FCC Adopts New Cybersecurity Rules for Emergency Systems and Undersea Cables
New FCC cybersecurity rules land for emergency systems and undersea-cable operators, mandating baseline cyber hygiene for alert equipment and a first-in-decades overhaul of submarine-cable licensing and security.
Key Takeaways
|
New FCC cybersecurity rules land for emergency systems and undersea-cable operators, mandating baseline cyber hygiene for alert equipment and a first-in-decades overhaul of submarine-cable licensing and security.
WASHINGTON — The Federal Communications Commission on June 25, 2026 voted unanimously to adopt new cybersecurity requirements for the nation's emergency alerting systems and to overhaul the rules governing undersea communications cables, pairing baseline cyber-hygiene mandates for emergency-alert equipment with the first comprehensive update to submarine-cable licensing in decades. The action, taken at the Commission's June open meeting on a 3-0 vote, advances both final rules and further proposals across two long-running proceedings, and reframes a swath of telecommunications infrastructure as a national-security and cybersecurity concern rather than a purely operational one.
The package matters because of what the affected systems do. The Emergency Alert System (EAS) and Wireless Emergency Alerts (WEA) carry life-safety warnings to the public, while submarine cables carry the overwhelming majority of intercontinental internet traffic. Both have drawn growing scrutiny as governments treat critical infrastructure resilience as a strategic priority, and the FCC's order folds cybersecurity obligations directly into the licensing and operating conditions that telecommunications providers must meet.
| At a Glance | |
|---|---|
| Field | Details |
| Regulator | U.S. Federal Communications Commission (FCC) |
| Action | EAS cybersecurity Report and Order; submarine-cable Second Report and Order and Further Notice of Proposed Rulemaking |
| Scope | EAS participants and emergency-alert equipment; submarine-cable licensees and SLTE owners/operators |
| Vote | Unanimous, 3-0, at the June 25, 2026 open meeting |
| Effective | Most provisions ~30 days after Federal Register publication; PRA-dependent items later |
| Status | Adopted (final rules plus further proposals open for comment) |
What the FCC Adopted
The Commission's emergency-alerting action was adopted as a Report and Order and Further Notice of Proposed Rulemaking, identified as FCC 26-38 and filed under PS Docket Nos. 25-224, 22-329, 15-91 and 15-94. The final rules apply to EAS participants — the broadcasters, cable operators, and other providers that relay alerts to the public — and require them to secure the equipment supporting their programming stream. Specifically, participants must change default passwords and use strong passwords, promptly test and install security patches issued by equipment manufacturers, and deploy a firewall or comparable network-segmentation practice to limit access to alerting gear. The intent, the agency said, is to reduce the risk of unauthorized access to systems that broadcast warnings to the public.
Two of the most-discussed measures — requiring that all alerts be authenticated before transmission, and establishing universal alert identification numbers to detect and block duplicate messages — were advanced as proposals in the accompanying Further Notice of Proposed Rulemaking rather than adopted as final rules. The further notice also seeks comment on eliminating outdated WEA geotargeting exceptions and on expanding EAS geotargeting to polygon-based delivery. Those items are not yet binding requirements; they are open for public comment as part of a broader effort to modernize EAS and WEA.
Alongside the alerting item, the FCC adopted a Second Report and Order and Further Notice of Proposed Rulemaking on submarine cables, providing what the agency described as the first comprehensive update to its submarine-cable rules in decades. That order tightens national-security and cybersecurity requirements in several areas while streamlining licensing in others — including a presumptive exemption from Team Telecom national-security review for qualifying applications — and it was the centerpiece of the Commission's framing of undersea infrastructure as a security priority. Both items passed on the same unanimous 3-0 vote.
Implementation Implications for Telecommunications Operators
For emergency-alert participants, the practical work is verification and documentation. The adopted requirements — strong passwords in place of defaults, prompt patching of manufacturer-issued updates, and firewalling or segmentation of alerting equipment — are baseline practices many mature operators already follow, but the rules convert them from optional hygiene into compliance obligations. Operators will need to confirm that every EAS device in their footprint meets the standard, that patch cycles are tracked against vendor advisories, and that the network paths to alerting gear are restricted rather than broadly reachable. This aligns the alerting tier with the kind of zero-trust posture that federal guidance has increasingly pushed across government and critical-infrastructure systems.
For submarine-cable operators, the implications run deeper because the FCC has expanded the universe of regulated parties. The order extends licensing and oversight to owners and operators of submarine line terminal equipment (SLTE) — the gear that converts optical signals arriving over the cable into electrical signals for connection to U.S. terrestrial networks, and one of the most sensitive points in the entire system. SLTE licensees become subject to routine conditions and reporting requirements, including obligations to comply with FCC rules and international communications treaties, to file annual circuit-capacity reports, and to maintain cybersecurity and physical-security risk-management plans. That last requirement formalizes security planning as a condition of operating, not an afterthought.
Timing is the immediate operational question. The FCC delegated to its Office of International Affairs the task of announcing effective dates through Federal Register notices. As a general matter, most rule changes are expected to take effect roughly 30 days after publication in the Federal Register, while provisions that require Paperwork Reduction Act approval — typically the new reporting and certification obligations — take effect later, after Office of Management and Budget review and a further FCC notice. Operators should not wait for those later dates to begin work, since building a compliant risk-management plan and certification process takes lead time.
Undersea-Cable Cybersecurity Context
Submarine cables carry the large majority of the world's intercontinental internet and voice traffic, which makes their security a matter of national and economic resilience well beyond any single carrier's network. The FCC's overhaul reflects a years-long shift in how regulators view this infrastructure: not merely as commercial undersea lines, but as strategic assets whose compromise or disruption could ripple across the broader digital economy. The Commission's decision to license SLTE — the landing-station equipment that bridges the wet plant to terrestrial networks — closes a long-standing gap by bringing one of the system's most exposed components under direct oversight.
A central thrust of the order is restricting equipment tied to foreign adversaries. Under the new framework, principal equipment — the primary electronic components that support cable systems end to end — produced by entities controlled by a designated foreign adversary may not be used or added to submarine-cable systems. Any entity controlled by a designated foreign adversary, or listed on the FCC's Covered List (which includes companies such as Huawei, ZTE, and HMN Tech), is excluded from the streamlined blanket-license path and must instead apply for an individual license under a standard the Commission has signaled will be one of presumptive denial. The order also adds certification requirements covering the use of "covered" equipment and services on cable systems.
The same rulemaking pairs that tightening with deregulation elsewhere, exempting some qualifying applicants from the more stringent Team Telecom national-security licensing review in an effort to accelerate the buildout of cables that do not raise the same concerns. The result is a bifurcated regime: a faster track for trusted operators and equipment, and a markedly harder path for anything connected to adversary-controlled suppliers. For the cybersecurity community, the most durable change is the explicit requirement that licensees maintain and certify cybersecurity and physical-security risk-management plans, embedding security governance into the license itself.
Industry-Association Responses and What to Watch For
Because the Commission paired final rules with a Further Notice of Proposed Rulemaking, much of the substantive debate now moves to the comment phase. Broadcasters and equipment vendors in the alerting space will weigh in on the proposed alert-authentication mandate and universal alert-identification scheme — measures intended to prevent spoofed or duplicate warnings, but which carry implementation cost and coordination questions across a large installed base of EAS gear. The further notice's geotargeting proposals, including expanding EAS to polygon-based delivery, will likewise draw responses from participants who must implement them.
On the submarine-cable side, the most consequential reactions will come from cable consortia, landing-station operators, and equipment suppliers now newly within the FCC's licensing perimeter. The SLTE licensing requirement and the cybersecurity risk-management-plan certifications represent new compliance overhead, and industry comment is likely to focus on the scope of "principal equipment," the mechanics of certification, and the timelines for compliance. The foreign-adversary equipment restrictions, while broadly aligned with prior FCC and U.S. government policy, will sharpen attention on supply chains for any operator that has historically used affected vendors.
The key things to watch are procedural but decisive: the Federal Register publication dates that set the compliance clock, the OMB review timeline for the reporting and certification obligations, and the comment record that will shape whether the proposed alert-authentication and universal-ID requirements become binding. For practitioners, the safe assumption is that the direction is set — more security obligations, more oversight of sensitive equipment, and tighter exclusion of adversary-linked suppliers — even if specific deadlines firm up only as the notices issue.
Open Questions
Several points remain unsettled. The precise effective dates for both the EAS requirements and the submarine-cable provisions depend on Federal Register publication and, for some items, on Paperwork Reduction Act review, so the compliance timeline is not yet fully fixed. The proposed alert-authentication mandate and universal alert-identification numbers are still proposals, not rules; whether and in what form they are adopted will turn on the comment record. And the operational definition of "principal equipment" for submarine systems, along with the exact contours of the certification process, will be worked out as the rules are implemented.
What is settled is enough to act on: the FCC has adopted binding cybersecurity requirements for emergency-alert equipment, extended its licensing reach to submarine line terminal equipment, mandated cybersecurity and physical-security risk-management plans for cable licensees, and excluded foreign-adversary-controlled equipment from the streamlined licensing path. These changes sit alongside a broader wave of federal action on infrastructure security — from post-quantum cryptography mandates to zero-trust guidance — and signal that telecommunications operators should treat regulatory cybersecurity obligations as a permanent and expanding feature of doing business.
For telecommunications operators weighing what to do now, the following implementation checklist captures the near-term work the order creates: inventory all EAS equipment and confirm default passwords have been replaced with strong credentials; establish a tracked patch cycle tied to equipment-manufacturer security advisories and verify timely installation; deploy firewalls or comparable network segmentation around alerting gear and restrict reachability to the segments that genuinely need it; for cable operators, determine whether any owned or operated assets fall within the new SLTE licensing scope and prepare licensing applications accordingly; audit submarine-cable supply chains for principal equipment from Covered List or foreign-adversary-controlled entities and plan remediation or individual-licensing paths where needed; draft or update cybersecurity and physical-security risk-management plans to meet the new certification requirements; assign ownership for monitoring Federal Register notices so compliance clocks are caught the moment they start; and engage in the open comment proceeding where the proposed alert-authentication and universal-ID requirements would directly affect deployed infrastructure.