The Secure and Trusted Communications Networks Act: Law Explained

published on 14 January 2024

Most communications providers would agree that network security is a critical issue.

The Secure and Trusted Communications Networks Act aims to strengthen network security by establishing new standards and reimbursement programs.

This article will explain the key provisions of the Act, including its implementation timeline, reimbursement program details, required security measures, FCC oversight, industry impacts, and more.

Introduction to the Secure and Trusted Communications Networks Act

The Secure and Trusted Communications Networks Act was passed in 2021 to address security risks in the telecommunications infrastructure and promote the use of trusted communications equipment vendors.

Purpose and Goals of the Secure Communications Act

The main goals of the Secure Communications Act are to:

  • Enhance security of telecom networks and protect against threats
  • Establish standards for secure, trusted communications equipment
  • Provide funding to remove insecure equipment from networks
  • Promote use of trusted, reliable vendors for network equipment

The motivation was to address concerns over potential security risks from certain equipment vendors.

Key Provisions of the Secure Networks Act

Key provisions of the law include:

  • Creating a reimbursement program to help providers remove insecure equipment
  • Establishing a list of approved, trusted communications vendors
  • Requiring providers to use equipment only from approved vendors
  • Directing the FCC to make new equipment security regulations

Implementation Timeline of Public Law 117-55

The Secure Networks Act will be implemented in phases:

  • Reimbursement program rules were issued in 2022
  • Covered list of approved vendors will be published in 2023
  • New security standards take effect starting in 2023
  • Providers must be fully compliant by 2025

The law aims to improve network security through a combination of funding, vendor vetting, and updated regulations.

What is the Secure Networks Act?

The Secure and Trusted Communications Networks Act, also known as the Secure Networks Act, is a United States federal law enacted in 2021 to address security risks in telecommunications networks and infrastructure.

The full title of the Act outlines its key objectives:

An act to prohibit certain Federal subsidies from being used to purchase communications equipment or services posing national security risks, to provide for the establishment of a reimbursement program for the replacement of communications equipment or services posing such risks, and for other purposes.

In summary, the Secure Networks Act aims to:

  • Prohibit federal subsidies from being used to purchase communications equipment or services that pose national security risks
  • Establish a reimbursement program to help replace risky communications equipment/services
  • Enhance security of US communications networks and infrastructure

The Act authorizes the Federal Communications Commission (FCC) to publish and maintain a list of covered communications equipment or services that pose an unacceptable risk to national security. It prohibits the use of federal funds to purchase or use any equipment or services included on this "Covered List".

Additionally, the Act establishes the Secure and Trusted Communications Networks Reimbursement Program to help small communications providers remove and replace equipment on the Covered List. This program will provide reimbursements for costs associated with removing prohibited equipment or services from networks.

Overall, the Secure Networks Act is a key piece of legislation aimed at securing US communications networks by reducing reliance on equipment and services that pose national security threats. It provides regulatory authority to the FCC while also offering financial assistance to impacted small providers through its reimbursement program.

What is the Freedom of Communication Act?

The Freedom of Communication Act refers to Section 230 of the Communications Decency Act, which was passed by the U.S. Congress as part of the Telecommunications Act of 1996. This section states that "No provider or user of an interactive computer service shall be treated as the publisher or speaker of any information provided by another information content provider."

In plain language, Section 230 protects websites and internet service providers from liability for content created by third parties. Some key aspects of Section 230 protections include:

  • Websites Cannot Be Sued - If a user posts something illegal or defamatory on a site, the site itself cannot be sued for the user's speech. Only the original poster is liable.

  • Platforms Can Moderate Content - Sites can moderate content by removing posts that violate policies, without losing Section 230 protections. Moderating content does not make a site a publisher.

  • Promotes Free Speech - Without Section 230, sites might over-censor content to limit legal risk. The law enables platforms to host a diversity of voices.

Section 230 is seen as vital to enabling free speech online and the growth of internet companies and services. However, some critics argue it allows harmful content to spread too easily. Potential changes to Section 230 remain controversial and complex to balance properly.

Is the Communications Act of 1934 still in effect?

The Communications Act of 1934 established the Federal Communications Commission (FCC) and remains the foundation for regulation of interstate and international communications in the United States. However, the Act has been amended many times over the years.

Some of the key amendments to the Communications Act include:

  • Telecommunications Act of 1996: This extensively updated the 1934 Act, including provisions to open up competition in the telecommunications industry. It aimed to encourage investment and deployment of new technologies.

  • Twenty-First Century Communications and Video Accessibility Act of 2010: This expanded communications access for people with disabilities.

  • Repack Airwaves Yielding Better Access for Users of Modern Services Act of 2018 (RAY BAUM'S Act): This included a wide range of provisions related to communications policy and infrastructure.

So while the core of the 1934 Communications Act still provides the basis for the FCC's authority, many aspects have been updated over the past 80+ years to account for changes in technology, market conditions, and public policy priorities around communications.

The current text includes accumulated amendments over the decades. So the 1934 Act is still in effect and active, but in a significantly evolved form compared to the original. Any future substantive changes to US communications policy would still likely come in the form of amendments to the Communications Act.

What is the FCC reimbursement program?

The FCC Reimbursement Program was established under the Secure and Trusted Communications Networks Act to provide financial assistance to providers of advanced communications services. Specifically, it reimburses providers with 10 million or fewer customers for reasonable costs incurred when removing, replacing, and disposing of covered communications equipment or services that pose a national security risk.

To be eligible for reimbursement, the equipment or services must be on the FCC's Covered List. This list identifies communications equipment and services that have been deemed a threat to national security if used in US networks. It includes companies like Huawei and ZTE.

The Reimbursement Program will distribute up to $1.9 billion to reimburse providers for replacing existing equipment and services on the Covered List. The funding aims to accelerate the transition to more secure networks and protect critical communications infrastructure in the US.

To apply for reimbursement, providers must submit detailed cost data to substantiate the costs they have incurred. The FCC reviews applications and determines reasonable costs to reimburse. The process aims to be fair, efficient and transparent.

Understanding the Secure and Trusted Communications Networks Reimbursement Program

The Secure and Trusted Communications Networks Act established the Secure and Trusted Communications Networks Reimbursement Program to help providers remove insecure network equipment. This section outlines eligibility requirements, the reimbursement process, and funding details.

Eligibility Requirements under 47 CFR Part 2

To qualify for reimbursement, providers must:

  • Be designated as eligible telecommunications carriers under 47 U.S.C. 214(e)
  • Have 2 million or fewer customers
  • Submit required documentation about covered communications equipment or services

Covered equipment includes any that poses an unacceptable risk to national security as published in the Covered List.

Reimbursement Process and Procedures

Eligible providers can apply to receive reimbursement for:

  • Removal, replacement, and disposal costs
  • Related reasonable expenses during transition

Applications undergo review by the Reimbursement Program Office. If approved, funds get disbursed on a rolling basis.

Allocation of Funds and Network Security

The Secure Networks Act allocates $1.9 billion to reimburse providers for removing insecure network components. This improves national security by reducing reliance on equipment vulnerable to exploitation.

The program also requires recipients to submit network security plans ensuring they meet security standards issued by the FCC. This enhances protections against cyber threats.

In summary, the reimbursement program gives providers both an incentive and the support to strengthen network security by removing covered equipment. It pairs substantial funding with ongoing oversight to achieve this aim.

The Secure Networks Act Covered List

Development of the Covered List under Section 2

The Secure Networks Act directs the FCC to publish a list of equipment and services that pose an unacceptable risk to national security. This "Covered List" will include telecommunications equipment produced by Huawei and ZTE. Other companies like Hytera Communications may also be included.

The FCC examines several factors when determining what equipment to include on the Covered List:

  • Whether the equipment producer has ties to foreign adversaries
  • If the equipment could be manipulated for surveillance or sabotage
  • If the company follows best practices around software integrity and supply chain security

The goal is to prohibit equipment that could undermine national security while still allowing innovative technology. The Covered List aims to strike this balance.

Prohibitions on Use of Non-Compliant Equipment

Once certain equipment makes the Covered List, telecom carriers cannot use that equipment to build new networks. They must also remove existing prohibited equipment from current networks.

The Secure Networks Act phases out this equipment over time:

  • Carriers cannot accept new equipment on the list as of the law's enactment
  • No subsidies can fund procurement of listed equipment
  • Carriers must cease use of listed equipment entirely within 60 months

These prohibitions ensure U.S. networks don't rely on gear vulnerable to foreign meddling. They also give carriers time to replace prohibited equipment.

Removal Process from the Secure Equipment Act of 2021

The Secure Networks Act permits companies to petition for removing their equipment from the Covered List. To start this process, they must submit a request to the FCC showing:

  • They are not owned/controlled by a foreign adversary
  • Their equipment meets security standards and best practices
  • An independent testing facility has validated these claims

If this evidence satisfies the FCC, it may remove the equipment from the Covered List. This allows manufacturers to innovate their technology to meet evolving security needs.

Required Security Measures and Network Protection

Network Security Plans Under 47 CFR Part 15

The Secure Networks Act mandates that providers receiving reimbursement funds under the program establish network security plans (NSPs) that meet certain requirements outlined in 47 CFR Part 15. These include:

  • Implementing policies and procedures to ensure the security of the communications network. This involves regular network monitoring, vulnerability assessments, and risk management.

  • Utilizing products and services meeting security criteria outlined by the FCC. This helps ensure network equipment comes from trustworthy sources.

  • Establishing an insider threat and insider risk mitigation program to guard against breaches.

  • Developing and communicating breach notification procedures in the event of a cybersecurity incident.

Software Integrity Requirements under 47 U.S.C. 1603

The Secure Networks Act established a Software Integrity Requirements Framework (SIRA) for testing and verifying software integrity and security. Under 47 U.S.C. 1603, providers must:

  • Utilize testing labs meeting National Institute of Standards and Technology (NIST) criteria for evaluating product security and trustworthiness.

  • Perform assessments to ensure software does not contain vulnerabilities, security risks, or compromise integrity.

  • Establish procedures for rapid mitigation and reporting in the event vulnerabilities are identified.

This framework ensures providers deploy secure network software vetted for risks.

Supply Chain Best Practices and Communications Infrastructure

The Secure Networks Act provides guidance to providers on supply chain best practices for developing secure network infrastructure, including:

  • Utilizing trusted suppliers and vendors meeting security control requirements. This reduces third-party risks.

  • Following NIST standards for product integrity, development procedures, and ongoing supplier reviews.

  • Establishing procedures for tracking and maintaining data on network equipment deployment locations.

Adhering to these practices fortifies the security of providers' communications supply chains.

Oversight and Enforcement by the Federal Communications Commission

FCC Monitoring Authority under 47 U.S.C. 154

The Federal Communications Commission (FCC) has authority under 47 U.S.C. 154 to oversee implementation of the Secure Networks Act. This includes monitoring covered communications equipment and services for compliance. The FCC can require providers to submit information and reports to ensure they are following regulations.

Penalties for Violations and Practice and Procedure

If an entity is found to violate provisions of the Secure Networks Act, there are enforcement mechanisms in place. Under 47 CFR Part 1, Subpart A, the FCC can issue fines and forfeitures. Serious offenses may result in criminal penalties. Entities have rights to due process, with notice and opportunities for hearings on disputed issues.

Government Reports to Congress and Executive Order No. 13873

As mandated by the Secure Networks Act, the FCC must submit annual reports to Congress assessing remaining security gaps and providing a list of suggested measures. This reporting ensures oversight on progress made in securing communications networks. The President's Executive Order No. 13873 also requires status updates on implementation efforts to mitigate national security risks.

Industry Impacts and Reactions to the Secure Equipment Act

Costs and Strategic Adjustments for Telecommunication

The Secure Networks Act will require telecommunication carriers to remove equipment deemed insecure from their networks. This could be costly, as it may require replacing hardware before end-of-life. However, it also presents opportunities to upgrade infrastructure and improve security. Carriers may shift strategies to partner with trusted vendors for future equipment needs. Overall costs will depend on the extent of required changes. Some carriers have already begun making adjustments, while others await specifics on reimbursement programs.

Feedback on Implementation of the Defend Our Networks Act

Industry commentary on the Secure Networks Act rollout has been mixed. Some carriers want more clarity around reimbursement logistics and eligible expenses. Others caution against overreach that could limit competition and innovation. There is general agreement that supply chain security is important, but debate continues around the law's scope. Suggestions include phasing in requirements and focusing on highest-risk equipment first.

Outlook Going Forward for Network Security

Long-term impacts to competition and innovation remain uncertain. On one hand, restricting certain vendors could reduce options. But the upgrades spurred by this law may also catalyze new solutions. Carriers able to tap reimbursement programs can redirect those savings toward security-enhancing emerging technologies. Forthcoming FCC regulations will provide more insight into how prescriptive policies may shape the market landscape moving forward.

Comparisons with Global Security Efforts in Telecommunications

Europe's Cybersecurity Act and Network Security

The EU's Cybersecurity Act aims to establish an EU framework for cybersecurity certification of ICT products and services. It requires manufacturers to comply with cybersecurity standards and have their products certified before being placed on the EU market.

In contrast, the US Secure Networks Act does not mandate cybersecurity standards or product certification. It focuses more narrowly on restricting equipment from specific companies deemed national security threats. The EU takes a broader, standards-based approach while the US law targets specific vendors.

China's Cryptography Regulations and 47 U.S.C. 153(2)

China imposes strict controls on encryption products and algorithms. Manufacturers must obtain licenses from the State Cryptography Administration to sell encryption technologies in China. These restrictions aim to support government surveillance and data access needs.

The US law does not regulate encryption itself but defines telecommunications to include encrypted transmissions under 47 U.S.C. 153(2). This means equipment used to transmit encrypted data could fall under the Secure Networks Act's scoping restrictions. The US approach is more concerned with equipment security risks than with controlling encryption methods.

India's Trusted Telecom Policy and Secure Communications

India is developing a Trusted Telecom Portal to verify telecom equipment supply chains and restrict vendors deemed high-risk. The program resembles efforts under 47 U.S.C. 1603 to identify covered communications equipment.

Both countries aim to ensure integrity across telecom supply chains and network infrastructure. India references security, quality, and resilience as objectives. The US law emphasizes national security and critical infrastructure protection when determining covered equipment. The programs align regarding supply chain verification but may differ on vendor restriction criteria.

Conclusion and Key Takeaways on the Secure and Trusted Communications Networks Act

The Secure and Trusted Communications Networks Act aims to protect critical communications infrastructure from security threats. As technology continues to advance, new vulnerabilities emerge that require vigilant oversight. This law establishes provisions to identify high-risk equipment and services, creating standards to improve resilience.

While the goals are worthwhile, policymakers must weigh economic impacts alongside security priorities. Ongoing review will determine if the regulations strike an appropriate balance.

Impact on Network Security and the Code of Federal Regulations

The Secure Networks Act authorizes new rulemaking powers to restrict use of communications equipment deemed insecure. This allows the FCC and other agencies to better respond to emerging threats.

Over time, the law could improve safeguards across critical systems by replacing vulnerable network components. However, success depends on proper implementation and industry cooperation.

Economic Costs and Benefits of Compliance

Complying with the Secure Networks Act will require investment to upgrade equipment and services. These costs may trickle down to consumers.

However, more resilient infrastructure can minimize outage risks and economic disruption from cyber attacks. Finding the right balance remains a key challenge.

Outstanding Policy Considerations and 47 U.S.C. 1601

While this law tackles equipment security, wider issues like data privacy and lawful access still require attention. As technology progresses, policymakers must keep pace.

Ongoing review of 47 U.S.C. 1601 and related regulations will determine if additional steps are needed to fulfill the goals of the Secure Networks Act over time.
