The Wireline Competition Bureau (Bureau) of the FCC has denied NTCA—The Rural Broadband Association’s (NTCA) waiver request seeking an extension until July 1, 2024, for Enhanced Alternative Connect America Cost Model (E-ACAM) carriers to certify and submit their initial cybersecurity and supply chain risk management plans (“Plan(s)”). Thus, E-ACAM carriers are required to implement a Plan by January 1, 2024, and certify and submit the Plan by January 2, 2024, or within 30 days of Office of Management and Budget (OMB) approval, whichever is later. The Bureau denied NTCA’s request stating that a delay would not serve the public interest as it would delay the FCC’s ability to ensure and monitor E-ACAM carriers’ implementation of Plans to improve the cybersecurity of the broadband networks to protect consumers from online risks such as fraud, theft, and ransomware through accepted security measures. If an E-ACAM carrier fails to meet these requirements during the support term, the Bureau will direct USAC to withhold 25% of monthly support until the carrier comes into compliance.
The Bureau also clarified that an E-ACAM carrier that submits a Plan that complies with the draft National Institute of Standards and Technology (NIST) Framework for Improving Critical Infrastructure Cybersecurity, version 2.0, will meet the obligation to file a plan that reflects the latest version of the NIST framework. However, if the final version adopted by NIST changes, carriers would need to submit updated plans. Finally, as the FCC does not yet have OMB approval, the Bureau anticipates that Plans will be due no sooner than early February 2024. However, E-ACAM carriers must still implement operational plans by January 1, 2024.
