[Federal Register Volume 85, Number 62 (Tuesday, March 31, 2020)]
[Proposed Rules]
[Pages 17818-17830]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2020-06085]


=======================================================================
-----------------------------------------------------------------------

FEDERAL COMMUNICATIONS COMMISSION

47 CFR Part 4

[PS Docket No. 15-80; FCC 20-20; FRS 16584]


Disruptions to Communications

AGENCY: Federal Communications Commission.

ACTION: Proposed rule.

-----------------------------------------------------------------------

SUMMARY: In this document, the Commission seeks comment on a proposed 
framework to provide state and federal agencies with access to outage 
information to improve their situational awareness while preserving the 
confidentiality of this data, including proposals to: Provide direct, 
read-only access to NORS and DIRS filings to qualified agencies of the 
50 states, the District of Columbia, Tribal

[[Page 17819]]

nations, territories, and federal government; allow these agencies to 
share NORS and DIRS information with other public safety officials that 
reasonably require NORS and DIRS information to prepare for and respond 
to disasters; allow participating agencies to publicly disclose NORS or 
DIRS filing information that is aggregated and anonymized across at 
least four service providers; condition a participating agency's direct 
access to NORS and DIRS filings on their agreement to treat the filings 
as confidential and not disclose them absent a finding by the 
Commission that allows them to do so; and establish an application 
process that would grant agencies access to NORS and DIRS after those 
agencies certify to certain requirements related to maintaining 
confidentiality of the data and the security of the databases.

DATES: Submit comments on or before April 30, 2020; and reply comments 
on or before June 1, 2020.

ADDRESSES: You may submit comments, identified by PS Docket No. 15-80, 
by any of the following methods:
     Federal Communications Commission's Website: http://fjallfoss.fcc.gov/ecfs2/. Follow the instructions for submitting 
comments.
     Filings can be sent by hand or messenger delivery, by 
commercial overnight courier, or by first-class or overnight U.S. 
Postal Service mail. See the SUPPLEMENTARY INFORMATION section for more 
instructions.
     People with Disabilities: Contact the FCC to request 
reasonable accommodations (accessible format documents, sign language 
interpreters, CART, etc.) by email: [email protected] or phone: 
202-418-0530 or TTY: 202-418-0432.
    For detailed instructions for submitting comments and additional 
information on the rulemaking process, see the SUPPLEMENTARY 
INFORMATION section of this document.

FOR FURTHER INFORMATION CONTACT: For further information, contact 
Saswat Misra, Attorney-Advisor, Cybersecurity and Communications 
Reliability Division, Public Safety and Homeland Security Bureau, (202) 
418-0944 or via email at [email protected] or Brenda D. Villanueva, 
Attorney-Advisor, Cybersecurity and Communications Reliability 
Division, Public Safety and Homeland Security Bureau, (202) 418-7005 or 
via email at [email protected].

SUPPLEMENTARY INFORMATION: This is a summary of the Commission's Second 
Further Notice of Proposed Rulemaking (FNPRM), PS Docket No. 15-80; FCC 
20-20, adopted on February 28, 2020, and released on March 2, 2020. The 
full text of this document is available for inspection and copying 
during normal business hours in the FCC Reference Center (Room 
CY-A257), 445 12th Street SW, Washington, DC 20554 or via ECFS at 
http://fjallfoss.fcc.gov/ecfs/. The full text may also be downloaded at: 
https://apps.fcc.gov/edocs_public/attachmatch/FCC-16-63A1.pdf.
    Pursuant to Sec. Sec.  1.415 and 1.419 of the Commission's rules, 
47 CFR 1.415, 1.419, interested parties may file comments and reply 
comments on or before the dates indicated on the first page of this 
document. Comments may be filed using the Commission's Electronic 
Comment Filing System (ECFS). See Electronic Filing of Documents in 
Rulemaking Proceedings, 63 FR 24121 (1998).
     Electronic Filers: Comments may be filed electronically 
using the internet by accessing the ECFS: http://apps.fcc.gov/ecfs/.
     Paper Filers: Parties who choose to file by paper must 
file an original and one copy of each filing. If more than one docket 
or rulemaking number appears in the caption of this proceeding, filers 
must submit two additional copies for each additional docket or 
rulemaking number.
    Filings can be sent by hand or messenger delivery, by commercial 
overnight courier, or by first-class or overnight U.S. Postal Service 
mail. All filings must be addressed to the Commission's Secretary, 
Office of the Secretary, Federal Communications Commission.
     All hand-delivered or messenger-delivered paper filings 
for the Commission's Secretary must be delivered to FCC Headquarters at 
445 12th St. SW, Room TW-A325, Washington, DC 20554. The filing hours 
are 8:00 a.m. to 7:00 p.m. All hand deliveries must be held together 
with rubber bands or fasteners. Any envelopes and boxes must be 
disposed of before entering the building.
     Commercial overnight mail (other than U.S. Postal Service 
Express Mail and Priority Mail) must be sent to 9300 East Hampton 
Drive, Capitol Heights, MD 20743.
     U.S. Postal Service first-class, Express, and Priority 
mail must be addressed to 445 12th Street SW, Washington, DC 20554.
    People with Disabilities: To request materials in accessible 
formats for people with disabilities (braille, large print, electronic 
files, audio format), send an email to [email protected] or call the 
Consumer & Governmental Affairs Bureau at 202-418-0530 (voice), 
202-418-0432 (tty).

Synopsis

I. Introduction

    1. The Commission supports our Nation's incident preparedness goals 
and emergency response efforts by, among other things, collecting and 
providing accurate and timely communications outage and infrastructure 
status information via our Network Outage Reporting System (NORS) and 
Disaster Information Reporting System (DIRS). NORS and DIRS provide 
critical information about significant disruptions or outages to 
communication services, including, among others, wireline, wireless, 
cable, broadcast (radio and television), satellite, and interconnected 
VoIP, as well as communications disruptions affecting Enhanced 9-1-1 
facilities and airports. Given the sensitive nature of this data to 
both national security and commercial competitiveness, the outage data 
is presumed to be confidential.
    2. Today when a major disaster or outage occurs, we make this 
information available to the Department of Homeland Security's (DHS) 
National Cybersecurity and Communications Integration Center (NCCIC). 
DHS uses this information to assess the needs of an affected area and 
to coordinate overall emergency response efforts with state and local 
first responders so that assets such as equipment, fuel, and personnel 
can be directed to where they are most needed.
    3. Our experience over the years with major outages--from the 2017 
hurricanes, tornadoes, and flooding, to power shutdowns in California 
and the latest earthquakes in Puerto Rico--underscores the value of 
reliable and timely outage information to the rapid restoration of 
communications (including wireline and wireless telephone, television, 
radio, and satellite). This experience has also heightened our 
understanding of the crucial role state and local authorities can play 
in the successful restoration of disrupted communications. We thus now 
consider how more direct access to outage information might improve the 
situational awareness and ability of state and local authorities to 
respond more quickly to outages impacting their communities and to help 
save lives. Specifically, this Second Further Notice of Proposed 
Rulemaking proposes an information sharing framework that would provide 
state and federal agencies with access to NORS and DIRS information 
while also preserving the confidentiality of that data.

[[Page 17820]]

II. Background

    4. In 2004, the Commission adopted rules that require outage 
reporting for certain communications providers to address ``the 
critical need for rapid, complete, and accurate information on service 
disruptions that could affect homeland security, public health or 
safety, and the economic well-being of our Nation, especially in view 
of the increasing importance of non-wireline communications in the 
Nation's communications networks and critical infrastructure.'' 69 FR 
68859 (Nov. 26, 2004) (2004 Part 4 Report and Order).
    5. Under these rules, certain service providers must submit outage 
reports to NORS for outages that exceed specified duration and 
magnitude thresholds. 47 CFR 4.9. Service providers are required to 
submit a notification into NORS generally within 30 minutes of 
determining that an outage is reportable to provide the Commission with 
timely preliminary information. The service provider must then either 
(i) provide an initial report within three calendar days, followed by a 
final report with complete information on the outage within 30 calendar 
days of the notification; or (ii) withdraw the notification and initial 
reports if further investigation indicates that the outage did not in 
fact meet the applicable reporting thresholds. 47 CFR 4.11.
    6. All three types of NORS filings--notifications, initial reports, 
and final reports--contain service disruption or outage information 
that, among other things, includes: The reason the event is reportable, 
incident date/time and location details, state affected, number of 
potentially affected customers, and whether enhanced 911 (E911) was 
affected. The Commission analyzes NORS outage reports to, in the 
short-term, assess the magnitude of major outages, and in the long-term, 
identify network reliability trends and determine whether the outages 
likely could have been prevented or mitigated had the service providers 
followed certain network reliability best practices. Information 
collected in NORS has contributed to several of the Commission's outage 
investigations and recommendations for improving network reliability.
    7. NORS filings are presumed confidential and thus withheld from 
routine public inspection, 47 CFR 0.457(d)(vi), 4.2. The Commission 
grants read-only access to outage report filings in NORS to the NCCIC 
at DHS, but it does not currently grant access to other federal 
agencies, state governments, or other entities. DHS, however, may share 
relevant information with other federal agencies at its discretion. The 
Commission publicly shares limited analyses of aggregated and 
anonymized data to collaboratively address industry-wide network 
reliability issues and improvements.
    8. In the wake of Hurricane Katrina, the Commission established 
DIRS as a means for service providers, including wireless, wireline, 
broadcast, and cable providers, to voluntarily report to the Commission 
their communications infrastructure status and situational awareness 
information during times of crisis. The Commission recently required a 
subset of service providers that receive Stage 2 funding from the 
Uniendo a Puerto Rico Fund or the Connect USVI Fund to report in DIRS 
when it is activated in the respective territories, 84 FR 59937, 
59959-60 (Nov. 7, 2019) (Puerto Rico & USVI USF Fund Report and Order). DIRS, 
like NORS, is a web-based filing system. The Commission analyzes 
infrastructure status information submitted in DIRS to provide public 
reports on communications status during DIRS activation periods, as 
well as to help inform investigations about the reliability of 
communications following disasters.
    9. The Commission treats DIRS filings as presumptively confidential 
and limits the disclosure of information derived from those filings. 
The Commission grants direct access to the DIRS database to the NCCIC 
at DHS. The Commission prepares and provides aggregated DIRS 
information, without company identifying information, to the NCCIC, 
which then distributes the information to Emergency Support Function #2 
(ESF-2) participants, including other units in DHS, during an ESF-2 
incident. ESF-2 is led by DHS and composed of other participants, 
including the Department of Agriculture, Department of Commerce, 
Department of Defense, General Services Administration, Department of 
Interior, and the Federal Communications Commission. Agencies use the 
analyses for their situational awareness and for restoration priorities 
for communications infrastructure in affected areas. The Commission 
also provides aggregated data, without company-identifying information, 
to the public during disasters.
    10. In 2009, the California Public Utilities Commission (CPUC) 
filed a petition requesting that the Commission amend its rules in 
order to permit state agencies to directly access the Commission's NORS 
filings for outages filed in their respective states, Petition of the 
California Public Utilities Commission and the People of the State of 
California, ET Docket No. 04-35 (filed Nov. 12, 2009) (CPUC Petition). 
The Commission sought public comment on the CPUC's request.
    11. In 2015, the Commission proposed to grant state governments 
``read-only access to those portions of the NORS database that pertain 
to communications outages in their respective states,'' 80 FR 34321, 
34357 (June 16, 2015) (2015 Part 4 NPRM). The Commission also asked if 
this access should extend beyond states and include ``the District of 
Columbia, U.S. territories and possessions, and Tribal nations.'' The 
Commission proposed to condition access on a state's certification that 
it ``will keep the data confidential and that it has in place 
confidentiality protections at least equivalent to those set forth in 
the federal Freedom of Information Act (FOIA).'' The Commission sought 
comment on other key implementation details, including how to ``ensure 
that the data is shared with officials most in need of the information 
while maintaining confidentiality and assurances that the information 
will be properly safeguarded.'' Similarly, in the 2015 Part 4 NPRM, the 
Commission sought comment on sharing NORS filings with federal agencies 
pursuant to certain safeguards to protect presumptively confidential 
information.
    12. In the 2016 Order and Further Notice, the Commission found that 
the record reflected broad agreement that state and federal agencies 
would benefit from direct access to NORS data and that ``such a process 
would serve the public interest if implemented with appropriate and 
sufficient safeguards,'' 81 FR 45055, 45064 (July 12, 2016) (2016 Part 
4 Order and Further Notice). The Commission determined that providing 
state and federal government agencies with direct access to NORS 
filings would have public benefits but concluded that the process 
required more development for ``a careful consideration of the details 
that may determine the long-term success and effectiveness of the NORS 
program.'' Finding that the record was not fully developed and that the 
``information sharing proposals raise a number of complex issues that 
warrant further consideration,'' the Commission directed the Public 
Safety and Homeland Security Bureau (PSHSB) to further study and 
develop proposals regarding how NORS filings could be shared with state 
commissions and federal agencies in real time, keeping in mind the 
information sharing privileges already granted to DHS.
    13. The Bureau subsequently conducted ex parte meetings to solicit 
additional viewpoints from industry, state public service commissions, 
trade

[[Page 17821]]

associations, and other public safety stakeholders on the issue of 
granting state and federal government agencies direct access to NORS 
and DIRS filings.
    14. This Second Further Notice of Proposed Rulemaking is part of 
our overarching effort to promote the reliability and redundancy of 
communications service in the United States. For example, the 
Commission is undertaking a comprehensive re-examination of the 
Wireless Resiliency Cooperative Framework to ensure that it is meeting 
the needs of communities, with a particular focus on increasing 
wireless service provider coordination with backhaul providers and 
electric utilities. Two federal advisory committees to the Commission, 
the Broadband Deployment Advisory Committee (BDAC) and the 
Communications Security, Reliability, and Interoperability Council VII 
(CSRIC VII) are developing recommendations to improve broadband and 
broadcast resiliency, respectively. PSHSB conducted an investigation 
into the preparations for and impact of 2018's Hurricane Michael on 
communications services and issued a report with recommendations to 
improve future recovery efforts. The Bureau also sent letters to 
wireless providers seeking information on their preparations for 
electric power shutoffs and wildfires in California, and it conducted 
outreach with communications and electric industry stakeholders to 
assess lessons learned.

III. Discussion

    15. Based on the record before us, the majority of commenters agree 
that sharing NORS and DIRS information with state and federal 
agencies--in a manner that preserves the confidentiality of that 
information--would provide important public safety benefits. 
Accordingly, we propose a framework for granting state and federal 
government agencies direct access to NORS and DIRS filings that will 
assist agencies in their efforts to keep the public safe while 
preserving confidentiality, ensuring appropriate access, and 
facilitating reasonable information sharing.

A. Sharing NORS Filings With State and Federal Agencies

    16. NORS filings contain timely information on communications 
service disruptions or outages impacting a provider's networks. For 
example, NORS filings may include useful information about the 
operational status of communications services or 911 elements that have 
been affected, as well as incident date, time, and location details. 
The Commission previously found that sharing NORS data with state and 
federal agencies would serve the public interest--provided that 
appropriate and sufficient safeguards were implemented. We now propose 
to reaffirm this finding and to refresh the record.
    17. The Puerto Rico Telecommunications Bureau shared its experience 
in responding to Hurricane Maria in 2017, specifically that the outages 
impacted communication services for the government agencies responsible 
for providing essential services. Further, the Puerto Rico 
Telecommunications Bureau strongly encouraged the Commission to grant 
state access to NORS so that the agency can coordinate assistance to 
companies and to emergency government agencies in order to restore 
communication services and assist its citizens. The Massachusetts 
Department of Telecommunications and Cable (Massachusetts DTC) in turn 
argues that state agencies need ``timely, unrestricted access to 
accurate outage information in order to respond quickly and maintain 
public safety.'' Massachusetts DTC supports state access to NORS, 
citing the specific challenges it faced in accessing accurate and 
reliable information during the nationwide CenturyLink outage in 
December 2018, which also disrupted 911 service throughout the state. 
Massachusetts DTC states that during the December 2018 outage, 
``misinformation was disseminated'' regarding the extent of the state's 
911 outages.
    18. We believe that subject to appropriate safeguards, giving 
qualified state and federal agencies NORS access would help restore 
affected communications and ultimately help save lives. To what extent 
are state or federal agencies' efforts to ensure the safety of the 
public frustrated by the fact that information about communications 
outages is either difficult to obtain or unavailable? Have there been 
recent public safety incidents where state or federal agencies could 
have led a more successful response had they been granted direct access 
to NORS filings at the time of the incident? How would direct access to 
NORS filings have assisted in the response for such public safety 
incidents? Are there additional benefits associated with granting 
direct access to NORS that we should consider?

B. Sharing DIRS Filings With State and Federal Agencies

    19. As with NORS data sharing, we propose sharing DIRS filings with 
eligible state and federal agencies. Unlike NORS filings, which provide 
a baseline measure for network reliability in a jurisdiction prior to 
and after disasters, DIRS filings are focused on network status during 
disasters and in their immediate aftermath. As emergency management 
officials in California have reported, their currently available 
resources for identifying the status of communications networks reflect 
data gaps and inconsistencies at times, which make it difficult for 
officials to make informed emergency management decisions at the local 
level, such as identifying and knowing how to move the public out of 
danger and how to report ``medically-difficult situations.''
    20. DIRS filings, on the other hand, contain timely information 
about the operational status of service providers' networks and the 
associated infrastructure equipment, typically submitted on a daily 
basis during disaster conditions. DIRS filings also reflect a snapshot 
of whether specific service provider infrastructure equipment is 
running on backup power or out of service, as well as the operational 
status of 911 call centers. As we have found in past communications 
outages following a disaster, information indicating which counties 
have a large percentage of their cell towers out of service can provide 
state authorities the situational awareness they need to appropriately 
address the communications needs of vulnerable populations in affected 
areas. After its experience with Hurricane Maria, the Puerto Rico 
Telecommunications Bureau shared that the DIRS information that it 
received from communication service providers, not available from the 
DIRS public reports, was helpful and future access to DIRS information 
would be an ``essential tool'' to coordinate assistance to the 
companies and emergency government agencies in order to restore 
communication services and assist citizens affected by an outage. For 
these reasons, we believe that sharing DIRS information with qualified 
state and federal agencies would help them to better direct their 
limited resources, including field staff, to areas of most need, 
thereby enhancing their communications response and recovery efforts in 
times of disaster. Service providers who report in DIRS submit 
information as frequently as on a daily basis. Thus, the information 
submitted may often represent near-real time status updates on critical 
communications infrastructure inside the counties most devastated during 
a

[[Page 17822]]

natural disaster like a category 5 hurricane or wildfire.
    21. Moreover, because the Commission affirmatively waives mandatory 
NORS reporting requirements for service providers that voluntarily report 
in counties where DIRS is activated, DIRS sharing will provide more 
complete and actionable status of communications outages. As the 
Michigan Public Service Commission observed, a state agency would have 
an ``incomplete picture of outages'' without access to both NORS and 
DIRS whenever DIRS is activated.
    22. We seek comment on our analysis and these anticipated benefits. 
To what extent would our proposal to share DIRS filings with state and 
federal agencies improve the effectiveness of response and recovery 
efforts during and after disasters and emergencies? Are there other, 
equally effective methods that state and federal agencies may already 
use to obtain communications status information on a daily basis, 
especially during and after a devastating event such as a hurricane or 
wildfire, that do not require access to DIRS? Conversely, what, if 
any, harms may arise from granting state and federal agencies access to 
DIRS information? Given that service providers may voluntarily report 
confidential information in DIRS, we seek comment on whether federal 
and state agency access to DIRS filings would in any way reduce service 
provider participation or diminish the level of detail that service 
providers submit in DIRS. To what extent would any such harms outweigh 
the benefits of sharing that information? Could those harms be 
mitigated through the implementation of the safeguards proposed below, 
and if so, to what extent?

C. Eligible State, Federal, and Tribal Nation Government Agencies

    23. We believe that providing state and federal agencies, including 
Tribal Nation government agencies, access to NORS and DIRS information 
will help promote the timely restoration of communications in affected 
communities. However, access to NORS and DIRS must be balanced against 
a need to safeguard and protect the presumed confidentiality of that 
information. We therefore believe it is necessary to limit the types of 
agencies that are eligible to receive direct access to NORS and DIRS. 
We propose that direct access to NORS and DIRS be limited to agencies 
acting on behalf of the federal government (we note that the NCCIC of 
DHS already has direct access to NORS and DIRS information; we do not 
propose to modify the terms by which the NCCIC accesses this 
information), the fifty states, the District of Columbia, Tribal Nation 
governments, and United States territories (including Puerto Rico and 
the U.S. Virgin Islands) that reasonably require access to the 
information in order to prepare for, or respond to, an event that 
threatens public safety, pursuant to its official duties (i.e., 
agencies with a ``need to know''). Henceforth, we use the term 
``state'' in this Further Notice to broadly refer to any of the fifty 
states, the District of Columbia, tribal governments, and United States 
territories. For purposes of our proposal, we use the term ``agency'' 
to refer to any distinct governmental department, commission, board, 
office, or other organization established to fulfill a specific purpose 
or role, including a state public utility commission or state 
department of public safety. We also propose that NORS and DIRS 
information accessed by these agencies should only be used for public 
safety purposes. We believe that this proposal provides NORS and DIRS 
access to the agencies that are in the best position to use outage and 
infrastructure status information to promote public safety across their 
jurisdictions. We seek comment on our definition of ``need to know'' 
and on any objective criteria that would be sufficient or necessary for 
a state or federal agency to establish that it satisfies the ``need to 
know'' standard. What supporting materials should a state or federal 
agency provide to the Commission to support its assertion that it has a 
``need to know'' as a condition of access to the NORS and DIRS data? We 
seek comment on the public safety purposes for which eligible agencies 
may use NORS and DIRS information, as well as on our proposal to 
condition access to this information on its use for public safety 
purposes only.
    24. While local agencies will not be able to access NORS and DIRS 
directly under our proposal, we note that these agencies generally fall 
within the oversight jurisdiction of state agencies that are eligible. 
Therefore, the local entities would be in a position to obtain NORS and 
DIRS filings or information from an affiliated state agency, on a 
case-by-case basis, provided that the state agency finds that the local 
entities have a ``need to know'' justification. We further believe this 
approach is necessary for a NORS and DIRS information sharing framework 
to be administrable by the Commission, as county and local eligibility 
would be likely to result in tens of thousands of applications for 
access, which would take significant time to process and place 
significant burdens on Commission staff. We seek comment on our 
proposal.
    25. Are there reasons why local entities require direct access to 
NORS and DIRS filings, and if so, how could these filings be protected 
from improper disclosure in view of the extremely large number of such 
local entities in the nation? Are there other entities, besides the 
state and federal agencies that we have identified above, that also 
should be eligible to participate in the proposed information sharing 
framework? How can we best balance addressing the public safety need 
for enhanced situational awareness against the risk of inadvertent 
disclosure of NORS and DIRS information, particularly given the large 
number of local entities in the nation?
    26. For example, should additional criteria be applied to determine 
whether a specific type of local entity (e.g., local alert-originating 
entities) should be granted direct access to NORS and DIRS filings? If 
so, what should those additional criteria be? Should we introduce 
additional criteria for state-level agencies, such as limiting access 
to certain types of state agencies (e.g., state public safety and 
emergency management departments)? Should we exclude from eligibility 
agencies located in states that have diverted or transferred 
911/Enhanced 911 (E911) fees for purposes other than 911/E911? If so, how 
should we address conditions of access for states that have 
inadequately responded to Commission inquiries as to their practices 
for using 911/E911 fees? Relatedly, should the types of federal 
agencies eligible for direct access to NORS and DIRS filings be limited 
and if so, what criteria should we consider?
    27. Tribal Nation Governments. We seek comment on our inclusion of 
Tribal Nation governments in today's proposed information sharing 
framework. Given the rural location of many Tribal Nation governments, 
there may be fewer providers offering service in Tribal lands and each 
piece of communications equipment may be more critical to maintaining 
connectivity. Does this consideration weigh in favor of different 
standards for determining whether Tribal Nation government agencies 
should be granted access to NORS and DIRS filings compared to the other 
government agencies described in today's proposal? If so, what 
alternative standards should we use to best tailor our proposal to 
Tribal Nation governments?

[[Page 17823]]

D. Confidentiality Protections

    28. The Commission currently treats NORS and DIRS filings as 
presumptively confidential. This means that the filings and the 
information contained therein would be withheld from public disclosure, 
shared on a limited basis to eligible entities, and provided to others 
in summarized and aggregated form and only in narrow circumstances. We 
propose to extend this policy by requiring that participating state and 
federal government agencies treat NORS and DIRS filings as confidential 
unless the Commission finds otherwise. For clarity, ``eligible 
agencies'' refers to agencies that qualify for direct access to NORS 
and DIRS under this proposal, while ``participating agencies'' refers 
to agencies that have applied for and been granted direct access by the 
Commission.
    29. We continue to believe that NORS filings should be 
presumptively confidential due to the ``sensitive data'' they contain 
that ``could be used by hostile parties to attack . . . networks, which 
are part of the Nation's critical information infrastructure.'' We also 
continue to believe that DIRS filings should be presumptively 
confidential ``[b]ecause the information that communications companies 
input to DIRS is sensitive, for national security and/or commercial 
reasons.'' We remain concerned that our national defense and public 
safety goals could be undermined if information from outage reports 
could be used by malicious actors to harm, rather than improve, the 
nation's communications infrastructure.
    30. Further, we continue to be sensitive to the notion that the 
public disclosure of the NORS information, and more likely, the public 
disclosure of voluntarily submitted DIRS information, could make 
``regulated entities less forthright in the information submitted to 
the Commission'' due to the ``likelihood of substantial competitive 
harm from disclosure'' of their submitted outage or infrastructure 
status information. We seek comment on these views and on any 
alternative approaches. We note that some service providers have 
recently announced plans to publicly release outage information not 
previously disclosed. We seek comment on the status of current 
policies, as well as any future plans, of service providers with regard 
to publicly releasing outage and infrastructure status information, 
including specific details as to the types of information that 
providers intend to release and the circumstances under which they will 
release it. Verizon has argued that ``increased public disclosure of 
company-specific outage information will further improve information 
flow and transparency during disasters and other emergencies without 
compromising competitively sensitive data.'' We seek comment on how 
this argument should affect our views on the presumption of 
confidentiality afforded to NORS and DIRS data.
    31. Moreover, we seek to provide confidence to NORS and DIRS filers 
that the information they submit would continue to be protected against 
public disclosure at its current level and to ensure consistency in the 
information that is publicly disclosed. We believe that a uniform 
confidentiality standard for granting state and federal agencies access 
to NORS and DIRS filings would help secure these results. We therefore 
propose that a participating agency's direct access to NORS and DIRS 
filings be conditioned on the participating agency agreeing to treat 
the filings as confidential and not disclose them absent a finding by 
the Commission that allows them to do so. We propose that participating 
agencies that seek to disclose information would request the 
Commission's review, which would occur in the same manner that the 
Commission reviews requests for disclosure under FOIA. This proposal 
mirrors the way in which federal agencies share homeland security 
information with state governments under section 892 of the Homeland 
Security Act of 2002, in which the federal agency remains in control of 
the information and state law that otherwise authorizes disclosure of 
information does not apply, 6 U.S.C. 482(e). We believe that our 
proposal would limit distribution of the information for unauthorized 
purposes, ensure the security and confidentiality of the information, 
and protect the rights of companies that submit the information. We 
seek comment on this approach.
    32. We seek comment on alternative proposals that may address 
confidentiality concerns. Do any states have substantially different 
disclosure standards than federal FOIA and, if so, would this condition 
be satisfied in jurisdictions with more permissive state open record 
laws or with court decisions favoring more permissive disclosure? We 
note that the Commission has dealt with similar issues before. With 
respect to competitively sensitive information submitted by carriers 
with respect to the North American Numbering Plan, the Commission 
recognized that some states had open record laws that might not allow 
state public utility commissions to protect the information from public 
disclosure. The Commission stated that it would work with those 
commissions to enable them to obtain the information they needed while 
protecting the confidential nature of the information. We acknowledge 
that in all cases, agencies would need to determine whether they can 
certify to the Commission that the agency would uphold the 
confidentiality protections we propose. We seek comment on whether 
these approaches are appropriate and workable here. Should the 
Commission rely on additional procedures to protect confidential 
materials from public disclosure by participating state or federal 
government agencies in this context?
    33. To further ensure consistency in disclosure and confidence that 
submitted information will continue to be protected as it is today, we 
also propose to require participating state and federal agencies to 
notify the Commission on issues related to confidentiality in two 
instances. First, we propose that state and federal agencies notify the 
Commission within 14 calendar days from the date the agency receives 
requests from third parties for NORS filings and DIRS filings, or 
related records. This would provide the Commission the ability to 
notify the original NORS or DIRS submitter and give them an opportunity 
to object. Second, we propose that state and federal agencies notify 
the Commission at least 30 calendar days prior to the effective date of 
any change in relevant statutes or rules that would affect the agency's 
ability to adhere to the confidentiality protections that we require. 
This would provide the Commission with an opportunity to determine 
whether to terminate an agency's access to NORS or DIRS filings or take 
other appropriate steps as necessary, before the agency is no longer in 
a position to protect this information. We seek comment on this 
approach or on any alternative approaches that may achieve the stated 
goals.

E. Proposed Safeguards for Direct Access to NORS and DIRS Filings

1. Read-Only Direct Access to NORS and DIRS
    34. We believe that agencies should receive access to NORS and DIRS 
in a format that reduces or eliminates the risk that their employees 
would make unauthorized modifications to the filings, whether 
unintentional or malicious. The current NORS database only allows users 
assigned to a company to modify reports submitted by that company. 
Preventing such modifications would ensure the

[[Page 17824]]

accuracy of the Commission's oversight work and that of its partners, 
who rely on the accuracy of NORS and DIRS filings at all times. We thus 
renew our proposal that participating state and federal agencies be 
granted direct access to NORS and DIRS filings in a read-only manner. 
Many commenters to the 2015 Part 4 NPRM supported a read-only access 
approach. For example, Verizon stated that ``limit[ing] access to read-
only format is [an] appropriate safeguard'' based on ``public safety, 
security, and competitive sensitivities.'' We seek further comment on 
the proposed read-only approach. Have any developments occurred since 
2015, when we proposed to grant state governments read-only access, 
that weigh in favor or against providing access in a read-only manner? 
In addition, we currently require each user account in NORS and DIRS to 
use a password to access the systems. We seek comment on whether we 
should implement other technology protections to prevent unauthorized 
access to these databases given today's proposal, which would expand 
the number and scope of individuals with access to NORS and DIRS.
    35. We believe that providing participating agencies with direct 
access to historical NORS and DIRS information would allow them to 
identify trends in outages and infrastructure status that would further 
enhance their real-time recovery and restoration efforts. We thus 
propose to grant participating agencies access to NORS and DIRS filings 
made after the effective date of this proposed information sharing 
framework, even if the agency begins its participation at a later date. 
Historical information will allow agencies to determine outage and 
infrastructure status baseline levels in their jurisdictions and 
identify trends, so that they can better predict and respond to 
emerging exigencies more rapidly than would otherwise be possible. We 
propose to limit agency access to filings made after the 
effective date of this framework to address potential concerns that 
service providers may have about a potential dissemination of filings 
that they originally made to the Commission under an expectation that 
we would keep the filings presumptively confidential and withhold them 
from disclosure, even from federal and state government agencies that 
might seek them.
    36. Are there reasons why we should not provide an agency access to 
filings after the effective date and prior to their participation in 
the proposed framework? Are there reasons that we should provide access 
to all historical filings that can be made available or, instead, that 
are made as of the date of today's proposal? The Commission estimates 
internal costs of approximately $50,000 to revise its NORS and DIRS 
processes to ensure the compatibility of the NORS and DIRS databases 
with historical (e.g., non-multistate) filings. We seek comments on 
these costs. Alternatively, should participating agencies' access to 
NORS and DIRS information be limited to timeframes relevant to specific 
disasters or other events that threaten public safety for which those 
agencies are contemporaneously preparing or responding?
2. Sharing of Confidential NORS and DIRS Information
    37. We recognize that, in many cases, there are individuals, 
including key decision-makers and first responders, who would not 
directly access NORS and DIRS and yet play a vital role within their 
respective jurisdictions in ensuring public safety during times of 
crisis. We believe there would be significant benefit in ensuring that 
these individuals also have access to the information in NORS and DIRS 
filings, in whatever form is most useful to them in furtherance of 
their duties. Accordingly, for each participating state or federal 
government agency, we propose to allow individuals granted credentials 
for direct access to NORS and DIRS filings to share copies (e.g., 
printouts) of NORS and DIRS filings, in whole or part, and any 
confidential information derived from NORS or DIRS filings 
(collectively, confidential NORS and DIRS information), within or 
outside their participating agency, on a strict ``need to know'' basis. 
Confidential NORS and DIRS information may include, as illustrative 
examples, presentations, email summaries, and analysis and oral 
communication reflecting the content of, or informed by, NORS and DIRS 
filings. We also propose to require that this information be used for 
public safety purposes only.
    38. A ``need to know'' basis exists where the recipient would need 
to reasonably require access to the information in order to prepare 
for, or respond to, an event that threatens public safety, pursuant to 
the recipient's official duties. We propose that the sharing of 
confidential NORS and DIRS information be allowed ``downstream'' as 
well, meaning that once an agency with direct NORS and DIRS access 
shares confidential NORS and DIRS information with a recipient, that 
recipient can further summarize and/or share the information with 
others who also have a ``need to know.'' To ensure that non-
participating agencies maintain the confidentiality of NORS and DIRS 
information, we propose to require that participating agencies 
condition access to this information on non-participating agencies' 
certification that it will treat the information as confidential, not 
disclose it absent a finding by the Commission that allows them to do 
so, and securely destroy information when the public safety event that 
warrants their access to the information has concluded. We propose to 
hold participating agencies responsible for inappropriate disclosures 
of NORS and DIRS information by the non-participating agencies with 
which they share it and expect that participating agencies will take 
all necessary steps to have confidence that confidentiality will be 
preserved. We also note that individuals or agencies that make 
inappropriate disclosures of NORS and DIRS information may be subject to 
disciplinary action and/or liability under federal, Tribal and/or state 
laws that protect data containing, e.g., trade secrets or other 
commercially sensitive information. We seek comment on any federal and 
non-federal restrictions that may apply to the improper dissemination 
of private information by employees of participating agencies and those 
with whom they share NORS and DIRS information, and the consequences of 
violating them.
    39. We seek comment on this approach of participating agencies 
agreeing to be held responsible for downstream information sharing as a 
pre-requisite for accessing NORS and DIRS information. Would the 
measures proposed be sufficient to ensure that downstream recipients 
preserve the confidentiality of NORS and DIRS information they receive? 
Relatedly, we seek comment on whether state laws and penalties would be 
sufficient to deter any inappropriate disclosure of NORS/DIRS 
information. If these measures and state laws are not sufficient, we 
seek comment on any additional measures that we should include to 
ensure that confidentiality is maintained when sharing NORS and DIRS 
information downstream. For example, to what extent should the 
Commission hold downstream recipients responsible when NORS and DIRS 
information is improperly disclosed and what should the consequences be 
(apart from, for instance, immediate cut-off of access for the agency 
that accessed the NORS and DIRS filings)? To what extent would 
additional measures hinder the ability of first responders and other 
emergency

[[Page 17825]]

response officials to receive critical information, thereby undermining 
their restoration and recovery efforts? Are there measures we can take 
that would adequately preserve the confidentiality of information that 
was earlier shared downstream after the public safety event that 
necessitated sharing is over? We seek comment on the public safety 
purposes for which downstream recipients may use NORS and DIRS 
information, as well as on our proposal to condition access to this 
information on its use for public safety purposes only.
    40. We propose that the sharing agency determine whether a ``need 
to know'' exists on the part of the recipient. We believe that the 
sharing agency is in a strong position to make this determination based 
on their ``on the ground'' knowledge of the public safety-related 
activities of agencies that are not eligible to access NORS and DIRS 
directly. Moreover, we find that it would be impractical for the 
Commission to make these case-by-case determinations, which would often 
be made during on-going exigencies.
    41. Under our proposals, confidential NORS and DIRS information 
could be shared when the recipient has a ``need to know'' basis, for 
example, in the following illustrative scenarios:

    (a) An employee with direct NORS and DIRS access in a 
participating agency may share confidential NORS and DIRS 
information with any number of agency employees or contractors 
(e.g., a public utility agency may share information among its 
employees and contractors to resolve a power outage situation);
    (b) an employee with direct NORS and DIRS access in a 
participating agency may share confidential NORS and DIRS 
information with the employees and contractors of other 
participating or non-participating agencies within the same state/
jurisdiction or in a different state/jurisdiction (e.g., a public 
utility agency may share information with a neighboring state 
governor's office responding to a hurricane; or a state emergency 
management agency may share information with a region-level fire 
chief);
    (c) an employee at a non-participating agency who receives the 
confidential NORS and DIRS information on a ``need to know'' basis 
may then share the information with an employee at another non-
participating agency based on the latter's ``need to know'' (e.g., a 
region-level fire chief may share information with a county 
sheriff's department for the purpose of sending first responders to an 
affected area).

We seek comment on this proposal, as well as on other ways to permit 
sharing of NORS and DIRS information by participating agencies when 
such sharing helps to address public safety issues.
    42. Does our approach provide sufficient benefits to key decision-
makers and first responders to outweigh the risk of potential over-
disclosure of confidential information? What additional steps can we 
take, if any, to mitigate such risks while preserving the benefits? 
What would be the burden to participating agencies and others if we 
were to take additional steps? For example, should we require, as a 
condition for access to the data, that participating agencies notify 
the Commission when they share NORS and DIRS information with a 
downstream recipient, and if so, what form should the notification 
take? Should notification include specific information on which 
individuals, localities, and Tribal lands are receiving this 
information downstream and describe the basis for any ``need to know'' 
determinations? Should notification be provided to the Commission 
within a certain timeframe after the sharing occurs? Alternatively, in 
order to ensure that participating agencies' focus during a public 
safety event remains on response and restoration, should notification 
be provided to the Commission in advance in the form of a list of those 
downstream agencies with which it is anticipated the information will 
be shared? For such an approach, we seek comment on whether, in the 
event there is an exigency that necessitates sharing with agencies that 
were not on the advance list, participating agencies should be given a 
certain period of time to notify the Commission of additional 
downstream agencies with which the information was shared?
    43. What steps can we take to ensure that agencies are handling and 
sharing confidential information appropriately? Are there reasons why 
downstream sharing or sharing outside an agency should be more limited 
than described here? Should we adopt further measures to control or 
limit the downstream sharing of confidential NORS and DIRS information 
beyond the specific individuals with direct access, and if so, what 
specific measures should we adopt and what should be the consequences 
if they are not followed? On the other hand, should downstream agencies 
without access to NORS and DIRS be allowed to keep NORS and DIRS data, 
perhaps to allow it to be studied in an after-action review of their 
response efforts? To the extent that commenters recommend less or more 
restrictive frameworks (including ones that nonetheless facilitate 
broader sharing in emergency situations), we request that commenters 
identify in detail how such mechanisms would work, as well as their 
benefits and costs.
3. Disclosing Aggregated NORS and DIRS Information
    44. We believe that the aggregated information in NORS and DIRS 
filings can be of significant benefit to the general public. For 
example, this information can be used to keep the public informed of 
on-going emergency and network outage situations, timelines for 
recovery, and geographic areas to avoid while disaster and emergency 
events are ongoing. We therefore propose to allow agencies to provide 
aggregated NORS and DIRS information to any entity including the 
broader public (e.g., by posting such information on a public website).
    45. We define ``aggregated NORS and DIRS information'' to refer to 
information from the NORS and DIRS filings of at least four service 
providers that has been aggregated and anonymized to avoid identifying 
any service providers by name or in substance. We seek comment on this 
approach and whether there are other appropriate aggregation 
requirements that we should consider. For example, should we require 
aggregation over a larger number of service providers? We note that 
allowing the public disclosure of aggregated NORS and DIRS information 
is consistent with the Commission's own practices.
    46. Here, we propose extending the ability to generate and supply 
aggregated NORS and DIRS information to participating state agencies 
themselves. We believe that granting participating agencies this 
flexibility will allow them to disseminate information to the broader 
public and better fulfill their public safety missions. Moreover, we 
believe that this proposal carries at most a minimal risk of the over-
disclosure of sensitive information since participating agencies must 
anonymize aggregated NORS and DIRS information. We seek comment on this 
proposal. Are there any specific steps that agencies should take 
beyond aggregating over four or more providers to ensure that NORS and 
DIRS information is adequately aggregated and anonymized prior to 
disclosure? Should we adopt specific measures to ensure that, as a 
condition of access to NORS and DIRS filings and information, 
participating agencies adequately aggregate and anonymize the 
information in NORS and DIRS filings and information prior to 
disclosure? If so, what should those measures be and what should be the 
consequences if they are not followed?

[[Page 17826]]

4. Direct Access to NORS and DIRS Filings Based on Jurisdiction
    47. We observe that an outage or a disaster--such as a hurricane--
may cross multiple jurisdictional boundaries. We believe that agency 
access to NORS and DIRS filings should account for this reality. We 
propose that a participating agency receive direct access to all NORS 
notifications, initial reports, and final reports and all DIRS filings 
for events reported to occur at least partially in their jurisdiction. 
For federal agencies, this generally means for events reported to occur 
anywhere in the country. For state agencies, this generally means for 
the events reported to occur at least partially in the state's 
geographic boundaries. Commenters support granting states access to 
NORS filings and DIRS filings for events that occur within their 
jurisdiction. We propose that it would serve the public interest for 
participating state agencies to access NORS and DIRS filings for outage 
events and disasters that occur in portions of their respective state 
but also span across additional states.
    48. We seek comment on this proposal. How would participating 
agencies make use of NORS and DIRS filings that affect states beyond 
their own? Do participating agencies have a ``need to know'' about the 
effects of multistate outages and infrastructure status outside their 
jurisdiction? Do county or local agencies that cannot access NORS and 
DIRS under our proposal have similar needs? What benefits are expected 
to arise from granting participating state agencies access to these 
NORS and DIRS filings? Are there any harms that may potentially arise 
from granting participating state agency access to multistate outage 
and infrastructure information? As an alternative to our proposal, 
should participating agencies' access to NORS and DIRS filings be 
limited only to those aspects of multistate outages that occur solely 
in their jurisdiction? Are there specific aspects of multistate outages 
for which participating agencies do not have a ``need to know?'' In 
addition, we anticipate that there may be situations where a 
participating agency may share confidential information derived from 
DIRS or NORS filings with non-participating state or federal agencies 
on a strict ``need to know'' basis. We seek comment on this view.
    49. Does a participating federally recognized Tribal Nation's 
government agency that receives direct access to NORS and DIRS filings 
have a ``need to know'' about events that occur entirely outside of its 
borders but within the border of one the state where the Tribal land is 
located? For example, should a participating Tribal Nation agency 
located in Arizona receive direct access to filings throughout all of 
Arizona? Conversely, should a state agency receive direct access to 
NORS and DIRS filings reflecting events occurring entirely within 
Tribal land located in the state's boundaries? For example, should a 
participating Arizona state agency receive direct access to NORS and 
DIRS filings for outages occurring only within Tribal lands located in 
Arizona? We believe that both aspects of this approach are justified 
given the technical nature of many outages, where equipment located in 
a Tribal land affects service in the traditional state(s) surrounding 
the territory, and vice versa. We seek comment on this approach. Are 
there any harms that may potentially arise from granting Tribal Nation 
authorities access to outage and infrastructure information outside of 
their territories? As an alternative to our proposal, should Tribal 
Nation authorities' access to NORS and DIRS filings be limited only to 
those aspects of multistate outages that occur solely in their 
territories? Are there specific aspects of multistate outages for which 
these authorities do not have a ``need to know?''
    50. We seek comment on the technical implementation of our 
proposals. Since the DIRS form already requests filers to include data 
at the county level, we do not anticipate that service providers will 
need to modify their DIRS reporting processes to accommodate multistate 
reporting. We thus estimate that the nation's service providers will 
incur minimal, if any, burdens related to DIRS. We seek comment on this 
assessment.
    51. For NORS filings, however, commenters raise concerns that 
sharing filings with state agencies will require technical adjustments 
for both the service providers' systems and the Commission's internal 
systems. For example, the current NORS forms are designed with a drop-
down menu for a user to select the state where the outage occurred. A 
NORS user may select either a single state or the general option of 
``MULTI STATE'' in the current form without specifying the individual 
states. This existing approach makes it challenging to identify which 
multistate outage filings each participating state agency should have 
permission to access. As Intrado noted previously, in order to filter 
and display the NORS filings that pertain to any given state, including 
multi-outage filings, the NORS form would require adjustments.
    52. We propose to change the Commission's NORS form to allow users 
to select more than one state when submitting a NORS filing. This 
approach will allow us to limit state agencies' access to only those 
outages that occur within their states. We expect that service 
providers will need to make corresponding changes to their NORS 
reporting processes to provide us with information on a state-by-state 
basis. We currently estimate that the nation's service providers will 
incur total initial set up costs of $3.2 million based on our estimate 
of 1,000 service providers incurring costs of $80 per hour and spending 
40 hours to update or revise their software used to report multi-state 
outages to the Commission in NORS. In developing this analysis, the 
Commission estimates that the cost of a software developer of systems 
software is $80/hour, inclusive of wage and benefits. We seek comment 
on the burden and timelines associated with such modifications. We seek 
comment on whether the benefits associated with these modifications 
would outweigh the costs incurred by service providers.
    53. We seek comment on this approach, as well as on any potential 
alternatives, including any adjustments, if needed, to account for 
Tribal land borders. For example, we seek comment on whether, instead 
of modifying the NORS form, we should require service providers to 
submit several state-specific filings instead of submitting single 
aggregated filings for each outage that list all affected states.
5. Limiting the Number of User Accounts per Participating Agency
    54. We believe that it would be beneficial to limit the number of 
users at an agency who have access to NORS and DIRS filings to minimize 
the potential for over-disclosure of the sensitive information 
contained in the filings. At the same time, we recognize that agencies 
typically employ teams of staff members, rather than a lone individual, 
to provide ``around the clock'' coverage for incident response. We 
propose to presumptively limit the number of user accounts granted to a 
participating agency to five NORS and DIRS accounts per state or 
federal agency with additional accounts permitted on an agency's 
reasonable showing of need. We further propose to require that an 
agency assign each user account to a unique employee and manage the 
process of reassigning user accounts as its roster of employees changes 
(e.g., due to arrivals and departures or a change in roles at the 
participating agency). We believe that these requirements will limit 
access to

[[Page 17827]]

NORS and DIRS information to the employees that are intended to receive 
it and allow participating agencies to identify misuse by specific 
employees.
    55. We seek comment on this approach. For example, are there 
reasons why the Commission, rather than participating agencies, should 
be responsible for assigning individualized user accounts, i.e., 
accounts corresponding with specific named employees, and for re-
assigning user accounts as participating agency personnel changes with 
time? We observe that AT&T, based on concerns for safeguarding the 
commercially and national security-sensitive nature of NORS 
information, proposed a similar approach, suggesting that we impose a 
limit of ``three individuals unless the state can provide adequate 
justification for more employees.'' We agree with a presumptive limit, 
but we believe that the presumptive limit should be at least five 
employees, given our understanding of the size and complexity of 
network monitoring and emergency response operations at many state and 
most federal agencies. Other commenters to the 2015 Part 4 NPRM 
generally support limiting the number of direct access users to NORS.
    56. We recognize that some agencies--such as federal agencies or 
state agencies responsible for large populations or coverage areas--may 
have a reasonable need to provide more than five employees with direct 
access to fulfill their public safety mandate. Thus, we propose to 
consider, on a case-by-case basis, an agency's request to increase 
their limit upon written request to the Commission specifying how many 
additional employees require access and providing specific reasons why 
their access is necessary. We propose to grant such requests upon an 
agency's reasonable showing of need. We seek comment on this approach. 
Would this approach provide such agencies with sufficient flexibility, 
or should we establish a different presumptive limit for federal 
agencies or state agencies with the largest populations or coverage 
areas? Should there be a different presumptive limit of employees for 
agencies that serve a coverage area or population above a certain size? 
If there should be a different presumptive limit, what presumptive 
limit and qualifying size would be appropriate to ensure the 
confidentiality of the information provided in NORS and DIRS filings? Are 
there additional or alternative criteria that the Commission should use 
to evaluate requests?
    57. We believe that multiple state and federal agencies often need 
to collaborate on issues such as disaster response, operating with 
jurisdictional boundaries that may not always be clearly demarcated 
under challenging and time-constrained circumstances. For this reason, 
we propose that the Commission review all reasonable requests from 
state and federal agencies, rather than proposing a presumptive limit 
on the number of participating state and federal agencies eligible for 
direct access to NORS and DIRS filings. Given the important and 
time-sensitive work of these agencies, we seek to reduce the reliance 
of any one agency on another by allowing each to apply for direct 
access to NORS and DIRS filings. We seek comment on this proposal.
6. Training Requirements
    58. We believe that our proposed sharing framework would be more 
effective, and the risk of over-disclosure of NORS and DIRS information 
minimized, if individuals who receive direct access to NORS and DIRS 
filings also receive training on their privileges and obligations under 
the program, particularly given that NORS and DIRS filings implicate 
both national security and commercial interests. We believe that an 
annual training requirement is justified both generally as an industry 
standard practice and because there are a number of important 
procedural details associated with our proposed safeguards that could 
be easily forgotten and overlooked with time in the absence of 
continued training.
    59. For each participating agency, we propose that each individual 
to be granted a user account for direct access to NORS and DIRS filings 
be required to complete security training on the proper access to, use 
of, and compliance with safeguards to protect these filings. We propose 
that this training be completed by each individual prior to being 
granted initial access to NORS and DIRS filings and then on at least an 
annual basis thereafter.
    60. Rather than mandate an agency's use of a specific program, we 
propose to allow agencies to develop their own training program or rely 
on an outside training program that covers, at a minimum, each of the 
following topics or ``program elements'': (i) Procedures and 
requirements for accessing NORS and DIRS filings; (ii) parameters by 
which agency employees may share confidential and aggregated NORS and 
DIRS information; (iii) initial and continuing requirements to receive 
trainings; (iv) notification that failure to abide by the required 
program elements will result in personal or agency termination of 
access to NORS and DIRS filings and liability to service providers and 
third-parties under applicable state and federal law; and (v) 
notification to the Commission, at its designated email address, 
concerning any questions, concerns, account management issues, 
reporting any known or reasonably suspected breach of protocol and, if 
needed, requesting service providers' contact information upon learning 
of a known or reasonably suspected breach. We seek comment on this 
proposal, including each of the elements.
    61. The majority of commenters who opined on the issue of training 
believe that some form of training is necessary. For example, AT&T 
stated that the ``[C]ommission should require states to train their 
authorized employees (annually) on proper handling of NORS 
information,'' and Sprint stated that ``[t]he Commission should require 
that personnel charged with obtaining the information be required to 
have security training, and the identity of these individuals should be 
supplied to the FCC.'' We acknowledge that a minority of commenters 
believe that training is not necessary. Contrary to the concerns 
expressed by some of these commenters, we are not proposing to require 
that any state or federal agency participate in the proposed sharing 
framework. Rather, participation by an agency would be entirely 
voluntary. Further, to the extent training costs are an issue for a 
participating agency, we propose to reduce the agency burden through 
the use of exemplar training programs.
    62. To aid agencies' compliance with our training requirements, we 
propose that the Commission direct PSHSB to identify one or more 
exemplar training programs which would satisfy the required program 
elements. Once finalized, agencies could adopt these program(s) at 
their discretion in place of developing their own training program, 
thereby reducing their compliance time and costs. ATIS suggested that 
an exemplar-type training program could be developed (by its Network 
Reliability Steering Committee) in a matter of ``months'' once the 
Commission issues information sharing rules. We seek comment on the 
benefits and drawbacks to the Commission potentially working with one 
or more external partners, such as ATIS, to develop exemplar training 
program(s).
    63. We seek comment on whether the Commission should take steps to 
ensure that state and federal agencies' training programs comply with 
our proposed required program elements. Should the Commission require a 
third-party audit of a partner-developed training program? What 
specific steps should the Commission take, if any, to ensure the 
adequacy of such programs? We seek 
comment on whether additional individuals, beyond those granted a user 
account for direct access to NORS and DIRS filings, should be subject 
to the proposed training requirements. Should anyone who receives 
confidential NORS and DIRS information, including downstream 
recipients, be required to complete formal training? Would such a 
requirement be practical or overly burdensome? If we impose such a 
requirement, what should the consequences be if that training is not 
provided?

F. Procedures for Requesting Direct Access to NORS and DIRS

    64. We believe that our proposed information sharing framework 
would be more effective, and the risk of over-disclosure of NORS and 
DIRS information minimized, if we institute specific procedures for 
state and federal agencies to follow in applying for and managing their 
direct access to NORS and DIRS filings. We believe that these goals 
would also be furthered if we require that agency representatives 
provide a signed certification acknowledging their agreement to adhere 
to the key safeguards of our proposed framework.
    65. We therefore propose to institute the following procedures for 
state and federal agencies to apply for and manage their direct access 
to NORS and DIRS filings. Eligible state and federal agencies must 
apply for direct access to NORS and DIRS filings by sending a request 
to the agency's designated email address. The request would include: 
(i) A signed statement from an agency official, on the agency's 
official letterhead, including the official's full contact information 
and formally requesting access to NORS and DIRS filings; (ii) a 
description of why the agency has a need to access NORS and DIRS 
filings and how it intends to use the information in practice; (iii) if 
applicable, a request to exceed the proposed presumptive limits on the 
number of individuals (i.e., user accounts) permitted to access NORS 
and DIRS filings with an explanation of why this is necessary; and (iv) 
a completed copy of a Certification Form, a template of which is 
provided in this item as Appendix C. On receipt, the Commission would 
review the request and follow up with the agency official regarding any 
potential questions or issues. Once the Commission has reviewed the 
application and confirmed the application requirements are satisfied, 
the Commission would grant NORS and DIRS access to the agency by 
issuing the agency NORS and DIRS user accounts.
    66. As described in detail at Appendix C, an agency official with 
authority to obligate and bind the agency must certify that the agency: 
Will treat NORS and DIRS filings and data as confidential under federal 
and state FOIA statutes and similar laws and regulations; will 
implement a NORS and DIRS security training program; will adhere to 
continuing requirements for access (including annual recertification); 
understands that the Commission does not guarantee the accuracy of NORS 
or DIRS filings; and understands that there may be times access to the 
filings is unavailable. We believe that these requirements would create 
accountability within a state agency and help avoid the over-disclosure 
of sensitive NORS and DIRS information under the information sharing 
framework. We seek 
comment on this approach and the details included in Appendix C. Is our 
requirement, set forth in Appendix C, that the Commission be notified 
if an agency's certifying official ceases to have authority to obligate 
and bind the agency to the provisions of Appendix C justified or would 
this requirement cause undue burden for an agency?
    67. In addition, we propose to direct PSHSB to promulgate any 
additional procedural requirements that may be necessary to implement 
our proposals for the sharing of NORS and DIRS information, consistent 
with the Administrative Procedure Act. We foresee that such procedural 
requirements may include implementation of agency application 
processing procedures, necessary technical modifications to the NORS 
and DIRS databases (including, potentially, modifications designed to 
improve data protection and guard against unauthorized disclosure), and 
reporting guidelines to ensure that the Commission receives the 
notifications identified in Appendix C. We seek comment on these 
proposals, and whether there are additional safeguards we should adopt 
for the application process. Are there other procedural requirements 
that are anticipated to be necessary to implement our proposals?

G. Compliance Dates

    68. We seek to give interested state and federal agencies ample 
time to prepare their certifications and to give service providers 
sufficient time to adjust their NORS and DIRS filing processes to 
conform with any technical changes required by the proposed final 
rule changes. We also anticipate that the Commission will require time 
to implement the regime contemplated by our proposed rules in order to 
take such steps as securing OMB approval to the extent required under 
the Paperwork Reduction Act and modifying NORS and DIRS.
    69. To that end, we propose to require revised outage reports be 
filed by a date specified in a Public Notice issued by the Public 
Safety and Homeland Security Bureau, announcing: (i) OMB has approved 
the revised information collections for DIRS and NORS, respectively, in 
accordance with the final order; and (ii) the Commission has made the 
necessary technical adjustments to the NORS and DIRS databases to 
facilitate sharing. The Commission would begin accepting certification 
forms and granting direct NORS and DIRS access to eligible state and 
federal agencies as of the specified date. This approach would permit 
the Bureau to account for the contingencies, i.e., the readiness of the 
databases and the OMB approval that facilitates the implementation of 
the revised regime. We seek comment on this approach, as well as 
alternatives. Commenters proposing alternatives should explain the 
advantages and disadvantages of their preferred approaches.

IV. Procedural Matters

    70. Paperwork Reduction Act. This document contains proposed 
modified information collection requirements. The Commission, as part 
of its continuing effort to reduce paperwork burdens, invites the 
general public and the Office of Management and Budget (OMB) to comment 
on the information collection requirements contained in this document, 
as required by the Paperwork Reduction Act of 1995, Public Law 104-13. 
In addition, pursuant to the Small Business Paperwork 
Relief Act of 2002, Public Law 107-198, see 44 U.S.C. 
3506(c)(4), we seek specific comment on how we might further reduce the 
information collection burden for small business concerns with fewer 
than 25 employees.
    71. Ex Parte Rules--Permit-But-Disclose. This proceeding shall be 
treated as a ``permit-but-disclose'' proceeding in accordance with the 
Commission's ex parte rules, 47 CFR 1.1200 et seq. Persons making ex 
parte presentations must file a copy of any written presentation or a 
memorandum summarizing any oral presentation within two business days 
after the presentation (unless a different deadline applicable to the 
Sunshine period applies). Persons making oral ex parte presentations 
are reminded that memoranda summarizing the presentation must (1) list 
all persons attending or otherwise participating in the meeting at 
which the ex parte 
presentation was made, and (2) summarize all data presented and 
arguments made during the presentation. If the presentation consisted 
in whole or in part of the presentation of data or arguments already 
reflected in the presenter's written comments, memoranda or other 
filings in the proceeding, the presenter may provide citations to such 
data or arguments in his or her prior comments, memoranda, or other 
filings (specifying the relevant page and/or paragraph numbers where 
such data or arguments can be found) in lieu of summarizing them in the 
memorandum. Documents shown or given to Commission staff during ex 
parte meetings are deemed to be written ex parte presentations and must 
be filed consistent with Rule 1.1206(b). In proceedings governed by 
rule 1.49(f) or for which the Commission has made available a method of 
electronic filing, written ex parte presentations and memoranda 
summarizing oral ex parte presentations, and all attachments thereto, 
must be filed through the electronic comment filing system available 
for that proceeding, and must be filed in their native format (e.g., 
.doc, .xml, .ppt, searchable .pdf). Participants in this proceeding 
should familiarize themselves with the Commission's ex parte rules.

V. Initial Regulatory Flexibility Analysis

    72. As required by the Regulatory Flexibility Act of 1980, as 
amended (RFA), the Federal Communications Commission (Commission) has 
prepared this Initial Regulatory Flexibility Analysis (IRFA) of the 
possible significant economic impact on a substantial number of small 
entities by the policies and rules proposed in the Further Notice of 
Proposed Rule Making (Further Notice). Written public comments are 
requested on this IRFA. Comments must be identified as responses to the 
IRFA and must be filed by the deadlines for comments provided in 
``Comment Period and Procedures'' of the Further Notice.

A. Need for, and Objectives of, the Proposed Rules

    73. The Further Notice seeks additional comment on various 
proposals first issued in a Notice of Proposed Rulemaking in PS Docket 
No. 15-80, adopted in 2015, and a Report and Order and Further Notice 
of Proposed Rulemaking in PS Docket Nos. 15-80 and 11-82, adopted in 
2016, to update the Commission's part 4 outage reporting rules. More 
specifically, in the Further Notice the Commission proposes an 
information sharing framework to ensure that state and federal 
government agencies have access to communications network information 
to aid these agencies' response, recovery and restoration efforts and 
allow them to direct their resources quickly, and to the areas of 
greatest need.
    74. The proposals in the Further Notice to grant participating 
agencies of the states, the District of Columbia, Tribal Nations, 
territories, and the federal government (we note that the NCCIC of DHS 
already has direct access to NORS and DIRS information; we do not 
propose to modify the terms by which the NCCIC accesses this 
information), hereinafter agencies, direct access to outage and 
infrastructure status information establish safeguards to protect the 
confidentiality of Network Outage Reporting System (NORS) and Disaster 
Information Reporting System (DIRS) filings. The Commission's proposals 
define the scope of eligible government entities that would be able to 
participate and propose confidentiality protections that include 
requiring that NORS and DIRS data be treated as presumptively 
confidential. The proposals consider providing read-only access, 
limiting access based on agency jurisdiction, limiting the number of 
employees with access at each agency, imposing training requirements 
for employees with access, and specifying procedures for the sharing of 
confidential NORS and DIRS information. The proposed rules also include 
access request and certification procedures for agencies to apply for 
and manage their direct access to NORS and DIRS filings.
    75. The Further Notice seeks further comment on a number of the 
implementation details for proposed agencies' direct access to NORS and 
DIRS filings. To establish appropriate safeguards, the Further Notice 
specifically seeks comment on:
    * Providing agencies with read-only access to NORS and DIRS 
filings to reduce the potential for unauthorized modifications;
    * Presumptively limiting the number of identified and 
trained personnel that have direct access to NORS and DIRS filings by 
limiting the number of user accounts to five per agency;
    * Requiring agencies to treat NORS and DIRS filings and data 
as confidential under federal and state FOIA statutes and similar laws 
and regulations;
    * Requiring each individual granted a user account for 
direct access to NORS and DIRS filings to complete security training on 
the proper access to, use of, and compliance with safeguards to protect 
the information contained in the filings;
    * Limiting agency access to NORS and DIRS filings for events 
reported to occur at least partially within their jurisdictional or 
geographic boundaries;
    * Allowing participating agencies to share confidential NORS 
and DIRS information inside or outside the agency if a recipient 
reasonably requires access to the confidential NORS and DIRS 
information to prepare for, or respond to, an event that threatens 
public safety, pursuant to the recipient's official duties;
    * Allowing participating agencies to share information from 
the NORS and DIRS filings of at least four service providers that has 
been aggregated and anonymized to avoid identifying any service 
provider by name or in substance with any entity, including the broader 
public; and
    * Requiring agencies to provide certain assurances and 
suitable attestation that they will take measures to protect NORS and 
DIRS filings from unauthorized access.

B. Description and Estimate of the Number of Small Entities To Which 
the Proposed Rules Will Apply

    76. The RFA directs agencies to provide a description of, and, 
where feasible, an estimate of, the number of small entities that may 
be affected by the proposed rules, if adopted. The RFA generally 
defines the term ``small entity'' the same as the terms ``small 
business,'' ``small organization,'' and ``small governmental 
jurisdiction.'' In addition, the term ``small business'' has the same 
meaning as the term ``small business concern'' under the Small Business 
Act. A small business concern is one which: (1) Is independently owned 
and operated; (2) is not dominant in its field of operation; and (3) 
satisfies any additional criteria established by the Small Business 
Administration (SBA). See 15 U.S.C. 632. Below is a list of such 
entities.
    * Interconnected VoIP services;
    * Wireline Providers;
    * Wireless Providers--Fixed and Mobile;
    * Satellite Service Providers; and
    * Cable Service Providers.

C. Description of Projected Reporting, Recordkeeping, and Other 
Compliance Requirements

    77. We expect the proposed rules in the Further Notice will impose 
new or additional reporting or recordkeeping and/or other compliance 
obligations on service providers, and if they choose to participate, on 
agencies that are granted direct access to NORS and DIRS filings, 
and these entities may have to hire professionals to fulfill their 
compliance obligations. The rules proposed in the Further Notice would 
require minor adjustments to the existing reporting process used by 
service providers to account for new or refined multistate reporting 
for the NORS and DIRS filings. We estimate that service providers will 
incur total initial set up costs of $3.2 million based on our estimate 
of 1,000 service providers incurring costs of $80 per hour and spending 
40 hours to implement, update, or revise their software used to report 
outages to the Commission in NORS and DIRS. We seek comment on costs to 
service providers associated with any updates or modifications to their 
automated software and other systems that would be required for them to 
continue to file NORS reports under our proposed information sharing 
framework.
    78. Pursuant to the proposed confidentiality protections, if 
adopted, voluntarily participating agencies will be required to notify 
the Commission when they receive requests for NORS filings, DIRS 
filings, or related records and prior to the effective date of any 
change in relevant statutes or laws that would affect the agency's 
ability to adhere to the confidentiality protections that the 
Commission requires. We believe these agencies would incur initial 
costs to review and revise their confidentiality protections in 
accordance with the proposed information sharing framework and minimal 
recurring costs to notify the Commission about a request for NORS/DIRS 
filings or relevant statutory changes as described above. The 
Commission cannot quantify the costs for these activities, which would 
vary based on each participating agency's particular circumstances; 
however, we tentatively conclude that the benefits of participation 
would exceed the costs for any participating agency and seek comment on 
these matters.
    79. Under the proposed information sharing framework, voluntarily 
participating agencies will be required to submit to the Commission 
requests for direct access to NORS and DIRS filings which include a 
description of why the agency has a need to access NORS and DIRS 
filings and how it intends to use the information in practice. These 
agencies will also be required to administer annual security training 
to each person granted a user account for NORS and DIRS filings. In the 
event of any known or reasonably suspected breach of protocol involving 
NORS and DIRS filings, participating agencies will be required to 
report this information to the Commission and all affected providers 
within 24 hours of the breach or suspected breach. The Commission 
believes these participating agencies will incur costs to comply with 
the above requirements; however, we cannot quantify the costs for these 
activities, which would vary based on each participating agency's 
particular circumstances. We tentatively conclude that the benefits of 
participation would exceed the costs for any participating agency and 
seek comment on these matters.
    80. In the Further Notice, the Commission proposes to allow 
participating agencies to share confidential NORS and DIRS information 
within and outside the agency subject to certain limitations. A 
participating agency would likely incur initial costs to determine how 
to appropriately handle and disseminate confidential NORS and DIRS 
information consistent with the proposed information sharing framework. 
The Further Notice also proposes to require participating agencies to 
execute an annual attestation form certifying and acknowledging 
compliance with requirements of the information sharing framework that 
the Commission adopts. These agencies will undoubtedly incur costs to 
comply with these new requirements if adopted, but the Commission 
cannot quantify the costs for these activities, which would vary based 
on each participating agency's particular circumstances, and therefore 
seeks comment on these matters.

D. Federal Rules That May Duplicate, Overlap, or Conflict With the 
Proposed Rule

    81. None.

VI. Legal Basis

    82. Authority for the actions proposed in this Second Further 
Notice of Proposed Rulemaking may be found in sections 1, 4(i), 4(j), 
4(o), 251(e)(3), 254, 301, 303(b), 303(g), 303(r), 307, 309(a), 309(j), 
316, 332, 403, 615a-1, and 615c of the Communications Act of 1934, as 
amended, and section 706 of the Communications Act of 1996, 47 U.S.C. 
151, 154(i) through (j) & (o), 251(e)(3), 254, 301, 303(b), 303(g), 
303(r), 307, 309(a), 309(j), 316, 332, 403, 615a-1, 615c, and 1302.

List of Subjects in 47 CFR Part 4

    Airports, Communications common carriers, Communications equipment, 
Disruptions to communications, Network outages, Reporting and 
recordkeeping requirements, Telecommunications, Federal Communications 
Commission.

Federal Communications Commission.
Cecilia Sigmund,
Federal Register Liaison Officer, Office of the Secretary.

Proposed Rules

    For the reasons discussed in the preamble, the Federal 
Communications Commission proposes to amend 47 CFR part 4 as 
follows:

47 CFR PART 4 [AMENDED]

1. The authority citation for part 4 continues to read as follows:

    Authority: 47 U.S.C. 151, 154(i) through (j) & (o), 251(e)(3), 
254, 301, 303(b), 303(g), 303(r), 307, 309(a), 309(j), 316, 332, 
403, 615a-1, 615c, 1302, unless otherwise noted.

2. Section 4.2 is revised to read as follows:


Sec.  4.2   Availability of reports filed under this part.

    Reports filed under this part will be presumed to be confidential, 
except that the Chief of the Public Safety and Homeland Security Bureau 
may grant agencies of the states, the District of Columbia, Tribal 
Nations, territories and federal governments access to portions of the 
information collections affecting their respective jurisdictions only 
after each requesting agency has certified to the Commission that it 
has protections in place to safeguard and limit disclosure of 
confidential information to third parties as described in the 
Commission's Certification Form. Public access to reports filed under 
this part may be sought only pursuant to the procedures set forth in 47 
CFR 0.461. Notice of any requests for public inspection of outage 
reports will be provided pursuant to 47 CFR 0.461(d)(3).

[FR Doc. 2020-06085 Filed 3-30-20; 8:45 am]