBS service is provided only by large firms. 22. Wireless Telecommunications Carriers (except satellite). This industry comprises establishments engaged in operating and maintaining switching and transmission facilities to provide communications via the airwaves. Establishments in this industry have spectrum licenses and provide services using that spectrum, such as cellular phone services, paging services, wireless Internet access, and wireless video services. The appropriate size standard under SBA rules for the category Wireless Telecommunications Carriers (except satellite) is that a business is small if it has 1,500 or fewer employees. Census data for 2007 show that there were 1,383 firms that operated for the entire year. Of this total, 1,368 firms had employment of fewer than 1000 employees. Thus under this category and the associated small business size standard, the Commission estimates that the majority of wireless telecommunications carriers (except satellite) are small. 23. Broadband Personal Communications Service. The broadband personal communications services (PCS) spectrum is divided into six frequency blocks designated A through F, and the Commission 60 The term “small entity” within SBREFA applies to small organizations (non-profits) and to small governmental jurisdictions (cities, counties, towns, townships, villages, school districts, and special districts with populations of less than 50,000). 5 U.S.C. §§ 601(4)-(6). 61 See supra note 25. 62 See id. Examples of this category are: broadband Internet service providers (e.g., cable, DSL); local telephone carriers (wired); cable television distribution services; long-distance telephone carriers (wired); CCTV services; VoIP service providers, using own operated wired telecommunications infrastructure; DTH services; telecommunications carriers (wired); satellite television distribution systems; and MMDS. 63 See supra note 29. 64 See supra note 30. 65 See id. 66 See Annual Assessment of the Status of Competition in the Market for Delivery of Video Programming, MB Docket No. 12-203, Fifteenth Report, 28 FCC Rcd 10496, 10507 para. 27 (2013). As of June 2012, DRECTV is the largest DBS operator and the second largest MVPD in the United States, serving 19.9 million subscribers. DISH Network is the second largest DBS operator and the third largest MVPD operator, serving 14 million subscribers. See id. at 10546, paras. 110-11. Federal Communications Commission FCC 16-5 has held auctions for each block. The Commission initially defined a “small business” for C- and F-Block licenses as an entity that has average gross revenues of $40 million or less in the three previous calendar years. 67 For F-Block licenses, an additional small business size standard for “very small business” was added and is defined as an entity that, together with its affiliates, has average gross revenues of not more than $15 million for the preceding three calendar years. 68 These small business size standards, in the context of broadband PCS auctions, have been approved by the SBA. 69 No small businesses within the SBA-approved small business size standards bid successfully for licenses in Blocks A and B. There were 90 winning bidders that claimed small business status in the first two C-Block auctions. A total of 93 bidders that claimed small business status won approximately 40 percent of the 1,479 licenses in the first auction for the D, E, and F Blocks. 70 On April 15, 1999, the Commission completed the reauction of 347 C- , D-, E-, and F-Block licenses in Auction No. 22. 71 Of the 57 winning bidders in that auction, 48 claimed small business status and won 277 licenses. 24. On January 26, 2001, the Commission completed the auction of 422 C and F Block Broadband PCS licenses in Auction No. 35. Of the 35 winning bidders in that auction, 29 claimed small business status. 72 Subsequent events concerning Auction 35, including judicial and agency determinations, resulted in a total of 163 C and F Block licenses being available for grant. On February 15, 2005, the Commission completed an auction of 242 C-, D-, E-, and F-Block licenses in Auction No. 58. Of the 24 winning bidders in that auction, 16 claimed small business status and won 156 licenses. 73 On May 21, 2007, the Commission completed an auction of 33 licenses in the A, C, and F Blocks in Auction No. 71. 74 Of the 12 winning bidders in that auction, five claimed small business status and won 18 licenses. 75 On August 20, 2008, the Commission completed the auction of 20 C-, D-, E-, and F-Block Broadband PCS licenses in Auction No. 78. 76 Of the eight winning bidders for Broadband PCS licenses in that auction, six claimed small business status and won 14 licenses. 77 25. Narrowband Personal Communications Service. To date, two auctions of narrowband 67 See Amendment of Parts 20 and 24 of the Commission’s Rules – Broadband PCS Competitive Bidding and the Commercial Mobile Radio Service Spectrum Cap; Amendment of the Commission’s Cellular/PCS Cross-Ownership Rule; WT Docket No. 96-59, GN Docket No. 90-314, Report and Order, 11 FCC Rcd 7824, 7850-52, paras. 57-60 (1996) (PCS Report and Order); see also 47 C.F.R. § 24.720(b). 68 See PCS Report and Order, 11 FCC Rcd at 7852, para. 60. 69 See Alvarez Letter 1998. 70 See Broadband PCS, D, E and F Block Auction Closes, Public Notice, Doc. No. 89838 (rel. Jan. 14, 1997). 71 See C, D, E, and F Block Broadband PCS Auction Closes, Public Notice, 14 FCC Rcd 6688 (WTB 1999). Before Auction No. 22, the Commission established a very small standard for the C Block to match the standard used for F Block. Amendment of the Commission’s Rules Regarding Installment Payment Financing for Personal Communications Services (PCS) Licensees, WT Docket No. 97-82, Fourth Report and Order, 13 FCC Rcd 15743, 15768, para. 46 (1998). 72 See C and F Block Broadband PCS Auction Closes; Winning Bidders Announced, Public Notice, 16 FCC Rcd 2339 (2001). 73 See Broadband PCS Spectrum Auction Closes; Winning Bidders Announced for Auction No. 58, Public Notice, 20 FCC Rcd 3703 (2005). 74 See Auction of Broadband PCS Spectrum Licenses Closes; Winning Bidders Announced for Auction No. 71, Public Notice, 22 FCC Rcd 9247 (2007). 75 Id. 76 See Auction of AWS-1 and Broadband PCS Licenses Closes; Winning Bidders Announced for Auction 78, Public Notice, 23 FCC Rcd 12749 (WTB 2008). 77 Id. Federal Communications Commission FCC 16-5 personal communications services (PCS) licenses have been conducted. For purposes of the two auctions that have already been held, “small businesses” were entities with average gross revenues for the prior three calendar years of $40 million or less. Through these auctions, the Commission has awarded a total of 41 licenses, out of which 11 were obtained by small businesses. To ensure meaningful participation of small business entities in future auctions, the Commission has adopted a two-tiered small business size standard in the Narrowband PCS Second Report and Order. 78 A “small business” is an entity that, together with affiliates and controlling interests, has average gross revenues for the three preceding years of not more than $40 million. A “very small business” is an entity that, together with affiliates and controlling interests, has average gross revenues for the three preceding years of not more than $15 million. The SBA has approved these small business size standards. 79 26. Wireless Communications Services. This service can be used for fixed, mobile, radiolocation, and digital audio broadcasting satellite uses. The Commission defined “small business” for the wireless communications services (WCS) auction as an entity with average gross revenues of $40 million for each of the three preceding years, and a “very small business” as an entity with average gross revenues of $15 million for each of the three preceding years. 80 The SBA has approved these definitions. 81 27. 700 MHz Guard Band Licensees. In 2000, in the 700 MHz Guard Band Order, the Commission adopted size standards for “small businesses” and “very small businesses” for purposes of determining their eligibility for special provisions such as bidding credits and installment payments. 82 A small business in this service is an entity that, together with its affiliates and controlling principals, has average gross revenues not exceeding $40 million for the preceding three years. 83 Additionally, a very small business is an entity that, together with its affiliates and controlling principals, has average gross revenues that are not more than $15 million for the preceding three years. 84 SBA approval of these definitions is not required. 85 An auction of 52 Major Economic Area licenses commenced on September 6, 2000, and closed on September 21, 2000. 86 Of the 104 licenses auctioned, 96 licenses were sold to nine bidders. Five of these bidders were small businesses that won a total of 26 licenses. A second auction of 700 MHz Guard Band licenses commenced on February 13, 2001, and closed on February 21, 2001. All eight of the licenses auctioned were sold to three bidders. One of these bidders was a small business that 78 Amendment of the Commission’s Rules to Establish New Personal Communications Services, Narrowband PCS, GEN Docket No. 90-314, ET Docket No. 92-100, PP Docket No. 93-253, Second Report and Order and Second Further Notice of Proposed Rulemaking, 15 FCC Rcd 10456 (2000). 79 See Letter to Amy Zoslov, Chief, Auctions and Industry Analysis Division, Wireless Telecommunications Bureau, FCC, from Aida Alvarez, Administrator, SBA (Dec. 2, 1998). 80 Amendment of the Commission’s Rules to Establish Part 27, the Wireless Communications Service (WCS), GN Docket No. 96-228, Report and Order, 12 FCC Rcd 10785, 10879, para. 194 (1997). 81 See Letter from Aida Alvarez, Administrator, SBA, to Amy Zoslov, Chief, Auctions and Industry Analysis Division, Wireless Telecommunications Bureau, Federal Communications Commission (filed Dec. 2, 1998) (Alvarez Letter 1998). 82 See Service Rules for the 746–764 MHz Bands, and Revisions to Part 27 of the Commission’s Rules, WT Docket No. 99-168, Second Report and Order, 15 FCC Rcd 5299 (2000) (746–764 MHz Band Second Report and Order). 83 See id. at 5343, para. 108. 84 See id. 85 See id. at 5343, para. 108 n.246 (for the 746–764 MHz and 776–794 MHz bands, the Commission is exempt from 15 U.S.C. § 632, which requires Federal agencies to obtain SBA approval before adopting small business size standards). 86 See 700 MHz Guard Bands Auction Closes: Winning Bidders Announced, Public Notice, 15 FCC Rcd 18026 (WTB 2000). Federal Communications Commission FCC 16-5 won a total of two licenses. 87 28. Lower 700 MHz Band Licenses. The Commission previously adopted criteria for defining three groups of small businesses for purposes of determining their eligibility for special provisions such as bidding credits. 88 The Commission defined a “small business” as an entity that, together with its affiliates and controlling principals, has average gross revenues not exceeding $40 million for the preceding three years. 89 A “very small business” is defined as an entity that, together with its affiliates and controlling principals, has average gross revenues that are not more than $15 million for the preceding three years. 90 Additionally, the lower 700 MHz Service had a third category of small business status for Metropolitan/Rural Service Area (MSA/RSA) licenses—“entrepreneur”—which is defined as an entity that, together with its affiliates and controlling principals, has average gross revenues that are not more than $3 million for the preceding three years. 91 The SBA approved these small size standards. 92 An auction of 740 licenses (one license in each of the 734 MSAs/RSAs and one license in each of the six Economic Area Groupings (EAGs)) commenced on August 27, 2002, and closed on September 18, 2002. Of the 740 licenses available for auction, 484 licenses were won by 102 winning bidders. Seventy-two of the winning bidders claimed small business, very small business or entrepreneur status and won a total of 329 licenses. 93 A second auction commenced on May 28, 2003, closed on June 13, 2003, and included 256 licenses: 5 EAG licenses and 476 Cellular Market Area licenses. 94 Seventeen winning bidders claimed small or very small business status and won 60 licenses, and nine winning bidders claimed entrepreneur status and won 154 licenses. 95 On July 26, 2005, the Commission completed an auction of 5 licenses in the Lower 700 MHz band (Auction No. 60). There were three winning bidders for five licenses. All three winning bidders claimed small business status. 29. In 2007, the Commission reexamined its rules governing the 700 MHz band in the 700 MHz Second Report and Order. 96 An auction of 700 MHz licenses commenced January 24, 2008 and closed on March 18, 2008, which included, 176 Economic Area licenses in the A Block, 734 Cellular Market Area 87 See 700 MHz Guard Bands Auction Closes: Winning Bidders Announced, Public Notice, 16 FCC Rcd 4590 (WTB 2001). 88 See Reallocation and Service Rules for the 698–746 MHz Spectrum Band (Television Channels 52–59), GN Docket No. 01-74, Report and Order, 17 FCC Rcd 1022 (2002) (Channels 52–59 Report and Order). 89 See id. at 1087-88, para. 172. 90 See id. 91 See id., at 1088, para. 173. 92 See Alvarez Letter 1999. 93 See Lower 700 MHz Band Auction Closes, Public Notice, 17 FCC Rcd 17272 (WTB 2002). 94 See id. 95 See id. 96 Service Rules for the 698–746, 747–762 and 777–792 MHz Band; Revision of the Commission’s Rules to Ensure Compatibility with Enhanced 911 Emergency Calling Systems; Section 68.4(a) of the Commission’s Rules Governing Hearing Aid-Compatible Telephones; Biennial Regulatory Review—Amendment of Parts 1, 22, 24, 27, and 90 to Streamline and Harmonize Various Rules Affecting Wireless Radio Services; Former Nextel Communications, Inc. Upper 700 MHz Guard Band Licenses and Revisions to Part 27 of the Commission’s Rules; Implementing a Nationwide, Broadband, Interoperable Public Safety Network in the 700 MHz Band; Development of Operational, Technical and Spectrum Requirements for Meeting Federal, State and Local Public Safety Communications Requirements Through the Year 2010; Declaratory Ruling on Reporting Requirement under Commission’s Part 1 Anti-Collusion Rule, WT Docket Nos. 07-166, 06-169, 06-150, 03-264, 96-86, PS Docket No. 06-229, CC Docket No. 94-102, Second Report and Order, 22 FCC Rcd 15289, 15359 n. 434 (2007) (700 MHz Second Report and Order). Federal Communications Commission FCC 16-5 licenses in the B Block, and 176 EA licenses in the E Block. 97 Twenty winning bidders, claiming small business status (those with attributable average annual gross revenues that exceed $15 million and do not exceed $40 million for the preceding three years) won 49 licenses. Thirty three winning bidders claiming very small business status (those with attributable average annual gross revenues that do not exceed $15 million for the preceding three years) won 325 licenses. 30. Upper 700 MHz Band Licenses. In the 700 MHz Second Report and Order, the Commission revised its rules regarding Upper 700 MHz licenses. 98 On January 24, 2008, the Commission commenced Auction 73 in which several licenses in the Upper 700 MHz band were available for licensing: 12 Regional Economic Area Grouping licenses in the C Block, and one nationwide license in the D Block. 99 The auction concluded on March 18, 2008, with 3 winning bidders claiming very small business status (those with attributable average annual gross revenues that do not exceed $15 million for the preceding three years) and winning five licenses. 31. Advanced Wireless Services. AWS Services (1710–1755 MHz and 2110–2155 MHz bands (AWS-1); 1915–1920 MHz, 1995–2000 MHz, 2020–2025 MHz and 2175–2180 MHz bands (AWS-2); 2155– 2175 MHz band (AWS-3)). For the AWS-1 bands, 100 the Commission has defined a “small business” as an entity with average annual gross revenues for the preceding three years not exceeding $40 million, and a “very small business” as an entity with average annual gross revenues for the preceding three years not exceeding $15 million. For AWS-2 and AWS-3, although we do not know for certain which entities are likely to apply for these frequencies, we note that the AWS-1 bands are comparable to those used for cellular service and personal communications service. The Commission has not yet adopted size standards for the AWS-2 or AWS-3 bands but proposes to treat both AWS-2 and AWS-3 similarly to broadband PCS service and AWS-1 service due to the comparable capital requirements and other factors, such as issues involved in relocating incumbents and developing markets, technologies, and services. 101 32. Broadband Radio Service and Educational Broadband Service. Broadband Radio Service systems, previously referred to as Multipoint Distribution Service (MDS) and Multichannel Multipoint Distribution Service (MMDS) systems, and “wireless cable,” transmit video programming to subscribers and provide two-way high speed data operations using the microwave frequencies of the Broadband Radio Service (BRS) and Educational Broadband Service (EBS) (previously referred to as the Instructional Television Fixed Service (ITFS)). 102 In connection with the 1996 BRS auction, the Commission established a small business size standard as an entity that had annual average gross revenues of no more than $40 97 See Auction of 700 MHz Band Licenses Closes, Public Notice, 23 FCC Rcd 4572 (WTB 2008). 98 700 MHz Second Report and Order, 22 FCC Rcd 15289. 99 See Auction of 700 MHz Band Licenses Closes, Public Notice, 23 FCC Rcd 4572 (WTB 2008). 100 The service is defined in section 90.1301 et seq. of the Commission’s Rules, 47 C.F.R. § 90.1301 et seq. 101 See Service Rules for Advanced Wireless Services in the 1.7 GHz and 2.1 GHz Bands, WT Docket No. 02-353, Report and Order, 18 FCC Rcd 25162, Appx. B (2003), modified by Service Rules for Advanced Wireless Services in the 1.7 GHz and 2.1 GHz Bands, WT Docket No. 02-353, Order on Reconsideration, 20 FCC Rcd 14058, Appx. C (2005); Service Rules for Advanced Wireless Services in the 1915–1920 MHz, 1995–2000 MHz, 2020–2025 MHz and 2175–2180 MHz Bands; Service Rules for Advanced Wireless Services in the 1.7 GHz and 2.1 GHz Bands, WT Docket Nos. 04-356, 02-353, Notice of Proposed Rulemaking, 19 FCC Rcd 19263, Appx. B (2005); Service Rules for Advanced Wireless Services in the 2155–2175 MHz Band, WT Docket No. 07-195, Notice of Proposed Rulemaking, 22 FCC Rcd 17035, Appx. (2007). 102 Amendment of Parts 21 and 74 of the Commission’s Rules with Regard to Filing Procedures in the Multipoint Distribution Service and in the Instructional Television Fixed Service and Implementation of Section 309(j) of the Communications Act—Competitive Bidding, MM Docket No. 94-131, PP Docket No. 93-253, Report and Order, 10 FCC Rcd 9589, 9593, para. 7 (1995). Federal Communications Commission FCC 16-5 million in the previous three calendar years. 103 The BRS auctions resulted in 67 successful bidders obtaining licensing opportunities for 493 Basic Trading Areas (BTAs). Of the 67 auction winners, 61 met the definition of a small business. BRS also includes licensees of stations authorized prior to the auction. At this time, we estimate that of the 61 small business BRS auction winners, 48 remain small business licensees. In addition to the 48 small businesses that hold BTA authorizations, there are approximately 392 incumbent BRS licensees that are considered small entities. 104 After adding the number of small business auction licensees to the number of incumbent licensees not already counted, we find that there are currently approximately 440 BRS licensees that are defined as small businesses under either the SBA or the Commission’s rules. 33. In 2009, the Commission conducted Auction 86, the sale of 78 licenses in the BRS areas. 105 The Commission offered three levels of bidding credits: (i) a bidder with attributed average annual gross revenues that exceed $15 million and do not exceed $40 million for the preceding three years (small business) received a 15 percent discount on its winning bid; (ii) a bidder with attributed average annual gross revenues that exceed $3 million and do not exceed $15 million for the preceding three years (very small business) received a 25 percent discount on its winning bid; and (iii) a bidder with attributed average annual gross revenues that do not exceed $3 million for the preceding three years (entrepreneur) received a 35 percent discount on its winning bid.106 Auction 86 concluded in 2009 with the sale of 61 licenses.107 Of the ten winning bidders, two bidders that claimed small business status won 4 licenses; one bidder that claimed very small business status won three licenses; and two bidders that claimed entrepreneur status won six licenses. 34. Wireless Communications Service. This service can be used for fixed, mobile, radiolocation, and digital audio broadcasting satellite uses. The Commission established small business size standards for the wireless communications services (WCS) auction. 108 A “small business” is an entity with average gross revenues of $40 million for each of the three preceding years, and a “very small business” is an entity with average gross revenues of $15 million for each of the three preceding years. The SBA has approved these small business size standards. 109 The Commission auctioned geographic area licenses in the WCS service. In the auction, there were seven winning bidders that qualified as “very small business” entities, and one that qualified as a “small business” entity. 35. Radio and Television Broadcasting and Wireless Communications Equipment Manufacturing. The Census Bureau defines this category as follows: “This industry comprises establishments primarily engaged in manufacturing radio and television broadcast and wireless communications equipment. Examples of products made by these establishments are: transmitting and 103 47 C.F.R. § 21.961(b)(1). 104 47 U.S.C. § 309(j). Hundreds of stations were licensed to incumbent MDS licensees prior to implementation of Section 309(j) of the Communications Act of 1934, 47 U.S.C. § 309(j). For these pre-auction licenses, the applicable standard is SBA’s small business size standard of 1500 or fewer employees. 105 Auction of Broadband Radio Service (BRS) Licenses, Scheduled for October 27, 2009, Notice and Filing Requirements, Minimum Opening Bids, Upfront Payments, and Other Procedures for Auction 86, AU Docket No. 09- 56, Public Notice, 24 FCC Rcd 8277 (2009). 106 Id. at 8296 para. 73. 107 Auction of Broadband Radio Service Licenses Closes, Winning Bidders Announced for Auction 86, Down Payments Due November 23, 2009, Final Payments Due December 8, 2009, Ten-Day Petition to Deny Period, Public Notice, 24 FCC Rcd 13572 (2009). 108 Public Notice, “Auction of Wireless Communications Services, Auction Notes and Filing Requirements for 128 WCS Licenses Scheduled for April 15, 1997,” DA 97-386, Feb. 21, 1997. 109 SBA Dec. 2, 1998 Letter. Federal Communications Commission FCC 16-5 receiving antennas, cable television equipment, GPS equipment, pagers, cellular phones, mobile communications equipment, and radio and television studio and broadcasting equipment.” 110 The SBA has developed a small business size standard for firms in this category, which is: all such firms having 750 or fewer employees. 111 According to Census Bureau data for 2010, there were a total of 810 establishments in this category that operated for the entire year. 112 Of this total, 787 had employment of fewer than 500, and an additional 23 had employment of 500 to 999. 113 Thus, under this size standard, the majority of firms can be considered small. 36. Software Publishers. Since 2007 these services have been defined within the broad economic census category of Custom Computer Programming Services; that category is defined as establishments primarily engaged in writing, modifying, testing, and supporting software to meet the needs of a particular customer. 114 The SBA has developed a small business size standard for this category, which is annual gross receipts of $25 million or less. 115 According to data from the 2007 U.S. Census, there were 41,571 establishments engaged in this business in 2007. Of these, 40,149 had annual gross receipts of less than $10,000,000. Another 1,422 establishments had gross receipts of $10,000,000 or more. 116 Based on this data, the Commission concludes that the majority of the businesses engaged in this industry are small. 37. NCE and Public Broadcast Stations. The Census Bureau defines this category as follows: “This industry comprises establishments primarily engaged in broadcasting images together with sound. These establishments operate television broadcasting studios and facilities for the programming and transmission of programs to the public.” 117 The SBA has created a small business size standard for Television Broadcasting entities, which is: such firms having $38.5 million or less in annual receipts. 118 According to Commission staff review of the BIA Publications, Inc., Master Access Television Analyzer Database as of May 16, 2003, about 814 of the 1,220 commercial television stations in the United States had revenues of $12 (twelve) million or less. We note, however, that in assessing whether a business concern qualifies as small under the above definition, business (control) affiliations 119 must be included. Our 110 U.S. Census Bureau, 2007 NAICS Definitions, “334220 Radio and Television Broadcasting and Wireless Communications Equipment Manufacturing”; http://www.census.gov/naics/2007/def/ND334220.HTM#N334220. 111 13 C.F.R. § 121.201, NAICS code 334220. 112 U.S. Census Bureau, American FactFinder, 2010 Economic Census, Industry Series, Industry Statistics by Employment Size, NAICS code 334220 (released June 26, 2012); http://factfinder.census.gov. The number of “establishments” is a less helpful indicator of small business prevalence in this context than would be the number of “firms” or “companies,” because the latter take into account the concept of common ownership or control. Any single physical location for an entity is an establishment, even though that location may be owned by a different establishment. Thus, the numbers given may reflect inflated numbers of businesses in this category, including the numbers of small businesses. 113 Id. Eighteen establishments had employment of 1,000 or more. 114 http://www.census.gov/cgi-bin/sssd/naics/naicsrch . 115 13 C.F.R. Section 121.201. 116 http://factfinder2.census.gov/faces/tableservices/jsf/pages/productview.xhtml?pid=ECN_2007_US_54SSSZ1&prodTy pe=table. 117 U.S. Census Bureau, 2002 NAICS Definitions, “515120 Television Broadcasting” (partial definition); http://www.census.gov/epcd/naics02/def/NDEF515.HTM. 118 13 C.F.R. § 121.201, NAICS code 515120. 119 “Concerns are affiliates of each other when one concern controls or has the power to control the other or a third party or parties controls or has to power to control both.” 13 C.F.R. § 21.103(a)(1). Federal Communications Commission FCC 16-5 estimate, therefore, likely overstates the number of small entities that might be affected by our action, because the revenue figure on which it is based does not include or aggregate revenues from affiliated companies. 38. In addition, an element of the definition of “small business” is that the entity not be dominant in its field of operation. We are unable at this time to define or quantify the criteria that would establish whether a specific television station is dominant in its field of operation. Accordingly, the estimate of small businesses to which rules may apply do not exclude any television station from the definition of a small business on this basis and are therefore over-inclusive to that extent. Also as noted, an additional element of the definition of “small business” is that the entity must be independently owned and operated. We note that it is difficult at times to assess these criteria in the context of media entities and our estimates of small businesses to which they apply may be over-inclusive to this extent. There are also 2,117 low power television stations (LPTV). 120 Given the nature of this service, we will presume that all LPTV licensees qualify as small entities under the above SBA small business size standard. 39. The Commission has estimated the number of licensed NCE television stations to be 380. 121 We note, however, that, in assessing whether a business concern qualifies as small under the above definition, business (control) affiliations 122 must be included. Our estimate, therefore, likely overstates the number of small entities that might be affected by our action, because the revenue figure on which it is based does not include or aggregate revenues from affiliated companies. The Commission does not compile and otherwise does not have access to information on the revenue of NCE stations that would permit it to determine how many such stations would qualify as small entities. D. Description of Projected Reporting, Recordkeeping, and Other Compliance Requirements for Small Entities 40. This Notice of Proposed Rulemaking proposes to expand the scope of State EAS Plans to include additional information necessary to reflect advances in technology, and to ensure the successful transmission of a Presidential Alert, such as uniform EAS designations, a description of SECC governance structure, expanded descriptions of emergency alerting procedures, a more accurate statement of monitoring requirements, a statement of the extent to which states leverage one-to-many/many-to-one communications, expanded testing procedures and security elements. It proposes that such Plans be submitted via an online State EAS Plan Filing Interface (SEPFI) designed to minimize filing burdens attendant to our State EAS Plan requirements, and to offset any additional burden that our expanded requirements may impose. 41. This Notice of Proposed Rulemaking also proposes adding an annual certification to the existing Form 1 of the mandatory electronic reporting system, the Electronic Test Reporting System (ETRS), that EAS Participants have done the following: (1) kept their systems updated with the latest firmware and software patches, (2) put a program in place to control access to EAS devices that includes changing default passwords, requiring password complexity, and removing or disabling expired accounts, (3) ensured that all EAS devices are not directly accessible from the Internet, and that, if required, any remote access is properly secured and logged, and (4) configured EAS devices to validate digital signatures on CAP messages if the source of the CAP message requires this feature. Depending on whether the employee checking for performance of required security measures is also the certifying official, including a certification on Form 1 could take between five minutes and an hour for the many EAS Participants that already have performed all required security measures. We estimate that additional time, and legal and 120 FCC News Release, “Broadcast Station Totals as of September 30, 2005.” 121 See Broadcast Station Totals, supra IRFA note 11. 122 “[Business concerns] are affiliates of each other when one concern controls or has the power to control the other or a third party or parties controls or has to power to control both.” 13 C.F.R. § 121.103(a)(1). Federal Communications Commission FCC 16-5 managerial resources may be needed for some EAS Participants to complete this certification in the first instance only. For those who are not using best practices, we estimate it should take no more than four hours per device to perform the necessary changes. Given the importance of maintaining basic security hygiene, the Commission proposes that the impact on small entities of this annual certification would not impose an undue burden. 42. The Commission also proposes extending ETRS to include a false alert and lockout reporting requirement. An initial report including only the EAS header codes and time discovered of the false message may be required within fifteen to thirty minutes of identification of a false EAS message transmission, and a final report may be required within seventy-two hours including the root cause of the improper transmission. Because EAS security incidents have occurred at a rate of one or two per year and EAS Participants must already investigate unauthorized EAS alert matters as they occur, a reporting requirement for false alerts and lockouts would likely have a very minimal impact on small entities. E. Steps Taken to Minimize the Significant Economic Impact on Small Entities, and Significant Alternatives Considered 43. The RFA requires an agency to describe any significant, specifically small business alternatives that it has considered in reaching its proposed approach, which may include the following four alternatives (among others): “(1) the establishment of differing compliance or reporting requirements or timetables that take into account the resources available to small entities; (2) the clarification, consolidation, or simplification of compliance or reporting requirements under the rule for small entities; (3) the use of performance, rather than design, standards; and (4) and exemption from coverage of the rule, or any part thereof, for small entities.” 123 44. With respect to the State EAS Plan filing process, converting the paper-based filing process into an online process is intended to reduce reporting costs and associated burdens for SECCs. With respect to State EAS Plan contents, we seek comment on whether the same EAS designations and plan components can be applied universally to all states, and have taken steps to allow states flexibility to stipulate EAS Plans that fit their individual needs. With respect to live code tests, we seek comment on whether removing the need for SECCs to request a waiver of our rules to conduct live code tests will reduce costs and remove regulatory burdens. With respect to forced tuning and selective override provisions, we seek comment on whether small entities should be subject to different requirements than their larger counterparts. 45. With respect to security, smaller entities often face particular challenges in maintaining awareness of current security measures, due to limited human, financial or technical resources; however, the Commission is merely proposing performance of required security measures to which many EAS Participants, including smaller entities, already adhere. Because proper patching and updating and basic account management are common best practices accepted across the sector, the assumption is that there would be no additional impact on small entities to keep EAS systems current. An annual certification allows small entities to comply even if they choose to update patches semi-annually rather than quarterly, and small entities may alternatively explain why they are unable to certify. Digital signature authentication has more of an impact on states, which must modify EAS plans, and smaller entities often have the advantage of simpler setups than those of large entities. 46. We seek comment on whether the Presidential Alert warrants additional/heightened security measures whose costs may exceed the benefits when applied to alerts that are issued more commonly, and that have a less immediate impact on national security. We seek comment on whether to except EAS Participants currently designated as PN stations from some or all of the security requirements we proposes. We also seek comment on whether and how we should consider excepting EAS Participants that qualify as “small businesses” under the Small Business Association (SBA) standard their respective industries from 123 5 U.S.C. §§ 603(c)(1)-(c)(4). Federal Communications Commission FCC 16-5 some or all of the security requirements we propose. Finally, we propose implementation timeframes for each of our rules that are intended to allow EAS Participants to come into compliance with our rules in a manner that balances the need for improving EAS organization and effectiveness as soon as possible, with any potential burdens that may be imposed by adoption of our proposals. F. Federal Rules that May Duplicate, Overlap, or Conflict with the Proposed Rules 47. None Federal Communications Commission FCC 16-5 STATEMENT OF CHAIRMAN TOM WHEELER Re: Amendment of Part 11 of the Commission's Rules Regarding the Emergency Alert System (PS Docket No. 15-94) and Wireless Emergency Alerts (PS Docket No. 15-91). This past weekend’s historic winter storm reminded us how much we rely broadcasters and other TV providers to keep us informed during emergencies. Today, we move to strengthen one of the most important tools broadcast, cable, and satellite providers use to keep the public safe in times of crisis: the Emergency Alert System (EAS). The Emergency Alert System is our national public warning system. We most often associate the EAS with severe weather warnings. But in recent months we’ve seen attacks in Paris, San Bernardino, and other locations that remind us of the many scenarios where community preparedness and incident response tools are vital. Technology is evolving, which presents both a challenge and an opportunity for the EAS. We not only need to ensure that Americans continue to reliably receive alerts, but we also have the chance to make alerting even more valuable to the public. Today’s item lays the groundwork to do just that. First, we are taking steps to improve some of our existing processes. Most notably, given that state and local authorities are instrumental in emergency response efforts, we are proposing rule changes and seeking input to empower communities to take fuller advantage of alerting to meet the needs of their residents. We are also beginning an important dialogue with stakeholders about the future of alerting. For example, as Americans increasingly view programming over new platforms, how can we ensure that the public still receives critical warnings when disaster strikes? How can we responsibly leverage social media techniques, like crowdsourcing, for sharing information as crises unfold? Today’s item is part of our broader agenda to ensure that emergency communications best leverage advancements in technology. For example, in November we put forth proposals to improve the Wireless Emergency Alert system, which sends life-saving warnings to our mobile devices. And we are working on many fronts to modernize 911 communications and accelerate the transition to Next Generation 911. One of the greatest benefits of technology is its potential to improve public safety. This NPRM will help us promote better community preparedness and ensure that Americans are best served by the warnings and alerts they receive during emergencies. Thank you to the Public Safety Bureau for their work on this item. Federal Communications Commission FCC 16-5 STATEMENT OF COMMISSIONERMIGNON L. CLYBURN Re: Amendment of Part 11 of the Commission’s Rules Regarding the Emergency Alert System; PS Docket No. 15-94; Wireless Emergency Alerts; Docket No. 15-91, Notice of Proposed Rulemaking The FCC’s role in strengthening our nation’s public alert and warnings systems barely registers a blip over the news and public awareness radar screens; yet this obligation is one of this agency’s most important. I strongly support today's Notice of Proposed Rulemaking, even in the absence of fanfare or praise, because it takes a comprehensive approach to improving those critical systems that warn citizens of imminent threats to life and property. During my tenure at the FCC, we have focused on the three services that the federal government regulates or manages: the Emergency Alert System or EAS, Wireless Emergency Alerts, and the Integrated Public Alert Warning System; but today’s item, properly recognizes, that advanced commercial technologies, such as social media platforms, can also play important roles in keeping citizens safe. These technologies enable services such as crowdsourced data, multilingual accessibility, and multimedia capability which may offer public safety agencies, at all levels, new ways to warn our citizens when they are their most vulnerable, as well as enable us to assess the public’s response to new and evolving approaches. The item acknowledges that some social media platforms are already improving the accessibility of emergency messages by offering users the ability to translate alerts from English into more than forty languages. And yes, we should encourage emergency managers at the federal, state, and local levels, to integrate those proven, most advanced, commercial technologies into their matrices so that no member of our society is left more at risk in times of crisis. Another important aspect of this Notice, is that it proposes several thoughtful approaches in addressing significant vulnerabilities in the nation’s EAS infrastructure. Over the past several years, there have been a number of security breaches where hackers gained access to Emergency Alert Security facilities and actually sent out fraudulent or false alerts. One such breach is one too many. The Commission has worked hard, mostly behind the scenes, to strengthen security protocols by encouraging parties to voluntarily adopt industry best practices; but now is the time for us to consider instituting more uniform, accurate and consistent measures when it comes local, state and national EAS plans. The Notice recommends common sense measures such as requiring the filing of annual certifications which would affirm that entities are performing those best practices recommended by our CSRIC advisory committee, mandating the reporting of false alerts, as well as ensuring that jurisdictions are taking the necessary steps to ensure that those alerts are originated by authorized sources. I hope all relevant stakeholders will carefully consider these proposals, weigh in, and provide details on any alternative methods that can more effectively help us meet our public safety as well as local, state and national security goals. And I commend Chairman Wheeler for his leadership, and thank Admiral David Simpson and the Public Safety Bureau for putting forth proposals that seek to strike the appropriate balance between cost, interoperability, and public safety. Federal Communications Commission FCC 16-5 STATEMENT OF COMMISSIONER JESSICA ROSENWORCEL Re: Amendment of Part 11 of the Commission’s Rules Regarding the Emergency Alert System, PS Docket No. 15-94; Wireless Emergency Alerts, PS Docket No. 15-91. Twenty years ago this month, a child in Arlington, Texas was snatched by a stranger while riding her bike with her younger sibling. This is a horror no parent should ever know. It’s one I can’t even begin to imagine. But that tragic event led to the creation of the AMBER Alert program. This program is a nationwide partnership that combines the resources of law-enforcement officials, broadcasters, and wireless providers. Since its inception it has been credited with saving nearly 800 missing or abducted children from across the country. The AMBER Alert program is not the focus of our rulemaking today, but it strikes me as a powerful demonstration of the power of emergency alerts. There is no shortage of other examples. Take early last year in Sand Spring, Oklahoma when the alert system prompted the director of a school to lead 60 children and adults into the basement. While 100-mile-per-hour winds tore apart the building, leading to the collapse of the roof, no one was injured because they got the information they needed to stay safe. Last week, in Woodbridge, New Jersey, I toured an area damaged by Hurricane Sandy—another instance when emergency alerts helped limit inconceivable damage from Mother Nature’s wrath. Closer to home, last weekend the mid-Atlantic was blanketed with snow—and broadcasting and emergency alerts played a formidable role in helping us safely ride out the storm. So emergency alerts can do great things. But great programs do not thrive without continued attention and care. The emergency alert program deserves this consideration. It needs to be modernized. Thanks to our Public Safety and Homeland Security Bureau this rulemaking starts the process to do just that. It proposes a streamlined online filing process for State Emergency Alert plans. It proposes expanded testing under real-life conditions. It asks about changing technology—and it seeks to improve security of the Emergency Alert System and protect essential infrastructure from attack. This has my unconditional support Federal Communications Commission FCC 16-5 STATEMENT OF COMMISSIONER AJIT PAI Re: Amendment of Part 11 of the Commission’s Rules Regarding the Emergency Alert System, PS Docket No. 15-94; Wireless Emergency Alerts, PS Docket No. 15-91. President Harry S. Truman established our nation’s first emergency broadcast system. He gave it a name that in hindsight sounds like it was plucked from the classic television show Get Smart: It was called “CONELRAD,” which stood for Control of Electromagnetic Radiation. That early system directed the public to tune their radios to 640 or 1240 on the AM dial so that the President could address the nation in the event of an attack. 1 Its name has changed a few times over the years, and its capabilities have expanded. But the emergency alert system (EAS) still serves the basic and important purpose of providing the American public with timely access to emergency information. This past year alone, our federal, state, and local partners sent out over 25,000 alerts in communities across the country, including severe weather alerts, missing child notifications, and other emergency information. So I am pleased that this Notice of Proposed Rulemaking (Notice) will explore ways we can strengthen and improve our alerting system. I am particularly pleased that the Notice now includes a section that asks some fundamental questions about the structure of our alerting system. Right now, EAS messages are transmitted in one of two ways: either through the traditional, broadcast-based EAS protocol or through a newer, Internet-based protocol. Does it make sense to maintain these two approaches for redundancy or other purposes? Or should we switch to a single distribution method? We also seek comment more broadly on whether our alerting system is appropriately tailored to today’s communications landscape. Do we need to rethink the basic structure of our system in light of advances in technology? Or is the current system flexible enough to continue to serve as our alerting platform going forward? Vital questions all, and I’m glad that we’re now asking them. As important as what’s in the document is what’s not. The Notice no longer seeks comment on imposing regulations on over-the-top (“OTT”) providers in a way that would have tilted the regulatory playing field against a subset of those providers. Given the nascent, competitive, and dynamic nature of the OTT market, I thought it was important to move forward in a more balanced manner, and I appreciate the compromise struck on this point. As we modernize the system, we must be mindful of how our regulations might impact the market for IP-based offerings. Finally, I want to thank the staff of the Public Safety and Homeland Security Bureau, including Steven Carpenter, Gregory Cooke, Lisa Fowlkes, Nicole McGinnis, Zenji Nakazawa, Admiral Simpson, and James Wiley for their hard work on this item. 1 Notably, the CONELRAD system directed Americans to tune their radios to those two channels so that foreign bombers could not home in on a particular city based on the frequency used by a local radio station. Federal Communications Commission FCC 16-5 STATEMENT OF COMMISSIONER MICHAEL O’RIELLY APPROVING IN PART, DISSENTING IN PART Re: Amendment of Part 11 of the Commission’s Rules Regarding the Emergency Alert System, PS Docket No. 15-94; Wireless Emergency Alerts, PS Docket No. 15-91. I recognize that, as we consider this item, many people may have Snowzilla and the drama of last week’s commute in mind. Most of us sat in front of our televisions watching the snow accumulate and traffic come to a screeching halt. We got minute-by-minute – or inch-by-inch – updates from our local broadcasters, cable channels and the Internet. Americans have abundant access to emergency information outside of the Emergency Alert System (EAS). Although EAS has its place, we must remember that the underlying purpose of the Commission’s rules is to deliver Presidential emergency alerts – a protocol that, in fact, has never, ever been activated by the President. Not only must we ensure that we do not place unnecessary burdens on states and other EAS participants, but we also need to ensure that the alerts are reliable and not so intrusive or testing so pervasive that people start ignoring them. As I have often said, the Commission must periodically review its regulations to ensure they are still needed and to modify or update them as necessary. And EAS is no different. Therefore, I am generally supportive of a proceeding to re-evaluate our rules. I am highly skeptical, however, about some of the issues raised, if they were to be part of any final item. For instance, the ideas about obtaining information on the use of social media and highway signs as part of state emergency plans, some of the testing procedures and outreach measures, and machine-translation technologies for accessibility could result in unnecessarily burdensome rules. I am also concerned that the portion of the order on software-defined EAS networks could lead to duplicative EAS infrastructures and technology mandates. Let’s hope the record adequately addresses all of these issues to ensure that the correct balance is achieved and costs are minimized. Our main goal must be an EAS system that works, not a half-baked mandate for inclusion in every communication mechanism. However, I am most disturbed about those portions of the item that seek, or could be used, to capture the Internet in our EAS rules. For instance, there are questions about whether our requirements should be expanded beyond channels that carry programming, which could possibly capture channels carrying interactive games, the Internet, and Internet access. Further, we seek comment on expanding alerts to “emerging video technology,” which could ultimately be used to impose EAS requirements on over-the-top (OTT) providers, such as multichannel video programming distributor (MVPD) and broadcaster mobile applications, Netflix, Hulu, and others. Had the public seen the first version of this item, they would likely be outraged by how directly it attempted to capture certain OTT services in this morass. Making the language vaguer does not hide its true intentions. Beyond the harmful direction in policy, we have limited statutory authority to regulate the Internet or edge providers, and I will not be supportive of any efforts to do so. The item also questions whether Wireless Emergency Alerts (WEA) alerts should be expanded to tablets capable of connecting to a wireless provider’s network (i.e., 4G LTE-enabled). Many of these lines of inquiry could lead to regulating some services and devices, but not others, opening the door to a mess of regulatory parity problems. Although the Commission asserts that it is just seeking information on these new technology issues, this is a façade. We have been down this road before. Using the guise of an advisory committee, industry best practices have turned into Commission mandates before our very eyes. We actually use this approach in this very item. This item takes the security measures that are part of CSRIC best practices Federal Communications Commission FCC 16-5 2 and makes them mandatory by requiring certifications of compliance from EAS participants. It highlights the broken advisory committee process I identified long ago – a problem that is likely to be repeated if the Commission re-establishes the National Advisory Committee with expanded membership and responsibilities. Finally, the statutory authority and cost/benefit discussions are, once again, sorely lacking. Additionally, I do not agree with the Commission’s use of section 706 of the Communications Act, which provides the President the authority, during times of war, to “direct such communications as in his judgment may be essential to the national defense and security,” as authority for all of the ideas in this notice. If so, let me see the communications between the White House and the Commission advocating for these changes. For these reasons, I must dissent in part. I do thank the Chairman’s Office and Commission staff for working through some issues and taking a few of my suggestions, however, the edits taken just did not go far enough.