You will find more information about the items on the September meeting agenda after the break:

Promoting More Resilient Networks - The NPRM would seek comment on various issues related to improving the reliability and resiliency of communications networks during emergencies and natural disasters. The NPRM focuses on whether the Framework (a wireless industry agreement aimed at providing mutual aid during emergencies, ensuring municipal and consumer readiness and communicating about service restoration) can be improved, such as by expanding participation, increasing the scope of participants’ obligations or codifying industry disaster-based coordination obligations. The NPRM would also seek comment on enhancing information provided to the FCC during disasters and network outages through the Network Outage Reporting System and the Disaster Information Reporting System. In addition, the NPRM would ask about communications resilience strategies to mitigate the impact of power outages, including coordination between communications providers and power companies and the use of backup power during disasters.

Reassessing 4.9 GHz Band for Public Safety – The Order on Reconsideration would grant requests by public safety organizations to vacate a 2020 order that permits states to lease spectrum in the 4.9 GHz band (designated for public safety use) to third parties for non-public-safety use. The Order on Reconsideration would also lift a freeze on 4.9 MHz licenses to allow incumbent licensees to modify licenses or seek new permanent fixed sites. The FNPRM would propose to establish a nationwide framework for the 4.9 GHz band to maximize public safety while promoting interoperable communications and interference protection throughout the network. Areas for comment would include how to protect public safety users from harmful interference, the use of the Universal Licensing System or another database to maintain relevant technical data, adoption of consistent technical standards to foster interoperability of equipment using the band and giving public safety uses priority. The NPRM would also seek comment on how to manage the band, incentivize public safety licensees to use the latest commercially available technologies and allow non-public safety use of the band without jeopardizing public safety operations.

Authorizing 6 GHz Band Automated Frequency Coordination Systems - The Public Notice would set forth a process for the OET to authorize AFC systems, which are required to operate standard-power devices in the 6 GHz band. Specifically, unlicensed standard power devices that operate in the 6 GHz band are required to check an AFC system prior to operating to avoid harmful interference to incumbent operations. The Public Notice would explain the approval process for AFC system operators, which would include conditional approval, a public trial period and an opportunity for public comment. The Public Notice would provide detailed information about the content of AFC system proposals and request that such proposals be submitted no later than November 30, 2021 (although proposals will be accepted after that date).

Spectrum Requirements for the Internet of Things - The NOI (which is required to be issued by The William M. (Mac) Thornberry National Defense Authorization Act for FY 2021 (Pub. L. No. 116-28) (the “Act”)) would seek comment on whether there is sufficient spectrum available for current and future IoT needs. As directed by the Act, the LOI would ask for comment on how to ensure that adequate spectrum is available for the increased demand for the IoT, whether regulatory barriers would prevent accessing any additional needed spectrum and the roles of licensed and unlicensed spectrum for supporting the IoT.

Shielding 911 Call Centers from Robocalls – The FNPRM would propose to update the FCC’s rules governing the PSAP Do-Not-Call registry. Although the FCC adopted rules in 2012 to establish the registry as a means to protect PSAPs from unwanted robocalls, the registry has not been fully implemented due to security concerns associated with releasing PSAP telephone numbers to entities accessing the registry. The FNPRM would propose that voice service providers block autodialed calls to PSAP telephone numbers on the PSAP Do-Not-Call registry, as an alternative to allowing entities claiming to use autodialers to access the registry to identify telephone numbers that may not be called. In addition, the FNPRM would seek comment on whether autodialed calls and text messages continue to disrupt PSAPs’ operations, security risks associated with maintaining a centralized registry of PSAP telephone numbers, ways to address security issues (such as enhanced caller vetting and data security requirements) and alternative means to prevent robocalls to PSAPs (such as by utilizing other technological solutions or leveraging the National Do-Not-Call registry).

Stopping Illegal Robocalls From Entering American Phone Networks - The FNPRM would propose to require gateway providers to assist in the battle against illegal robocalls by applying STIR/SHAKEN caller ID authentication and other robocall mitigation techniques to calls that originate abroad from U.S. telephone numbers. The FNPRM would also seek comment on several other proposals aimed at mitigating robocalls, including the following requirements that would be applicable to gateway providers: (1) responding to traceback requests within 24 hours; (2) blocking calls upon notification from the Enforcement Bureau that a certain traffic pattern involves illegal robocalling; (3) utilizing reasonable analytics to block calls that are highly likely to be illegal; (4) blocking calls originating from numbers on a do-not-originate list; (5) confirming that a foreign call originator using a U.S. telephone number is authorized to use that number; (6) including robocall mitigation obligations in contracts with foreign customers; and (7) submitting a certification regarding robocall mitigation practices to the Robocall Mitigation Database. In addition, the FNPRM would seek comment on a requirement that service providers block calls from gateway providers identified as bad actors by the FCC and on whether additional information should be collected by the Robocall Mitigation Database. The FNPRM would ask whether there are alternative means to stop illegal foreign-originated robocalls. Finally, while the rulemaking proceeding is pending, the FCC would not enforce the prohibition in Section 63.6305(c) of the FCC’s rules on U.S.-based providers accepting traffic carrying U.S. NANP numbers that is received directly from foreign voice service providers that are not in the Robocall Mitigation Database.

Supporting Broadband for Tribal Libraries Through E-Rate - Pursuant to Section 254(h)(4) of the Communications Act of 1934, as amended, a library may not receive preferential treatment or rates (such as under the E-rate program) unless it is eligible for assistance from a State library administrative agency under the Library Services and Technology Act (“LSTA”). In 2018, the LSTA was amended to specifically include Tribal libraries as eligible for assistance from a State library administrative agency. The NPRM would propose to amend Sections 54.500 and 54.501(b)(1) of the FCC’s rules to clarify that Tribal libraries are eligible for E-rate support. The NPRM would also seek comment on other measures to enable Tribal schools and libraries to gain access to the E-rate program and ways to increase participation in the E-rate program.

Strengthening Security Review of Companies with Foreign Ownership - The Second Report and Order would adopt standardized national security and law enforcement questions (“Standard Questions”) to be answered by applicants with reportable foreign ownership as part of the Executive Branch review of certain applications filed with the FCC. The issuance of Standard Questions is the FCC’s final step in implementing several reforms to formalize and streamline the FCC and Executive Branch review process consistent with Executive Order No. 13913 (April 20, 2020), which established a Committee for the Assessment of Foreign Participation in the United State Telecommunications Sector (“Committee” (formerly known as Team Telecom)) and set forth procedures and timelines for the Committee to complete its review. The Second Report and Order would include Standard Questions for the following types of applications when reportable foreign ownership (generally a 5 percent or greater equity and/or voting interest (indirect or direct) in the applicant) is present: (1) applications for a new or modified International Section 214 authorization or submarine cable landing license; (2) applications for assignment or transfer of control of an International Section 214 authorization or a submarine cable landing license; and (3) petitions for a declaratory ruling to permit foreign ownership in a broadcast licensee, common carrier wireless licensee or common carrier earth station licensee that exceeds the benchmarks in Section 310(b) of the Communications Act. There would also be a supplement to each set of questions to provide personally identifiable information for individuals with a reportable ownership interest, non-U.S. individuals with access to the applicant’s facilities, corporate officers and directors, and a law enforcement point of contact.

Click here for more information and to register.

The core of the legislation is a requirement that the National Institute of Standards and Technology (“NIST”) issue standards for the “appropriate use and management” of IoT devices owned or controlled by federal agencies. These standards are then to be incorporated by the Office of Management and Budget and, in turn, in federal procurement standards.

As we noted, this work in standards development at NIST was already far along, with NIST having issued a Core Baseline for IoT Device Cybersecurity in June. Not surprisingly, NIST was ready for the Act’s mandate, and on December 15 issued four additional documents for comment. As NIST explained in a blog post, these four new documents “expand the range of guidance for IoT cybersecurity, with the goal of ensuring IoT devices are integrated into the security and privacy controls of federal information systems.”

To begin, NIST had already issued two key documents, the Core Baseline documents. Specifically, the first two documents in NISTIR 8259 series, NISTIR 8259, Foundational Cybersecurity Activities for IoT Device Manufacturers, and NISTIR 8259A, IoT Device Cybersecurity Capability Core Baseline, identified the technical requirements IoT Device manufacturers should address in securing their IoT devices. The new documents are designed to enable these principles to be applied to federal purchases of IoT. They are:

• SP 800-213, IoT Device Cybersecurity Guidance for the Federal Government: Establishing IoT Device Cybersecurity Requirements. This document provides guidance for federal agencies seeking to integrate IoT devices and services into their systems and infrastructure. SP 800-213 offers recommendations on considering system security from the device perspective and is intended to enable the federal customer to identify device cybersecurity requirements — the abilities and actions a federal agency will expect from an IoT device and its manufacturer and/or third parties.
• NISTIR 8259B, IoT Non-technical Supporting Capability Core Baseline. This document is a complement to the previously released NISTIR 8259 documents. In particular, NISTIR 8259B details additional, non-technical supporting activities typically needed from manufacturers and/or associated third parties.
• NISTIR 8259C, Creating a Profile Using the IoT Core Baseline and Non-Technical Baseline, This document takes the general guidance provided for in the Core Baseline – which is written for a generic IoT device – and provides a process for applying the baseline to specific industries or uses. It details a process that an organization may use integrate the generic baselines with organization-specific or application-specific requirements (e.g., industry standards, regulatory guidance), thus yielding an IoT cybersecurity profile suitable for specific IoT device customers or applications.
• NISTIR 8259D, Profile Using the IoT Core Baseline and Non-Technical Baseline for the Federal Government. Finally, this document follows the above process to develop a profile for federal government IoT uses and provides a device-centric, cybersecurity-oriented profile that also incorporates FISMA criteria for security.

The Internet of Things Cybersecurity Improvement Act of 2020 draws upon work that the National Institute of Standards and Technology (“NIST”) has been doing to address cybersecurity for IoT devices. Referencing work done over the Summer on IoT Device Cybersecurity, the Act directs NIST to issue standards for the “appropriate use and management” of IoT devices owned or controlled by federal agencies. NIST, which already was working on the federal profile of IoT uses, is directed to issue these guideline by March 4, 2021. Within 6 months of that date, the Office of Management and Budget is to review agency information security policies and principles based upon NIST’s guidelines. And, adding a hammer to the incentives, federal government acquisition standards are to be revised to implement these standards. In other words, federal contractors will be required to adhere to the NIST standards in IoT devices sold to the federal government.

The goal of indirect IoT regulation was overt in the legislation. In a press release accompanying passage of the Act by the Senate, Senators Mark Warner (D-VA) and Cory Gardner (R-CO) expressly stated their goal that “leveraging the purchasing power of the federal government…will ultimately help move the wider market towards greater cybersecurity.” As we warned when NIST initiated its IoT device security guidance, non-binding standards can quickly become de facto regulations. That result is obvious here.

In addition, a second objective of the IoT Cybersecurity Improvement Act is to develop standards for the reporting of vulnerability information relating to federal IoT uses. Specifically, NIST is directed to develop guidelines for reporting, coordinating, publishing, and receiving information about a security vulnerability to information systems owned or controlled by the federal government (including but not limited to IoT vulnerabilities). These guidelines are to be aligned, to the maximum extent possible, with international standards adopted by the International Standards Organization and should provide guidance on both disclosing the vulnerability and disseminating information about the resolution of the security vulnerability. NIST is directed to develop these standards by June 2021.

This legislation adds to an already busy plate for NIST’s IoT and cybersecurity programs. But this legislation adds some teeth to the activities, making NIST an agency to watch in 2021.

Click here to listen and subscribe.

Click here for more information and to register.

Part 15 of the FCC’s rules allow unlicensed white space devices to operate at locations on frequencies not in use by licensed services. Twelve years ago, the FCC authorized unlicensed white space device operations for the first time on television channels not being used locally by broadcasters and associated service licensees. The devices are required to obtain a list of available channels and power levels for use at their particular location from FCC-approved entities that maintain accessible databases. Fixed devices must also incorporate geo-location capability. Portable devices must include geo-location and database access capabilities or, alternatively, acquire a list of available channels via another device with geo-location ability and access to a database. While several orders in the intervening years have been designed to increase flexibility and promote additional opportunities for deployment of such devices, such as relaxed technical accommodations for devices in rural and underserved areas, their use has fallen somewhat below initial aspirations.

Last May, Microsoft Corporation filed a petition for rulemaking requesting that the FCC provide yet additional flexibility for white space device operations. Many commenters filed in support, but the National Association of Broadcasters (“NAB”) raised concerns, as did stakeholders with interests in Wireless Medical Telemetry Service (“WMTS”) operations on Channel 37 and proponents of wireless microphones using spectrum not being used by other licensed services.

Proposed New Power and Height Limits for White Space Devices in “Less Congested” Areas

Now, after the NAB and Microsoft have worked together to resolve most of their differences, the FCC proposes to permit fixed white space devices in spectrally “less congested” areas over larger distances through using higher transmit powers (16 v. 10 W EIRP) and deploying antennas at greater heights above average terrain (up to 500 meters from a maximum of 250 meters) – while maintaining the existing one-watt transmitter conducted power limit for fixed devices and proposing certain adjustments when higher gain antennas are used. This flexibility would come with the need to maintain greater separation distances from authorized services, although the FCC also invites comment about even greater flexibility in powers used and antenna heights and whether coordination or notification procedures should be adopted in combination with the proposed relaxed requirements.

Given the foregoing proposals, the FCC, in the NPRM, additionally inquires whether it should relax the limit on antenna height above ground level, including potentially in all areas within the United States. But current power and height limits would remain in Channel 36, which the FCC believes would be adequate to protect WMTS and Radio Astronomy operations in Channel 37.

As an overarching matter, the FCC also inquires whether it should change the definition of “less congested” areas which now are those areas where, within the band of intended operation, at least half of the TV channels that will continue to be allocated and assigned only for broadcast service are unused for broadcast and other protected services, and are thus available for white space device use. For example, the FCC asks whether “less congested” areas should be defined, in part, based on population density.

In conjunction with these proposals, the FCC will consider making additional changes to the protection criteria for operations in the TV bands other than broadcasting, such as TV translator receive sites, Low Power TV (including Class A) receive sites, Multichannel Video Programming Distributor (“MVPD”) receive sites, fixed Broadcast Auxiliary Service (“BAS”) links, the private land mobile radio and commercial mobile radio services (“PLMRS” and “CMRS”), and licensed wireless microphones.

Potential Operation of White Space Devices on Mobile Platforms in Geo-Fenced Locations

Additionally, the NPRM proposes to permit higher-power operation of white space devices on TV Channels 2-35 on mobile platforms inside “geo-fenced” areas (within “less congested” areas) enforced by incorporated geo-location capabilities, e.g., GPS coupled with a database, and new operational requirements, such as prohibiting operation on board aircraft or satellites to limit the potential for interference. The FCC seeks comment on a wide variety of other questions related to permitting wider deployment of white space devices on mobile platforms, including limitations on the size of the area over which a higher-power mobile device could operate, changes to the databases used for white space devices, and other possible safeguards.

Prospective Changes That Might Propose Use of White Space Devices for IoT

The FCC also hopes to facilitate innovative narrowband IoT services by considering certain changes to the power spectral density (“PSD”) limits applicable to white space devices in the TV bands. Matters raised by the NPRM include a revised definition of “narrowband” white space devices and spectrum utilization limits, while the FCC leans toward permitting manufacturers and standards groups to develop their own protocols to prevent multiple devices from transmitting simultaneously and interfering with each other without a regulatory mandate. As with all of the other areas under consideration in the proceeding, the FCC asks whether there are other rule modifications needed to promote narrowband operations while ensuring protection of authorized services that operate in the TV bands from harmful interference potentially caused by narrowband white space devices.

Possible Flexibility for White Space Devices to Operate Adjacent to Occupied TV Channels

Further, the FCC seeks comment about higher-power white space device operation within the service contour of an adjacent-channel TV station. Generally, white space device operations above 40 milliwatts EIRP must generally operate outside the protected contours of adjacent-channel TV stations, although fixed white space devices may operate within the protected contour of adjacent-channel TV stations with a power level of 100 milliwatts EIRP when the white space device operates in a six-megahertz band centered on the boundary of two contiguous vacant channels, which requires three contiguous vacant channels available for use. Microsoft noted that these conditions are not always present and the FCC should therefore consider other ways to permit higher-power operation of white space devices when adjacent TV channels are occupied, such as more sophisticated location-determining computer models (e.g., Longley-Rice) and consideration of improved selectivity in next-generation TV receivers. NAB opposes any consideration of this matter – the primary area where Microsoft and the broadcasters could not reconcile their differences over Microsoft’s proposals.

Interest in Microsoft’s proposals has already been considerable, with almost two dozen parties commenting. There is every reason to expect that a similar level of participation will emerge during the rulemaking. Manufacturers of white space devices, developers of agricultural, mining, construction, and other IoT applications, and potential users of these devices should be especially interested, as well as broadcasters and those operating in the authorized services in the TV bands.

Click here to listen and subscribe.

NIST is seeking comment on the document through September 30 of this year and it held a workshop in August for interested parties to discuss the document. In a prior post, I blogged on takeaways from that workshop. Now, it’s time to take a closer look at the NIST document itself.

Overview of the Baseline

The NIST Baseline (“NISTIR 8259” in government-speak) is subtitled “A Starting Point for IoT Device Manufacturers,” and it is intended as just that. NISTIR 8259 builds upon a base document released in final form on June 27, 2019 relating to cybersecurity and privacy risks for the Internet of Things. IoT manufacturers should review NIST’s Considerations for Managing Internet of Things (IoT) Cybersecurity and Privacy Risks before digging into the Baseline document. Considerations (also known as NISTIR 8228) identifies high-level considerations that make IoT security different than IT security and offers suggestions for mitigating cybersecurity and privacy risks. Its intended audience primarily are the users and organizations deploying IoT devices, but it has meaning for manufacturers, network operators and service providers in the space as well.

The NIST Baseline takes these considerations to the manufacturing side, offering (as NIST describes it) to help IoT device manufacturers “understand the cybersecurity risks their customers face” so IoT devices can provide the minimal features to make them securable. (For a discussion of the different meanings that “securable devices” can have in this context, see my blog post on the NIST workshop.)

Securing IoT Devices

The NIST Baseline explains that cybersecurity risks for IoT devices have two high-level risk mitigation goals: protecting device security and protecting data security. As noted in the user-focused Considerations document, the challenges in doing so stem from three features of the Internet of Things:

1. IoT devices interact with the physical world in ways conventional IT devices usually do not. (In other words, they are, by their nature, connected devices.);
2. Many IoT devices cannot be accessed, managed, or monitored in the same ways conventional IT devices can; and
3. The availability, efficiency, and effectiveness of cybersecurity features are often different for IoT devices than conventional IT devices.

For the “core,” NIST identifies six features that IoT devices should address:

1. Device Identification. How the IoT device can be uniquely identified, both logically and physically.
2. Device Configuration. How the device’s software and firmware can be changed and who is authorized to make such changes.
3. Data Protection. How the device can protect from unauthorized access and modification the data that it stores and transmits.
4. Logical Access to Interfaces. How the device can limit (logical) access to its local and network interfaces so that only authorized users may access these elements.
5. Software and Firmware Updates. How the device can be updated by authorized entities only, using a secure and configurable mechanism.
6. Cybersecurity Event Logging. How the device can log cybersecurity events and make the logs accessible to authorized entities only.

Separate from the core features, the NIST Baseline also discusses two areas relevant to securing IoT devices. First, it discusses considerations for implementation of these features in the design and manufacturing process. Second, it discusses considerations in communicating these features and the cybersecurity risks of IoT devices to the manufacturer’s customers and users of the device (users who may not necessarily have been the ones to purchase or configure the device).

Issues for Comment

Unlike FCC or FTC notices seeking comment, the NIST Baseline does not provide specific questions or issues for comment. Instead, the Baseline simply seeks feedback from all stakeholders on the draft, in order to assist NIST in refining the document.

The NIST workshop that I attended offers some insight into the comment areas that NIST would find helpful. In the discussion group sessions, NIST first asked whether the six core features were sufficient, and whether any other considerations should be added to the list. My group spent a lot of time discussing the relationship between the Baseline and efforts to create industry-specific standards or best practices. NIST seemed very interested in determining whether the Baseline would serve as a useful starting point for those efforts.

Second, the discussion group was asked whether customer communication should be a core feature or a separate consideration (as in the draft now). This seemed to focus on the role that shared responsibility among manufacturers, users, control organizations (like a corporate IT group) and/or the government played in securing devices (or making them securable).

Finally, our discussion group was asked about two potential additions to the Baseline. First, we were asked whether considerations in protecting legacy devices in an IoT network should be added. This question raised the issue of the role a single IoT device plays in a larger network, such as a smart home configuration where multiple devices (potentially from multiple manufacturers) are controlled by a central hub device. Second, we were asked whether exterior threats to the devices, such a DDoS attack or botnet attacks, should be part of the Baseline.

Any and all of the above should be fair game for comment to NIST on the Baseline. Comments on the NIST draft may be submitted through September 30. Kelley Drye is working with device manufacturers on potential comments to NIST. If you are interested in submitting comments, please feel free to contact us.

Now, the federal government is trying to provide resources for businesses engaged in the Internet of Things (“IoT”) economy. Building on guidelines it established for cybersecurity generally and IoT cybersecurity specifically, the National Institute for Standards and Technology (“NIST”), a division of the U.S. Department of Commerce, held a workshop for manufacturers on securing IoT devices. I attended the workshop and these are my principal takeaways from the meeting.

NIST Cybersecurity Baseline for IoT Device Manufacturers

Titled Core Cybersecurity Feature Baseline for Securable IoT Devices: A Starting Point for IoT Device Manufacturers, NIST has produced a draft document for comment. The comment period for the draft document runs through September 30, and I’ll have more detail on that document in a follow up post. But, for today, I want to run through impressions from the day-long workshop held at NIST headquarters in Gaithersburg, Maryland.

First, some background. The NIST workshop was held Tuesday August 13, 2019. The crowd in the room appeared to be between 125-150 people, with an unknown number viewing via a webcast. The audience included representatives from tech companies, defense contractors, mobile carriers, research institutions and more (and even at least one lawyer!). In introductory presentations, NIST officials explained that NIST does not have rulemaking authority over private industry. It has a role in setting cybersecurity standards that federal agencies must meet, but any influence NIST has on private industry is through voluntary adoption of its frameworks and standards. More broadly, NIST’s mission is to promote innovation and competitiveness through the use of common standards and measurements. The purpose of this workshop was to receive feedback from industry on the guidance document that has been produced.

Takeaways

By far, the most informative and – judging from conversations the rest of the day, surprising – learning from the day was a presentation on a study conducted by NIST’s Information Technology Laboratory. The presentation discussed consumer perceptions of IoT security. The study consisted of 40 semi-structured interviews with consumers using IoT devices. The participants were not novices – the participants had to be using at least three IoT devices in their homes in order to qualify, and their education levels skewed higher than the U.S. as a whole. The study should re-orient the way we think about the IoT:

• To consumers, the “Internet of Things” is not a thing. Participants did not use the terminology of “IoT” or the Internet of Things. Instead, to the extent that they saw this as a category, participants referred to the devices as “smart home” or “connected devices.” To me, this makes a lot of sense. Consumers don’t want an “IoT doorbell” or likely even know what that might mean. They focus on functionality (it’s a video doorbell, for example) and don’t really care about the labels and buzzwords dominating the policy discussions.

• Participants expressed general concerns about privacy – but used the devices anyway. The rationalizations presented were quite interesting. One participant is quoted as saying that he/she knew the device was collecting personal data but “I like having the convenience of having these things.”

• The participants were confused about the difference between privacy and security and didn’t really seem to understand security. Some took mitigation measures that ranged from the silly (covering cameras with tape) to the minimally effective (not placing devices in certain rooms in the house). The takeaway I had from this is that manufacturers should not expect consumers to know or understand security practices; security will involve a lot of hand-holding to accomplish.

• On a related note, participants were cognizant of a shared responsibility to protect security, but really didn’t take much responsibility themselves. 29 of the 40 participants pointed to the manufacturer as responsible for security. Participants cited manufacturer’s greater knowledge as one factor why they bore a greater proportion of the responsibility for security.

Nevertheless, representatives from regulatory agencies in attendance indicated that they are looking to the NIST baseline as at least a best practice, if not a standard. In my discussion session (one of four), several participants talked about these standards becoming part of government and private industry RFPs, either as requirements or “nice to have” differentiators among bidders. Moreover, several industry groups discussed their efforts to build upon guidance such as the NIST Baseline to develop industry-specific standards. Still others saw multiple standards efforts, and stated that the focus should be on the commonalities among the various standards that are published.

Regardless of how these developments take form, it is clear that the work NIST has done will have an impact, indirect or not, outside of NIST’s limited regulatory authority. Manufacturers should carefully heed the guidance NIST provides, and should consider providing comments on the draft before the September 30 deadline.

Third, the discussion group crystallized some of the interplay among considerations that go into IoT security. Immediately before the discussion groups, a NIST official gave an overview of the draft, emphasizing the difference between a “secure” device and a “secure-able” device. Nevertheless, some in my discussion group suggested that some devices were not worth securing, distinguishing between “securable” devices and those that are not, for cost, utility or other reasons, worthwhile to secure. Others noted that IoT devices most often will operate in a network, not independently, and therefore, security might be provided by other devices in the network (much like a firewall provides security in IT systems today). Moreover, there was general agreement in my discussion group that not every device in a network needed to have all of the security capabilities, and that instead, some devices may have more or different security in order to control (or protect) less secure (or secure-able) devices in the network.

These discussions suggested to me that security is more nuanced and that the concept of “securable” devices depends on multiple factors. While NIST’s document is a starting point, use of it as a standard has pitfalls. Particularly as we are starting to see a wave of IoT security legislation (notably, SB-327 in California and several bills in the U.S. Congress), the inter-dependency of securability and IoT networks is a layer of complexity that policymakers and regulators may not fully appreciate in their oversight activities. Manufacturers and others in the IoT economy have their work cut out for them in explaining how real-world security might work.

Up next: a summary of the NIST Cybersecurity Baseline for IoT devices. Manufacturers and participants in the IoT economy should carefully review this draft and consider filing comments with NIST to inform the final document.

While the NPRM formally does not act on Ligado’s petition (filed by its pre-bankruptcy predecessor LightSquared), the FCC is incorporating the record from the Ligado proceeding into the new docket. That record includes strong opposition from the National Oceanic and Atmospheric Administration (“NOAA”) and several other federal and non-federal users of the band. NOAA is the primary user of the 1675-1680 MHz band, using it for its weather tracking and monitoring capabilities. Numerous unlicensed receive earth station operators and other stakeholders make operational use of the weather data downlinked from NOAA satellites on a direct read out.

NOAA and other incumbents use the band under the current allocations: Meteorological Aids (“MetAids”) and Meteorological-Satellite (“MetSat”) services. MetAids service (i.e., radiosondes) is already transitioning from the band to other frequencies. But the MetSat service is here to stay, as NOAA’s GOES-N and the recently-launched GOES-R satellites operate at the top of and near the 1675-1680 MHz band. Indeed, GOES-R is expected to operate through at least 2036. Because the federal government’s MetSat earth stations are fixed, and relatively limited in number, the FCC contemplates that large geographic areas should be available for commercial wireless users. These tentative conclusions do not take into account the uncertain number of non-federal earth stations that utilize the direct read out. However, the NPRM invites comment on other ways, apart from direct read out, that non-federal entities that rely on the GOES data can gain access to that data, including a non-radio-based content delivery network. Products generated from GOES data support multiple operational activities including dynamic weather forecasting, anticipation of hurricane movements, water level and flood management, warnings for tornadoes and severe weather, wildfire growth tracking, and condition reports for firefighters.

Comments will be due thirty days after Federal Register publication of the NPRM (which has not occurred as of this writing), with replies due 60 days after publication. The FCC seeks comment on numerous issues, with a strong repeated request for cost/benefit information and data, as well as alternative approaches, including:

• Coordination with Federal Systems – How can current federal earth stations in and adjacent to the band be protected from harmful interference? How can future federal earth stations be accommodated by new commercial users in the 1675-1680 MHz band with minimal disruption to their services?
• Non-Federal Users – Which non-federal entities operate receive earth stations in the band? Which entities rely on this direct read out data? What other options exist for non-federal users to access the data from NOAA satellites? Is a content delivery system operated over the Internet an acceptable alternative? Would such a system increase the total number of users with reliable access to NOAA satellite data?
• Band Plan and Licensing – The Commission proposes to license the full five megahertz on an unpaired, geographic area basis. Should the Commission auction licenses by Partial Economic Area (“PEA”)? Should the spectrum be made available solely for downlinks from base stations to user terminals?
• License Term and Performance Requirements – Should the Commission grant 15-year licenses? Should licensees be required to demonstrate reliable signal coverage to 45% of the population within six years and 80% within twelve years, or should other performance measures be utilized? Should there be different performance requirements for Internet of Things (“IoT”) type services, since they may not provide service based on residential population coverage?

Apart from Ligado’s reactions to the Commission’s “non-action” on its petition through the NPRM, NOAA continues to do studies using Spectrum Relocation Fund monies into the compatibility of existing meteorological operations in and adjacent to 1675-1680 MHz band with new entrants. One gets the sense that, while the NPRM clearly opens a new chapter in this long story, much of the chapter remains to be outlined, let alone written.

You will find more details on the significant April meeting items after the break:

Spectrum Incentive Auction: The draft Public Notice would propose auction application and bidding procedures for licenses in the Upper 37 GHz (37.6-38.6 GHz), 39 GHz (38.6 GHz-40.0 GHz), and 47 GHz (47.2-48.2 GHz) bands. In the first auction phase, participants would bid for generic 100 megahertz blocks in the three mmW bands. The first auction phase also would determine the amount of incentive payments due to incumbent licensees that opted to relinquish their existing spectrum holdings. The second auction phase would establish the specific frequency assignments awarded to the auction winners. The actual number of licenses available for auction is not yet settled and will depend upon how many incumbent licensees previously agreed to give up their existing spectrum holdings for payment or accept modified licenses. The FCC would announce the particular licenses available at auction in advance of the auction application deadline. The FCC expects to complete the auction by the end of 2019.

37 GHz/50 GHz Band Access: The draft Order would facilitate the auction of the Upper 37 GHz band by establishing procedures for the Department of Defense (“DOD”) to operate in this spectrum on a shared basis with commercial wireless operators under limited circumstances. Specifically, the FCC would review DOD requests to use Upper 37 GHz band frequencies, contact potentially-affected commercial wireless licensees, and help coordinate shared usage, if possible. The draft item also would permit the licensing of Fixed-Satellite Service earth stations to transmit in the 50 GHz (50.4-51.4 GHz) band to potentially provide faster, more advanced services.

OTARD Reform: The draft Notice of Proposed Rulemaking would reform the FCC’s OTARD rule, which currently protects only end-user antennas (e.g., satellite TV dishes) from state, local, or private restrictions. Under the FCC’s proposal, the OTARD protections would be extended to hub or relay antennas used by fixed wireless providers that represent the backbone of emerging 5G networks. The FCC would seek input on how reforming the OTARD rule would impact small antenna infrastructure deployment, particularly in rural areas. The FCC anticipates retaining OTARD rule exceptions for state, local, and private restrictions on antennas based on public safety issues or historic preservation objectives, so long as the restrictions are not overly burdensome and apply in a nondiscriminatory manner.

Legacy Regulation Forbearance: The draft Order would partially grant a petition filed by USTelecom asking the FCC to forbear from enforcing certain legacy long-distance service regulations applicable to former Bell Operating Companies (“BOCs”) and other incumbent carriers. First, the FCC would no longer require incumbent rate-of-return carriers to offer long-distance service through a separate affiliate. Second, the FCC would grant incumbent carriers relief from the “provisioning interval” requirement obligating them to fulfill telephone exchange service and exchange access requests within the same period that they provide such services to affiliated entities. Third, the FCC would refrain from requiring incumbent carriers to submit reports about their legacy “special access” services. Finally, the FCC would eliminate a BOC-specific requirement to provide nondiscriminatory access to poles, conduits, and rights-of way, finding the obligation duplicative of a similar access rule already imposed on all local exchange carriers. The FCC plans to hold off on USTelecom’s request that it forbear from enforcing its incumbent carrier network element unbundling and resale mandates, but the agency likely will take up this issue before the end of the year.

Rate Floor Elimination: The draft Order would abolish the USF “rate floor” that limited the amount of Connect America Fund support received by some rural carriers to build and maintain networks in underserved areas. Today, if a carrier elects to charge its customers less than the rate floor set by the FCC for voice service, the difference between the amount charged and the rate floor is deducted from the amount of USF support received by the carrier. The FCC plans to conclude that this process results in artificially-inflated rates for rural customers and should be eliminated, along with all of the rate floor’s associated reporting and customer notification requirements. The FCC previously froze the rate floor for two years while it considered reforms and the rule’s elimination would prevent a nearly 50% increase in the rate floor scheduled to take effect in July 2019.

Currently, the Commission’s unlicensed rules permit operations in the 6 GHz Band for wideband systems (e.g., sensor/tag systems used to locate objects) and ultra-wideband operations. In general, the draft NPRM would allow other unlicensed devices to be introduced to the 6 GHz Band by splitting the spectrum into four sub-bands that pair technical and operational parameters with certain 5 GHz U-NII sub-bands, while incorporating features designed to protect incumbent licensees in those sub-bands. The Commission hopes that by mirroring the operational and technical parameters that already exist for unlicensed devices in the 5 GHz Band, it will “create an enhanced ecosystem of unlicensed use in the 6 GHz band and the nearby U-NII bands” (which are spread over 580 megahertz within the 5150-5850 MHz range).

5.925-6.425 and 6.525-6.875 GHz: Automated Frequency Control

The draft item notes that the U-NII-5 and U-NII-7 sub-bands are home to point-to-point microwave links that support public safety, railroad, oil and gas pipeline, utilities, and wireless and wireline communications service, as well as some fixed satellite services. As the fixed service incumbents are at known, fixed locations, the FCC believes the AFC system could be a “simple database” which is automatically queried to determine which frequencies are available for an unlicensed device to use at a given location and time. The FCC seeks comment on numerous aspects of possible approaches to the AFC system concept, thereby highlighting the many technical and other issues that will need to be resolved. These include what are the basic eligibility requirements to be an AFC system operator; whether there should be more than one AFC system; whether the FCC’s ULS system is or can be made sufficiently reliable as the basis for AFC system operation and determination of available frequencies; whether and how AFC systems (assuming there are more than one) will need to exchange data; whether the AFC system(s) should be centralized or de-centralized; whether unlicensed devices will need to register with the AFC system(s) and will need to identify themselves to incumbents; how the location and height of an unlicensed 6 GHz Band device will be determined before frequencies are selected; what security needs to be in place to ensure proper operation of the AFC system(s); whether 6 GHz Band unlicensed devices might cause aggregate harmful interference to satellite space station receivers and, if so, how to mitigate that interference; how often unlicensed devices would need to check the AFC system to confirm the availability of the frequencies they are using; and whether and how AFC system operators can charge access fees. The FCC also requests input on the nature of and metrics for the appropriate interference standard to protect incumbent licensees, ensuring that unlicensed devices in the U-NII-5 and U-NII-7 sub-bands cannot operate co-channel to any fixed link within that link’s defined exclusion zone. In this area, the Commission faces a number of “real-world” challenges, such as properly allowing for multipath fading when an AFC system determines that a frequency is available, with the goal of maximizing spectrum utilization by licensed and unlicensed devices.

6.425-6.525 and 6.875-7.125 GHz: Low-Power, Indoor Operation

Interference Mitigation

During the July 18^th meeting, four working groups presented: (1) the Communicating Upgradability and Improving Transparency working group; (2) the Incentives, Barriers, and Adoption working group; (3) the Standards working group; and (4) the Technical Capabilities and Patching Expectations working group.

The Communicating Upgradability and Improving Transparency working group reached consensus on a final draft document that outlines a communications framework for manufacturers to consider before consumers buy their products. Members of the working group were quick to emphasize that their guidelines are not meant to supersede regulation or serve as a legal standard. Instead, the working group sought to identify and consolidate critical points it recommends manufacturers weigh as they develop IoT devices.

According to the final draft, “key” considerations manufacturers should communicate to consumers include:

• Whether the device can receive security updates;
• How the device receives security updates; and
• The anticipated timeline for the end of security support.

Importantly, working group members noted there is no strategic plan for using the final draft going forward. Working group co-chairs noted they would like to see how the guidelines operate “in the wild” and that the framework could become part of the government’s effort to combat botnets and automated threats. The working group will discuss next steps on its next conference call, at a date still to be determined.

The three other working groups also presented status updates on their initiatives, which remain in earlier stages of drafting. NTIA plans a September 12, 2017 meeting in Washington, D.C. to attempt to reach consensus on these three drafts.

If you have questions about NTIA’s multistakeholder process on IoT issues, or would like to learn more about how to get involved, please contact the authors of this post.